Location privacy: The challenges of mobile service devices

Adding to the current debate, this article focuses on the personal data and privacy challenges posed by private industry's use of smart mobile devices that provide location-based services to users and consumers. Directly relevant to personal data protection are valid concerns about the collection, retention, use and accessibility of this kind of personal data, in relation to which a key issue is whether valid consent is ever obtained from users. While it is indisputable that geo-location technologies serve important functions, their potential use for surveillance and invasion of privacy should not be overlooked. Thus, in this study we address the question of how a legal regime can ensure the proper functionality of geo-location technologies while preventing their misuse. In doing so, we examine whether information gathered from geo-location technologies is a form of personal data, how it is related to privacy and whether current legal protection mechanisms are adequate. We argue that geo-location data are indeed a type of personal data. Not only is this kind of data related to an identified or identifiable person, it can reveal also core biographical personal data. What is needed is the strengthening of the existing law that protects personal data (including location data), and a flexible legal response that can incorporate the ever-evolving and unknown advances in technology.     

Sorting out smart surveillance

Surveillance is becoming ubiquitous in our society. We can also see the emergence of “smart” surveillance technologies and the assemblages (or combinations) of such technologies, supposedly to combat crime and terrorism, but in fact used for a variety of purposes, many of which are intrusive upon the privacy of law-abiding citizens. Following the dark days of 9/11, security and surveillance became paramount. More recently, in Europe, there has been a policy commitment to restore privacy to centre stage. This paper examines the legal tools available to ensure that privacy and personal data protection are respected in attempts to ensure the security of our society, and finds that improvements are needed in our legal and regulatory framework if privacy is indeed to be respected by law enforcement authorities and intelligence agencies. It then goes on to argue that privacy impact assessments should be used to sort out the necessity and proportionality of security and surveillance programmes and policies vis-à-vis privacy.     

Video surveillance in public space in China

Video surveillance device has been widely installed in public places at present. How should the right of privacy under video surveillance in public space be considered and protected effectively? There is no enough attention in the existing legislation of China, which results in a relatively conservative attitude in the judicial system of China. In fact, it is supposed to have privacy interests in public space. Privacy is not simply an absence of information about people in the minds of others. Moreover, it is the control over information about ourselves. Unlike casual glimpse by passers-by, the continuous, intentional and intensive focus of video cameras make individuals lose control of their information, which consequently leads to lose their privacy interests in public space. Thus, in order to protect personal privacy interests and defend personal justice in public space, it is necessary to regulate video surveillance in public space in legislation and judicature.     

Asymmetries of control: Surveillance,intrusion, and corporate theft of privacy

This paper deals with the asymmetry in relations between the individual actor and the corporation. In particular the paper focuses on the impact of corporate use of technologies of surveillance, ostensibly to reduce crime and to increase efficiency. A case is made that the use of these technologies to invade citizens' personal privacy in order to procure personal information without consent is a still-unrecognized form of corporate theft. Steps toward a remedy are suggested.     

Constructing a surveillance impact assessment

This paper describes surveillance impact assessment (SIA), a methodology for identifying, assessing and resolving risks, in consultation with stakeholders, posed by the development of surveillance systems. This paper appears to be the first such to elaborate an SIA methodology. It argues that the process of conducting an SIA should be similar to that of a privacy impact assessment (PIA), but that an SIA must take account of a wider range of issues, impacts and stakeholders. The paper categorises the issues and impacts to be considered in the conduct of an SIA and identifies the benefits of a properly conducted SIA.     

Normative challenges of identification in the Internet of Things: Privacy,profiling, discrimination,and the GDPR

In the Internet of Things (IoT), identification and access control technologies provide essential infrastructure to link data between a user's devices with unique identities, and provide seamless and linked up services. At the same time, profiling methods based on linked records can reveal unexpected details about users' identity and private life, which can conflict with privacy rights and lead to economic, social, and other forms of discriminatory treatment. A balance must be struck between identification and access control required for the IoT to function and user rights to privacy and identity. Striking this balance is not an easy task because of weaknesses in cybersecurity and anonymisation techniques. The EU General Data Protection Regulation (GDPR), set to come into force in May 2018, may provide essential guidance to achieve a fair balance between the interests of IoT providers and users. Through a review of academic and policy literature, this paper maps the inherent tension between privacy and identifiability in the IoT. It focuses on four challenges: (1) profiling, inference, and discrimination; (2) control and context-sensitive sharing of identity; (3) consent and uncertainty; and (4) honesty, trust, and transparency. The paper will then examine the extent to which several standards defined in the GDPR will provide meaningful protection for privacy and control over identity for users of IoT. The paper concludes that in order to minimise the privacy impact of the conflicts between data protection principles and identification in the IoT, GDPR standards urgently require further specification and implementation into the design and deployment of IoT technologies.     

