近頃，媒體關注的資訊保護問題已顯示越來越多的民眾關切其個人資訊的保護和權利。許多組織亦因科技精進，得以驚人的速度快速搜集個人資料，製造商機。此時，正是管理線上資訊隱私、資訊安全及相關法制議題最佳化的時機。面對隱私侵害，臺灣開始思考資料保護法的法制規範，本文爰針對法律、實務問題和隱私保證的技術文獻，進行探討，希冀以積極態度探討侵犯隱私議題，提供政府思索管制個人資料的介入對策。
本文提出「P-P模型」共分兩個階段：績效評估分析階段及政策規劃管理階段。藉此模式提供管理者一個強化隱私保護政策的指導方針。本文除提供資訊管理人員一個強化隱私保護及資訊管理的做法與建議外，亦有助於釐清個資外洩的網絡犯罪事件調查。

Recent media attention to information protection issues has shown that citizens are increasingly concerned about personal information protection and their right to it. Many organizations have collected data about individuals at an increasing alarming rate. It’s about time to manage privacy and security of on-line information by reviewing their fundamentals and principles as well as relevant laws and regulations. Concerns of privacy harm have resulted in laws and regulations such as the privacy rules of Personal Information Protection Act (PIPA) in Taiwan. Taking a proactive stance against privacy invasion could help stave off government intervention to tighten controls over what can be done with an individual''s personal data. This proposed P-P model is divided into two phases: Performance Evaluation Phase, and Policy Management Phase. Each Phase is explored from the following issues: concern, issue, response, strategy, principle, focus, and element. That model is presented to provide managers guidance in dealing with privacy policy. The main contributions of this thesis lie in analyzing the internet privacy violation, conceptualizing a novel privacy-enhanced framework, providing the privacy strategy on the internet, and improving the ability on information security. The thesis closes with recommendations for privacy and security good practices for information managers. That also benefits the cybercrime investigation of data leakage.

摘 要 i
Abstract iii
Tables ix
Illustrations xi
Preface 1
1. Introduction 3
1.1 Phenomenon 4
1.1.1 An On-line Change in Privacy Rights 4
1.1.2 Taiwan’s Personal Information Protection Act 5
1.2 Motives 9
1.2.1 A Desire to Understand PIPA 9
1.2.2 The Importance of PIPA 10
1.3 Purpose 11
1.3.1 Insecure Internet of Identity Theft 11
1.3.2 Emergence Discussion of PIPA 12
1.4 Scope 14
1.4.1 Definition of Relevant Nouns 14
1.4.2 On-line Environment Records 17
1.5 Limitations 19
2. Reviews 23
2.1 Personal Information Protection 23
2.1.1 The Protection of Personal Information 23
2.1.2 Privacy Issues in Personal Information Protection 28
2.2 Privacy Principles 31
2.2.1 Regulate the Processing 33
2.2.2 Monitor the Set of Principles 34
3 Research Framework 39
3.1Research Structure 39
3.2 Case Study Research 41
3.3 Observation Research 42
3.3.1 Naturalistic Observation 42
3.3.2 Participant Observation 42
3.4 Case Study Research on Internet Privacy Violation 43
3.4.1 Taiwan Nails Major Hacking Ring Case 43
3.4.2 CIB Busts Fraud Ring Case 46
4. Discussions and Analyses 49
4.1 On-line Manager Guidance in Dealing with Privacy Policy 49
4.1.1 General PIPA Understanding in Taiwan 51
4.1.2 The Life Cycle of On-line Personal Information 64
4.1.3 Digital Investigation of Privacy Protection on the Internet 65
4.2 On-line Secure Policy 68
4.2.1 Privacy-specific Safeguards of Internet Activities 69
4.2.2 Personality Protection of Anonymous Technologies 70
4.2.3 Necessarily of Preparation 71
4.3 The SWOT Analysis on On-line PIPA Enhancement 74
4.3.1 Insufficient Laws and Regulations 75
4.3.2 The SWOT Analysis on PIPA Enhancement 76
5. P-P Model Examination on On-line Privacy Enhancement 81
5.1 Proposed P-P Model 81
5.1.1 Performance Evaluation Phase 84
5.1.2 Policy Management Phase 87
5.2 Performance Evaluation Phase 96
5.2.1 Internal Capability Factor: Privacy Concern 97
5.2.2 External Environment Factors: Customer Concern 98
5.3 Policy Management Phase 100
5.3.1 Prevention Strategy: Security Concern 100
5.3.2 Detection Strategy: Protection Concern 102
6. Conclusion 105
Bibliography 111
Appendix 1: Personal Information Protection Act 117
Appendix 2: Enforcement Rules of the Personal Information Protection Act 146
Appendix 3: Two Broken News on Taiwan Criminal Investigation Bureau Website 157
Appendix 4: Legal Statutes of Privacy Right 163
Appendix 5: The Principle of Clearness 169

Bibliography
一、 English Bibliography：
Baddeley, M., (2011, July).A Behavioral Analysis of Online Privacy and Security, Gonville and Caius College, University of Cambridge, UK.
