Ethics, Security & Privacy

Overview and Objectives

This module on Ethics, Security & Privacy emphasizes that cybersecurity extends beyond technical defenses to safeguarding human rights, dignity, and societal trust. In an era where data is a valuable asset, ethical considerations and legal compliance are crucial to prevent misuse, discrimination, and harm. Students will explore how laws and ethical frameworks guide security practices, ensuring systems respect privacy while balancing security needs. By the end of this module, students will be able to:

• Interpret key privacy laws like GDPR (General Data Protection Regulation) and Quebec's Law 25 (also known as Bill 64), applying them to real-world scenarios.
• Build privacy-by-design strategies to embed privacy protections from the outset of system development.
• Manage PII (Personally Identifiable Information) securely, including classification, storage, and disposal.

This module integrates ethical reasoning with practical compliance, drawing on case studies like the Cambridge Analytica scandal or recent AI privacy breaches. As of August 2025, with ongoing GDPR simplifications for SMEs and full enforcement of Law 25, emphasize adaptability to evolving regulations.

Estimated Time: 4-6 hours of lecture/discussion, plus case studies and policy drafting exercises.

Prerequisites: Introduction to Cybersecurity, Basic Data Management.

Assessment Ideas:

• Quiz on legal requirements and ethical dilemmas.
• Project: Conduct a Privacy Impact Assessment for a hypothetical app.
• Debate: "Should ethical hacking prioritize societal good over legal boundaries?"

Key Concepts and Explanations

1. Ethics in Cybersecurity

Ethics involves moral principles guiding decisions in security practices, such as balancing surveillance for safety against privacy invasion. Frameworks like utilitarianism (greatest good for the greatest number) or deontology (duty-based rules) help navigate dilemmas.

• Ethical Decision-Making: A structured process to evaluate actions' impacts. Steps include identifying stakeholders, assessing risks, considering alternatives, and justifying choices. In cybersec, this applies to issues like vulnerability disclosure (e.g., responsible disclosure vs. full disclosure).

  • Why it matters: Poor ethics can lead to reputational damage, legal penalties, or societal harm (e.g., biased AI in facial recognition).
  • Term to Explain: Responsible Disclosure – A practice where security researchers notify vendors of vulnerabilities privately before public release, allowing time for patches.

• Policy Drafting: Creating formal documents outlining organizational rules for security and privacy. Policies should be clear, enforceable, and aligned with laws, covering topics like data handling, access controls, and incident response.

  • Best Practices: Use templates from NIST or ISO 27701; involve stakeholders; review annually.
  • Example: A data retention policy specifying how long PII is kept and when it's deleted.

2. Privacy Laws: GDPR and Law 25

These laws protect individuals' data rights and impose obligations on organizations.

• GDPR (General Data Protection Regulation): EU law effective since 2018, applying to any entity processing EU residents' data. Key principles: Lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, accountability.

  • Interpretation: Controllers must obtain consent, appoint Data Protection Officers (DPOs) for large-scale processing, and conduct Data Protection Impact Assessments (DPIAs) for high-risk activities.
  • 2025 Updates: The European Commission adopted simplifications in May 2025, reducing record-keeping for SMEs. The EU Data Act, effective September 12, 2025, enhances data sharing rules for connected devices. Enforcement trends focus on cross-border transfers and AI compliance.
  • Fines: Up to 4% of global annual turnover.
  • Term to Explain: Data Controller vs. Processor – Controller determines the purpose/means of processing (e.g., a company collecting user data); Processor handles data on behalf of the controller (e.g., a cloud provider).

• Quebec's Law 25 (Bill 64): Modernizes Quebec's privacy framework, fully effective by September 2024. Modeled after GDPR, it applies to organizations handling Quebec residents' personal information.

  • Interpretation: Requires privacy governance, impact assessments, explicit consent for sensitive data, and automated decision-making transparency. Introduces rights like portability and de-indexing (right to be forgotten).
  • 2025 Status: Post-implementation, enhancements include stronger individual rights and accountability for public/private sectors. Businesses must appoint a Privacy Officer and report breaches within 72 hours.
  • Fines: Up to CAD 25 million or 4% of worldwide turnover.
  • Comparison to GDPR: Similar but tailored to Canadian context; Law 25 mandates privacy-by-default in tech design.

3. Privacy-by-Design Strategies

A proactive approach to integrate privacy into systems from inception, based on 7 foundational principles by Ann Cavoukian: Proactive not reactive; Privacy as default; Embedded into design; Full functionality; End-to-end security; Visibility/transparency; Respect for user privacy.

