Chapter 4: Identity and Anonymity

Question 1

What is the strongest form of identity?

Answer 1

Identified individual

Question 2

What is a form of identity that is weaker than identified individual?

Answer 2

Pseudonymous

Question 3

What can be done with a pseudonym?

Answer 3

Link different data items about the same individual without knowing the actual person the data is about

Question 4

What is the weakest form of identity?

Answer 4

Anonymity

Question 5

Describe truly anonymous data

Answer 5

We not only do not know the individual the data is about, we cannot even tell if two data items are about the same individual

Question 6

Why are roles important in privacy?

Answer 6

Often, it is not important who an individual is, only that the person is authorized to perform an action

Question 7

Provide an example of how a role can be used to reduce the need to identify an individual?

Answer 7

A credit card account may have several authorized users, and the merchant only needs to know that one of the authorized users is making a purchase (a role), not which one (an identity)

Question 8

How can an individual increase their level of privacy when sending an email or when accessing services on the web?

Answer 8

Use a hash function to prove their identity without revealing it
Use a 3rd party to validate their identity

Question 9

Why would a system need to know a person’s identity?

Answer 9

• Access control
• Attribution - the ability to prove who performed an action
• Enhanced user experience and personalization

Question 10

How can you increase privacy but still personalize a website to each user?

Answer 10

Use a pseudonym

Question 11

What do you need to represent identity?

Answer 11

• A combination of information that is unique (name + DoB) - this typically results in an identified individual
• User-specified identifier (user ID)
• System-generated user IDs
• Externally created unique IDs (for example an email)
• Identity systems (google wallet, PKI)
• Biometrics

Question 12

What are the advantages of using user IDs?

Answer 12

• The system can guarantee uniqueness

* Provides pseudonymity

Question 13

What are the disadvantages of using user-specified user IDs?

Answer 13

• Users may want the same user ID
• Users who forget their user ID may try something generic like their last name and end up locking someone else out of their account after multiple tries

Question 14

What are the advantages of system-generated user IDs over user-specified user IDs?

Answer 14

• Provides greater privacy - a user-specified ID may include personal information like their name

Question 15

What are the advantages of using an externally created unique IDs?

Answer 15

• User friendly (user can reuse another identifier)
• Reduces the number of identifiers a user needs to remember
• The burden of providing uniqueness is outsourced
• Information can be linked across systems
• Easier to detect fraud or identity theft

Question 16

What are the dangers of using some biometrics as an identifier?

Answer 16

• Face recognition is not accurate enough in large groups of people - you might end up with false positives
• Using it for both identification and authentication could provide someone with inappropriate access

Question 17

What is the purpose of authentication?

Answer 17

Used to ensure that an individual performing an action matches the expected identity

Question 18

What are the 4 main categories of authentication mechanisms?

Answer 18

• What you know - passwords or personal information
• What you have - requiring an object
• Where you are - location
• What you are - biometrics

Question 19

What needs to be considered when deciding which authentication mechanism to use?

Answer 19

Challenges of creating and revoking the chosen credentials

Question 20

What is the advantage of using passwords?

Answer 20

High level of assurance that the correct individual is being identified

Question 21

What is the disadvantage of using passwords?

Answer 21

They can be easily broken

Question 22

List the 2 categories of password-based authentication attacks

Answer 22

• Attacks on the password itself

* Attacks performed directly through the system

Question 23

How can you avoid password guessing attacks and how could it negatively affect users?

Answer 23

Apply a limit on failed password attempts - places a burden on legitimate users who incorrectly enter their password

Question 24

Provide an example of a password guessing attack method

Answer 24

Dictionary attack

Question 25

Provide two examples of password-based attacks performed directly through the system?

Answer 25

• Man-in-the-middle attack

* Replay attack

Question 26

How can man-in-the-middle attacks be combated?

Answer 26

Encrypting the password

Question 27

How do replay attacks work?

Answer 27

• Usually combined with man-in-the-middle attack when the password is encrypted
• The hashed password is replayed to gain access

Question 28

How can you combat a replay attack?

Answer 28

Issue a unique challenge for each authentication

For example, using a different encryption key for each authentication attempt

Question 29

How are security questions typically implemented in today’s systems?

Answer 29

Normally as a secondary form of authentication - for example when a user needs to reset a forgotten password

Question 30

Devices fall into which category of authentication?

Answer 30

What you have

Question 31

Provide examples of devices used in authentication

Answer 31

• Identification badges or smart cards
• Radio Frequency Identification (RFID)
• Small devices with changing PINs
• Using the computer itself (ex. MAC address)

Question 32

What is the risk of using devices for authentication?

Answer 32

They can be lost or stolen

Question 33

How do you mitigate the risk of an individual losing their authentication device?

Answer 33

Combine authentication with another means such as a password

Question 34

Why is location a good method of authentication when used for corporate offices?

Answer 34

Requires an attacker to gain physical access as well as defeat other authentication (such as passwords)

Question 35

How should location be implemented in authentication?

Answer 35

Should almost always be viewed as a secondary form of authentication, used to provide stronger evidence that the primary form of authentication is correct

Question 36

Provide 3 examples of biometrics

Answer 36

• Fingerprints
• Face recognition
• Voice recognition

Question 37

What more advanced forms of facial recognition exist?

Answer 37

Expression and gaze - these prevent the use of static images to spoof the system

Question 38

What can you do to improve the security of voice recognition?