Beresford, A. Preibusch, S. & Kubler, D. (2011, July). Unwillingness to pay for privacy: A eld experiment.IZA Discussion Papers 5 D.017, Institute for the Study of Labor (IZA).
Bonneau, J. & Preibusch, S. (2009). The Privacy Jungle: On the Market for Data Protection in Social Networks. In The Eighth Workshop on the Economics of Information Security (WEIS).
Brenner, S. W., Carrier, B., & Henninger, J. (2005). CERIAS Tech Report: The Trojan Horse Defense In Cybercrime Cases. Purdue University, West Lafayette.
Brown, C. L.T. (2006). Computer Evidence: Collection & Preservation. MA: Charles River Media, INC.
Bygrave, L. A. (2002). Data Protection Law – Approaching the Rationale, Logic and Limits. MA:Norwell, Kluwer Law International.
Casey, E. (2010). Handbook of Digital Forensics and Investigation. MA: Burlington, Academic Press.
Chang, R. (2012, October), Personal data protection act goes into effect, though certain clauses exempted.Retrieved March 30, 2013, from http://www.taipeitimes.com/News/taiwan/print/2012/10/01/2003544108
Cotter, A. M. (2004). Law Society of Ireland - Information Technology Law. Cavendish Publishing Limited.
Daniel, J. S., Marc, Rotenberg., & Paul, M. S.(2006). Information Privacy Law.(2nd ed.). New York, NY:Aspen Publishing Co.
David Bernard Thaw. (2011 Spring). Characterizing, Classifying, and Understanding Information Security Laws and Regulations: Considerations for Policymakers and Organizations Protecting Sensitive Information Assets, University of California, Berkeley.
Dennis T. C. (2009). Taiwan Proposes Amendments to its 1995 Data Protection Act: Scope Expanded but no Supervisory Authority.Privacy Laws & Business International Newsletter 97:19-20.
Ekberg, A. G. S. (2003). Invasion of Privacy: Spam – one result of bad privacy protection, Department of Software Engineering and Computer Science, Blekinge Institute of Technology, Sweden.
Federal Trade Commission. (2010). Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers, A Preliminary Federal Trade Commission Staff Report, December.
Jewkes, Y. & Devon, G. (2009). Handbook of Internet Crime. Willan Publishing.
Jonathan, C. (2010). Principles of Cybercrime. Cambridge, Cambridge University Press.
Fujiwara, B. (2006, November). Cyber Security: Threats and Countermeasures. Global Business Dialog on Electronic Commerce (GBDe) 2006 Issue Group. Retrieved March 26, 2013, from http://www.gbd-e.org/pubs/Taipei_ Recommendationl_Nov2006.pdf
Gina Stevens. (2011, April). Privacy Protections for Personal Information Online, Congressional Research Service Report.
Gross, G. (2009). FTC Sticks With Online Advertising Selfregulation, IDG News Service, Febrary.
Grabosky, P. (2007). Masters Series in Criminology: Electronic Crime. NJ: Pearson.
Hagan, F. E. (2003). Research Methods in Criminal Justice and Criminology. MA: Pearson.
Holt, T.J. (2005). Hacks, Cracks, and Crime: An Examination of the Subculture and Social Organization of Computer Hackers. MO: University Of Missouri - Saint Louis.
James, S. H. & Nordby, J. J. (2005). Forensic Science: An Introduction to Scientific and Investigative Techniques (2nd Ed.), FL: CRC Press.
Jone, K.J., Bejtlich, R. & Rose, C.W. (2006). Real Digital Forensics: Computer Security and Incident Response. New York:Person Education.
Jones, R. (2006). Internet Forensics. O’Reilly Inc.
Kao, D. Y. & Wang, S. J. (2005, August). Evidences and Forensics at IP Address Clue in Cyber-crime. 17th Meeting of the International Association of Forensic Sciences, Hong-Kong.
Lu, C., Jen, W., Chang, W., & Chou, S. (2006, September) Cybercrime & Cybercriminals: An Overview of the Taiwan Experience. Journal of Computers, 1(6). 11-18. Retrieved March 22, 2013, from http://academypublisher.com/jcp/vol01/no06/jcp01061118.pdf
Marcella, A. J. (2008). Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, Florida, Auerbach Publisher.
McCallister, E., Grance, T. & Scarfone, K. (2010). Guide to Protecting the Confidentiality of Personally Identifiable Information(PII). Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg.
National Institute of Justice. (2007). Investigations Involving the Internet and Computer Networks, Washington DC, U.S. Department of Justice.
