MN30281Outline2019 0
Unit Convenor:
The aim of this unit is to examine in-depth current controversies, topics and theories in
the area of privacy in information systems and its relation to the subjects of trust and
security.
As information systems become more social, and personal, in nature, so almost all recent
developments in information technology pose critical questions around privacy, trust
and security issues. This unit begins by examining the nature of privacy and trust, taking
a multi-disciplinary look at how each can be discussed, particularly considering current
technology. A series of case studies (e.g. data mining; surveillance and the workplace,
cyber-crime, tracking of children, economics of privacy and security) are then used to
develop an understanding of the role of privacy, security and trust in the
implementation and acceptance of new technology. The regulatory and legal
environment (e.g. data protection laws) is also considered, alongside potential methods
for organizations to understand the role of privacy and security in their use of
information systems.
Some wide and important questions are addressed along the way, e.g.
Is privacy an important human right?
Is privacy over-valued in current debates?
Is technology fundamentally changing our attitudes towards privacy?
Are we building organizations that are inherently leak-prone?
Do attitudes towards privacy vary across cultures, and if so why?
What makes us vulnerable to scams?
How does encryption work and is it effective?
Unit Administration
The Moodle course for the unit will be the site where some reading and copies of
important documents, like this outline and the assignment specifications, will be made
available, and where assignments will be submitted and feedback on them returned.
An extended version of this document, including recommended reading for all topics,
is included in this.
If you are not a member of the Moodle course, then please contact the unit convenor
(contact details at the head of the document).
3 | Privacy and technology, including the impact of big data. Introduction to the group assignment – what makes a good submission? | Consider the impact of big data – what kind of difference (if any) does it make to privacy.
4 | Privacy and law – the EU’s “right to be forgotten” and the General Data Protection Regulation and the US approach. Developments in the rest of the world. | Consider the organization type that your group is selecting – what are the privacy concerns of its clients/customers?
My office hours are identified in Moodle, but please contact me in advance, via the
booking facility. The IDO group now inhabits an open plan office, so conversations with
students need to take place to a schedule in secluded meeting rooms.
Suggested background reading:
Topic-specific reading
Solove, Daniel J., "A Taxonomy of Privacy". University of Pennsylvania Law Review, Vol.
154, No. 3, p. 477, January 2006 Available at SSRN: http://ssrn.com/abstract=667622
Morozov, Evgeny (2013), The Real Privacy Problem, MIT Technology Review, October
2013.
Margulis, S.T. (2003). On the status and contribution of Westin’s and Altman’s theories
of privacy. Journal of Social Issues, 59, 411-429.
Warren, S., & Brandeis, L. D. (1890). The right to privacy. Harvard Law Review, 4,
193–220.
Froomkin, A.M. (2000). The death of privacy? Stanford Law Review, 52, 1461-1543.
danah Boyd and Kate Crawford (2011), Six Provocations of Big Data, A Decade in
Internet Time: Symposium on the Dynamics of the Internet and Society,
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1926431.
Omer Tene & Jules Polonetsky (2012), Privacy in the Age of Big Data, Stanford Law
Review, http://www.stanfordlawreview.org/online/privacy-paradox/big-data
Gideon, J., Cranor, L., Egelman, S., Acquisti, A. (2006). Power strips, prophylactics, and
privacy, oh my! Proceedings of the second symposium on Usable privacy and security,
133-144.
Susan Landau, Making Sense from Snowden: what's significant in the NSA surveillance
revelations? (2013) IEEE Security and Privacy, July/August 2013, 54-63. (available from
http://www.computer.org/cms/Computer.org/ComputingNow/pdfs/MakingSenseFromSnowden-IEEESecurityAndPrivacy.pdf)
Arvind Narayanan and Dillon Reisman, The Princeton Web Transparency and
Accountability Project, http://randomwalker.info/publications/webtap-chapter.pdf .
