Question
Privacy has always been an important value to Americans. Many Americans believe that a great many personal issues are simply not the business of the government. In Griswold v. Connecticut (1965), the Supreme Court established a "zone of privacy" regarding contraceptive use. Since that time, the Court has addressed other privacy issues. In your posting, address the following points:
1. List three topics that you believe should be included in this zone of privacy. (The three topics do not have to be lofty—they should merely be things that you think the government should not have the right to pry into).
2. Do you believe that the availability of information on the Internet and the Internet's widespread use makes maintaining your privacy more difficult?
Explanation / Answer
Please follow the data below:
Zone of privacy:
Zone of privacy refers to a set of distinctive privacy rights that are fundamentally protected by the Constitution. These rights are guaranteed by the Bill of Rights. For example, a citizen has every right to be secure in one’s person, or house.
1)
List of measures that need to be added:
Appropriate security measures for protecting personal information need to be considered in regards to all of your entity’s acts and practices. This section outlines examples of key steps and strategies you should consider under the nine broad topics listed below. It includes a number of questions to ask yourself when considering or implementing these steps and strategies.
Governance, culture and training.
Internal practices, procedures and systems.
ICT security.
Access security.
Third party providers (including cloud computing).
Data breaches.
Physical security.
Destruction and de-identification.
Standards.
These steps and strategies are not intended to be prescriptive or exhaustive and it may not be necessary to take all the steps and strategies outlined below. You should also consult relevant standards and guidance on information security including any which are particular to your sector or industry (see ‘Standards’ and ‘Information security resources’ below).
The steps and strategies vary in ease of implementation and the impact that they will have on users. What is reasonable in the circumstances may vary between entities, and may change over time, for example, as a result of technological change or if you become aware that security measures that previously protected personal information are no longer adequate.
You should be fully aware of all the personal information you handle, where it is kept and the risks associated with that information before deciding what steps to take. You could undertake robust information asset management by developing and maintaining a list or register which provides a high level description of the types of and location of personal information you handle. This will help ensure that your personal information security measures are comprehensive.
Governance, culture and training:
Fostering a privacy and security aware culture
Your privacy and security governance arrangements should include appropriate training, resourcing and management focus to foster a privacy and security aware culture among your staff. Personal information security should be an integrated component of your entire business and not left to the compliance or ICT area alone. The creation of this culture will require the active support of and promotion by, senior management.
Insufficient interest in personal information security from staff, in particular senior management including the board (or equivalent decision making body), can lead to threats to the security of personal information being ignored and not properly attended to. Appropriate training can assist in mitigating these issues and making staff aware of common personal information security threats (see ‘Personnel security and training’ section below).
If your entity has experienced a significant breach of personal information security, the focus of your senior management should be to look at whether significant cultural changes are needed to improve security in the long term rather than relying on superficial solutions or treating such issues as ‘someone else’s problem’.
Oversight, accountability and decision-making
You should establish clear procedures for oversight, accountability and lines of authority for decisions regarding personal information security. You could have a body or designated individual/s that are aware of what personal information you hold, where and how it is held and responsible for ensuring that it is held securely. This role could include defining information security measures and implementing and maintaining those measures. This role should be overseen by, and accountable to, your senior management.
Are privacy and personal information security steps and strategies driven by your senior executives?
Do the governance arrangements foster a privacy and security aware culture among your staff?
Do the governance arrangements promote awareness and compliance with personal information security obligations?
What governance arrangements do you have in place?
Are there clear procedures for oversight, accountability and lines of authority for decisions related to personal information security?
Is it clear who is responsible for the overall operational oversight and strategic direction of your information handling projects?
Are there distinct areas or persons who have responsibility for security and privacy issues?
Are these areas or persons aware of what personal information you hold and where and how it is held?
If there are several areas or teams responsible for information security and privacy, are there governance arrangements in place to ensure that they work together, creating a focal point for privacy advice and solutions and preventing silos?
Are regular meetings held at the senior management and operational level to discuss security and privacy issues and incidents?
Do your change management processes include consideration of the effect of changes on personal information security?
Do governance arrangements include risk management and business continuity plans?
Are there ICT governance protocols in place? For example are there persons responsible for the accreditation and approval of personal information security controls to ensure that each control is effective and appropriate?
Personnel security and training:
Personal information security includes ensuring your entire staff are aware of their privacy and security obligations (including senior management). Human error can be a contributing cause to data breaches and undermine otherwise robust security practices where the systems have not been designed to deal with it.
It is therefore important that all staff understand the importance of good information handling and security practices. Privacy training may help staff understand their responsibilities and avoid practices that would breach your privacy obligations. Training should take into account new starters, contractors and temporary staff.
Where appropriate, do staff have appropriate security clearances or undergo security vetting?
Are staff provided with training on physical and ICT security and the handling of personal information?
When is training provided to new starters?
Is training also provided to short term staff and contractors?
Is refresher training provided to your staff and does this occur on a regular basis?
Are your staff informed of your internal practices, procedures and systems which relate to the handling of personal information? (see ‘Internal practices, procedures and systems’ section below)
How are your staff informed of changes to these practices, procedures and systems?
Is personal information security training of staff considered at the project design stage?
Is there an appropriate amount of training, resourcing and active management support to promote a privacy and security aware culture?
Does training emphasise to staff the importance of not accessing personal information or databases unnecessarily?
Does training make it clear to staff what would constitute misuse of personal information?
Does training cover identity authentication procedures?
Does training emphasise to staff the importance of authentication processes not infringing customer/client privacy?
Does this training cover recognising and avoiding inadvertent disclosures?
When verifying an individual’s identity?
When publishing files online — are staff trained to identify and remove embedded personal information not intended for public release?
Does training address the need to avoid weak passphrases and passphrase reuse?
Are staff reminded on a regular basis of their obligations to handle personal information appropriately?
Are there signs in the workplace or alerts on computer systems?
Do computer logon screens outline staff privacy and security responsibilities?
When a staff member moves to a different position, or leaves your organisation or agency, is their access to personal information reviewed or revoked?
Are staff trained to report privacy issues to the area or persons who have responsibility for security and privacy issues?
Does training cover recognising and avoiding ‘phishing’ and ‘spear phishing’ attacks and ‘social engineering’?
Are staff advised on how to mitigate against unauthorised access if they discuss customers’ or clients’ personal information over the telephone?
Are there procedures governing the printing of documents containing personal information?
Is there a policy that covers information security when staff members work offsite, such as from home, a secondary site office or a temporary office?
What standards of physical security are applied to those workspaces, for example, the appropriate storage of physical files?
If employees are given remote access to work ICT systems, what measures are in place to secure this access?
Who has overall responsibility for the security of personal information at those workspaces?
Are there clear policies governing the use of end-user mobile devices, including use of staff’s own devices (known as ‘Bring Your Own Device (BYOD)’) and procedures for taking work home?
Are there minimum standards for security of end-user mobile devices (such as password protection, encryption)?
Are return address labels placed on end-user mobile devices in case of loss?
Are staff members educated about the risks of accessing or handling the entity’s data on unauthorised/insecure devices, including the risks associated with BYOD practices?
If it is necessary for staff to take personal information off the premises, what steps do you take to ensure the security of personal information that is removed?
Is confidential business information segregated from personal user information?
2)
Internet privacy involves the right or mandate of personal privacy concerning the storing, repurposing, provision to third parties, and displaying of information pertaining to oneself via the Internet. Internet privacy is a subset of data privacy. Privacy concerns have been articulated from the beginnings of large scale computer sharing.
Privacy can entail either Personally Identifying Information (PII) or non-PII information such as a site visitor's behavior on a website. PII refers to any information that can be used to identify an individual. For example, age and physical address alone could identify who an individual is without explicitly disclosing their name, as these two factors are unique enough to typically identify a specific person.
Some experts such as Steve Rambam, a private investigator specializing in Internet privacy cases, believe that privacy no longer exists; saying, "Privacy is dead – get over it". In fact, it has been suggested that the "appeal of online services is to broadcast personal information on purpose." On the other hand, in his essay The Value of Privacy, security expert Bruce Schneier says, "Privacy protects us from abuses by those in power, even if we're doing nothing wrong at the time of surveillance."
Privacy issues of social networking sites:
The advent of the Web 2.0 has caused social profiling and is a growing concern for Internet privacy. Web 2.0 is the system that facilitates participatory information sharing and collaboration on the Internet, in social networking media websites like Facebook, Instagram, Twitter, and MySpace. These social networking sites have seen a boom in their popularity starting from the late 2000s. Through these websites many people are giving their personal information out on the internet.
It has been a topic of discussion of who is held accountable for the collection and distribution of personal information. Some will say that it is the fault of the social networks because they are the ones who are storing the vast amounts of information and data, but others claim that it is the users who are responsible for the issue because it is the users themselves that provide the information in the first place. This relates to the ever-present issue of how society regards social media sites. There is a growing number of people that are discovering the risks of putting their personal information online and trusting a website to keep it private.
In 2013 a class action lawsuit was filed against Facebook alleging the company scanned user messages for web links, translating them to “likes” on the user’s Facebook profile. Data lifted from the private messages was then used for targeted advertising, the plaintiffs claimed. "Facebook's practice of scanning the content of these messages violates the federal Electronic Communications Privacy Act (ECPA also referred to as the Wiretap Act), as well as California's Invasion of Privacy Act (CIPA), and section 17200 of California's Business and Professions Code," the plaintiffs said. This shows that once information is online it is no longer completely private. It is an increasing risk because younger people are having easier internet access than ever before, therefore they put themselves in a position where it is all too easy for them to upload information, but they may not have the caution to consider how difficult it can be to take that information down once it is out in the open. This is becoming a bigger issue now that so much of society interacts online, which was not the case fifteen years ago. In addition, because of the quickly evolving digital media arena, people's interpretation of privacy is evolving as well, and it is important to consider that when interacting online. New forms of social networking and digital media such as Instagram and Snapchat may call for new guidelines regarding privacy. What makes this difficult is the wide range of opinions surrounding the topic, so it is left mainly up to our judgement to respect other people's online privacy in some circumstances. Sometimes it may be necessary to take extra precautions in situations where somebody else may have a tighter view on privacy ethics. No matter the situation it is beneficial to know about the potential consequences and issues that can come from careless activity on social networks.
Other potential Internet privacy risks:
a) Malware is a term short for "malicious software" and is used to describe software to cause damage to a single computer, server, or computer network whether that is through the use of a virus, trojan horse, spyware, etc.
b) Spyware is a piece of software that obtains information from a user's computer without that user's consent.
c) A web bug is an object embedded into a web page or email and is usually invisible to the user of the website or reader of the email. It allows checking to see if a person has looked at a particular website or read a specific email message.
d) Phishing is a criminally fraudulent process of trying to obtain sensitive information such as user names, passwords, credit card or bank information. Phishing is an internet crime in which someone masquerades as a trustworthy entity in some form of electronic communication.
e) Pharming is a hacker's attempt to redirect traffic from a legitimate website to a completely different internet address. Pharming can be conducted by changing the hosts file on a victim’s computer or by exploiting a vulnerability on the DNS server.
f) Social engineering, where people are manipulated or tricked into performing actions or divulging confidential information.
g) Malicious proxy server (or other "anonymity" services).
h) Use of weak passwords that are short, consist of all numbers, all lowercase or all uppercase letters, or that can be easily guessed such as single words, common phrases, a person's name, a pet's name, the name of a place, an address, a phone number, a social security number, or a birth date.
i) Using the same login name and/or password for multiple accounts where one compromised account leads to other accounts being compromised.
j) Allowing unused or little used accounts, where unauthorized use is likely to go unnoticed, to remain active.
k) Using out-of-date software that may contain vulnerabilities that have been fixed in newer more up-to-date versions.
l) WebRTC is a protocol which suffers from a serious security flaw that compromises the privacy of VPN-tunnels, by allowing the true IP address of the user to be read. It is enabled by default in major browsers such as Firefox and Google Chrome.
Reduction of risks to Internet privacy:
Inc. magazine reports that the Internet's biggest corporations have hoarded Internet users' personal data and sold it for large financial profits. The magazine reports on a band of startup companies that are demanding privacy and aiming to overhaul the social-media business, such as Wickr, a mobile messaging app, described as using peer-to-peer encryption and giving the user the capacity to control what information is retained on the other end; Ansa, an ephemeral chat application, also described as employing peer-to-peer encryption; and Omlet, an open mobile social network, described as giving the user control over their data so that if a user does not want their data saved, they are able to delete it from the data repository.
Hope this is helpful.
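A defensive check for the hosts-file route to pharming named in item (e), added here as an example and not part of the original answer: it parses a hosts file and reports every hostname pinned to a routable address, since such an entry overrides DNS for that name. The function names, the watched-domain list and the sample file are assumptions made for illustration.

```python
import ipaddress

# Constructed sample hosts file (not from the original page). Names use
# reserved example domains; 203.0.113.0/24 is a documentation address range.
SAMPLE_HOSTS = """\
# local entries
127.0.0.1   localhost
::1         localhost ip6-localhost
0.0.0.0     ads.tracker.example      # sinkhole entry
203.0.113.10 www.bank.example login.bank.example
not-an-ip   broken.example
192.168.1.20 nas.home.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, names) for each well-formed mapping line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue                             # blank or incomplete line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed address: skip
        yield line_no, ip, [n.lower().rstrip(".") for n in fields[1:]]

def audit_hosts(text, watched_suffixes):
    """Return (line_no, name, ip, severity) for names pinned to a real host.

    Loopback and unspecified (0.0.0.0 / ::) targets are ignored because they
    are the normal localhost and ad-sinkhole entries. Anything else bypasses
    DNS for that name; it is "high" when the name falls under a watched
    domain (hypothetical list supplied by the caller), otherwise "review".
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        for name in names:
            watched = any(name == s or name.endswith("." + s)
                          for s in watched_suffixes)
            findings.append((line_no, name, str(ip),
                             "high" if watched else "review"))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, ["bank.example"]):
        print(finding)
```

On a real machine the text would be read from `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts`, and the watched list would hold the domains whose redirection matters most to the user.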