Ch. 5: Online Privacy Flashcards

You may prefer our related Brainscape-certified flashcards:
1
Q

Internet/WWW Background

A
  • the Internet today has the same basic architecture as when it was first designed. Data on the vast network is transferred by shuttling small pieces of information known as data “packets” from one computer to the next. Data is disassembled into packets on transmission, scattered through the network while in transit and then dynamically reassembled upon arrival at the destination computer.
  • WWW is an information sharing model built on top of the physical Internet.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

WWW Tech Development

A
  • Historically functioned on 2 technologies: Hypertext Transfer Protocol (HTTP) and Hypertext Markup Language (HTML).

HTTP - manages data communications over Internet, defines how messages formatted and transmitted, defines actions web servers and web browsers take in response to various commands.
HTTPS = protocol that allows encryption of data.

HTML - content authoring language used to create web pages. Document “tags” can be used to format and lay out a web page’s content and to “hyperlink”—connect dynamically—to other web content. Today is HTML5 version (no plug ins necessary - those are software pieces that run in browsers and allow for video or audio.

Extensible markup language (XML) - While HTML uses tags to describe the contents of a web page or file in terms of how it should be displayed, XML describes content of a webpage in terms of the data that is being produced.
This enables automatic processing of data in large volumes, necessitating attention to privacy issues.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Web server

A

computer that is connected to the Internet, hosts web content and is configured to share that content.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Proxy server

A

an intermediary server that provides a gateway to the web.

A proxy server typically masks what is happening behind the organization’s firewall, so that an outside website sees only the IP address and other characteristics of the proxy server, and not detailed information about which part of an organization is communicating with the outside website.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Virtual Private Network

A

important category of proxy server, widely used in the United States for employee web access, but not nearly as widely used by consumers.

VPNs encrypt the information from the user to the organization’s proxy server, thus masking from the ISP both the content and web destinations of that user

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Caching

A

web browsers and proxy servers save a local copy of the downloaded content, reducing the need to download the same content again from the web server.

To protect privacy, pages that display personal information should be set to prohibit caching.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Web server log

A

A web server log is sometimes automatically created when a visitor requests a web page.

Examples of the information automatically logged include the IP address of the visitor, the date and time of the web page request, the URL of the requested file, the URL visited immediately prior to the web page request, and the visitor’s web browser type and computer operating system.

Depending on how the web server is configured, it is possible for personal information such as a user name to appear in web server logs.

IP addresses themselves, and thus web server logs containing them, are considered personal information by some regulators but not by others

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Internet Protocol (IP)

A

specifies the format of data packet that travels over the Internet and also provides the appropriate addressing protocol.

An IP address is a unique number assigned to each connected device—it is similar to a phone number because the IP address shows where data should be sent from the website.

IP addresses used to be more dynamic (changing from session to session) but today are generally static, so your device always has the same one.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Internet Service Provider (ISP)

A

is an organization that provides services for accessing, using, or participating in the Internet. I

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Transmission Control Protocol

A
  • enables two devices to establish a stream-oriented reliable data connection.
  • A combination of TCP and IP is used to send data over the Internet.
  • Data is sent in the form of packets, which contain message content and a header that specifies the destination of the packet
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Transport layer security (TLS)

A

Ensures privacy between a user and a web server.

When a server and client communicate, TLS secures the connection to ensure that no third party can eavesdrop on or corrupt the message.

TLS is a successor to secure sockets layer (SSL).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Javascript

A

cripting language used to produce a more interactive and dynamic website.

But has vulnerabilities and problems interacting with some programs and systems - privacy issues.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Cascading Style Sheets (CSS)

A

= language used to describe the presentation of web pages. This includes colors, layout and font.

This language allows for adaptation of the web page to different types of devices.

CSS and HTML are independent of each other.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Flash

A

• Flash is a bandwidth-friendly interactive animation and video technology plug-in that has been widely used to enliven web pages and advertisements. Compatibility and security problems, however, have led to a decrease in use

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Social engineering

A

= a general term for how attackers can try to persuade a user to provide information or create some other sort of security vulnerability.

The social engineer is intent on gaining access to private information and targets an individual or group within an organization that may have such access.

Techniques include using an assumed identity in communications, eavesdropping on private conversations or calls, or impersonating an employee or hired worker.

Contrasts with technically based attacks.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Technically based attacks

A

Examples = structured query language (SQL) injection, cookie poisoning or use of malware.

In these attacks, the attacker exploits a technical vulnerability or inserts malicious code.

One technical but common threat to online privacy is XSS. XSS is code injected by malicious web users into web pages viewed by other users. Often, the unauthorized content resulting from XSS appears on a web page and looks official, so the users are tricked into thinking the site is legitimate and uncorrupted.