Appearing in Cerquitelli, Tania, Quercia, Daniele, Pasquale, Frank (2017) Transparent
Data Mining for Big and Small Data.
Waldman AE. (2018), Privacy, Notice, And Design, 21 Stan. Tech. L. Rev. 129,
https://law.stanford.edu/wp-content/uploads/2018/01/Waldman_FINAL-Formatted-011818.pdf
Bennett, C. and Raab, C. (1997), The Adequacy of Privacy: The European Union Data
Protection Directive and the North American Response, The Information Society Volume
13, Issue 3, pp. 245-64.
Pearce, G. and Platten, N. (1998), Achieving Personal Data Protection in the European
Union. Journal of Common Market Studies, vol. 36 pp. 529–547.
Bergkamp, L. (2002), The Privacy Fallacy: Adverse Effects of Europe's Data Protection
Policy in an Information-Driven Economy, Computer Law & Security Report, 18 (1), pp.
31-47.
Esteve, A. (2017), The business of personal data: Google, Facebook, and privacy issues in
the EU and the USA. International Data Privacy Law, 7(1).
Waldman, AE (2016). Privacy, Sharing, and Trust: The Facebook Study, 67 Case W. Res.
L. Rev. 193, https://scholarlycommons.law.case.edu/caselrev/vol67/iss1/10
Sultan, F., Urban, G.L., Shankar, V. & Bart, I.Y. (2002) Determinants and role of trust in
e-business: A large scale empirical study. MIT Sloan School of Management working paper
4282-02. Available online at https://dspace.mit.edu/bitstream/1721.1/1826/2/4282-02.pdf
Paine, C.B. & Joinson, A.N. (2008). Privacy, Trust and Self-Disclosure. In A. Barak (Ed.),
Psychological Aspects of Cyberspace: Theory, Research, Applications. Cambridge:
Cambridge University Press.
Papadopoulou, P., Andreou, A., Kanellis, P., Martakos (2001). Trust and relationship
building in electronic commerce. Internet Research, 11, 322 - 332
Michelle Carter, Ryan Wright, Jason Bennett Thatcher & Richard Klein, Understanding
online customers’ ties to merchants: the moderating influence of trust on the
relationship between switching costs and e-loyalty, European Journal of Information
Systems, 2014, 23: 185-204.
Resnick, P., Zeckhauser, R., Friedman, E., & Kuwabara, K. (2000). Reputation systems.
Communications of the ACM, 43 (12), 45-48.
Bhattacherjee, A. (2002) Individual trust in online firms: Scale development and initial
test. Journal of Management Information Systems, 19, p.211-241
Morey, T. et al (2015), Customer Data: Designing for Transparency and Trust, Harvard
Business Review, vol 93: 5 97-105.
Spagnoletti, Paolo and Resca, Andrea (2008) The duality of Information Security
Management: fighting against predictable and unpredictable threats. Journal of
Information System Security, 4 (3). p. 46-62.
Schneier, B. (2004), Secrets and Lies: Digital Security in a Networked World, Wiley,
Chichester.
Adams, A. and Sasse, M. A. 1999. Users are not the enemy. Communications of the ACM
42, 12 (Dec. 1999), 40-46.
West, R. (2008). The Psychology of Security. Communications of the ACM, 51 (4), 34-40
Flechais, I., Riegelsberger, J., and Sasse, M. A. 2005. Divide and conquer: the role of
trust and assurance in the design of secure socio-technical systems. In Proceedings of
the 2005 Workshop on New Security Paradigms (Lake Arrowhead, California, September
20-23, 2005). NSPW '05. ACM, New York, NY, 33-41
Dhamija, R., Tygar, J.D., & Hearst, M. (2006). Why phishing works. Proceeding CHI
2006, ACM Press (2006), 581-590.
Anderson, R. & Moore, T. (2006). The Economics of Information Security, Science, Vol.
314, pg 610-613.
