One of the security threats is confidentiality breach. Explain what it is, how it can be detected and how it can be prevented.
Risks of Access: Potential Confidentiality Breaches and Their Consequences:
Statistical and research agents must provide access to the data they collect. At the same time, however, they are charged with protecting the privacy of the data. Such charges are based on three basic assumptions: moral, legal, and practical. The ethical obligation, based on the Belmont Report (National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research, 1979), requires agencies to strive for a good balance of risk and harm to test respondents. Legally, they are bound by organizational rules to honor the confidentiality promises they make, with potential civil and criminal penalties if they fail to do so. At the pragmatic level, their ability to collect high quality data from respondents will be compromised by actual breach of privacy or visibility. This chapter explains in detail the three beliefs.
Confidentiality states that publicly available data - whether summarized or microdata and including any data added to administrative records or other research - will be de-identified or otherwise concealed to ensure that it will not be used to identify a specific person, home, or organization indirectly with careless statistics. Such a guarantee would also mean that easily identifiable information would be available for research purposes only through limited access methods that impose legal obligations and risk reduction penalties for researchers who have access to such information that they could disclose to others. An example of information that easily identifies a household is group-capture survey records that, although stripped of names and addresses, contain codes for small residences.
Suggested Citation: "4 Access Risks: Potential Privacy Violations and Consequences." National Research Council. 2005. Expanding Access to Research Information: Risk Adaptation and Opportunities. Washington, DC: National Academies Press. doi: 10.17226/11434.
The reason for the promise of confidentiality and strict procedures to prevent disclosure is that they improve the quality of data collected from individuals, homes, and firms. It is important for respondents to believe that they can provide complete information, without fear of the information being disclosed. Indeed, if the details are disclosed, the risk is likely to arise for each respondent. Many government-sponsored surveys ask about sensitive topics (e.g., income or alcohol consumption), as well as exclusion and even illegal behavior. Disclosure of such information may expose the respondent to loss of dignity, employment, or civil or criminal penalties. In addition, breach of confidentiality may violate the law of respect for those who agree to participate in the study, even if the disclosure involves innocent information that will not lead to social, economic, legal, or other harm (see National Research Council, 2003b: Ch. 5).
The emergence of violations threatens the research business itself, as concerns about privacy and confidentiality are among the most common reasons given by potential respondents for refusing to participate in research, and those concerns have been shown to affect ethics. Any known breach of privacy will likely increase that concern and, similarly, reduce the response rate in the study. Efforts to increase researchers' access to data should, therefore, address the need to avoid increasing the actual and perceived risks of breach of privacy.
This chapter begins with a review of research linking survey non-response to concern about confidentiality. The entire chapter discusses some of the possible ways in which breach of privacy may arise, with particular reference to how increasing access may increase the actual and perceived risks of breach of privacy. While much of this report focuses on the creation of statistics - recidivism of respondents or their attributes by comparing randomized research data with data obtained without research - these components serve as a reminder that statistical disclosure is not one, and perhaps not even the most important, where privacy can be violated. They also serve as a reminder that public perceptions that personal information is being misused may be a barrier to the participation of respondents as a breach of confidentiality.
CONFIDENTIAL ANALYSIS AND DISCLOSURE OF RESPONSE TO MARKS AND ASSESSMENT
The first indication that privacy concerns increase the refusal to
participate in government research comes from a National Research
Council funded by the US Census Bureau in the late 1970s (National
Research Council, 1979), but more evidence comes from a series of
studies conducted by the Census Bureau in the 1990s. In the 1990
census, for example, people who were concerned about
confidentiality and saw census as a secret attack were less likely
to regain their post-census form than those who had fewer privacy
and confidentiality issues (Artist, Mathiowetz, and Couper, 1993;
Couper, Singer, and Kulka, 1998). Although such attitudes describe
a small number of variance in population returns (1.3 percent),
this rate represented a large number of people who had to
personally follow to obtain the information needed for the
census.
A postal return analysis of a sample of respondents in the 2000 census revealed similar results. Once again, respondents with a major privacy and confidentiality problem were less likely to return their census forms by mail. The differences in population census described by theories about privacy and confidentiality were very similar to those found in 1990 (Artist, Van Hoewyk, and Neugebauer, 2003). In 2000, respondents with a major privacy and confidentiality problem were less likely to give an address to Gallup interviewers in order to match their survey responses to a retrieval file, and they were less likely to answer a question about their salary.
One way to look at the effect of privacy concerns is to look at the relationship between beliefs that census can be misused for the purpose of enforcing the law and the tendency to return the census form. Of the 478 respondents in the 2000 Gallup poll that believe that census data was not used for three purposes (identifying illegal immigrants, tracking people in conflict, and applying census responses to respondents), 86 percent returned their census form by post. The percentage dropped to 81 percent of those who chose one-third (N = 303), to 76 percent to those who chose two items (N = 255), and 74 percent to 171 respondents who chose all three items (Artist, Van Hoewyk, and Neugebauer, 2003). In 1990, return rates dropped from 78 percent to 55 percent in the same index of privacy concerns (Artist, Mathiowetz, and Couper, 1993). Considering the cost of obtaining personal information that can be sent by post, this reduction in the chances of retrieving the census form has significant consequences. Other research with
the 2000 census is consistent with these findings: one study
(Hillygus et al., 2006) concludes that the 2000 census rate would
be about 5 percent if there were no public concern about privacy
and what the media and other political leaders perceive as
unnecessary "confusion".