OECD. (2002, February). OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. OECD Publishing.
Preibusch, S. (2010). Experiments and Formal Methods for Privacy Research. University of Cambridge.
Seier, S., Greer, G., & Manes, G. (2006). Linking Individuals to Digital Information. IFIP International Conference on Digital Forensics:131-140. FL: Orlando.
Shifreen, R. (2006). Defeating the Hacker: A Non-technical Guide to Computer Security. UK: John Wiley & Sons Ltd.
Solm, S. V., Louwrens, C., Reekie, C., & Grobler, T. (2006). A Control Framework for Digital Forensics. IFIP International Conference on Digital Forensics: 343-355. FL: Orlando.
Spafford, E. (2006). Some Challenges in Digital Forensics. IFIP International Conference on Digital Forensics: 3-9. FL: Orlando.
Stevens, G. (2011, April). Privacy Protections for Personal Information Online, Congressional Research Service Report.
Taiwan Criminal Investigation Bureau. (2013). Criminal Investigation Bureau News. Retrieved March 30, 2013, from http://www.cib.gov.tw/
Thomas, M. L. & Rubin, P. H. (2007 August). Privacy and the Commercial Use of Personal Information: The Case of Customer Proprietary Network Information, Technology Policy Instutute, Washington, D.C., USA.
TW Ministry of Justice, (2010 May). Personal Information Protection Act. Laws & Regulations Database, Republic of China.
United States Department of Justice. (2013). Prosecuting Computer Crimes. Retrieved March 10, 2013, from http://www.usdoj.gov/criminal/ Cyber-crime/ccmanual/ index.html
USA White House, (2011 April). National Strategy for Trusted Identities in Cyberspace - Enhancing Online Choice, Efficiency, Security, and Privacy.
USCERT. (2013). Computer Forensics. Retrieved Feburary 28, 2013, from http://www.us-cert.gov/reading_room/forensics.pdf
Wang, Y. & Kobsa, A. (2009). Privacy-enhancing technologies. In Gupta, M. & Sharman, R., editors, Social and Organizational Liabilities in Information Security, 203–227. IGI Global.
Wikimedia Foundation, Inc. (2013). Wikipedia, the Free Encyclopedia. Retrieved March 30, 2012, from http://en.wikipedia.org/wiki/Main_Page
Yeung, D. & Lowrance, J. (2006). Computer-Mediated Collaborative Reasoning and Intelligence Analysis. In S. Mehrotra et al. (Eds.): IEEE International Conference on Intelligence and Security Informatics, ISI 2006: 1-13. CA: Springer Press.
Yin, R. K. (2009). Case study research: Design and methods (4th ed.). Thousand Oaks, CA: Sage.
 
二、中文書目
(一)專書：
高大宇、張鈞綸、林美倫，2011，《警察資訊科技專業法規彙編》，桃園：中央警察大學。
許文義，2000，《個人資料保護法論》，台北：三民書局。
(二)期刊文章：
司法院司法行政廳，2001，〈個人資料保護─以個人資訊自決權為中心〉，《司法院研究年報》，第21輯第17篇，頁140-143。
吳兆琰， 2007年11 月，〈論政府資料探勘應用之個人資料保護爭議〉，《科技法律透析》，第19卷第11 期，頁36-37。
林素鳳，2003，〈日本個人資訊保護法制之展望與課題〉，《中央警察大學法學論集》，第8期。
───，2005，〈日本現行個人資訊保護法制之初探〉，《中央警察大學法學論集》，第10期。
許宗力，2003，〈基本權的保障與限制(下)〉，《月旦法學教室》，第14期，頁54。
陳秀峰，2002，〈線上個人隱私之保護〉，《月旦法學雜誌》，第82期，頁209。
陳愛娥，2000，〈基本權作為客觀法規範─以『組織與程序保障功能』為例〉，李建良、簡資修主編，《憲法解釋之理論與實務（第二輯）》，台北：中央研究院中山人文社會科學研究所，頁235-272。
劉佐國，2005，〈我國個人隱私權益之保護─論「電腦處理個人資料保護法」之立法與修法過程〉，《律師雜誌》，第307期，頁42-51。
(三)學位論文：
呂信瑩，2012，〈個人資料保護法上目的拘束原則之探討〉，中興大學法律研究所碩士論文。
陳虹年，2005，〈政府對資訊之取得與運用－以隱私權為中心〉，銘傳大學法律研究所碩士論文。
熊愛卿，2000，〈網際網路個人資料保護之研究〉，國立台灣大學法律學研究所博士論文。
三、網路資源：
立法院，〈第7屆法律提案審議進度追蹤系統〉，http://lis.ly.gov.tw/，2008 年5 月28日。
法務部，〈全國法規資料庫〉，http://www.moj.gov.tw/) ，2013 年5 月28日。