
kent wada

director, strategic IT policy


ucla chief privacy officer

feng shui for big data


october 27, 2015

ecar working groups general meeting


educause annual indianapolis

kent wada
director, strategic IT policy
ucla chief privacy officer

harmony for big data


october 27, 2015

ecar working groups general meeting


educause annual indianapolis

accessibility
security
privacy

data

slide 2 of 24

accessibility
security
privacy
big
data

governance
value

slide 3 of 24

information
security

protects
all information

cyber
IT security

protects
technical
infrastructure

information about individuals


(e.g., student/patient records; SSNs)

confidential information

(e.g., intellectual property, security info)

information
privacy

protects
information
about individuals

information
infrastructure

(e.g., computers, smartphones, networks)

slide 4 of 24

information security officer


information
security

protects
all information
cia

confidentiality
integrity
availability

(traditional realm of the)


privacy officer

information about individuals


(e.g., student/patient records; SSNs)

information
privacy

protects
information
about individuals

compliance

privacy rules, e.g., hipaa, ferpa,
state breach notification laws
open records laws (state, foia)

fair information practices principles

notice/awareness, choice/consent,
access/participation, integrity/security
enforcement/redress

dataset techniques

e.g., de-identification, anonymization,
constraints on use v. collection

information security and information privacy are generally complementary

slide 5 of 24

autonomy
privacy

covers individuals
from observation

individuals
information about individuals
(e.g., student/patient records; SSNs)

information
privacy

protects
information
about individuals

safeguards against surveillance
/ big brother / the monitoring of
behavior, data mining / profiling

values

first amendment, anonymity


academic freedom
ethical behavior

it's not just security vs privacy, it may be privacy vs privacy
increasingly because of big data

slide 6 of 24

information security officer

privacy officer
autonomy
privacy

individuals
information
security

protects
all information

information about individuals


(e.g., student/patient records; SSNs)

confidential information

(e.g., intellectual property, security info)

covers individuals
from observation

information
privacy

protects
information
about individuals

information
cyber security

protects
technical
infrastructure

infrastructure

(e.g., computers, smartphones, networks)

___________________________
Based on the diagram developed for the report below. See http://ucop.edu/privacy-initiative for further information.
Privacy and Information Security Initiative Steering Committee Report to the President. Rep. University of California, Jan.
2013. Web. 24 Aug. 2015.
http://ucop.edu/privacy-initiative/uc-privacy-and-information-security-steering-committee-final-report.pdf

slide 7 of 24

big data privacy hazards


indiscriminate collection of data
data generation
volunteered data
observed data
inferred data

SHAZAM LOGO

AMAZON ECHO

SHAZAM LOGO

FITBIT CHARGE HR

continuous collection of non-traditional pii


___________________________
Based on material from Doron Rotman, KPMG.

slide 8 of 24

big data privacy hazards


indiscriminate collection of data
data generation
indefinite storage

volunteered data
observed data
inferred data

infinite reuse
deidentified data reidentified

AOL LOGO

HARVARD UNIVERSITY SEAL

NETFLIX LOGO

slide 9 of 24

big data privacy hazards


indiscriminate collection of data
data generation
indefinite storage

volunteered data
observed data
inferred data

infinite reuse
deidentified data reidentified
data breaches
GENERIC BREACH
NOTIFICATION LANGUAGE

ASHLEY MADISON LOGO

SEAL OF THE US OFFICE OF


PERSONNEL MANAGEMENT

slide 10 of 24

big data privacy hazards


indiscriminate collection of data
data generation
indefinite storage

volunteered data
observed data
inferred data

infinite reuse
deidentified data reidentified
data breaches
predictive analytics
descriptive: summarize what happened
predictive: forecast what may happen in the future
prescriptive: recommend one or more courses of action

slide 11 of 24

big data privacy hazards


indiscriminate collection of data
data generation
indefinite storage

infinite reuse
deidentified data reidentified
data breaches
predictive analytics
algorithmic discrimination

volunteered data
observed data
inferred data

FICO LOGO

PARTIAL STILL

FROM THE MOVIE


MINORITY REPORT

slide 12 of 24

July 22, 2015: A GitHub project is using the 23andMe API for genetic decoding to act as a way to bar users from entering websites based on their genetic data: race and ancestry.

