Preparation for Extended Study


PREPARATION FOR EXTENDED STUDY STUDY IN GRAPHIC DESIGN

Project Proposal

Prepared by: Daniel Low Yik Mun
Tutor: Kate Rogers


Proposal Title / Area of Investigation

How privacy affects our life, and to show how and what information is being leaked. What are the tools that are being used in this matter, such as CCTV.

Overall Nature and Direction of Work

There is a series of posters that I’ve designed based on the theme ‘Privacy’. Furthermore, I have tried different types of methods that I haven’t tried before, such as drawing something on dried leaves, and I have also done some experiments regarding the theme. For now, I am trying to get everyone’s attention with the visual outcome of the posters that I have designed. A large image with some text really gets the job done. On the other hand, the style that I am following is mainly minimalist, where there is a lot of white space. It is tricky when it comes to designing the layout. For some reason, privacy attracted me in different ways. For instance, how did information actually get leaked out? Is it done on purpose, or is it that someone needs to find out something that is secret about you? In this world that we are living in, the government has the authority to check on your emails, calls, and whatsoever. It just feels unprotected. Besides that, hidden cameras are being used to record something which no one is aware of. An installation of directly connected components that create a circuit which cannot be viewed by anyone.


Future Outcome

Beyond graduation, I hope that I will better understand how to protect my own privacy.



Research

Protecting Your Own Privacy

* Be discreet when filling out application forms, whether online or in paper form. Often, you can provide general instead of specific information and still complete the transaction (for example, responding “over 18” or “younger than 65” when asked for age). Try to determine what information on an application or warranty form is for marketing purposes and not necessary for completing the transaction. When you are asked to sign authorizations to disclose your personal information, date the form or add an expiration date and cross out language that makes the authorization too broad or general. Revoke the authorization in writing if you reconsider later.

* Protect the confidentiality of your Social Security number. Just say no. Social Security numbers are really not necessary when applying for credit or insurance. There are legal limits when government agencies ask for Social Security numbers (explained in “Ben Franklin’s Web Site”). Any request for your number when the transaction has tax consequences – like getting a job or opening a bank account or buying a house – seems reasonable. In other cases, ask for a random number you select or, if you must, try providing only the last four digits. Most toll-free service lines will ask for Social Security numbers (or last four digits) but will process your request if you just say no and provide other means of verifying your identity. Most of these companies do not have your SSN on file anyway! Why give it to them?

* Attach conditions to sensitive information that you feel you have to provide. Ask that it not be further disclosed outside the organization or that it be destroyed after a certain period. Ask to inspect it in the future. This creates a binding contract with the organization. If it refuses to accept your conditions, that tells you about its information practices.

* Never provide sensitive information over the telephone or Internet to someone you don’t know – including your Social Security number, home address or phone number, bank-account or insurance-policy numbers, bank balance, mother’s maiden name, or medical information. If you want, call back the company and keep a record of its phone number. Phrase your demand so that it elicits a positive response, not a negative one. Don’t say, “I refuse. . . .” Say, “Because I’m concerned about my privacy, I choose to keep that information to myself. . . .” Say, “I’d rather not. What else can I do to complete the transaction?” Assume that most clerks, as individuals, will identify with your concerns, and you will discover that many of them do. Be persistent. Be prepared to try three or four times before the organization caves in.

* Ask to inspect and correct files about yourself where federal law permits this – credit reports, consumer investigations, school records, federal-agency files, cable TV providers, and criminal records. A dozen states provide these rights for insurance files and 15 states have these rights for personal information stored by state agencies. This is required by federal regulation (HIPAA) for medical records.

* Ask the post office not to disclose your new address to commercial mailers when you file a change-of-address form. Better still, make your change of address temporary, not permanent. A temporary forwarding instruction is good for one year, and the Postal Service does not forward temporary change-of-address information to commercial list users and direct marketers.


* Ask to inspect your own medical file and to add information to it if necessary. A federal regulation gives you this right and most professional medical organizations endorse this right. Remove from your file any information involving another patient, not you.

* Organize your telephone service for your own convenience. Have your landline telephone number listed without an address in the directory. This will provide much of the same protection that you seek from an unlisted number – and for no charge – because marketers are not interested in collecting phone numbers without addresses. This will keep you out of the address and telephone directories on the World Wide Web. For a nominal monthly fee, phone companies will provide you a second phone number that will ring with a distinctive sound. You can make this your “public number” that you provide to businesses and government agencies. Reserve your original telephone number for friends and relatives, and then you will know when they are calling. In addition, ask the major mailers to delete your landline and cell phone numbers from their telephone and mailing lists. Remember that cellular, mobile, and cordless phones are not secure. Cell phones allow for tracking your approximate location. Neither are electronic mail or instant messages or texting; regard them as you would a postcard. Remember that a recipient of your e-mail correspondence can pass it on to the whole world, inadvertently or intentionally. You have to respond to email carefully to avoid sending responses to persons you did not intend to receive it. If it’s important to you, ASK recipients of your email correspondence not to pass it on without your consent. Do not ever use telephones and computers at work for sensitive or embarrassing communications. Federal law permits employers to monitor business-related calls and correspondence.

* Demand that a telemarketing company that calls you add your name to a do-not-call list. Call 888/382-1222 from the number you wish to register and get on the federal do-not-call registry in seconds. Or go to www.donotcall.gov. By federal law, a telemarketing company must abide by that list. The same law prohibits recorded advertisements and fax advertisements into your home unless you consent. Many states have government-run do-not-call lists as well.