There is also indirect evidence that requests for information on the respondent census form that they consider critical lead to high levels of non-response to all critical issues and the entire questionnaire. For example, a 1992 survey involving the Census Bureau's request for Social Security numbers resulted in a 3.4 percent decrease in census returns and a 17 percent increase in the number of returned questionnaires and missing data (Dillman, Sinclair, and Clark, 1993). Experiments involving the application of Social Security numbers conducted during the 2000 census led to similar results (Guarino, Hill, and Woltman, 2001: 17).
Of particular interest in this context is the finding that concerns about confidentiality and a negative attitude towards data sharing increased significantly between 1995 and 2000 (Singer et al., 2001: Tables 2.16-17, 2.21-29). Individual commitment to providing their Social Security numbers has also declined, from 68 percent in 1996 to 55 percent in 1999 (Singer et al., 2001: Table 2.45). Several studies (summarized in Bates, 2005) have also shown that it is becoming increasingly difficult for the Census Bureau to obtain Social Security numbers. In the Survey of Income and Program Participation, there was an increase in refusal to grant them from 12 percent on the 1995 panel to 25 percent on the 2001 panel; in the Current Population Survey, there was an increase in rejection from about 10 percent in 1994 to about 23 percent in 2003.
Evidence of the effects of concerns about privacy and confidentiality in response to non-governmental research is provided by a series of small trials conducted in the context of the Survey of Consumer Attitudes (SCA). The SCA is a national survey conducted monthly at the University of Michigan, in particular to measure expectations and economics.
The first trial, conducted in 2001, was designed to investigate the risks and benefits that respondents perceive in two specific studies - the National Survey of Family Growth (NSFG) and the Health and Retirement Study (HRS) - and how these ideas affected their willingness to participate in the study. After hearing the description of each study, respondents were first asked whether they would agree to participate in the study or not, and if not, why not; they were then asked if they thought each of these groups (family, business, employers, and law enforcement) could find their answers and how much they could think if they did. Both are a significant risk of abandonment
Confirmation (how it is possible for different groups to appear to
have access to respondents' responses and their names and
addresses) and the apparent damage of disclosure (how many
respondents would enjoy such disclosure) strongly predicted
people's willingness to participate in the study described. The
benefits received, as well as the amount of risk that gained, were
also significant.
In January and April 2003, two similar tests were performed at SCA (Singer, 2004). The introduction of both surveys revealed the possibility of a record connection - medical records in the case of the NSFG and government (financial) records
Respondents who indicated they would not be willing to participate in the defined study (48% of the sample) were asked why they would not do so. The most common reasons given - 59 percent of all the reasons mentioned earlier - were that these surveys were not personal or intervening or that they objected to providing financial or medical information or providing access to medical or financial records. As in the previous trial, perceptions of disclosure risk, disclosure risk, individual benefit and well-being, and the amount of risk exposure were strong and important predictions of people’s willingness to participate. Similarly, a 2000 census-related study found that respondents began to look at privacy issues with higher levels of non-response to questions of a longer census form than the control group (Hillygus et al., 2006).
This study identifies the significance of the risk perceptions of disclosure, as well as the actual risk. Public awareness of secret violations in non-government surveys can negatively affect perceptions of the risks involved in participating in government investigations. That is, public information about breach of the privacy of an employee of a state benefit agency or private insurance company may raise concerns about such violations by government statistical agencies, such as the Census Bureau. Similarly, public knowledge of the legal requirements for referenced records, such as subpoenas of personal information by law enforcement agents or attorneys for defendants or defendants, may raise such concerns. Concerns and similar consequences may result from identity theft, with unauthorized access to a personal credit card account and Social Security numbers; on the misuse of medical records by organizations (e.g., insurance companies) that have a right of access to them for administrative purposes; or the misuse of administrative records or survey records by data collection staff. And, as noted above, such concerns about privacy have a negative impact on government research opportunities.
WHY IT HAPPENS THAT THIS SECURITY IS POSSIBLE
Neglect and illegal court appearances:
Researchers have found a variety of ways in which the privacy of individual respondents may be violated. Perhaps the most obvious and common threat to confidentiality of research data comes from simple negligence - not deleting identifiers from queries or electronic data files, leaving cabinets unlocked, not encrypting files containing identifiers, talking about certain respondents with others not authorized to have this information. While there is no evidence that respondents have been harmed by such negligence, it is important that government data collection agencies and private testing organizations identify these issues, provide staff guidelines for data management, and ensure that guidelines are observed.
Confidentiality can also be violated due to illegal access to data. For example, in 1996, ten Social Security employees (bribed by outsiders) were found stealing personal information from agency computers. The key piece of information was the names of the mothers' daughters, who were kept in a database with password protection but a stronger security than protecting salary statements and other confidential information. The information was used to create credit cards for residents of the New York area. Theft of your personal information has been growing in the news ever since.
As detailed information collected under securities becomes increasingly available to researchers through licensing agreements or research data centers, the chances of sudden disclosure due to negligence and unintentional risk can also increase unless strong academic and observational efforts go hand in hand with this approach.
However, the magnitude of the problem is not readily available, either by examining past information or predicting future results. Many media outlets have reported damage to the theft of data from sources such as credit card and banking information. In contrast, there is no documentary evidence of injury to misuse of research data or negligence by investigators or others. All in all, very little is known about the extent to which breach of trust may have occurred in such cases or the actual loss of persons. In most cases, trying to break it is hard to find, and relying on your own reporting is a problem. For example, a July 1993 study by Harris reported that 3 to 15 percent of the population, depending on the individual or organization in question
about, they believe that medical information about them was ever
misinterpreted, and about one-third of these claims were harmed by
their disclosure (Artist, Shapiro, and Jacobs, 1997). But the
accuracy of these reports is unknown. In addition, disclosure of
medical information to an insurance company may not be permitted by
law but may be considered invalid by study respondents.