Cybersecurity Ethics — Week 3 · Module 07
Privacy Rights in Cyberspace
A right with constitutional roots, statutory layers, and a substrate of metadata that no framework anticipated. Where security operations meet the limits of what we are permitted to know.
13 slides · ~13 min · Spinello Ch. 5
Slide 2 of 13 · Why this matters here
Privacy Is Where Security Earns or Loses Trust
The frame: security cannot be done without seeing user activity. The ethical question is what the security function is permitted to see, what it must look away from, and what it must reveal when asked.
Slide 3 of 13 · Constitutional baseline
The Fourth Amendment in Cyberspace
State action requirement: like the First Amendment, the Fourth binds the state, not private actors. Your employer's monitoring of corporate devices is generally not a Fourth Amendment matter; the same monitoring under government compulsion may be.
Slide 4 of 13 · The doctrinal shift
The Third-Party Doctrine and Carpenter
Why Carpenter matters: the Court signaled that digital data's pervasive, automatic, and detailed nature can defeat the "voluntarily shared" framing. Subsequent litigation has tested how far — cloud data, app telemetry, IoT signals. The doctrine is in motion.
Slide 5 of 13 · The US patchwork
US Sectoral Privacy Statutes
Statute | Sector | Security operations effect
HIPAA / HITECH | Healthcare | Security Rule: admin/physical/technical safeguards on PHI; Breach Notification Rule timelines
GLBA | Financial services | Safeguards Rule requires written info-sec program; FTC's revised Safeguards Rule (announced 2021, compliance deadline June 2023) added specific control requirements
FERPA | Education records | Limits disclosure; institutions must protect student records; affects EdTech security architecture
COPPA | Children under 13 | Parental consent for data collection; affects user-onboarding and age-gating
ECPA / SCA | Electronic communications | Governs interception (Wiretap Act), stored content access, pen registers; framework for lawful access
Slide 6 of 13 · The state layer
State Comprehensive Privacy Laws
California
CCPA (2018, effective 2020), expanded by CPRA (effective 2023). Established consumer rights to know, delete, opt out of sale/sharing. Created the California Privacy Protection Agency (CPPA).
Other early states
Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA) all passed comprehensive consumer privacy laws in the early 2020s. Each with rights, business obligations, enforcement.
The proliferation
By the mid-2020s, more than a dozen US states had enacted comprehensive consumer privacy laws. The patchwork is real and continuing to grow.
The compliance reality: a US business of any scale operates under multiple state privacy regimes simultaneously. Architectural decisions about data segregation, deletion, and consent management are now load-bearing.
Slide 7 of 13 · GDPR specifics
GDPR — Operational Requirements
Slide 8 of 13 · The conceptual frame
Helen Nissenbaum's Contextual Integrity
Nissenbaum (2010): privacy is not secrecy — it is appropriate flow. A breach is a violation of contextual norms, not just exposure. "User agreed to ToS" is not sufficient ethical analysis if the data flow violates the norms of the original context.
Slide 9 of 13 · The notification clock
The Breach Notification Clock
Slide 10 of 13 · Reference case
Schrems II (2020)
Slide 11 of 13 · The professional collaboration
The Security Pro and the Privacy Office
Privacy by design
Security architecture decisions encode privacy choices. Data minimization, retention limits, pseudonymization, access controls — all are privacy controls security implements.
DPIA collaboration
Data Protection Impact Assessments are formally privacy-office work but require security input on threat models, control effectiveness, residual risk. Joint authorship is the practice.
Incident handling
Breach response is privacy-office territory; incident response is security territory. They collide in every actual breach. Pre-defined roles avoid confusion at the worst possible moment.
The professional ethics layer: codes (CSE-02) require respect for privacy as an explicit principle. The privacy office is the security professional's natural ally in honoring that principle — and natural counterweight when security operations would expand beyond what privacy norms permit.
Slide 12 of 13 · CSF anchor
CSF Mapping — PR.DS Plus ID.GV-3
PR.DS — Data Security (paraphrased)
CSF: information and records (data) are managed consistent with the org's risk strategy to protect confidentiality, integrity, availability. Includes data at rest (PR.DS-1), in transit (PR.DS-2), formal asset management, capacity, leakage protections.
ID.GV-3 — Privacy & civil liberties
CSF: legal and regulatory cybersecurity requirements — including privacy and civil liberties obligations — are understood and managed. CSE-02 already established this; this module fills in privacy-specific content.
Slide 13 of 13
Module 07 Takeaways
1. Fourth Amendment protects against state action; reasonable expectation of privacy (Katz 1967).
2. Carpenter v. US (2018) declined to extend third-party doctrine to comprehensive location histories — the doctrine is in motion.
3. US sectoral patchwork: HIPAA, GLBA (revised Safeguards Rule effective June 2023), FERPA, COPPA, ECPA — plus growing state patchwork.
4. GDPR operationally: data subject rights, 72-hour breach notification, cross-border transfer mechanisms, DPIA, DPO.
5. Contextual integrity (Nissenbaum 2010): privacy is appropriate flow, not secrecy. Compliance can still violate context.
6. Schrems II (2020): invalidated Privacy Shield; the EU-US Data Privacy Framework (2023) is in force but contested.
Next up: CSE-08 — Cybercrime & Cybersecurity as Moral Obligation. Spinello Ch 6.