* Learn all you can about new technologies that affect your privacy – automated telephone devices, the Internet, social-media sites, blogs, genetic tests, electronic mail, bar codes, automated collection of highway tolls, radio frequency identification tags (RFID), contactless credit cards, skin implants for identification, two-way cable television, face recognition, digital driver’s licenses, airport-screening devices, and biometric identification devices like hand scans and eye scans. Know how they work – what they can do and can’t do.

* Subscribe to PRIVACY JOURNAL newsletter for great tips each month and the latest news you need to know to protect yourself. Ask for our reduced special rate for individuals.

* Protect against theft of identity. This crime is the impersonation of you by a stranger to get identity documents or use your credit accounts. The main vehicle for it is the circulation of your Social Security number or carelessness with it by organizations. Keep your SSN out of general circulation as much as you can. And your children’s numbers. Keep your SSN off your driver’s license and your personal checks. Be aware of “phishing,” the practice of impersonating a legitimate company or Web site and inducing you to provide personal information, like account numbers. Be aware that entrepreneurs create Web sites to suck you in when you misspell a legitimate Web site you intend to visit.

* Use caution in enrolling in social-media sites. Employers, schools, U.S. border guards and others consult them. Some employers demand your Facebook password when you apply for a job. Read the privacy policies of these sites very carefully and choose your options very carefully. Be prepared to take an hour or more to get it right!

* Use search engines like Google, Yahoo, MSN Search, and Bing to discover all you can about where your name is mentioned and accessible to others - on the World Wide Web. You will be surprised. Correct damaging or inaccurate information if you can.

* Inspect your credit report once a year, or more often if there are frequent new accounts in your life. It’s free. Be sure to start with the federal government Web site, www.AnnualCreditReport.com (877-322-8228, Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281), and none other! There are lots of impostors, and the credit reporting agencies themselves like to trap consumers. Often they trap you into a yearly service that costs money. Avoid the credit-monitoring services that are offered.

* Think of Noah’s Ark. To protect your privacy, think in twos. Rip in half any documents with vital personal information on them, including Social Security numbers, bank-account information, or credit-card numbers. Deposit them in separate side-by-side trash containers. Empty each trash can at alternating times, so that these sensitive documents cannot be reconstructed after you dispose of them. Or use a paper shredder. Use two personal phone numbers, one for your friends and another for commercial transactions and public circulation. Use a personal mailing address and a “public” mailing address, which can be a post office box, a commercial mail-receiving firm, an office address, or a landlord’s address. This second address will not disclose your physical whereabouts, or that of your children. Have two Internet service providers and electronic mail providers, one for sensitive uses and the other for “public” uses. Have two credit cards, one for customary use and one for online use. If something goes wrong online, you can promptly cancel that credit card with no inconvenience. Use a second, out-of-town doctor to disguise certain sensitive treatments, if necessary.

* Zealously protect the identities and addresses of your children. Avoid having them enumerated until they reach an age when they are seeking employment. This will keep them out of dangerous databanks and locator services. Take advantage of tax credits and deductions without providing SSNs for your children, if you can; otherwise be willing to do without the tax benefits. Keep them off mailing lists by using an adult’s name on magazine lists and direct-mail purchases. Don’t provide their names on any applications that parents submit. Do not permit them to provide family information – or information about their physical whereabouts or real names – on the Internet.

* Resist surveillance in the community. Make it clear to law enforcement and businesses what you think of the presence of camera surveillance everywhere. Demand that they prove that it is effective. Point out its cumulative effect on the culture and the community. Point out that most communities that launched camera surveillance have found it ineffective, and many have abandoned it.

* Take time to devise in your mind a strategy for dealing with the press if you should be suddenly thrust into a newsworthy situation. Select in your mind a trusted friend you would call upon, to advise you, to be a liaison between you and news reporters, and to assure that you disclose to the public exactly what you want to and keep private exactly what you want to.

* Shop ahead. When you seek insurance, a mortgage, retail credit, a bank account, or other important transaction, be prepared to dicker. Provide the least amount of personal information possible to get the transaction. Be prepared to be asked for more. Provide a little more, if you wish, and be prepared to be asked again to provide more information. Shop around for a transaction you really don’t need, simply to practice your technique of negotiating for the least amount of privacy sacrifice. Most important, be fully prepared to do without the transaction or to shop elsewhere if you believe that you are being asked for too much personal information. You will feel good about yourself. If you are dealing with a dominant business or a monopoly, be prepared to complain to the state agency that regulates the business. It may have guidelines that help you or it may be willing to intervene on your behalf.

* Shop Around. The new century has brought a few new products and services that actually enhance your privacy – e-mail forwarding services that protect your anonymity, encryption software, innovative telephone-answering machines, shredders, mail receivers, anonymous search engines, user-sensitive social networking. Seek them out. Paying by ATM card at the point of sale protects your privacy better than using a credit card. Merchants can track addresses of credit card users, but not ATM card users. In an airport, use your passport (with no address or Social Security number on it), not your driver’s license.

* It is going to cost you. In the information age, privacy comes with a cost. You can expect to pay slightly more for some of the duplicative services you need, and you may pay a premium for dealing with an organization that respects your personal information. You may have to do without some of the enticing discounts that require you to agree to be bombarded by commercial messages in the future. The rewards for paying these additional costs are immense. They bring an increased sense of control and dignity to your life. In addition, you will find that you can accomplish a whole lot more or have more leisure time after you take precautions to ration the interruptions and intrusions in your life. One of the richest men in America, Paul Mellon, once said, “The idea of power never appealed to me. What has appealed to me is privacy. To me, privacy is the most valuable asset that money can buy.”