Goucher, W., (2010). The Battle for Autonomy. Computer Fraud and Security, 2010,
issue 9, pp. 5-7.
Anderson, R., Stajano, F and Lee, J (2002), Security Policies, Advances in Computers,
http://www.cl.cam.ac.uk/~fms27/papers/2001-AndersonStaLee-policies.pdf.
Boh, W., Sia, S., Soh, C. & Tang, M., ed. 2000. A Contingency Analysis of Post-Bureaucratic
Controls in IT-Related Change. ICIS 2000, December 10-13, 2000, Brisbane, Australia.
Brewer, D.F.C & Nash, M.J.(1989). The Chinese Wall security policy. IEEE, p. 206-214.
Clark, D. D. & Wilson, D. R., ed. 1987. A Comparison of Commercial and Military
Computer Security Policies., p. 184-194.
Chen, Yan; Ramamurthy, K.; Wen, Kuang-Wei, 2012. Organizations' Information Security
Policy Compliance: Stick or Carrot Approach? Journal of Management Information
Systems. Winter 2012, Vol. 29 Issue 3, p157-188.
Siponen, Mikko; Adam Mahmood, M.; Pahnila, Seppo, 2014. Employees’ adherence to
information security policies: An exploratory field study. Information & Management.
Mar2014, Vol. 51 Issue 2, p217-224.
Stahl, Bernd Carsten; Doherty, Neil F.; Shaw, Mark (2012). Information security policies
in the UK healthcare sector: a critical evaluation. Information Systems Journal. Vol. 22
Issue 1, pp. 77-94.
Ethics and Information Technology, vol 7, no 1 (2005) Special Issue on Privacy and Data
Privacy Protection in Asia
Milberg, S.J., Burke, S.J., Smith, H.J. and Kallman, E.A. (1995), Values, personal
information privacy, and regulatory approaches, Communications of the ACM, vol 38, 12,
65-74.
Milberg, S.J., Burke, S.J. and Smith, H.J (2000), Information Privacy: Corporate
Management and National Regulation, Organization Science, vol. 11, 1, 35-57.
Francis Harvey, (1997) "National cultural differences in theory and practice: Evaluating
Hofstede’s national cultural framework", Information Technology & People, Vol. 10 Iss:
2, pp.132 – 146
Kennedy, G. et al, (2009), Data protection in the Asia-Pacific region, Computer Law &
Security Review 25, 59–68
8. Criticisms of Privacy
Etzioni, A. (2007). Are New Technologies the enemy of privacy? Knowledge, Technology
and Policy, 20 (2), 115-119.
Etzioni, Amitai, Ultimate Encryption (May 11, 2015). South Carolina Law Review, Vol.
67, No. 3. Available at SSRN: https://ssrn.com/abstract=2605153
Dulipovici, A. and Baskerville, R. (2007). Conflicts between privacy and property: The
discourse in personal and organizational knowledge, The Journal of Strategic
Information Systems 16 (2) 187-213.
Posner, Richard A., (1978), The Right of Privacy. Sibley Lectures. Paper 22.
http://digitalcommons.law.uga.edu/lectures_pre_arch_lectures_sibley/22
Joinson, A., & Whitty, M. (2008). Watched in the workplace, Infosecurity, Volume 5,
Issue 1, January-February 2008, Pages 38-40.
Handy, C. (1995). Trust and the virtual organization. Harvard Business Review, 73,
40–50.
Hoffman, D.L., Novak, T.P. and Peralta, M. (1999) Building consumer trust online.
Communications of the ACM, 42, 80-85
Bos, N., Olson, J.S., Gergle, D., Olson, G.M., and Wright, Z. (2002). Rich Media Helps
Trust Development. In Proceedings of CHI 2002, 135-140. New York: ACM Press.
Jarvenpaa, S.L., Knoll, K. and Leidner, D.E. (1998) Is anybody out there? Antecedents of
trust in global virtual teams. Journal of Management Information Systems, 14, 29-64.