Tackling the U3 trend with computer forensics

A new technology has emerged, allowing applications to be stored and run on portable devices, such as flash drives and iPods. Sandisk's U3™ smart technology appears to be becoming the standard in this new realm of portability. With the advent of this technology, questions are arising as to the effects it will have on computer forensic investigations. Probably hundreds of thousands of people have purchased devices with U3 or similar technologies already. The fear is that these people will be able to plug their devices into computers, do their misdeeds and then simply unplug those devices, removing any trace. This article will illustrate that this is not the case and will discuss different artifacts that a device such as this will leave behind. For the purposes of this illustration we have investigated the use of some of the most common applications used on U3 drives. This information will serve as a guide to investigating computer crimes perpetrated via U3 or similar technologies. Investigators must keep in mind during their investigations the possibility that their suspects have used such technology, particularly when their investigations seem to lead to a dead end.     

Prisoners' expectations of the national forensic DNA database: surveillance and reconfiguration of individual rights

In this paper we aim to discuss how Portuguese prisoners know and what they feel about surveillance mechanisms related to the inclusion and deletion of the DNA profiles of convicted criminals in the national forensic database. Through a set of interviews with individuals currently imprisoned we focus on the ways this group perceives forensic DNA technologies. While the institutional and political discourses maintain that the restricted use and application of DNA profiles within the national forensic database protects individuals' rights, the prisoners claim that police misuse of such technologies potentially makes it difficult to escape from surveillance and acts as a mean of reinforcing the stigma of delinquency. The prisoners also argue that additional intensive and extensive use of surveillance devices might be more protective of their own individual rights and might possibly increase potential for exoneration.     

Unmanned aircraft systems: Surveillance,ethics and privacy in civil applications

This paper examines how the use of unmanned aircraft systems (UASs) for surveillance in civil applications impacts upon privacy and other civil liberties. It argues that, despite the heterogeneity of these systems, the same “usual suspects” – the poor, people of colour and anti-government protesters – are targeted by UAS deployments. It discusses how current privacy-related legislation in the US, UK and European Union might apply to UASs. We find that current regulatory mechanisms do not adequately address privacy and civil liberties concerns because UASs are complex, multimodal surveillance systems that integrate a range of technologies and capabilities. The paper argues for a combination of top-down, legislated requirements and bottom-up impact assessments to adequately address privacy and civil liberties.     

Pondering personal privacy: a pragmatic approach to the Fourth Amendment protection of privacy in the information age

As technology with surveillance capacities has advanced, the debate over the rights of the citizenry to be free from governmental breaches of personal privacy has intensified. Within the United States, government actions legally challenged as intrusions into personal privacy have been analyzed under the Fourth Amendment, but Supreme Court rulings in such cases lack a clear and consistent rationale. Additionally, while more than a dozen federal privacy statutes have been enacted, each piece of legislation pertains to a specific type of information (e.g. driver’s license information, education records, and financial records). There is no overarching federal legislation which protects the individual’s private affairs from warrantless government inspection. A key issue underlying the scope of the debate and the variation in court decisions and public policies pertinent to invasions of privacy by government agencies is the lack of a clear and cogent definition of ‘privacy.’ By means of a review of the evolution of legal protections of privacy under the Fourth Amendment and a review of the evolution of technology with surveillance applications, it is suggested that there is a need for a sound operational definition of privacy. As a starting point for an informed and pragmatic dialogue on this matter, an operational definition of privacy built upon extant case and statutory law is provided.     

Citizen acceptance of police interventions: an example of CCTV surveillance in Las Vegas,Nevada

Efforts to install crime cameras in public are sometimes met with resistance from segments of the community who raise concerns over personal privacy. Drawing on an example from Las Vegas, NV, this paper explores community acceptance of CCTV cameras placed in a high-crime public location. In doing so, the paper applies a theoretical model that describes the mechanism by which private citizens accept interventions developed by police or other security officials. The paper analyzes specific privacy concerns raised by camera opponents and classifies the methods that police used to address those concerns and gain community support.     

When video cameras watch and screen: Privacy implications of pattern recognition technologies

Computer vision technologies based on pattern recognition software will soon allow identifying human behaviour that deviates from a pre-defined normality. Such applications are foreseen, amongst others, to be used in public places with purposes of crime prevention, especially in the context of the fight against terrorism. This technology increases the level of automation of video surveillance, changing the main nature of surveillance. The balance of power between the citizen and the State is altered, calling for a new balancing of interests. The automation of risk detection moreover raises the issue of the protection against partially automated decision-making. This paper will deal with the challenges raised by proactive video surveillance technologies to the way how privacy and security have been balanced so far. Attention will moreover be brought to the new safeguards that should be devised to protect the citizens from increased scrutiny and growing automation of the decision-making process.     

Restrictions on cryptography in India – A case studyof encryption and privacy

The developments of technology in communications industry have radically altered the ways in which we communicate and exchange information. Along with the speed, efficiency, and cost-saving benefits of the digital revolution come new challenges to the security and privacy of communications and information traversing the global communications infrastructure. As is with any technology the misuse of technology is noticed similarly the encryption technology. Encryption and other advanced technologies may be used, with direct impact on law enforcement and therefore some restrictions are necessary in the interests of national security. The problem, however, is ensuring that the restriction is legitimate and solely for in the interests of national security, the state not being allowed to interfere and keep a track on individuals' activities and private lives without sufficient cause. The individual needs encryption to protect their personal privacy and confidential data such as medical information, personal financial data, and electronic mail. In a networked environment, such information is increasingly at risk of being stolen or misused. Therefore, encryption is critical to building a secure and trusted global information infrastructure. Digital computers have changed the landscape considerably and the entire issue, at its simplest level, boils down to a form of balancing of interests. The specific legal and rights-related problems arising from the issue of cryptography and privacy in the Indian context are examined in this paper.     

