Ch. 5: Online Privacy Flashcards

1
Q

Internet/WWW Background

A
  • the Internet today has the same basic architecture as when it was first designed. Data on the vast network is transferred by shuttling small pieces of information known as data “packets” from one computer to the next. Data is disassembled into packets on transmission, scattered through the network while in transit and then dynamically reassembled upon arrival at the destination computer.
  • WWW is an information sharing model built on top of the physical Internet.
2
Q

WWW Tech Development

A
  • Historically functioned on 2 technologies: Hypertext Transfer Protocol (HTTP) and Hypertext Markup Language (HTML).

HTTP - manages data communications over the Internet, defines how messages are formatted and transmitted, and defines the actions web servers and web browsers take in response to various commands.
HTTPS = protocol that allows encryption of data.

HTML - content authoring language used to create web pages. Document “tags” can be used to format and lay out a web page’s content and to “hyperlink”—connect dynamically—to other web content. The current version is HTML5 (no plug-ins necessary; plug-ins are pieces of software that run in browsers and allow for video or audio).

Extensible markup language (XML) - While HTML uses tags to describe the contents of a web page or file in terms of how it should be displayed, XML describes content of a webpage in terms of the data that is being produced.
This enables automatic processing of data in large volumes, necessitating attention to privacy issues.

3
Q

Web server

A

computer that is connected to the Internet, hosts web content and is configured to share that content.

4
Q

Proxy server

A

an intermediary server that provides a gateway to the web.

A proxy server typically masks what is happening behind the organization’s firewall, so that an outside website sees only the IP address and other characteristics of the proxy server, and not detailed information about which part of an organization is communicating with the outside website.

5
Q

Virtual Private Network

A

important category of proxy server, widely used in the United States for employee web access, but not nearly as widely used by consumers.

VPNs encrypt the information from the user to the organization’s proxy server, thus masking from the ISP both the content and web destinations of that user.

6
Q

Caching

A

web browsers and proxy servers save a local copy of the downloaded content, reducing the need to download the same content again from the web server.

To protect privacy, pages that display personal information should be set to prohibit caching.

7
Q

Web server log

A

A web server log is sometimes automatically created when a visitor requests a web page.

Examples of the information automatically logged include the IP address of the visitor, the date and time of the web page request, the URL of the requested file, the URL visited immediately prior to the web page request, and the visitor’s web browser type and computer operating system.

Depending on how the web server is configured, it is possible for personal information such as a user name to appear in web server logs.

IP addresses themselves, and thus web server logs containing them, are considered personal information by some regulators but not by others.

8
Q

Internet Protocol (IP)

A

specifies the format of data packet that travels over the Internet and also provides the appropriate addressing protocol.

An IP address is a unique number assigned to each connected device—it is similar to a phone number because the IP address shows where data should be sent from the website.

IP addresses used to be more dynamic (changing from session to session) but today are generally static, so your device always has the same one.

9
Q

Internet Service Provider (ISP)

A

An organization that provides services for accessing, using, or participating in the Internet.

10
Q

Transmission Control Protocol

A
  • enables two devices to establish a stream-oriented reliable data connection.
  • A combination of TCP and IP is used to send data over the Internet.
  • Data is sent in the form of packets, which contain message content and a header that specifies the destination of the packet.
11
Q

Transport layer security (TLS)

A

Ensures privacy between a user and a web server.

When a server and client communicate, TLS secures the connection to ensure that no third party can eavesdrop on or corrupt the message.

TLS is a successor to secure sockets layer (SSL).

12
Q

Javascript

A

Scripting language used to produce a more interactive and dynamic website.

But it has vulnerabilities and problems interacting with some programs and systems, which raise privacy issues.

13
Q

Cascading Style Sheets (CSS)

A

= language used to describe the presentation of web pages. This includes colors, layout and font.

This language allows for adaptation of the web page to different types of devices.

CSS and HTML are independent of each other.

14
Q

Flash

A

• Flash is a bandwidth-friendly interactive animation and video technology plug-in that has been widely used to enliven web pages and advertisements. Compatibility and security problems, however, have led to a decrease in its use.

15
Q

Social engineering

A

= a general term for how attackers can try to persuade a user to provide information or create some other sort of security vulnerability.

The social engineer is intent on gaining access to private information and targets an individual or group within an organization that may have such access.

Techniques include using an assumed identity in communications, eavesdropping on private conversations or calls, or impersonating an employee or hired worker.

Contrasts with technically based attacks.

16
Q

Technically based attacks

A

Examples = structured query language (SQL) injection, cookie poisoning or use of malware.

In these attacks, the attacker exploits a technical vulnerability or inserts malicious code.

One technical but common threat to online privacy is XSS. XSS is code injected by malicious web users into web pages viewed by other users. Often, the unauthorized content resulting from XSS appears on a web page and looks official, so the users are tricked into thinking the site is legitimate and uncorrupted.

XSS is the basis for many convincing phishing attacks and browser exploits.