XSS is the basis for many convincing phishing attacks and browser exploits.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Web Access Best Practices

A
  • Infosec training
  • Security plan - combat variety of attacks.\
  • More sensitive the website, the stronger the authentication should be (2 factor, eg), and mask passwords.
  • Dont’ use cookies for authenticating and authorizing end-user access.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Protecting Online Identity - Best Practices

A

Login/password/PINs - unique passwords, change regularly, decline “remember my password” and memorize or keep in secure storage (password manager app, eg).

Software - Use antivirus and firewall software. install patches.

Wireless networks and Bluetooth. Keep current on known vulnerabilities.

File sharing - use options available to restrict what files and directories can be accessed by the website and services.

Public computers - be cautious.

Public charging stations - be cautious

Ditto for PI on websites.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Commercial email codes of conduct (in addition to CAN-SPAM requirement of opt-out)

A

Many business groups have codes of conduct and self-regulatory frameworks in place for commercial email. Common commercial email principles include:
• No false or misleading header information
• No deceptive subject lines
• Opt-out mechanism in each message
• Notification that the message contains an advertisement or promotional information
• Information about the sending organization39

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Whaling

A

Whaling is a specialized type of spear phishing that is targeted at C-suite executives, celebrities, and politicians. The aim is the same as spear phishing—to use an email or website to obtain personal and/or sensitive information from the victim. The inappropriately obtained information is then used for fraud or other criminal activity.

21
Q

Spyware

A

Spyware is software that is downloaded covertly, without the understanding or consent of the end user. Spyware is used to fraudulently collect and use sensitive personal information such as bank account credentials and credit card numbers.

Spyware is often installed by “drive-by downloads,” where the user never provides consent to the download or is tricked into downloading the software.

It is important to understand that defining software as spyware is dependent in large part on the intent and knowledge of the user, and whether it is reasonable to believe the user wished to have the information transmitted back to the remote location.

22
Q

Ransomeware

A

Ransomware is a type of malware with which the malicious actor either (1) locks a user’s operating system, restricting the user’s access to their data and/or device, or (2) encrypts the data so that the user is prevented from accessing his or her files.

As the name implies, the victim is then told to pay a ransom to regain access.

For victims who choose to pay the ransom, access may or may not be returned.

23
Q

Location Based Services (LBS)

A

Another set of privacy issues concerns the proper rules for collection, use and storage of location data by mobile phone companies, operating system and application developers, or others who may be authorized to know the location of the device in order to provide mobile service.

An additional set of privacy issues concerns the ability of other parties to access that location data or to pay those with location data to place advertisements.

24
Q

Children’s Online Privacy

A
  • COPPA opt in and transparency requirements
  • States stepped in for those between 13 and 18-
  • California Privacy Rights for California Minors in the Digital World -
    (1) those under 18 have right to request removal of information posted online on them.
    (2) online advertisers prohibited from advertising to minors for products they are not legally permitted to buy.
    (3) restricts certain online advertising practices based on minors PI.

(Delaware has similar law)

25
Q

Privacy Notice should include

A
  • Effective date
  • Scope of notice
  • Types of personal information collected (both actively and passively)
  • Information uses and disclosures
  • Choices available to the end user
  • Methods for accessing, correcting or modifying personal information or preferences
  • Methods for contacting the organization or registering a dispute
  • Processes for how any policy changes will be communicated to the public
  • Say what the organization does and do what is stated
  • Tailor disclosures to the actual business operations model
  • Do not treat privacy statements as disclaimers
  • Revisit the privacy statement frequently to ensure it reflects current business and data collection practices
  • Communicate these privacy practices to the entire company
26
Q

Overarching principles for mobile environment privacy concerns

A
  • Privacy by Design
  • Simplified consumer choices.
  • Greater transparency
27
Q

Customer Access to Information

A

APEC Framework references as best - see that from Ch. 1.

Notes that is difficult issue to authenticate person asking for access.

28
Q

Active vs. Passive Data Collection

A
  • Active data collection occurs when the end user deliberately provides information to the website through the use of one of the input mechanisms described above.
  • Conversely, passive data collection occurs when information is gathered automatically— often without the end user’s knowledge—as the user navigates from page to page on a website. This is typically accomplished through the use of web cookies or other types of mechanisms that identify a device.
29
Q

Third Party Interactions

A

Websites use content from others, so to the extent technically feasible, it should be clear to end users which entities are capturing or receiving personal information in each of these 3rd party scenarios—and that such entities accept accountability and fulfill their obligations under contract and applicable law.

30
Q

Syndicated content

A

= developed by and/or purchased or licensed from outside sources such as news organizations. One concern with such content is that it might contain malicious code that is then unwittingly incorporated into the organization’s own website source code.

Like XSS, or slipping in cookies.

31
Q

Other 3rd party interactions

A

Web services, co-branded sites, web widgets, online advertising networks.

32
Q

Onward Transfers of PI collected online

A

In the United States, the FTC considers onward transfer to be the responsibility of the host website—not the third party—and has issued guidance and brought enforcement actions toward this end.