* Choose your battles. Not every collection of personal information or every intrusion is worth expending your energy. Decide which information is most sensitive to you and which moments in your life are most important to protect. However, you should err on the side of protectiveness, because you cannot anticipate which information about you will become crucial in the future. Remember that nearly all of the personal information that businesses and government agencies collect concerns how we spend our money. Organizations don’t keep information about who we really are. Work hard to limit it to that. Organizations (except for social networking sites that we choose to participate in) have not yet been able to intrude into the really important aspects of our lives – our spirituality, our beliefs, our sexuality, our home life, our creativity, our fantasies, our sorrows, and our joys. Using laws where they exist and common sense and determination where they do not, we must preserve our right to privacy for ourselves, our neighbors, and those still to come.

Model Policies for Organizations

1. Organizations establishing privacy policies should incorporate the elements of the widely accepted *Code of Fair Information Practice:

   * The existence of all data systems with personal information in them should be publicly disclosed, and the purpose for which information is gathered about people should be disclosed. This is the principle of openness or transparency.

   * There must be a way for an individual to find out what information about him or her is in a record and how it is used.

   * There must be a way for an individual to prevent information about him or her that was obtained for one purpose (which was stated when the information was gathered) from being used or made available, either within the organization or outside, for a purpose that is incompatible with the original purpose, without getting the consent of the individual. This is the principle of secondary use.

   * There must be a way for an individual to correct or amend a record that contains information that is identifiable to him or her.

   * The organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability, accuracy, security and timeliness of the data. In other words, the custodian of information that is disseminated has an obligation to the individual to make sure it is accurate, secure, and not misused. This obligation ought not be delegated to another entity.*

2. An organization must make sure that other entities handling personal information on behalf of the first organization are bound by these same principles.

3. An organization must conduct periodic risk assessments, balancing the possibility or probability of unauthorized access or disclosure against the cost of security precautions and the expected effectiveness of the precautions. In some cases, it will be necessary to establish an audit trail so that records are kept of disclosures of personal information, both within the organization and outside.

4. An organization should collect a complete inventory of federal, state, and local laws affecting its collection and use of personal information. It should be aware of “case law” (court decisions) affecting its information collection. It should scrutinize any guidelines or ethical principles developed by trade associations on the collection of personal information.

5. Organizations must take special precautions in collecting and using personal information about children, both those 13 or younger and those 18 or younger.

6. An organization should openly disclose its policies and practices with regard to electronic surveillance of its employees’ and customers’ telephone calls, electronic mail, Internet usage, changing rooms, and rest rooms. It must articulate in advance the reasons for the surveillance.

7. An organization should collect only that personal information that is PROPORTIONAL to the purpose of the information. It must scrutinize each demand for information to determine that it is relevant and necessary.

8. An organization should designate an individual or office (whether full-time or part-time) to handle privacy issues by (a) acting as an ombudsman for customers or employees, (b) assessing the privacy impact of new undertakings, (c) assuring that the organization complies with all laws and trade-association standards; and (d) informing the organization of the latest technology and policies that affect the privacy of customers or employees. An organization, if it utilizes “opt-out” for customers to stay out of certain uses of their information, should make exercising “opt-out” easy, as easy as clicking a button or checking a box, without the need to write a letter or to communicate with another office.

9. An organization should not permit sensitive personal information to be transferred to or stored in portable media like laptops and hand-held devices. An organization should not post personal information on unprotected Web sites.

10. An organization should conduct periodic training of its employees (and volunteers) to assure that they know (1) applicable laws on confidentiality that govern the organization, (2) the organization’s policies and actual practices, (3) the rationale for protecting confidentiality and the sensitivity of personal information, (4) the ability to recognize possible breaches and to report them to the proper person. An organization may choose to certify that employees who handle personal information are properly trained.

11. If one organization must comply with a principle of data protection, all organizations in the same field should have to as well, either through industry codes or government regulations.

___________________

* The Code of Fair Information Practice was first established by the U.S. Department of Health, Education, and Welfare in its report on Records, Computers and the Rights of Citizens (1973) and ratified by a similar study by IBM Corp. The Business Roundtable in the U.S. endorsed the code in the 1970s and it became a part of all data protection laws in Europe and most of the privacy laws in the U.S.


Rights to Access to Government Documents

For more than 25 years, Access Reports has been the news source of choice for professionals concerned with access to government information. Access Reports’ publications keep subscribers up to date on all freedom of information and privacy issues, tracking policy trends while summarizing and analyzing court decisions, legislation (federal and state), regulations, and agency guidance. Access Reports provides the most comprehensive coverage available of access issues in the United States, Canada, and abroad:

* The Freedom of Information Act
* The Privacy Act
* The Sunshine Act
* The Federal Advisory Committee Act
* Classification
* Access to court records and proceedings
* The cost and value of information dissemination
* The role of the private sector in information policy



What is a CCTV?

CCTV is an acronym for Closed Circuit Television. “Closed circuit” as in, an installation of directly connected components creating a circuit which cannot be viewed by anybody outside of the circuit. This is different to a terrestrial television broadcast system, which can be viewed by anybody with an aerial/antenna or other reception equipment. CCTV systems are customised to suit the nature of the premises and the security needs of the customer. The ideal CCTV system should provide excellent quality pictures in both daylight and darkness, be easy and flexible to use and provide high quality images for recording evidence or to help analyse an event.

How Does CCTV Work?

There are many different types of CCTV systems available—analog and digital, wired and wireless—and their modes of operation vary; however, the basic components are in essence the same: a CCTV camera, a CCTV camera lens, a CCTV monitor, and (for wired systems) cables that carry the signal from one place to another.


The images collected are sent to a CCTV monitor and recorded on video tape via a VCR or as digital information via a DVR (Digital Video Recorder). The CCTV camera lens will determine how far and how much detail the CCTV camera can see. The CCTV camera picks up the signal from the area being monitored, and in a wired system, the CCTV camera sends the signals through a coaxial cable to the CCTV monitor; in wireless systems, no cable is needed, instead the CCTV camera broadcasts the signal. Monitors can be watched by CCTV controllers or left unmonitored.