Standards for privacy of individually identifiable health information. Office of the Assistant Secretary for Planning and Evaluation, DHHS. Proposed rule

This rule proposes standards to protect the privacy of individually identifiable health information maintained or transmitted in connection with certain administrative and financial transactions. The rules proposed below, which would apply to health plans, health care clearinghouses, and certain health care providers, propose standards with respect to the rights individuals who are the subject of this information should have, procedures for the exercise of those rights, and the authorized and required uses and disclosures of this information. The use of these standards would improve the efficiency and effectiveness of public and private health programs and health care services by providing enhanced protections for individually identifiable health information. These protections would begin to address growing public concerns that advances in electronic technology in the health care industry are resulting, or may result, in a substantial erosion of the privacy surrounding individually identifiable health information maintained by health care providers, health plans and their administrative contractors. This rule would implement the privacy requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996.     

Surveillance deputies: When ordinary people surveil for the state

The state has long relied on ordinary civilians to do surveillance work, but recent advances in networked technologies are expanding mechanisms for surveillance and social control. In this article, we analyze the phenomenon in which private individuals conduct surveillance on behalf of the state, often using private sector technologies to do so. We develop the concept of surveillance deputies to describe when ordinary people, rather than state actors, use their labor and economic resources to engage in such activity. Although surveillance deputies themselves are not new, their participation in everyday surveillance deputy work has rapidly increased under unique economic and technological conditions of our digital age. Drawing upon contemporary empirical examples, we hypothesize four conditions that contribute to surveillance deputization and strengthen its effects: (1) when interests between the state and civilians converge; (2) when law institutionalizes surveillance deputization or fails to clarify its boundaries; (3) when technological offerings expand personal surveillance capabilities; and (4) when unequal groups use surveillance to gain power or leverage resistance. In developing these hypotheses, we bridge research in law and society, sociology, surveillance studies, and science and technology studies and suggest avenues for future empirical investigation.     

Standards for privacy of individually identifiable health information. Office of the Assistant Secretary for Planning and Evaluation, DHHS. Final rule

This rule includes standards to protect the privacy of individually identifiable health information. The rules below, which apply to health plans, health care clearinghouses, and certain health care providers, present standards with respect to the rights of individuals who are the subjects of this information, procedures for the exercise of those rights, and the authorized and required uses and disclosures of this information. The use of these standards will improve the efficiency and effectiveness of public and private health programs and health care services by providing enhanced protections for individually identifiable health information. These protections will begin to address growing public concerns that advances in electronic technology and evolution in the health care industry are resulting, or may result in, a substantial erosion of the privacy surrounding individually identifiable health information maintained by health care providers, health plans and their administrative contractors. This rule implements the privacy requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996.     

The retention of personal information online: A call for international regulation of privacy law

New technologies permit online businesses to reduce expenses and increase efficiency by, for example, storing information in “the cloud”, engaging in online tracking and targeted advertising, location and tracking technologies, and biometrics. However, the potential for technology to facilitate long term retention of customers' personal information raises concerns about the competing right of individuals to the privacy of their personal information. Although the European Commission has recently released a proposal for regulation to “provide a data subject with the right to be forgotten and to erasure”, neither the OECD Privacy Guidelines nor the APEC Privacy Framework includes any requirement to delete personal information. While New Zealand includes a “limited retention principle” in the Privacy Act 1993, apart from one limited exception the privacy principles cannot be enforced in court. Taking New Zealand privacy law as an example, this paper examines the issue of retention of customer data, explains why this is a serious problem and argues that although it could be addressed by appropriate amendments to domestic laws, domestic privacy legislation may not be sufficient in an online environment. In the same way as other areas of law, such as the intellectual property regime, have turned to global regulatory standards which reflect the international nature of their subject matter, international privacy regulation should be the next stage for the information privacy regime.     

公共空间运用大规模监控的法理逻辑及限度——基于个人信息有序共享之视角

为应对现代化进程中的社会风险,安抚公众对风险的恐慌情绪,公共空间大规模监控随之诞生,并迅速在现实社会和网络空间中全面运用。公共治理不能取安全保障而舍隐私保护,公共空间大规模监控的运用并非以牺牲隐私权为代价,而是在保障安全法益的同时兼顾隐私法益的保护。在此"既保障安全,又保护隐私"的法理念下,公共空间大规模监控的运用体现了风险治理从个人本位走向社会本位的转变趋势,并促进了个人信息保护从自主支配到有序共享的逻辑转换。为寻求安全保障与隐私保护之间的平衡路径,在公共空间合理运用大规模监控措施,就必须加强信息收集、存储、使用的阶段性控制,建立个人信息合理使用制度,实现个人信息的有序共享。