Protection of personal information must be assured—contractually and in practice—in data transfers between an organization’s website and such third parties.

Moreover, standard practice in many settings is for consumers to be explicitly notified when such transfers occur that (a) their personal information will be in the custody of a third party engaged by the host site and (b) they have the ability to make a choice, typically by opting out, if they desire to prevent the onward transfer.
[TL: When not compatible with context collected, like payment processing or delivery].

33
Q

Digital Advertising Privacy Issues

A
  • Sheer volume of ads - half of all advertising (2/3rds mobile).
  • While fuels the Internet in many ways, privacy issues abound.
  • Lack of awareness of tracking, how to control, cross device tracking, cross context tracking (social media and search, eg), adware (monitors so target ads, but considered spyware by many enforcement agencies).
  • Digital Advertising Alliance has developed a Do Not Track icon.
  • GDPR requires opt-in consent.
34
Q

Flash Cookie

A

Flash cookies are stored and accessed by Adobe Flash, a browser plug-in historically used by many Internet sites. While online, an individual’s Internet browser collects and stores information from sites visited in the form of cache, or cookies.
Traditional HTML cookies, as previously discussed in this chapter, can be deleted. A Flash cookie, however, is stored outside the Internet browser’s control, meaning individuals cannot delete the Flash cookies directly through the browser. Additionally, individuals are not notified when Flash cookies are stored, and these cookies do not expire. Flash cookies can be used to track an individual’s actions and to store the same information stored in a normal HTML cookie. Thus, when an individual deletes the HTML cookie, websites can use the Flash cookies to “respawn” the information that was stored in the HTML cookie

35
Q

Web Beacon

A

Used with cookies often, and similar function.

Privacy issues similar as for cookies.

Operates as a tag that records an end user’s visit to a particular web page.

Used to produce profiles of a specific user’s online behavior, in combo with web log.

36
Q

Digital Fingerprintig

A

Used to identify a device based on info revealed to the website by the user.

Web log plus detailed info like fonts used, can identify device, and can distinguish one device from another, and notify someone if their account was logged in from different device.

used for security enhancement.

37
Q

Search engine privacy issues

A

Content of searches can give clues as to identity - vanity searches, eg. or search patterns around someone’s work or neighborhood .

Searches can reveal politics, beliefs, sensitive data.

so most major search engines have addressed by encrypting search data and anonymizing after X period.

38
Q

Read sections on social media, desktop/laptop adv ecosystem, and mobile ecosystem

A

Sandboxing in mobile environment.

39
Q

Read this notice:
Our website uses cookies. Cookies allow us to identify the computer or device you’re using to access the site, but they don’t identify you personally. For instructions on setting your Web browser to refuse cookies, click here.
What type of legal choice does not notice provide?

A. Mandatory
B. Implied consent
C. Opt-in
D. Opt-out

A
40
Q

When did organizations begin to post public privacy notices on their websites?

A

Mid-1990s.

41
Q

What purpose do privacy notices serve?

A

Help inform customers about how their PI was being collected and used, as well as helping with enforcement purposes.

42
Q

How do privacy notices help with enforcement?

A

If a company promised a certain level of privacy or security on a company website or elsewhere, and the company did not fulfill its promise, then the FTC considered that breach of promise a “deceptive” practice under Section 5 of the FTC Act.

43
Q

Is there an omnibus federal law requiring companies to have public privacy notices?

A

No, Sector-specific statutes such as HIPAA, GLBA, and COPPA impose notice requirements

44
Q

Where there is no legal requirement to do so, do the vast majority of commercial websites post privacy websites?

A

Yes, according to an FTC survey conducted in 2000.

45
Q

What does the FTC investigate when a company posts a privacy notice?

A

Whether they adhere to their own policies; if not, the FTC will bring an enforcement action for deceptive trade practices.

46
Q

The Children’s Online Privacy Protection Act of 1998 (COPPA)

A

FTC has regulatory authority over COPPA. COPPA does not apply to most nonprofit organizations. Federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13.

Organizations in Scope:

  1. Commercial sites that are direct at children under the age of 13
  2. Commercial sites with knowledge of use by children under 13
47
Q

COPPA Requirements

A
  1. To post a privacy notice on the homepage of the website
  2. Provide notice about collection practices to parents
  3. Obtain verifiable parental consent before collection personal information from children
  4. Give parents a choice as to whether their child’s PI will be disclosed to third parties;
  5. Provide parents access and the opportunity to delete the child’s PI and opt out of future collection or use of the information and maintain the confidentiality, security, and integrity of PI collected from the children
48
Q

COPPA Security Requirements

A
  1. Protect the confidentiality, security, and integrity of personal information
  2. Delete information when no longer needed
  3. Do not require that children provide unnecessary information
49
Q

COPPA Safe Harbor

A

Encourage self-regulatory programs to limit legal exposure