Recent advances in technology and software mean many DVRs are now equipped with advanced features such as Motion Recording and Event Notification. When set to motion record, devices will only record when the CCTV camera detects motion. This saves storage space because the device is not recording during periods of inactivity. Event Notification is the process of sending a text message, recorded telephone message or email when motion is detected. This is particularly useful for unmanned systems. The recorded information can be stored and/or reviewed by those who have access to the recordings at their convenience. Many of the latest DVRs also have network connections so that saved and live footage can be accessed remotely via a PC over the internet.



Who needs CCTV?

CCTV systems can be found virtually everywhere these days. You will have seen CCTV surveillance systems operating in town centres, football stadiums, high street shops, sports centres, petrol stations, on roads and public transport - the list is endless. And CCTV is becoming increasingly more common in a domestic situation. CCTV systems are no longer considered an expensive luxury item, especially when you consider the increased level of security they provide. In the commercial (business) sector, they can be used for Health and Safety purposes, so that members of the general public can prove that an incident happened or, on the other hand, for employees to fight against fraudulent claims. It also provides security/crime prevention.


International Journal of Information Security and Privacy

As information technology and the Internet become more and more ubiquitous and pervasive in our daily lives, there is an essential need for a more thorough understanding of information security and privacy issues and concerns. The International Journal of Information Security and Privacy (IJISP) creates and fosters a forum where research in the theory and practice of information security and privacy is advanced. IJISP publishes high quality papers dealing with a wide range of issues, ranging from technical, legal, regulatory, organizational, managerial, cultural, ethical and human aspects of information security and privacy, through a balanced mix of theoretical and empirical research articles, case studies, book reviews, tutorials, and editorials. This journal encourages submission of manuscripts that present research frameworks, methods, methodologies, theory development and validation, case studies, simulation results and analysis, technological architectures, and infrastructure issues in design, and implementation and maintenance of secure and privacy preserving initiatives.


Privacy Issues

- Anti-terrorism
- Border and Travel Surveillance
- Communications Data Retention
- Communications Surveillance
- Consumer Protection
- Data Protection and Privacy Laws
- Developing Countries
- Development and Humanitarian Aid
- DNA
- Financial Policy
- Freedom of Expression
- Government Transparency
- Human Rights and Constitutional Protections
- ID
- Visual Surveillance


Anti-Terrorism

In response to the increased threat of terrorism, governments around the world have granted security services and law enforcement agencies significant new powers of surveillance, often with limited oversight. Anti-terrorism laws are often rushed through Parliaments with limited debate under the pretext of national security – but few of the powers they grant are restricted to combating terrorism. Instead, sweeping powers of surveillance are given to those responsible for low-level administrative and policing work. These laws and policies require the indiscriminate accumulation of vast amounts of information, and the mass analysis and profiling of data, while reducing safeguards against abuse. We aim to identify areas where there is the greatest risk of abuse, and advocate for better safeguards and protections.



Border and Travel Surveillance

There are few places in the world where an individual is as vulnerable as at the border of a foreign country. When travelling across the world, people are being subjected to multiple forms of tracking and profiling by unaccountable state agencies. Local and international travel is changing radically as concerns about terrorism and migration increase. Security agencies require access to travellers’ information before they leave their homes, compulsory identification of travellers now includes the collection of fingerprints and facial images, and secret watchlists, dossiers and profiles are being developed. These policies and procedures are extremely costly, the potential for abuses and miscarriages of justice is high, and the benefits are debatable. Our work includes investigating the systems that are planned and deployed, evaluating the methods and techniques, raising awareness about the implications of these new policies for the human rights of citizens and foreigners, and advocating for policy change.


Communications Data Retention

The mass retention of individuals’ communications records, outside the context of any criminal investigation or business purpose, amounts to the compilation of dossiers on each and every one of us, our friends, family and colleagues. Under the justification of tackling terrorism and crime, several countries worldwide have implemented regulation that obliges providers of communication services or networks to retain traffic and location data generated by mobile and landline phones, fax and email. For example, the Data Retention Directive, approved by the European Union in 2006, requires that every telecommunications company in Europe must retain their customers’ records for a period of between six months and two years.

The mass collection and retention of information creates challenges for the right to privacy. Broad-ranging data retention policies result in the indiscriminate creation of vast dossiers of information on everyone’s activities, including location data and communications with friends, families and work colleagues. There are alternative methods of surveillance that are less disproportionate, for example, requiring a court order to allow operators to retain data related just to a specific individual suspected of criminal activity.

We scrutinize the deployment and abuses of data retention policies, and oppose certain policies when we believe them to be dangerous. We work closely with civil society groups and industry to minimize harm, and we closely monitor attempts to expand the reach of data retention policy into new forms of communications, e.g. search engines and social networking.


Communications Surveillance

Interception and monitoring of individuals’ communications is becoming more widespread, more indiscriminate and more invasive, just as our reliance on electronic communications increases. Nearly all major international agreements on human rights protect the right of individuals to be free from unwarranted surveillance. This guarantee has trickled down into national constitutional or legal provisions protecting the privacy of communications. In most democratic countries, intercepts of oral, telephone and digital communications are initiated by law enforcement or intelligence agencies only after approval by a judge, and only during the investigation of serious crimes. Yet government agencies continue to lobby for increased surveillance capabilities, particularly as technologies change.

Communications surveillance has expanded to Internet and digital communications. In many countries, law enforcement agencies have required internet providers and telecommunications companies to monitor users’ traffic. Many of these activities are carried out under dubious legal basis and remain unknown to the public.

