Privacy in the Information Age
Copyright Graham K Smith © 1994. All Rights Reserved.
Abstract
Using current UK legislation as a starting point, this paper briefly discusses the impact that the changing role of technology is having upon each individual's right to privacy. It concludes by challenging the computing fraternity to exercise social responsibility for their profession.
The UK Data Protection Act
Historical Perspective
Recent media reports tend to the conclusion that individual privacy
is coming under attack: the potential for abuse in computer-held data
is much greater than it ever was for paper-based systems.
Yet this is not a new phenomenon: in 1969 Lord Windlesham introduced
a private member's bill dealing specifically with computerised personal
records. Although unsuccessful this bill together with another,
also unsuccessful, private member's bill presented in 1970 led
to government concern and resulted in the appointment of a committee
under Sir Kenneth Younger "To consider whether legislation is needed
to give further protection to the individual citizen and to commercial
and industrial interests against intrusions into privacy by private
persons and organisations or by companies and to make recommendations."
The Younger Report, published in 1972, provided
confirmation of the existence of a level of concern about computers.
It stated: "We cannot on the evidence before us conclude that the
computer as used in the private sector is at present a threat to
privacy, but we recognize that there is a possibility of such a
threat becoming a reality in the future." [2]
Concerns over personal privacy
It seems incredible that, in the days before Personal Computers had
been invented and even students on degree courses accessed computers
by means of stacks of punched cards and reams of continuous listing
paper, the British Government had recognized that increasingly data
held on powerful computers were becoming open to abuse in ways that
posed threats to individual privacy. The cynic might observe that
the Younger Committee's investigations were explicitly limited to
the private sector (despite strong pressure from a variety of sources,
and in rejection of proposals from the Committee Chairman himself,
both the then Labour Government, and its successor Conservative Government,
on taking office, declined to modify the terms of reference to include
the public sector), and that it was the adoption of the "Convention
for the Protection of Individuals with Regard to Automatic Processing
of Personal Data" in 1981 by The Council of Europe (CoE) [3],
following on from its adoption by the Council of the Organization
for Economic Co-operation and Development (OECD) in 1980 [4],
that provided the stimulus for enactment of The Data
Protection Act [5]. However, we are now jumping ahead, and must
return to the events of 1975.
It was three years after publication of the Younger Report that
a Government White Paper was issued on "Computers
and Privacy" [6] together with a supplement "Computers:
Safeguards for Privacy" [7]. These papers responded to the Younger
Report findings relative to the private sector and provided evidence
that a parallel, but unpublished, study of confidentiality in State
computer installations had also taken place. In the White Paper,
the Government proposed legislating both to set standards governing
the use of computers that handle personal information; and also
to establish a "permanent statutory agency to oversee the use of
computers in both the public and private sectors, to ensure that
they are operated with proper regard for privacy and with the necessary
safeguards for the personal information which they contain." A further
committee, this time under the Chairmanship of Sir
Norman Lindop, was established in 1976. Its terms of reference
focused upon the narrower concern of computers and data processing:
"To advise the Government on the permanent control machinery
needed to ensure that all existing and future computers holding
personal information, in both the public and private sectors, are
operated with appropriate safeguards for privacy, and to consider
and refine the objectives to be incorporated in legislation establishing
permanent safeguards."
The committee reported in 1978 [8], recommending
various actions including the establishment of a Data Protection Authority.
Unfortunately by this time work was underway at the OECD, and the
government deferred taking action on Sir Norman's recommendations
pending discussions on the embryonic OECD guidelines
[9] (all twenty-four OECD member countries have now accepted these
guidelines). In time, those guidelines matured into the previously
mentioned CoE Convention [10] which has now been
signed by the UK, along with nineteen of the thirty other states (thirteen
states, including ten EC member states, have now ratified this Convention
by enacting domestic data protection legislation).
In order to ratify the Convention, it is necessary to pass (and
implement) appropriate domestic legislation. The government thus
issued a further White Paper in 1982, endorsing the CoE principles
in order to ratify the Convention and proposing the establishment
of the Information Commissioner. A Bill, published later the same
year, failed in June 1983 because of a general election. It was
revised and brought before Parliament again the following year,
and received the Royal Assent on 12 July 1984.
Trade Considerations
Writing in 1985, Greville Janner [11] described
the main object of introducing the UK's Data Protection Act as "to
ensure that the UK is not excluded from various trade deals which
involve the transport or transmission of personal data." This
fear of losing contracts for lack of data protection legislation is
possibly nearer the truth: some third world countries are now using
such legislation to create non-tariff barriers around indigenous data
processing companies. Such actions tend to give credence to the belief
that the main driving factor behind legislation is creation of corporate
wealth, rather than protection of the individual citizen.
Purpose of the Act
As has been stated earlier, the Data Protection Act was designed to
allow the United Kingdom to ratify the CoE "Convention
for the Protection of Individuals with regard to Automatic Processing
of Personal Data" [12].
The Convention has two objectives:
- to protect individuals in circumstances where information about
them is processed automatically;
- to facilitate a common international standard of protection
for individuals, such that the free flow of information across
international boundaries can proceed properly.
The Data Protection Act is therefore concerned with information about
individuals which is processed by computer (personal data). It introduced
significant new rights for individuals to whom that information relates
(Data Subjects). Such an individual generally has the right to:
- claim compensation for damage and any associated distress arising
from the loss or unauthorised destruction or disclosure of personal
data relating to him or her, or arising from the inaccuracy of
such data;
- have a copy of the information about him or her which is held
in computers (the "subject access" right);
- challenge the information if he or she believes it to be wrong
and, where appropriate, have it corrected or erased.
The Act places obligations on those who use personal data in computers
(Data Users). They must be open about that use (through the Data Protection
Register) and follow sound and proper practices (the Data Protection
Principles). Computer Bureaux have more limited obligations mainly
concerned with maintaining appropriate security around personal data.
The Act established the Information Commissioner in a position
of independence reporting directly to Parliament. The Registrar
is charged with administering the Act and supervising its operation.
His decisions are subject to the supervision of the Courts and the
Data Protection Tribunal, which was also established by the Act
[13].
The Data Protection Principles
The Act was designed to ensure that "personal data" are used only
in accordance with eight general principles, which are themselves
intended to accord with the CoE Convention:
- The information to be contained in personal data shall be obtained,
and personal data shall be processed, fairly and lawfully.
- Personal data shall be held only for one or more specified and
lawful purposes.
- Personal data held for any purpose or purposes shall not be used
or disclosed in any manner incompatible with that purpose or those
purposes.
- Personal data held for any purpose or purposes shall be adequate,
relevant and not excessive in relation to that purpose or purposes.
- Personal data shall be accurate and, where necessary, kept up
to date.
- Personal data held for any purpose or purposes shall not be kept
longer than is necessary for that purpose or those purposes.
- An individual shall be entitled:
(a) at reasonable intervals and without undue delay or expense:-
(i) to be informed by any Data User whether he holds personal
data of which that individual is the subject, and
(ii) to access to any such data held by a Data User; and
(b) where appropriate, to have such data corrected or erased.
- Appropriate security measures shall be taken against unauthorized
access to, or alteration, disclosure or destruction of, personal
data and against accidental loss or destruction of personal data.
Note that all eight principles apply to Data Users, only the eighth
applies to Computer Bureaux.
The Operation of the Act
Others have commented on the inability of the Registrar's small staff to have any significant national effect in
overseeing compliance with the data protection principles6.
In practice the primary method of monitoring compliance must be subject access (this is not a satisfactory system
for checking disclosure to third parties, but at least the subject should be able to check compliance with the
quality principles and also, to some extent, sources), yet this right is exercised so infrequently that most data
users have not found it necessary to have routine procedures in place to deal with such requests.
Proposals for a new European law of privacy
Those who think that the current Data Protection Act is in need of updating may be pleased to learn that the
European Commission has recently published an amended proposal for a Council Directive [14] to
strengthen individuals' rights of information privacy and self-determination. This follows on from an abortive
attempt to introduce a similar measure, opposed at the time by UK, France and Germany, in 1990.
Changes from the current UK position are being proposed in a number of areas, principally widening the definitions
of what constitutes "personal data" and "processing" so as to remove many existing restrictions (eg personal data
is extended to include any information relating to an identifiable natural person; it is difficult to imagine any
activity relating to information about individuals, whether or not by automatic means, which will be able to escape
the "processing" definition) as well as requiring that the data subject's consent must normally be obtained to their
information being processed. The 1992 Privacy Directive also aims to strengthen control over trans border data
transfers (eg by restricting the content of flows such as the transmission of data between a company and its
overseas subsidiaries), although the proposals have been watered down significantly from those put forward in 1990.
All this is being done "in the interests of securing free flows of personal data within the European Communities"
which somehow begs the question: if this is the objective, why create a right of privacy, which goes considerably
further than the Council of Europe's 1981 "Convention for the Protection of Individuals With Regard to Automatic
Processing of Personal Data", extending to all forms of structured information relating to identifiable natural
persons, whether alive or dead? The author is of the opinion that the answer lies in a growing awareness of the
potential for abuse of personal information, both in the private and public sectors, by unrestricted data flows.
This view is supported by provisions contained within the recently-published ISDN Directive [15],
which would allow telephone service providers to collect and store only that information about their customers which
is necessary to provide requested services.
Changes in Technology
Moving forward into the Information Age
It was in World War II that electronic computers first became a
reality. Developed in secret, primarily to break codes and ciphers, some leading scientists thought that there
would never be a need for more than half a dozen "computational machines" in the entire world.
Today, we live in the new "information age" - an era brought into existence by developments in electronic
engineering that formed the subject matter for science fiction writers less than thirty years ago. From its
origins in the field of semiconductor physics, the ubiquitous "chip" has now become an integral part of our daily
lives, bringing us such items as: personal computers, fax machines, ISDN, wireless digital networks, cellular
phones and exposing us to such services as cable TV, direct mail, telephone calling line identity (CLI)
[16] and credit cards.
Never before has it been possible for someone to access so much information so quickly and in such a structured
manner. Twenty years ago our library tickets were little cardboard folders holding a book's identity card, stored
in long wooden racks by date order. To recall a reserved book meant the librarian had to spend so long in looking
through the folders to see who had the book on loan that many libraries used any available excuse to withdraw the
service. Nowadays loan details for all copies of a particular title can be found at the press of a button!
Alongside these technological developments a remarkably stable political climate has led to the cultural changes
which are now forcing the pace in moving towards the emergence of a global economy.
Electronic Surveillance
Information gathering for taxation purposes previously requiring whole populations moving across continents
(eg Luke's Gospel 2:1-4) can now be accomplished by electronically harvesting individual data records from
disparate sources (eg Inland Revenue records, Bank and Credit Card account data, Supermarket EPOS systems,
Immigration Records, Telephone call billing systems, Petrol Station sales records, Credit Reference Agency
data banks) and using fuzzy logic techniques to identify matching data items, thus building up a composite
record of one's lifestyle. Never before has it been possible to illicitly undertake such wholesale monitoring
of people's activity using multiple data records which, although not ordinarily sensitive when taken on their
own, become so in combination. Some have argued [17] that if each type of data is protected against deliberate
theft and careless disclosure, regardless of whether held on computer or other files, the extent of extra
precautions necessary to prevent combinations would be minimized. David Tebbutt recently drew attention to an
airline which is already starting to link databases from its many business interests (eg hotels, entertainment
and car-hire operations) in order to use the resulting knowledge to "sell you stuff at every point of contact"
[18]. This theme was continued by Stuart Baker at the Fourth Conference on Computers,
Freedom and Privacy [19]:
"Much of the privacy problems that we see in an electronic world are not because people are
intercepting our communications; they're because we are giving it away. But what we don't like is that
there are people now in a position to collate it all from public stuff that we willingly gave up."
Of course, problems arise when attempting to link records which have been collected at different times and for
different purposes. Credit card companies need to have very fast access to account details using the card number
alone, but nevertheless want to be able to know which cards the individual has had issued. To resolve this
dilemma they might allocate a unique identification code to the individual, perhaps comprising the first five
characters of surname plus first initial and date of birth. It immediately becomes apparent that, although it
may suffice for a small credit card company, such a coding system would result in multiple individuals sharing
the same code. Because of such difficulties most data users key their data on existing codes (eg employee's NI
number) that they hope will reduce the likelihood of duplications. Various government attempts at uniquely
numbering individuals (eg the "Australia Card") have met with stoic resistance (as many as 100,000 US citizens
may be using the same Social Security Number, the SSN first appearing on a sales card inside a 1950's wallet
[20]).
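The coding scheme described above, worked through as an added example (it is not part of the original paper): the code is built from the first five characters of surname, the first initial and the date of birth, then checked against a small set of constructed records for both failure modes, different people sharing one code and one person ending up under two codes. The padding character, the date layout, the record fields and the ground-truth `person` labels are assumptions made for the illustration.

```python
"""Added example: weaknesses of a surname + initial + date-of-birth linkage code."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
import unicodedata


def _letters(text: str) -> str:
    """Upper-case ASCII letters only (accents, apostrophes and spaces dropped)."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if c.isascii() and c.isalpha()).upper()


def linkage_code(surname: str, forename: str, dob: date) -> str:
    """First five characters of surname + first initial + date of birth.

    Assumptions: short surnames are padded with 'X' and the date is
    written as YYYYMMDD; the paper does not specify either detail.
    """
    surname_part = _letters(surname)[:5].ljust(5, "X")
    initial = _letters(forename)[:1] or "X"
    return f"{surname_part}{initial}{dob:%Y%m%d}"


@dataclass(frozen=True)
class Record:
    source: str    # which system supplied the record
    person: str    # ground truth, known only because the data is constructed
    surname: str
    forename: str
    dob: date

    @property
    def code(self) -> str:
        return linkage_code(self.surname, self.forename, self.dob)


# Constructed sample data: no real individuals.
RECORDS = [
    Record("card issuer", "A", "Smith", "John", date(1960, 3, 14)),
    Record("card issuer", "A", "Smith", "John", date(1960, 3, 14)),
    Record("card issuer", "B", "Smithson", "Jane", date(1960, 3, 14)),
    Record("retailer", "C", "Smithers", "James", date(1960, 3, 14)),
    Record("card issuer", "D", "O'Brien", "Mary", date(1955, 11, 2)),
    Record("retailer", "D", "Hughes", "Mary", date(1955, 11, 2)),  # surname changed
    Record("card issuer", "E", "Ng", "Li", date(1970, 1, 1)),
]


def false_matches(records):
    """Codes shared by more than one distinct person (records wrongly merged)."""
    people_by_code = defaultdict(set)
    for rec in records:
        people_by_code[rec.code].add(rec.person)
    return {code: people for code, people in people_by_code.items() if len(people) > 1}


def missed_links(records):
    """People whose records fall under more than one code (records wrongly split)."""
    codes_by_person = defaultdict(set)
    for rec in records:
        codes_by_person[rec.person].add(rec.code)
    return {person: codes for person, codes in codes_by_person.items() if len(codes) > 1}


if __name__ == "__main__":
    for code, people in false_matches(RECORDS).items():
        print(f"{code}: shared by {len(people)} different people {sorted(people)}")
    for person, codes in missed_links(RECORDS).items():
        print(f"person {person}: split across codes {sorted(codes)}")
```

A data user who reviews stored records for accuracy can run the same two checks: a code held by several people is a record that may carry someone else's history, and a person held under several codes will receive an incomplete answer to a subject access request.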
Current initiatives may therefore be carried out in a more covert manner (eg the Australian "tax file" number),
and have even been marketed as beneficial (eg the proposed UK NHS number, which "will allow immediate access to
a patient's computerized medical history by any doctor in the country, should one fall ill" [21]). Even the USA is
planning the voluntary use of a "US Card" containing health care, financial, tax and identity data (eg PIN,
private key for digital signatures) as well as being open to new applications (perhaps police record, voting
registration, political affiliation?). At a recent conference [22], a representative of the US Postal Service
stated that plans had been made to allow a hundred million of these cards to be issued within months of approval
being given.
Yes, this revolution in electronic digital communication surely brings with it a disturbing erosion of our
privacy. In the past, if the government wanted to violate the privacy of ordinary citizens, it had to expend
a certain amount of effort to intercept one's letters and listen to, and possibly transcribe, spoken telephone
conversation. In his evidence to the US House of Representatives Subcommittee for Economic Policy, Trade, and
the Environment, Philip Zimmermann likened this approach to catching fish with a hook and a line, one fish at
a time:
"Fortunately for freedom and democracy, this kind of labour-intensive monitoring is not practical on a
large scale. Today, electronic mail is gradually replacing conventional paper mail, and is soon to be
the norm for everyone, not the novelty it is today. Unlike paper mail, email messages are just too easy
to intercept and scan for interesting keywords. This can be done easily, routinely, automatically, and
undetectably on a grand scale. This is analogous to drift net fishing-- making a quantitative and
qualitative Orwellian difference to the health of democracy." [23]
Some agencies, however, adopt a different approach:
On 1st March 1990 the US Secret Service raided the Austin, Texas, offices of Steve Jackson, an entrepreneurial
publisher who ran a computer bulletin-board service (BBS) in his spare time. It was alleged (amongst other
matters) that one or more messages posted in public access areas of the BBS contained information which
infringed the privacy of certain US politicians.
Many issues pertaining to civil rights arose out of this case; however, writing in Scientific American [24],
Kapor considered that BBS' should be treated like the telephone service, operating "under a context-neutral
regime in which access is available to any entity that can pay for it." rather than being held to a publisher's
standard of libel in respect of messages posted on the BBS by other users. Recent seizure of an adult BBS, and
the discovery on its return that subscribers' private email messages had been read by postal inspectors, is
causing something of a furore at the present time [25].
Whilst it would be unthinkable for telephone companies to monitor our calls routinely, or cut off conversations
because the subject matter was deemed offensive, users of electronic mail and BBS' are seen in a different
light: pclan magazine [26] reports that under the terms of a bill currently (Oct 93) going through Congress
employers would be granted limited rights to monitor employees' private email.
As we move towards the cashless society predicted by the New International Economic Order (NIEO) in their
"Global 2000" strategy [27] one wonders if a place remains for individual privacy in the information age.
Future Concerns
What can be done to limit further large-scale abuses? One of the most effective strategies seems to be the
swift and massive expression of public sentiment. In 1991 30,000 complaints were received by Lotus Development
Corporation against its proposed Lotus Marketplace: Households database [28], resulting in its demise. This product
was to have contained a vast amount of data on 120 million North Americans, including their names, addresses,
estimated incomes, consumer preferences, and other personal details. In effect anyone with a suitable PC could
purchase a copy for £400 and use the information to their own ends (perhaps searching for the names and
addresses of all single women over seventy years of age would be useful for aspiring burglars).
Such techniques are not of much use on an individual basis, although the use of encryption techniques
(eg PGP, Clipper) has its place [29]. The increasing trend to ask prospective candidates to exercise their
"subject access" rights in order to supply prospective employers with verified personal information about
themselves is worrying. Will a refusal to co-operate in obtaining such information as spent convictions from
police records result in a lost job opportunity? Amnesty International's policy with regard to Data
Protection [30] clearly states that "before issuing any data to a data subject, Amnesty International may require
proof that any request made by, or on behalf of, the data subject was completely voluntary. This applies in
particular to data subjects who are deprived of their liberty, or who may for other reasons be suspected of
acting under duress."
On the education front, there is much to be said for ensuring that discussion of the broader ethical issues
forms an integral part of all professional computing courses [31]. It seems all too easy to limit such
discussions to the issues of virus propagation and software copyright protection. Hopefully any academic
readers will now appreciate that there are much weightier ethical matters which need ongoing consideration
as the technology evolves.
Conclusion
Clearly the Information Age has taken us by surprise: standards of personal privacy that had become enshrined
in law and tradition are seen to be inadequate to deal with the opportunities that technological change is
forcing upon us. Society is becoming increasingly dependent upon an infrastructure which is itself not yet
sufficiently dependable [32].
Each and every one of us who is involved with processing personal data has a responsibility to become involved
in shaping the way that data can be used. It is not enough to simply leave the setting of limits to our
legislators.
This paper tried to give due weight to the radical view that, in regards to its legislation on computers
and privacy at least, the government has not historically seen the civil liberties of its citizens as a
primary objective. Researching this topic in much greater detail (particularly the legal aspects) than
previously, I have been struck both by the pre-eminence of commerce over individual freedom and the gradual
(almost silent) erosion of privacy brought about by recent technological advances. Perhaps this paper will
have a part to play in instigating a British equivalent of Computer Professionals for Social Responsibility [33]
(CPSR)?
In conclusion, I would like to quote again from Philip Zimmermann, who seems to phrase this
point so well:
"When making public policy decisions about new technologies for the Government,
I think one should ask oneself which technologies would best strengthen the hand of a police state.
Then, do not allow the Government to deploy those technologies.
This is simply a matter of good civic hygiene."[34]
Appendix I:
Computer Professionals for Social Responsibility
The mission of CPSR is to provide the public and policymakers with realistic assessments of the power, promise,
and problems of information technology. As concerned citizens, CPSR members work to direct public attention to
critical choices concerning the applications of information technology and how those choices affect society.
Founded in 1981 by a group of computer scientists concerned about the use of computers in nuclear weapons
systems, CPSR has grown into a national public-interest alliance of information technology professionals and
other people. Currently, CPSR has 22 chapters in the U.S. and affiliations with similar groups worldwide.
In addition to our National Office in Palo Alto, California, we maintain an office in Washington, DC.
CPSR is a democratically organized grass roots alliance. Our accomplishments are the result of the member
activism. Many CPSR members serve as national organizers
Every project we undertake is based on five principles:
- We foster and support public discussion of, and meaningful involvement in, decisions critical to
society.
- We work to correct misinformation while providing understandable and factual analyses about the
impact of societal technology.
- We challenge the assumption that technology alone can solve political and social problems.
- We critically examine social and technical issues within the computer profession, both nationally
and internationally.
- We encourage the use of information technology to improve the quality of life.
CPSR Projects
By sponsoring both national and local projects, CPSR serves as a catalyst for in-depth discussion and effective
action in key areas:
- The National Information Infrastructure
- Civil Liberties and Privacy
- Computers in the Workplace
- Technology Policy and Human Needs
- Reliability and Risk of Computer-Based Systems
In addition, CPSR's chapter-based projects and national working groups tackle issues ranging from the
implementation of Calling Number ID systems to the development of nanotechnology and virtual reality, from the
use of computers in education to working conditions for computer professionals, from community networks to
computer ethics.
Membership Benefits
As a member of CPSR, you are joining a nation-wide network of concerned people who are committed to bringing a
public interest perspective to all aspects of information technology. CPSR's work covers a wide variety of
issues including the proposed National Information Infrastructure, privacy and freedom of information, the
demilitarization of national technology policy, cryptography, participatory design approaches to system
development, and more.
CPSR has a reputation for being on the forefront of issues pertaining to the impact of information technology
on society, taking action to implement positive examples of the use of information technology such as local
community networks as well as participating in regional and national policy discussions.
Other membership benefits include:
- Joining with other concerned people to affect policy-making at the local, regional, and national
level.
- Access to an international network of people who can provide expertise and well-researched
support for progressive positions concerning information technology policy.
- Access to on-line information and discussion groups on key topics concerning the socially
responsible use of information technology.
- The chance to participate in local and national work groups on issues of particular interest to you.
- A quarterly newsletter containing in-depth analysis of major issues as well as updates on CPSR
activities and action alerts.
- Invitations and discounts to CPSR events and publications.
Organizational Information
CPSR welcomes everyone who uses or is concerned about the role of information technology in our society.
Please direct membership enquiries to:
Further Reading
Forester, Tom and Morrison, Perry (Second Edition, 1994),
Computer Ethics: Cautionary Tales and Ethical Dilemmas in Computing,
London: The MIT Press (Highly readable)
Madsen, Wayne (1992),
Handbook of Personal Data Protection,
Basingstoke: MacMillan Publishers (Comprehensive reference manual for those involved in both national and international aspects of personal data protection)
The Guideline Series of Booklets, and other helpful material about the Data Protection Act is published by:
Office of The Information Commissioner,
Springfield House, Water Lane, Wilmslow, Cheshire, SK9 5AX
Tel: (01625) 535777 (Enquiries)
Ettinger, J E (Editor) (1993)
Information Security: An Integrated Approach,
London: Chapman & Hall (good, if somewhat technical, primer)
Middleton, R A J (Editor) (1990)
Guidelines on Good Security Practice
Swindon: British Computer Society (handy guide for IT Managers)
Background Material not otherwise referenced:
Consensual realities in Cyberspace,
Saffo, Paul, Communications of the ACM v32 (Jun 89) p664-665
Brunner, John (1975),
Shockwave Rider,
London: Dent (also London, Methuen 1988)
Stoll, Clifford (1989),
The Cuckoo's Egg,
London: Bodley Head
Ethics and the Internet,
Cerf, Vint, Communications of the ACM v32 (Jun 89) p710
Data protection: more apathy than anger,
Eustace, Peter, The Engineer v262 (24 Apr 86) p29-30
Reflections on trusting trust (Turing Award Lecture), Thompson, Ken,
Communications of the ACM v27 (Aug 84) p761-3,
(see also discussion v27 (Nov 84) p1085-6 and v28 (Aug 85) p792-3)
Crackdown on hackers' may violate civil rights,
Charkes, Dan, New Scientist v127 (11 Jul 90)
Dickson, Gordon R (1965),
Computers Don't Argue,
Conde Nast Publications
(included in Asimov, Isaac (1983),
Computer Crimes and Capers,
Chicago: Academy, (also Harmondsworth, Middx: Penguin Books, 1986)
Donaldson, John, et al (1992),
Business Ethics - A European Casebook,
London: Academic Press
Teaching students about responsible use of computers, Saltzer, Jerome H,
Communications of the ACM v32 (Jun 89) p704
Stanley, Manfred (1978),
The Technological Conscience: Survival and Dignity in an Age of Expertise,
Chicago: The University of Chicago Press
References
- Samuel Warren and Louis Brandeis' 1890 definition as "the right to be left alone" is one of the more succinct examples. A more recent, and wider ranging, definition is "the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about themselves is communicated to others" (anon)
- Cmnd 5012, Sir Kenneth Younger (Chairman),
The Report of the Committee on Privacy,
(London: HMSO, 1972)
- Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data,
(Council of Europe, 1981)
- Guidelines on the Protection of Privacy and Transborder Data Flows
(Paris: Organization for Economic Cooperation and Development, 1980)
- 1984 Chapter 35,
Data Protection Act 1984,
(London: HMSO, 1984)
- Cmnd 6353,
Computers and Privacy,
(London: HMSO, 1975)
- Cmnd 6354,
Computers: Safeguards for Privacy,
(London: HMSO, 1975)
- Cmnd 7341, Sir Norman Lindop (Chairman),
Report of the Committee on Data Protection,
(London: HMSO, 1978)
- op cit
- op cit
- Data Protection,
Jenner, G,
Chemistry and Industry v22 (18 Nov 85), p747
- op cit
- Statement of Policy of the Information Commissioner,
released for publication on 3 December 1986
- COM (92) 422 final SYN 287
Amended Proposal for a Data Protection Directive,
European Commission, 15 October 1992, as quoted in:
Charlton, Simon,
A privacy law for Europe: back to the data protection drawing board,
Computer Law and Practice, Vol 9 No 1, 1993
- Draft Proposal for an ISDN Directive, as quoted in:
US Dept of Commerce National Telecommunications and Information Administration,
Inquiry on Privacy Issues Relating to Private Sector Use of Telecommunications-Related Personal Information:
Notice of Inquiry and Request for Comments,
(Washington, Docket No 94104-4004, 1994)
- Because of space limitations it has not been possible to include discussion on the privacy implications of CLI when coupled with reverse-search techniques applied to computer-based phone directories.
- Ellis, L (Editor),
Privacy and the Computer - Steps to Practicality,
(London: British Computer Society, 1972)
- Whose benefit is it anyway?
Tebbutt, D
Computer Weekly, 31 Mar 94 p24
- Panel Discussion,
Cyberspace Superhighways: Access, Ethics and Control,
Chicago: John Marshall Law School, March 94
- Marc Rotenberg,
"Prepared Testimony and Statement for the Record of Marc Rotenberg, Director, Washington Office,
Computer Professionals for Social Responsibility (CPSR) on the Use of the Social Security Number as a National
Identifier, before the Subcommittee on Social Security, Committee on Ways and Means, US House of
Representatives,"
reprinted in Computers and Society, vol 21, nos 2, 3, and 4, 1991, pages 13-19.
- National Strategic Framework for Information Management,
(London: Department of Health, 1992 Draft Update)
- CardTech/Security Conference as quoted by
Murray, W H in NII and the US Card,
an internet discussion group available in bit.listserv/ethics-l
- Testimony of Philip Zimmermann to Subcommittee for Economic Policy, Trade, and the Environment, US House of Representatives, 12 Oct 1993 as reported in Computer Underground Digest, Volume 6 No 30.
- Kapor, M, Civil Liberties in Cyberspace, Scientific American v265 (Sep 91) pp 116-120.
- various articles, editorial discussion and letters in
Computer Underground Digest, vol 6 issues 32, 33, 35 (1994)
- Upfront (editorial), pclan, Oct 93, p5
- Smith, Barry
The Anti-Christ and the coming Money Crash
lecture given in Auckland, 1992
- Forester, Tom and Morrison, Perry,
Computer Ethics: Cautionary Tales and Ethical Dilemmas in Computing,
(London: The MIT Press, Second Edition, 1994)
- Legislative committees are already at work, in both Holland and the USA, on proposals to outlaw all encryption devices except those which have been "government approved". At the time of writing these committees are in their early days, and it is still unclear if approval will be given to any encryption methods which do not provide means for decoding by "lawful authorities".
- Madsen, Wayne,
Handbook of Personal Data Protection,
(Basingstoke: MacMillan Publishers, 1992)
- Ethical attitudes of entry-level MIS personnel,
Paradice, David B,
Information and Management v18 (Mar 90) p143-151
- Guidelines for the Security of Information Systems,
(Paris: Organization for Economic Cooperation and Development, 1992)
- see Appendix I
- op cit
Contacts
MSc Computing Course
I originally wrote this research paper to fulfil part of the requirements for the award of an
MSc Computing degree at De Montfort University, Leicester and to stimulate discussion in an
area of personal concern.
Coming from a background in electronics, and with almost ten years' experience of business
computing, I found this full-time course to be most stimulating and of real practical relevance.
For those not fortunate enough to be able to take a sabbatical, the degree can also be completed
on a part-time, modular basis. To obtain more information about studying for the degree, please
write to:
Centre for Computing and Social Responsibility
Almost a year after this paper was submitted, the Centre for Computing and Social
Responsibility at De Montfort University came into being. Its mission
is to undertake research and provide teaching, consultancy and advice to
individuals, communities, organisations and governments at local, national
and international levels on the impact of computing and related
technologies on society and its citizens.
If you'd like to enlist the services of CCSR, please write to Simon Rogerson
(Centre Director) at:
Computer Professionals for Social Responsibility
Enquiries about membership of the
Computer Professionals for Social Responsibility to:
Last modified 28-Oct-95
Page design by: Graham K Smith.