17
Q

Web Access Best Practices

A
  • Infosec training
  • Security plan - combat a variety of attacks.
  • The more sensitive the website, the stronger the authentication should be (e.g., 2-factor), and mask passwords.
  • Don’t use cookies for authenticating and authorizing end-user access.
18
Q

Protecting Online Identity - Best Practices

A

Login/password/PINs - unique passwords, change regularly, decline “remember my password” and memorize or keep in secure storage (password manager app, eg).

Software - Use antivirus and firewall software. Install patches.

Wireless networks and Bluetooth - keep current on known vulnerabilities.

File sharing - use options available to restrict what files and directories can be accessed by the website and services.

Public computers - be cautious.

Public charging stations - be cautious.

Ditto for PI on websites.

19
Q

Commercial email codes of conduct (in addition to CAN-SPAM requirement of opt-out)

A

Many business groups have codes of conduct and self-regulatory frameworks in place for commercial email. Common commercial email principles include:
• No false or misleading header information
• No deceptive subject lines
• Opt-out mechanism in each message
• Notification that the message contains an advertisement or promotional information
• Information about the sending organization

20
Q

Whaling

A

Whaling is a specialized type of spear phishing that is targeted at C-suite executives, celebrities, and politicians. The aim is the same as spear phishing—to use an email or website to obtain personal and/or sensitive information from the victim. The inappropriately obtained information is then used for fraud or other criminal activity.

21
Q

Spyware

A

Spyware is software that is downloaded covertly, without the understanding or consent of the end user. Spyware is used to fraudulently collect and use sensitive personal information such as bank account credentials and credit card numbers.

Spyware is often installed by “drive-by downloads,” where the user never provides consent to the download or is tricked into downloading the software.

It is important to understand that defining software as spyware is dependent in large part on the intent and knowledge of the user, and whether it is reasonable to believe the user wished to have the information transmitted back to the remote location.

22
Q

Ransomware

A

Ransomware is a type of malware with which the malicious actor either (1) locks a user’s operating system, restricting the user’s access to their data and/or device, or (2) encrypts the data so that the user is prevented from accessing his or her files.

As the name implies, the victim is then told to pay a ransom to regain access.

For victims who choose to pay the ransom, access may or may not be returned.

23
Q

Location Based Services (LBS)

A

Another set of privacy issues concerns the proper rules for collection, use and storage of location data by mobile phone companies, operating system and application developers, or others who may be authorized to know the location of the device in order to provide mobile service.

An additional set of privacy issues concerns the ability of other parties to access that location data or to pay those with location data to place advertisements.

24
Q

Children’s Online Privacy

A
  • COPPA opt in and transparency requirements
  • States stepped in for those between 13 and 18.
  • California Privacy Rights for California Minors in the Digital World:
    (1) those under 18 have the right to request removal of information posted online about them.
    (2) online advertisers are prohibited from advertising to minors for products they are not legally permitted to buy.
    (3) restricts certain online advertising practices based on minors’ PI.

(Delaware has similar law)

25
Q

Privacy Notice should include

A
  • Effective date
  • Scope of notice
  • Types of personal information collected (both actively and passively)
  • Information uses and disclosures
  • Choices available to the end user
  • Methods for accessing, correcting or modifying personal information or preferences
  • Methods for contacting the organization or registering a dispute
  • Processes for how any policy changes will be communicated to the public
  • Say what the organization does and do what is stated
  • Tailor disclosures to the actual business operations model
  • Do not treat privacy statements as disclaimers
  • Revisit the privacy statement frequently to ensure it reflects current business and data collection practices
  • Communicate these privacy practices to the entire company
26
Q

Overarching principles for mobile environment privacy concerns

A
  • Privacy by Design
  • Simplified consumer choices.
  • Greater transparency
27
Q

Customer Access to Information

A

APEC Framework references as best - see that from Ch. 1.

Notes that it is a difficult issue to authenticate the person asking for access.

28
Q

Active vs. Passive Data Collection

A
  • Active data collection occurs when the end user deliberately provides information to the website through the use of one of the input mechanisms described above.
  • Conversely, passive data collection occurs when information is gathered automatically— often without the end user’s knowledge—as the user navigates from page to page on a website. This is typically accomplished through the use of web cookies or other types of mechanisms that identify a device.
29
Q

Third Party Interactions

A

Websites use content from others, so to the extent technically feasible, it should be clear to end users which entities are capturing or receiving personal information in each of these 3rd party scenarios—and that such entities accept accountability and fulfill their obligations under contract and applicable law.

30
Q

Syndicated content

A

= developed by and/or purchased or licensed from outside sources such as news organizations. One concern with such content is that it might contain malicious code that is then unwittingly incorporated into the organization’s own website source code.

Like XSS, or slipping in cookies.

31
Q

Other 3rd party interactions

A

Web services, co-branded sites, web widgets, online advertising networks.

32
Q

Onward Transfers of PI collected online

A

In the United States, the FTC considers onward transfer to be the responsibility of the host website—not the third party—and has issued guidance and brought enforcement actions toward this end.