We have conducted investigations to uncover communications surveillance schemes and the technologies that enable communications surveillance. We also work with technology providers to promote the use of secure communications technologies, and have worked with human rights groups to train them in securing their communications. We continue to monitor the use of communications surveillance, advocate for transparency and independent authorization and oversight, and promote other safeguards against abuse.


Consumer Protection

Corporations are collecting unprecedented levels of personal information on consumers – companies now know more about their customers than governments could ever dream of knowing about their citizens. Companies that collect and sell personal information make up one of the most lucrative industries in the world, and marketplace dynamics pose serious threats to consumer privacy. There have been several recent cases of ‘races to the bottom’, in which companies compete with each other to collect more and more valuable data on their users and customers. Certain companies are leading the charge with abusive and invasive profiling of data and innovative new methods of grabbing information from seemingly innocuous interactions. These practices tend to create short-term competitive disadvantages for the privacy-friendly companies, although in the long-term customer loyalty and goodwill may prove more valuable. It is crucial to raise awareness amongst consumers about the commercial surveillance to which they are subjected on a daily basis, in order to allow them to make better-informed decisions about whether or not to share personal information with certain companies. Equally, companies need to be more open about why they collect information and how it is processed. We monitor industry practices and advocate for change when we see a downward spiral beginning. We often seek regulatory action against new business models and practices that pose significant risks to privacy principles or that risk setting dangerous precedents. We also work with companies to help them understand the risks of their products and services.


Data Protection and Privacy Laws

Effective legislation helps minimize monitoring by governments, regulate surveillance by companies and ensure that personal information is properly protected. Laws for the protection of privacy have been adopted worldwide. Their objectives vary: some have attempted to remedy past injustices under authoritarian regimes, others seek to promote electronic commerce, and many ensure compliance with pan-European laws and enable global trade. Regardless of the objective, data protection laws tend to converge around the principle that individuals should have control over their personal information. Interest in the right to privacy increased in the 1960s and 1970s with the advent of information technology. The surveillance potential of powerful computer systems prompted demands for specific rules governing the collection and handling of personal information. The genesis of modern legislation in this area can be traced to the first data protection law in the world, enacted in the Land of Hesse in Germany in 1970. This was followed by national laws in Sweden (1973), the United States (1974), Germany (1977) and France (1978). Two crucial international instruments evolved from these laws: the Council of Europe’s 1981 Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data, and the Organization for Economic Cooperation and Development’s 1980 Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data. These rules describe personal information as data that are afforded protection at every step, from collection to storage and dissemination. Although the expression of data protection requirements varies across jurisdictions, all require that personal information must be:

• obtained fairly and lawfully
• used only for the original specified purpose
• adequate, relevant and not excessive to purpose
• accurate and up to date
• accessible to the subject
• kept secure
• destroyed after its purpose is completed

We work with regulators and other institutions to advance the implementation and practices of data protection and privacy laws and to analyse how new policies and technologies may affect them. We also aim to hold companies and governments to account by filing briefings and complaints on how their practices can - or cannot - be reconciled with legal frameworks.


Developing Countries

Some of the world’s most invasive surveillance systems are being deployed in countries where individuals are most at risk. Developing countries are considered growth markets for biometric systems, health informatics, visual surveillance and expansive communications surveillance technologies, and citizens of these countries tend to lack the legal and technical means to defend themselves. It has been argued that privacy is a Western luxury, and even a potential impediment to progress. Yet privacy is a universal human right, and our experiences in developing countries have shown us that, despite cultural differences, there is a deep common interest in information privacy and personal data protection amongst citizens and consumers in every economy. Privacy helps create a sense of human autonomy and dignity, and is therefore in many ways synonymous with progress. However, local NGOs advocating for privacy in developing countries often struggle with uninterested governments and uncomprehending courts. There is comparatively little understanding of the nuanced relationships between privacy, security and development, or of the complex technologies involved. The default position of the authorities is often to collect as much information on as many people as possible, and human rights are rarely taken into account.


Our work in developing countries focuses on increasing the capacity of local groups and institutions to understand new risks and respond to developments in their countries. We help them to raise awareness of privacy issues in the local population, and to ensure that the public debate on privacy is well-informed and accurate. We also review key policy developments in a number of countries and assess their compliance with national constitutional requirements, international human rights conventions, and consumer protection norms.


Development and Humanitarian Aid

New technologies have revolutionised the impact and effectiveness of development and humanitarian interventions, and their adoption is a key priority for modern development actors. However, their adoption raises new challenges for the protection and promotion of human rights, in particular the rights to privacy and the protection of personal data. The data collected or processed by humanitarian organisations can be extremely sensitive. In some contexts, even basic information about beneficiaries on location, ethnicity, religion, or gender falling into the wrong hands could place lives at risk. So while both the public and private sectors are increasingly building privacy protections and safeguards into their policies, humanitarian and development organisations are lagging behind. Since much aid is distributed in situations where there are weak legal and institutional protections for individuals’ privacy, humanitarian organisations need to consider whether they might be facilitating a legacy system for state surveillance. And when working with private sector partners, they must think carefully about the implications of corporate access to personal data and the potential for its abuse. The very existence of and possible access to the data collected by humanitarian organisations can encourage its use for other purposes than those for which it was collected. Political, religious or ethnic groups can be tracked using mobile phone data; when paired with other data, anonymised data can be deanonymised and used to locate individuals. Further, given the difficulties of collecting accurate data in humanitarian situations, the data could contain errors that are difficult for beneficiaries to correct, but that flawed data could later form the basis for important policy decisions. The humanitarian principle of “do no harm” entails protecting beneficiaries from such risks by incorporating privacy considerations into the design and implementation of humanitarian and development aid programmes. Safeguards around privacy should be implemented and respected, particularly when working with vulnerable groups such as ethnic minorities, disaster survivors or those living in conflict-stricken areas. These should include only collecting necessary data and putting in place effective data security measures. Privacy International is leading the discourse on promoting privacy and data protection in the development and humanitarian fields. We are working with humanitarian and development organisations and practitioners to provide assistance to the development of their own internal policies on privacy, as well as promoting the development of international standards around data protection by contributing to the discussions about the UN’s post-2015 development agenda and the preparation of the 2016 World Humanitarian Summit.