Ridings, C.M. et al. (2002). Some antecedents and effects of trust in virtual communities.
Journal of Strategic Information Systems, 11, 271-295
Papadopoulou, P., Andreou, A., Kanellis, P., Martakos (2001). Trust and relationship
building in electronic commerce. Internet Research, 11, 322 – 332
Govani, T. and Pashley, H. (2007), Student Awareness of the Privacy Implications When
Using Facebook, available in Moodle.
boyd, dn and Ellison, N. B. (2007), Social network sites: Definition, history, and
scholarship. Journal of Computer-Mediated Communication, 13(1).
Houghton D. and Joinson, A. (2010), Privacy, Social Network Sites, and Social Relations,
Journal of Technology in Human Services, 28: 1, 74-94.
Joseph Bonneau and Sören Preibusch (2010), The Privacy Jungle: On the Market for Data
Protection in Social Networks, in Moore, T., Pym, D. Ioannidis, C., Economics of
Information Security and Privacy, online at
http://link.springer.com/chapter/10.1007/978-1-4419-6967-5_8# (ensure you are
within the University of Bath network when accessing this resource).
Ben Light, Kathy McGrath, (2010) "Ethics and social networking sites: a disclosive
analysis of Facebook", Information Technology & People, Vol. 23 Iss: 4, pp.290 – 311
Laura Brandimarte and Alessandro Acquisti (2012), The Economics of Privacy, in Martin
Peitz and Joel Waldfogel, The Oxford Handbook of the Digital Economy, OUP. (See also
articles in the same book on subjects such as price discrimination, reputation on the
Internet and advertising on the Internet).
MN30281 Privacy, Trust and Security in Information Systems
Semester 1 2017/8
The essay should not exceed 3500 words, excluding references and diagrams. No
extensions of this word limit will be accepted.
Feedback will come via Moodle within 3 semester weeks, i.e. by the end of the
examination period.
You are encouraged to narrow the field of analysis to address specific industries
and/or organisations, but you should also make it clear what the resulting limitations
are for your conclusions. If you are keen to develop a topic outside of these areas or
address a different question within them, please contact me and we can discuss it.
Summative Feedback
An annotated copy of the essay, together with feedback against the assessment
criteria will be provided via Moodle.
In assessing the work two key factors will be taken into account:
The depth of the investigation - has it gone well beyond the description of the
topic and beyond the coverage in the course itself and the primary reference
works?
Quality of the argument – can the reader follow you through to your
conclusion, while being confident that you have considered alternative views?
There is also a Moodle guide to essay writing at Topic 2 of the Academic Writing
course: http://moodle.bath.ac.uk/mod/imscp/view.php?id=183199 .
1. Privacy in society
Are traditional definitions of privacy still valid with 21st Century technology? Answer
with respect to one or two (not more) forms of IT use in contemporary society.
OR
OR
OR
Discuss the criticisms made of the attention given to privacy by either Amitai Etzioni
or Richard Posner. Are these views becoming more or less valid with the
development of technology?
The EU and the USA have different approaches to data protection. Which, if
either, is likely to be more sustainable in the future?
OR
Are there any implications of Britain’s exit from the European Union for the regulation
of data protection?
OR
“The days of you having a different image for your work friends or co-workers and for
the other people you know are probably coming to an end pretty quickly…Having two
identities for yourself is an example of a lack of integrity.” (Mark Zuckerberg)
OR
OR
Are there good reasons for including privacy provisions in Codes of Practice of IT
professional bodies such as the BCS?
Should different or extra restrictions apply to the use of personal data by state, as
distinct from private sector, organisations?
OR
The EU has recently proposed extending its Data Protection Directive, including
instituting a “right to be forgotten”. Can this be implemented effectively?
8. Economics of Information
9. Security of Information
Are we creating organisations that are inherently insecure in their use of information?