• Building Strategies: Start with data mapping, minimize collection, use pseudonymization/anonymization, and implement access controls. In software dev, apply during SDLC (Software Development Life Cycle).
  • Why it matters: Prevents costly retrofits; complies with GDPR/Law 25.
  • Example: Designing an app with opt-in consent and automatic data deletion after purpose fulfillment.
  • Term to Explain: Pseudonymization – Replacing identifiable data with pseudonyms (reversible), vs. Anonymization (irreversible, removing identifiability).

4. Managing PII Securely

PII includes any data identifying an individual (e.g., name, email, SSN, biometrics).

• Secure Management: Classify PII (sensitive vs. non-sensitive), encrypt in transit/rest, use secure storage (e.g., hashed passwords), and limit access via RBAC (Role-Based Access Control).

  • Challenges: Insider threats, third-party risks, emerging tech like AI processing PII.
  • Term to Explain: Sensitive PII – Data revealing racial/ethnic origin, political opinions, health, etc., requiring extra protections under GDPR/Law 25.

• Privacy Impact Assessment (PIA/DPIA): A systematic process to evaluate privacy risks in projects. Mandatory under GDPR for high-risk processing; recommended in Law 25.

  • Steps: Describe processing, assess necessity/proportionality, identify risks, propose mitigations.

• Breach Notification: Reporting data breaches to authorities and affected individuals.

  • GDPR: Notify supervisory authority within 72 hours; individuals if high risk.
  • Law 25: Similar 72-hour timeline to Quebec's Commission d'accès à l'information.
  • Process: Detect, contain, assess, notify, document.

Visualizations Using Mermaid Script

Use these in slides; students can practice recreating them.

Visualization 1: Breach Notification Process

Flowchart for GDPR/Law 25 breach response.

flowchart TD
    A[Breach Detected] --> B{Assess Risk?}
    B -->|Low Risk| C[Document Internally]
    B -->|High Risk| D[Notify Authority <72 hrs]
    D --> E{Impacts Individuals?}
    E -->|Yes| F[Notify Affected Persons Without Delay]
    E -->|No| G[Document & Mitigate]
    F --> G
    subgraph "Key Steps"
    D
    F
    end
    style A fill:#f66,stroke:#333
    style G fill:#6f6,stroke:#333

Explanation in Class: Discuss timelines and what constitutes "high risk" (e.g., identity theft potential).

Visualization 2: Privacy-by-Design Principles

Mind map of the 7 principles.

mindmap
  root((Privacy-by-Design))
    Proactive["Proactive not Reactive"]
    Default["Privacy as Default Setting"]
    Embedded["Privacy Embedded into Design"]
    PositiveSum["Full Functionality (Positive-Sum)"]
    Lifecycle["End-to-End Security Lifecycle"]
    Transparency["Visibility & Transparency"]
    Respect["User-Centric Respect"]

Explanation in Class: Link each to examples, like "Default" meaning opt-out not required for privacy features.

Visualization 3: Ethical Decision-Making Framework

Sequence for resolving dilemmas.

sequenceDiagram
    participant SecurityPro as Security Professional
    participant Stakeholders
    SecurityPro->>SecurityPro: Identify Ethical Issue
    SecurityPro->>Stakeholders: Gather Facts & Perspectives
    Stakeholders->>SecurityPro: Input on Impacts
    SecurityPro->>SecurityPro: Evaluate Options (Utilitarian/Deontological)
    SecurityPro->>SecurityPro: Decide & Justify
    SecurityPro->>Stakeholders: Implement & Monitor

Explanation in Class: Apply to a scenario like deciding to report a zero-day vulnerability.

Hands-On Activities and Examples

• Lab 1: Draft a privacy policy for a fictional e-health app, incorporating GDPR/Law 25 requirements.
• Case Study: Analyze the 2023 Meta GDPR fine (1.2 billion EUR) for data transfers; discuss ethical implications.
• Group Exercise: Perform a PIA on a university database; identify PII risks and mitigations.
• Simulation: Role-play a breach notification scenario, timing the 72-hour response.

Key Skills Development

• GDPR & Law 25: Interpret via compliance checklists; compare in tables.
• Privacy Impact Assessment: Conduct mock assessments using ENISA templates.
• Breach Notification: Practice reporting formats.
• Ethical Decision-Making: Use frameworks in debates.
• Policy Drafting: Create and peer-review policies.

Resources and Further Reading

• Books: "Privacy is Power" by Carissa Véliz; "The Ethics of Cybersecurity" by Markus Christen et al.
• Online: GDPR.eu; Quebec's Commission d'accès à l'information site; OWASP Privacy Risks.
• Videos: TED Talks on data ethics; Coursera courses on GDPR compliance.
• Tools: Free PIA templates from CNIL (France) or IAPP.

Stay current with sources like the EDPB website or privacy newsletters, as laws like the EU Data Act evolve. End with discussions on emerging issues like AI ethics in 2025.