DNA

Genetic samples are some of the most sensitive forms of personal data. DNA holds the key to a person’s identity and as such must be protected with the utmost care. DNA profiling can be useful in criminal investigations, and for medical purposes like paternity testing, but increasingly governments are seeking the ability to search vast databases of DNA profiles in the hope of solving future crimes. In addition to the DNA of convicted criminals, police forces are also demanding access to the genetic profiles of innocent people who were once wrongfully arrested, or those who have donated DNA on an (ostensibly) anonymised basis for health research. Over 60 countries worldwide have developed DNA databases to detect, investigate and prosecute crime. The United Kingdom holds the largest database of this kind. Although this information is legitimate and relevant for the protection of public safety, these databases must be tightly regulated to ensure compliance with human rights. The collection of genetic samples must be limited to serious crimes in which DNA is relevant to the investigation, genetic information must be used in a proportionate manner, and profiles must not be retained beyond what is necessary in a democratic society.


We have worked with leading organisations to build awareness of the risks of collecting and retaining DNA for forensic purposes. We also conduct research on the emergence of these policies and help our international partners to engage in the subsequent debates. Where necessary, we have filed briefs with international human rights courts.


Financial Privacy

Financial institutions handle huge amounts of important information about their customers, and they are increasingly being required to collect information that far exceeds their legitimate purposes in order to assist governments and companies to build profiles. Potential infringements of financial privacy arise during the tracking of foreign transactions, the development of payment systems that monitor and report on cash transactions and the sharing of financial information with third parties. Governments and other institutions seek access to financial information in order to administer taxes, prevent and identify money laundering, develop credit profiles and, increasingly, for intelligence purposes. Customers’ information held by financial institutions must be limited to what is necessary to serve the purpose of the commercial relationship between the customer and the institution. It must not be used for other commercial transactions between the institution and any third parties with whom the customer does not have a relationship. We engage with technology communities and industry on payments systems that seek to change the ways in which financial transactions take place. We have pursued legal actions against the Bush Administration’s policy of accessing global financial flows for intelligence purposes, which led to regulatory and policy action across Europe and Canada. We continually monitor the various laws and institutions that promote the collection and analysis of financial information.


Freedom of Expression

Freedom of expression and privacy are two sides of the same coin – and we need both for full participation in democratic society. Surveillance techniques that prevent individuals remaining anonymous when producing or accessing information both infringe privacy and have a chilling effect on free expression. Building an unfettered public debate requires a private sphere in which citizens can express themselves without intervention or interference. The increasing importance of Internet communications for those living under repressive regimes has served to highlight the fundamental dependence of free expression upon information security. Privacy is also vital to the protection of journalistic integrity; when journalists’ privacy is routinely undermined, whistleblowers and other anonymous sources will refrain from sharing information about wrongdoing and corruption because they fear for their livelihoods or their lives. The right to protection of sources is well recognized in international law. The United Nations, the Council of Europe, the Organisation of American States, the African Union, and the Organization for Security and Co-operation in Europe, have specifically guaranteed it. The European Court of Human Rights has found in several cases that privacy is an essential part of freedom of expression. We campaign around the world on the protection of free expression through the protection of privacy. We have conducted global studies on censorship practices and on the protection of journalistic sources, and critically assessed technologies and laws that promote censorship and place individuals under surveillance in order to chill their rights to free expression.


Government Transparency

Protecting privacy involves watching the watchers. We use public information and freedom of information requests to monitor surveillance practices and policies, uses of new technology and the security of government-held information. In recent years, nations around the world have made great strides in giving their citizens access to government records as a means of fighting abuse of authority and corruption, and promoting freedom of the press. Public records also present some of the most difficult privacy challenges. On one hand, they may assist individuals in ensuring that a government remains transparent and accountable. On the other, they may be converted from this tool of citizen empowerment to one that empowers governments and businesses to track citizens. Public records laws are also vital to the enforcement of critical privacy rights such as guarding against the creation of secret databases, enforcing the right to correct inaccurate information, and knowing when, where, and how information collected on citizens is used.


Human Rights and Constitutional Protections

Human rights conventions and national constitutions almost universally call for the protection of the right to privacy – the challenge is ensuring that governments comply with this requirement, particularly with respect to new technologies and in countries that lack the rule of law. The modern privacy benchmark at an international level can be found in Article 12 of the 1948 Universal Declaration of Human Rights, which specifically protects territorial and communications privacy. Numerous other international human rights treaties recognize privacy as a right: Article 17 of the International Covenant on Civil and Political Rights 1966, Article 14 of the United Nations Convention on Migrant Workers, and Article 16 of the UN Convention of the Protection of the Child. Regional conventions that recognize the right to privacy include Article 10 of the African Charter on the Rights and Welfare of the Child, Article 11 of the American Convention on Human Rights, Article 4 of the African Union Principles on Freedom of Expression, Article 5 of the American Declaration of the Rights and Duties of Man, Article 21 of the Arab Charter on Human Rights, and Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms.