Stumbling around GitHub, I came across this bit of code: Genetic Access Control. Now, budding young racist coders can check out your 23andMe page before they allow you into their website! Seriously, this code uses the 23andMe API to pull genetic info, then runs access control on the user based on the results. Just why you decide not to let someone into your site is up to you, but it can be based on any aspect of the 23andMe API. This is literally the code to automate racism.

___________________________
Genetic Access Control Code Uses 23andMe DNA Data For Internet Racism. (2015, July 22). Retrieved from
http://science.slashdot.org/story/15/07/22/0146236/genetic-access-control-code-uses-23andme-dna-data-for-internet-racism

slide 13 of 24

ARTICLE HEADLINE FRANK PASQUALE UNRAVELS THE NEW MACHINE AGE OF ALGORITHMS AND BOTS

___________________________
Selinger, Evan. Frank Pasquale Unravels the New Machine Age of Algorithms and Bots. The Christian Science Monitor 28
Jan. 2015, Passcode sec. Web. 24 Aug. 2015.
http://csmonitor.com/World/Passcode/Passcode-Voices/2015/0128/Frank-Pasquale-unravels-the-new-machine-age-of-algorithms-and-bots

slide 14 of 24

history says:
data, once collected, can rarely be uncollected
data, once collected, will always find another use
the rules change
the concerns are greatest:
when data are used to make decisions about people
when data are collected about people without their knowledge or consent
when data about people are used in unexpected ways without subjects' knowledge or consent
when data are shared with external entities

slide 15 of 24

partial privacy timeline

years shown: 1789, 1890, 1948, 1968, 60s-70s, 1972, 1974, 1977

events shown:
US constitution
privacy tort; brandeis right to be let alone
UN declaration of human rights
privacy added to california constitution as inalienable right
privacy rulings by SCOTUS
privacy commission report
privacy act
ferpa/student

___________________________
Based on a timeline developed by Sol Bermann, Privacy Officer, IT Policy, Compliance, Enterprise Continuity Strategist, at the
University of Michigan.

slide 16 of 24

partial privacy timeline, cont

years shown: 1991, 1995, 1996, 1998, 1999, 2003, 2010, 2012, 2015

events shown:
common rule/human research privacy
coppa/children online
first state breach notification law
hipaa/medical and health
data protection directive EU
chief counselor for privacy in fed govt
first cpo
google implements the EU right to be forgotten
red flags/id theft
calECPA
glba/loan

slide 17 of 24

public-private
partnerships
(whether we
know it or not)

google apps for education


learning analytics
translational research
scholarly publications

slide 18 of 24

implementing bdfs

at ucla via the dgtf

These governance mechanisms should be invoked when competing privacy interests, goals, University values, or obligations in the application or use of these data exist and for which no statutory provision, common law, or University policy is directly applicable.

___________________________
UCLA. (2015). UCLA Data Governance Task Force: Final Report and Recommendations (DRAFT).
Borgman, Christine, and Kent Wada (co-chairs). UCLA Data Governance Task Force.
https://ccle.ucla.edu/course/view/datagov

slide 19 of 24

implementing bdfs

at ucla via the dgtf

the goal is not to be an irb, vet everything, or be seen as those who say no, but to:

resolve legitimate disagreements and provide a path forward
promote transparency and open discussion

am i my data?
am i more important?

___________________________
http://lex.ucsc.edu/resources/datalex_registration.html
DataLex 2015: Privacy, Big Data, and the Law. (n.d.). UC Santa Cruz, Digital Arts Research Center. Retrieved
from www.ustream.tv/channel/c6Mv3vuye3D

slide 20 of 24

we're all sitting on treasure troves of data

but the private sector has no irb
and a different mission (value = monetize)
the facebook contagion experiment may have made things worse

slide 21 of 24

security
(big)
data

accessibility
privacy

governance
value

slide 22 of 24

accessibility
security
privacy
big
data

governance
value

slide 23 of 24

kent wada
director, strategic IT policy
ucla chief privacy officer

harmony for big data


october 27, 2015

ecar working groups general meeting


educause annual indianapolis

slide 24 of 24