Protection of personal information must be assured—contractually and in practice—in data transfers between an organization’s website and such third parties.

Moreover, standard practice in many settings is for consumers to be explicitly notified when such transfers occur that (a) their personal information will be in the custody of a third party engaged by the host site and (b) they have the ability to make a choice, typically by opting out, if they desire to prevent the onward transfer.
[TL: When not compatible with context collected, like payment processing or delivery].

33
Q

Digital Advertising Privacy Issues

A
  • Sheer volume of ads - half of all advertising (2/3rds mobile).
  • While it fuels the Internet in many ways, privacy issues abound.
  • Lack of awareness of tracking and how to control it, cross-device tracking, cross-context tracking (e.g., social media and search), adware (monitors the user in order to target ads, but is considered spyware by many enforcement agencies).
  • Digital Advertising Alliance has developed a Do Not Track icon.
  • GDPR requires opt-in consent.
34
Q

Flash Cookie

A

Flash cookies are stored and accessed by Adobe Flash, a browser plug-in historically used by many Internet sites. While online, an individual’s Internet browser collects and stores information from sites visited in the form of cache, or cookies.
Traditional HTML cookies, as previously discussed in this chapter, can be deleted. A Flash cookie, however, is stored outside the Internet browser’s control, meaning individuals cannot delete the Flash cookies directly through the browser. Additionally, individuals are not notified when Flash cookies are stored, and these cookies do not expire. Flash cookies can be used to track an individual’s actions and to store the same information stored in a normal HTML cookie. Thus, when an individual deletes the HTML cookie, websites can use the Flash cookies to “respawn” the information that was stored in the HTML cookie.

35
Q

Web Beacon

A

Often used together with cookies, and serves a similar function.

Privacy issues similar as for cookies.

Operates as a tag that records an end user’s visit to a particular web page.

Used to produce profiles of a specific user’s online behavior, in combination with the web log.

36
Q

Digital Fingerprinting

A

Used to identify a device based on info revealed to the website by the user.

The web log plus detailed info (e.g., fonts used) can identify a device, distinguish one device from another, and notify someone if their account was logged in from a different device.

Used for security enhancement.

37
Q

Search engine privacy issues

A

The content of searches can give clues as to identity (e.g., vanity searches, or search patterns around someone’s work or neighborhood).

Searches can reveal politics, beliefs, and other sensitive data.

So most major search engines have addressed this by encrypting search data and anonymizing it after a set period.

38
Q

Read sections on social media, the desktop/laptop advertising ecosystem, and the mobile ecosystem

A

Sandboxing in mobile environment.

39
Q

Read this notice:
Our website uses cookies. Cookies allow us to identify the computer or device you’re using to access the site, but they don’t identify you personally. For instructions on setting your Web browser to refuse cookies, click here.
What type of legal choice does this notice provide?

A. Mandatory
B. Implied consent
C. Opt-in
D. Opt-out

A
40
Q

When did organizations begin to post public privacy notices on their websites?

A

Mid-1990s.

41
Q

What purpose do privacy notices serve?

A

Help inform customers about how their PI was being collected and used, as well as helping with enforcement purposes.

42
Q

How do privacy notices help with enforcement?

A

If a company promised a certain level of privacy or security on a company website or elsewhere, and the company did not fulfill its promise, then the FTC considered that breach of promise a “deceptive” practice under Section 5 of the FTC Act.

43
Q

Is there an omnibus federal law requiring companies to have public privacy notices?

A

No. Sector-specific statutes such as HIPAA, GLBA, and COPPA impose notice requirements.

44
Q

Where there is no legal requirement to do so, do the vast majority of commercial websites post privacy notices?

A

Yes, according to an FTC survey conducted in 2000.

45
Q

What does the FTC investigate when a company posts a privacy notice?

A

Whether they adhere to their own policies; if not, the FTC will bring an enforcement action for deceptive trade practices.

46
Q

The Children’s Online Privacy Protection Act of 1998 (COPPA)

A

FTC has regulatory authority over COPPA. COPPA does not apply to most nonprofit organizations. Federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13.

Organizations in Scope:

  1. Commercial sites that are directed at children under the age of 13
  2. Commercial sites with knowledge of use by children under 13
47
Q

COPPA Requirements

A
  1. To post a privacy notice on the homepage of the website
  2. Provide notice about collection practices to parents
  3. Obtain verifiable parental consent before collecting personal information from children
  4. Give parents a choice as to whether their child’s PI will be disclosed to third parties
  5. Provide parents access and the opportunity to delete the child’s PI and opt out of future collection or use of the information, and maintain the confidentiality, security, and integrity of PI collected from the children
48
Q

COPPA Security Requirements

A
  1. Protect the confidentiality, security, and integrity of personal information
  2. Delete information when no longer needed
  3. Do not require that children provide unnecessary information
49
Q

COPPA Safe Harbor

A

Encourage self-regulatory programs to limit legal exposure