Constitutions regulate the relationship between citizens and the State and thus form the bedrock of civil, political and human rights protections. Constitutional protections of privacy have enabled human autonomy and curtailed significant government initiatives to interfere with individual rights in many countries around the world. We work closely with international institutions to protect the right to privacy as enshrined in international conventions. We also work with groups in various countries to draw attention to how their national governments’ surveillance measures may not comply with international human rights, or with the language of their constitutions. We aim to help governments and legal institutions understand how privacy and technological change should be reflected in their constitutional frameworks.



ID

Identity card programmes not only cost governments billions, but also give rise to significant human rights problems and potential miscarriages of justice. Nationwide ID programmes are established for a variety of reasons – race, politics and religion often drive their deployment. Studies of national ID card programmes have consistently found that certain ethnic groups are disproportionately targeted for ID checks by the police. During the Rwandan genocide, ID cards designating their holders as Tutsis cost thousands of people their lives. An ID card enables disparate identifying information about a person that is stored in different databases to be easily linked and analyzed through data mining techniques. This creates a significant privacy vulnerability, especially given the fact that governments usually outsource the administration of ID programmes to unaccountable private companies. ID cards are also becoming ‘smarter’. For example, biometric identification is widely used today. Biometrics is the identification or verification of someone’s identity on the basis of physiological or behavioral characteristics. It involves comparing a previously captured unique characteristic of a person to a new sample provided by the person. This information is used to authenticate or verify that a person is who they say they are.


We have campaigned across the world against the introduction of multi-purpose identification policies. We coordinated actions and led research initiatives in Australia, Canada, the Philippines, the UK and the US and led an international coalition against the International Civil Aviation Organisation’s policy on biometric passports. We work with our international partners to ensure that debates over identity systems are sufficiently informed about the risks of abuse and the challenges in deploying identity systems.



Visual Surveillance

Surveillance cameras and facial recognition are used to monitor public and private spaces and to identify people. The effectiveness of this technology is up for debate, but it is nevertheless becoming both more pervasive and more invasive. Surveillance cameras (also known as Closed-Circuit Television or CCTV) are increasingly being used to monitor public and private spaces throughout the world. The leader in this trend is the United Kingdom. Governments and law enforcement authorities have used video surveillance in various circumstances ranging from the investigation of crimes, the protection of urban environments and government buildings, traffic control, the monitoring of demonstrators and in the context of criminal investigations. Proponents contend that video surveillance is both a deterrent to criminals and an aid to solving crime. Camera systems are usually rolled out with little prior research into the effectiveness or appropriateness of the technology, in many cases simply because the impression of heightened security is good PR for local government. Studies of the efficacy of CCTV in preventing crime have been inconclusive at best. Facial recognition systems use computerized pattern-matching technology to automatically identify people’s faces. While still very much in its infancy, it raises significant public policy questions because it enables the covert identification and classification of people in public.


Analysis

What Happens in Malaysia

Surveillance policies

Lawful Access Powers of Government Agencies

The Malaysian Anti-Corruption Commission Act 2009 empowers the Attorney General to authorize phone intercepts and wiretapping in corruption investigations. Information obtained in this manner is admissible evidence in a corruption trial. The Communications and Multimedia Act 1997 empowers a public prosecutor to allow law enforcement agents to perform a lawful interception on the condition that communications might contain relevant information for the purposes of an investigation or offence under the Act or under subsidiary legislation (section 252).

Intelligence and Surveillance Oversight

The primary intelligence agency in Malaysia is the Royal Malaysian Police’s Special Branch. Modeled after the British Special Branch, this department is empowered to acquire and cultivate intelligence on internal and foreign threats to the country, including espionage, subversive activities, extremism and sabotage. This department is part of the Royal Malaysian Police, which in turn comes under jurisdiction of the Ministry of Home Affairs. It serves not only to gather intelligence in the interest of the nation but is also empowered to investigate, analyse and advise the government on the necessary course of action on the police force as well as related agencies. Malaysia’s military intelligence service is Kor Risik DiRaja, also known as the Royal Intelligence Corps. Set up in 1969, it specializes in intelligence gathering, analysis, reconnaissance, surveillance, psychological warfare and counter-intelligence efforts, on top of the propaganda efforts of the Malaysian armed forces. It often operates within the context of defence and national security. The Special Branch comes under the purview of the Ministry of Home Affairs, which is headed by the Home Minister who is in turn a member of the ruling Cabinet and an elected parliamentarian. The military operates in theory under the aegis of the King, but operationally it has a chain of command that ultimately answers to the Executive (the Prime Minister). In practice, there are no effective oversight bodies that monitor the legality of their activities and in some respects there are draconian laws in place that empower services, rather than provide a check against possible abuses. There is no single law that restricts these activities and in effect, action is almost nonexistent in the event of transgressions by these agencies.

Immigration and Privacy

As of August 2011, the Malaysian government was undertaking a large scale exercise to biometrically register immigrant workers in the country. This registration is not without glitches because of its large scale. Prior to this, passports and/or working permits of immigrants were deemed sufficient. One of the reasons for this registration is the presence of a large number of illegal workers as well as workers who violate permit conditions.

Travel and Borders

The Malaysian Passport as well as the MyKad (national identity card) contain smart chips with biometric information that is scanned at entry/exit points at all the country borders. The customs/immigration authorities as well as the security authorities routinely check and inspect any cargo, luggage and personal effects of travelers if deemed necessary.