Answer 38

• Make it text-dependent - a user enrolls a specific passphrase (this also provides the ability to change it if it is compromised)
• Another method is having the system ask the user to read something out - this mitigates the risk of replay attacks if someone recorded the individual

Question 39

Why does the use of biometric data raise inherent privacy concerns?

Answer 39

• A fingerprint or picture are individually identifiable

* Some individuals may also not want to show their face

Question 40

What options exist for providing continuous authentication?

Answer 40

Based on behaviour such as typing rate or mouse movement

Provides a degree of confidence that the user hasn’t walked away and someone else has stepped into the account

Question 41

What is multifactor authentication?

Answer 41

Systems that require 2 or more different mechanisms to authenticate

Question 42

How can multifactor authentication be transparent to the user?

Answer 42

Using cookies to confirm that the user has previously logged in using that device

Question 43

Provide an example of authentication being separate from the system requiring authenticity

Answer 43

Single sign-on

Question 44

What is the scope of application for GDPR?

Answer 44

Personal data

Question 45

What is the scope of the US Healthcare Insurance Portability and accountability Act (HIPAA)?

Answer 45

Protected health information

Question 46

What is browser fingerprinting?

Answer 46

In an effort to personalize or customize the user experience, websites can track the user with browser cookies or other techniques

Question 47

Why are IP addresses considered PII?

Answer 47

Evidence has shown that even dynamically assigned IP addresses do not change frequently, allowing a client computer to repeatedly be linked to the same IP address for long periods of time
IPv6 uses 64-bit numbers derived from a computer’s hardware address

Question 48

Provide examples of strong identifiers

Answer 48

National identification
Passport or credit card number
Names can be, but common names may not be uniquely identifying

Question 49

What are weak identifiers?

Answer 49

Identifiers that must be used in combination with other information to determine identity

Question 50

What are quasi-identifiers?

Answer 50

Data that can be combined with external knowledge to link data to an individual

Question 51

List 3 approaches to anonymization

Answer 51

• Suppression
• Generalization
• Noise addition

Question 52

Describe suppression as an anonymization approach

Answer 52

Removing identifying values from a record

Names and identifying numbers are typically handled through suppression

Question 53

Describe generalization as an anonymization approach

Answer 53

Replacing a data element with a more general element; for example, by removing the day and month from a birth date

Question 54

Describe noise addition as an anonymization approach

Answer 54

Replacing actual data values with other values that are selected from the same class of data

Question 55

What is a microdata set?

Answer 55

A microdata set contains the original records, but the data values have been suppressed or generalized, or noise has been added to protect privacy

Question 56

What is data imputation?

Answer 56

Replacing suppressed values with plausible data to mimic the actual dataset

Question 57

What is value swapping?

Answer 57

Switching values between records in ways that preserve most statistics but no longer give correct information about individuals

Question 58

Provide examples of generalization in anonymization

Answer 58

• Generalizing values to ranges (e.g., birth decade rather than birth year)
• values are often top- and bottom-coded (e.g., reporting all ages over 80 as “>80” as opposed to reporting decade)
• Rounding can also be used as a form of generalization (e.g., to the nearest integer, or nearest 10)
• Removing the last three digits of the postal code or more general if this does not yield a region containing at least 20,000 people

Question 59

What is k-anonymity?

Answer 59

Requires that every record in the microdata set must be part of a group of at least k records having identical quasi-identifying information

Question 60

What is l-diversity?

Answer 60

Extends k-anonymity by further requiring that there be at least l distinct values in each group of k records

Question 61

What is t-closeness?

Answer 61

Ensures that the distribution of values in a group of k is sufficiently close to the overall distribution

Question 62

What is the key issue when releasing aggregated data?

Answer 62

Determining whether the data is frequency or magnitude data

Question 63

How do you determine whether aggregated data is frequency or magnitude?

Answer 63

Determine whether individuals contribute equally or unequally to the value released

For example, a count of the number of individuals at a given income and age is frequency data: Each individual contributes one to the cell they are in

A table giving average income by age is magnitude data: Someone with a high income will affect the average much more than an individual whose income is close to the average

Question 64

How should you anonymize magnitude data?

Answer 64

Noise addition or entire suppression of the cell is typically needed to ensure privacy

Question 65

How should you anonymize frequency data?

Answer 65

Rounding techniques may well be sufficient

Question 66

What is database reconstruction?

Answer 66

Builds a dataset that would generate the aggregate statistics

In many cases, it can be shown that such a reconstructed database is unique, or at least that many of the individual records in the dataset are unique

Question 67

How can you mitigate the risk of database reconstruction?

Answer 67

Techniques such as top- and bottom-coding, rounding and suppression do not guarantee protection against database reconstruction
The only way to provide guaranteed limits on the risk of database reconstruction is noise addition

Question 68

What is a differentially private algorithm?

Answer 68

Its behavior hardly changes when a single individual joins or leaves the dataset – anything the algorithm might output on a database containing some individual’s information is almost as likely to have come from a database without that individual’s information

Question 69

What client-side techniques can be used to increase anonymity?

Answer 69

• Proxy servers
• Onion routing and Crowds
• Tools that generate “cover queries” - fake query traffic that disguise the actual request
• Noise addition

Question 70

How does a proxy server provide anonymity?

Answer 70

They hide the IP address of a request by replacing it with that of the proxy server

Question 71

What is TOR?

Answer 71

Tor is a peer-to-peer network where each request is routed to another peer, which routes it to another peer, and so on until a final peer makes the actual request

Encryption is used to ensure that only the first peer knows where the request came from, and only the last peer knows the server to which the request is being routed