OR
Very poor | Poor | Adequate | Good | Very Good | Outstanding
Demonstrates no knowledge, understanding of the subject matter | | | | | Demonstrates good knowledge, understanding of the subject matter
Merely a description of the subject (task, situation etc.) | | | | | A highly critical evaluation of the subject (task, situation)
No discernible or meaningful conclusions and reflections to the work | | | | | Logical and insightful conclusions that clearly emerge from the analysis.
No evidence of wider reading. | | | | | Has understood and incorporated a range of wider reading
Poorly written – hard to understand | | | | | Very clearly expressed and well written
Background
Your group work task (contributing 30% of the overall module mark) is to develop a video on
a topic related to the course content aimed at people working in a particular industry or type
of organisation which explains to people working within it why and how they should take
account of privacy of personal data. Points made should be aimed at being relevant to that
industry or organisation and in a form which is meaningful to the intended audience.
The industry or organisation may be from the private, public or voluntary sectors. Be really
clear at the start who your audience are. You should ensure that you cover not only the
procedures or access rights, but also the reasons why they are important. Consider what kind
of security conventions are appropriate in that setting and what kind of threats they would
need to counter.
The video should be no more than 5 minutes long. It can take whatever form you think best
communicates the message.
Submission
By 12.00 on Monday 4th December 2017, you must upload your completed video to the
Learning Materials Filestore (http://www.bath.ac.uk/lmf/welcome). It must be shared with
Richard Kamm. Further instructions as to how to do this will be posted if necessary.
The full showing of all the videos will take place to the whole class in the lecture session on
Wednesday 6th December 2017.
The group should also submit a link to an e-portfolio. This will go to an assignment
submission facility in Moodle by 12.00 on Monday 4th December 2017. Only one link is
needed.
The role of the video is to be a clear and coherent explanation of relevant points for the target
audience. It should be a realistic view which is appropriate for the type of organisation: what
kinds of issues are relevant for privacy in this context?
The role of the e-portfolio is to explain your approach to understanding the needs of the
audience, why you selected the content of the video and the presentational style. Principles
and theory, e.g. on definitions of privacy, are relevant here, to explain the underpinning of the
video, rather than in the video itself. It should not contain more than 1200 words, but can
contain links, images, clips and other ways of getting points across.
Types of video:
You may adopt a speaking-to-camera style or use a mix of images and text. There are also
ways of creating animations and uploading them.
A video using animation (working to a different specification to the one used this year) is at
http://people.bath.ac.uk/mnsrmk/AnimatedVideoEg.mp4
There are also other examples of student video work, including:
http://www.youtube.com/watch?v=TEXPM2NM_7c
http://www.youtube.com/watch?v=dGCJ46vyR9o&feature=channel
Technology
Cameras: Can be booked via the Library AV (ground floor). They are standard mini-DV
cameras (you can also book a tripod – recommended). You’ll then need to capture the video
into a PC/Mac. An iPad or iPhone may also produce usable video.
Software:
Adobe After Effects seems popular. There are plenty of others – iMovie for the Mac or iOS, lots of
cheap or free trials for Windows PCs, Microsoft Movie Maker
(http://windows.microsoft.com/en-GB/windows7/products/features/movie-maker)
These will allow the editing of video files, insertion of clips and the creation of music or
voice soundtracks.
If you have video from a camera that does not easily convert to a format which may be used
in an editing programme, contact the unit convenor, who has some software that may do this.
Alternatives:
Camtasia (screen capture – i.e. make a PowerPoint presentation, then
capture the slideshow and add sound): a very easy solution, but you need a really good, clear
idea to do it well. Or you can output Keynote or PowerPoint presentations as videos with
some sound running alongside.
Animation – a variety of free animation services are now available. You usually have to
register an account.
What is an e-Portfolio?
https://www.youtube.com/watch?v=xvqBORISA5k
https://youtu.be/KOFSrV3QOWM