Profiling/Data Mining

The Personal Data Protection Act 2010 was aimed at regulating the processing of personal data in the context of commercial transactions by data users, and providing a safeguard for the interests of data subjects. This includes commercial transactions and matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance. The act offers new legal rights and obligations in connection with the employer-employee relationship, mergers and acquisition transactions involving staff issues, and also governs the discharge of certain professional services. The mandated rights include provisions such as individuals being informed about personal data as well as the right to access, correct and control the processing of their personal data by other parties. There are also rights specifically relating to the processing of personal data for direct marketing purposes. This Act is expected to have an impact in the practice of data mining (especially for commercial interests) and may change marketing and direct selling strategies.

Communications Surveillance and Data Retention

Section 73 of the Communications and Multimedia Act 1998 empowers the gathering of all relevant communications from individuals and organisations. This section applies to any person if the Commission has reason to believe that the person: has any information (including but not limited to accounts and records) or any document that is relevant to the performance of the Commission’s powers and functions under this Act or its subsidiary legislation; or is capable of giving any evidence which the Commission has reason to believe is relevant to the performance of the Commission’s powers and functions under this Act or its subsidiary legislation. Section 77 of the Communications and Multimedia Act 1998 provides for the retention of data and documents as long as the Multimedia Commission deems necessary. No time frame is provided for the retention of such data.

Visual Surveillance

CCTVs are used in many public spaces, including government buildings, banks, hotels, public spaces and pedestrian malls and roads. In mid-2004, the government introduced CCTVs in many public spaces in an effort to curb snatch thefts. The Government is considering rolling out Facial Recognition (FR) and Automated Plate Number Recognition (APNR) systems to boost crime prevention, border control and enforcement of traffic laws. The biggest concern about the FR and APNR systems is the privacy concern that governments would abuse the ability to track their citizens at all times. In the APNR system, data could be obtained illegally by hackers and used for other purposes. The policy is under consideration, and there have been no recent developments regarding either system from the Government.

Cybercafes and Internet Services

There are no identity requirements for access to cybercafes. Individuals are not required to provide identity when accessing services, and bloggers and social networkers are not required to identify themselves using government identification.


Cyber Security

Cyber security is governed by the Malaysian Communications and Multimedia Commission (MCMC) via a two-pronged approach. The Communications and Multimedia Act 1998 empowers instruments to be issued either by the Minister or the Commission in the form of a Direction or a Determination. The Minister in charge can issue a Determination on any matter specified in the Communications and Multimedia Act 1998 as being subject to Ministerial Determination without consultation with any licensees or persons. The MCMC can also issue Directions to any person regarding the compliance or non-compliance of any licence condition, and including but not limited to the remedy of a breach of a licence condition. The government has the ability to block a website or websites if they deem the content sensitive (Section 211 of Communications and Multimedia Act 1998).


Privacy Issues

Identity management

The National identity card (MyKad) is issued to all citizens who apply for it and the minimum age for obtaining a MyKad is 12. The MyKad is a mandatory form of identification: there is a duty to carry and produce the MyKad, and failure to do so is punishable by sanctions such as fines, or even imprisonment. Most official transactions require the MyKad to be furnished. Biometric information is contained within the MyKad.

Medical Privacy and Health Management

The Private Healthcare Practitioners Act, public health laws, and insurance laws all touch on privacy in the access of medical and health care services. There are no requirements to disclose or collect information, such as HIV registration. There is, however, a move towards digitising health records. Two hospitals in Malaysia have already gone paperless; one primary healthcare facility also has an electronic health record and does not maintain a paper record. In addition, in 1985 a Teaching Hospital in Kuala Lumpur developed a Health Information Management Administration System (HIMAS) using an IBM mainframe computer covering patient admission, transfer, and separation (ATS), appointment scheduling and a medical records tracing system.


Data Sharing

The PDPA does not meet the standards set out by Article 29 of the European Union Working Party, which means Malaysia would not be able to process any transaction involving personal data coming out of the EU.

Financial Privacy

Banks in Malaysia are required to have a copy of the customer’s MyKad information, including card number, customer’s name, age, sex, race, address, and email. The Banking and Financial Institutions Act 1989 requires banks to report suspicious transactions to the Bank Negara (Central Bank). The Inland Revenue Board can access financial information with a court order. The same applies to the Police and the Securities Commission when investigating white collar crimes like fraud, insider trading and other finance-related crimes.

Consumer Privacy

Although consumer privacy is an issue in Malaysia, particularly with respect to advertising through mobile phones, it has not garnered any significant public attention. There has yet to be a case litigated on this subject; consumer issues are addressed in the Data Protection Act.


Gender

In the context of sex offences, Malaysian Courts often hold trials in camera, with strict injunctions barring media from mentioning the names of persons of interest in the case. The media too exercises discretion by not running the victim’s name and picture. However, this remains a discretion and is not legislated. However, there was a case in 2009 where a female politician’s intimate pictures were distributed online in what was clearly a violation of privacy, but there was never any prosecution carried out of the alleged perpetrator or efforts made to bring him back from Indonesia where he reportedly fled after the pictures were distributed on Malaysian blogs. This created a public uproar, underscoring the need for a privacy law. Similarly, another politician was forced to resign from a major political party after footage illegally made of him and his partner made the rounds on the Internet. Similarly, this case did not result in a prosecution and scant attention was paid to the fact that the politician’s right to privacy was violated.

International Obligations Pertaining to Privacy

Malaysia has participated in the APEC’s Electronic Commerce Steering Group’s Data Privacy Subgroup since 2003. This subgroup developed the APEC Privacy Framework that named nine privacy principles including the prevention of harm, notice, collection limitation, uses of personal information, choice, integrity of personal information, security safeguards, access and correction, and accountability. APEC adopted the Privacy Framework in 2004, and it was subsequently endorsed by member countries. Malaysia acceded to the UN Convention on the Suppression of Financing of Terrorism in May 2007. Malaysia is not a signatory of the Convention on Cybercrime.


Research Images

