CIPP Foundations II - A Survey of Global Privacy Laws and Industry Practices Flashcards
• Global perspectives and data protection models • The U.S. approach to information privacy • The EU Data Protection Directive • Data protection in Asia,Africa and the Middle East • Sectors of privacy law, including healthcare, financial, telecommunications, marketing, human resources
What are the infrastructure elements that require protection?
computer hardware, network hardware, network systems, computer platforms
What does network hardware refer to?
equipment such as routers, switches, gateways and access points that facilitate the use and management of a computer network.
What are network servers?
centralized computers that may contain business information accessible to many users, often simultaneously.
What are the two broad categories of network systems?
Local area networks (LANs) and wide area networks (WANs)
What is a LAN?
Local area network - exist within an operational facility, considered within local operational control and are relatively easy to manage.
What is a WAN?
Wide area network - may involve coordination between several groups, are considered outside of local operational control and are relatively difficult to manage.
What is the most common type of LAN connection?
Ethernet
What types of connections are becoming increasingly common with WANs?
Optical connections - they use complex light wave patterns to transmit information rather than electrical impulses.
What network systems must be managed in order to ensure effective information security?
Internet, the cloud, intranet, extranet, private branch exchange (PBX), remote access connectivity, mobile and wireless network connectivity, VoIP, email
When is an extranet formed?
When two or more corporate intranets are connected.
What do PBX systems control?
telephone interactions, store VM, and perform many other functions related to telephony.
What should be used to manage mobile connectivity?
Virtual Private Networks (VPNs)
What is a VPN?
A system that incorporates authentication and encryption schemes in order to create a secure connection to an organizational LAN that is made available to authorized users over the Internet.
What are two common threats to mobile and wireless network connectivity?
Data interception and data emmulation
What is VoIP?
Voice over Internet protocol - allows telephone calls to be made over a private WAN or the Internet itself.
What are the three general categories of computer platforms?
mainframes, servers, and desktops/smaller computers
Should business-critical information be exclusively stored on desktops or other personal computers?
No. Business-critical info should be managed in a centralized manner where it can be secured, backed up and included in a disaster recovery plan.
What are security controls?
The processes used to ensure the security of an information system. It is important that a control monitoring process be set up to provide prompt notification in the event that any of the controls fail.
What are the three main types of security controls?
Preventative, Detective & Corrective
What are the two types of data encryption - generally?
Encryption in communication AND encryption at rest (encryption on data stored locally)
What is decryption?
The function used to reverse the encryption of information and reveal it in plain text.
Is Encryption a good way to ensure authentication?
No, encryption is a good means of ensuring confidentiality, but it is not good for authentication as it does not verify that the person who claims to have sent the message is the true sender.
What is Encryption?
The process of obscuring information, often through the use of a cryptographic scheme, to make the data unreadable without special knowledge.
What is the dual purpose of information security systems?
Providing access to the end user while protecting the data from other end users.
What are some important things that retention schedules should address?
Record types (levels of sensitivity), retention periods (duration of storage), should be based on demonstrated business needs, should be based on any applicable regulatory requirements.
EXTRA CREDIT - How does a traditional computer hard drive work?
It uses a magnet to change the polarity of charged particles on the surface of the magnetic disc. (Remember the eBay example on pg. 91).
What is the measure by which information should be protected?
Information should be protected in accordance with the value of the asset - the higher the value, the greater the security
What are criteria on which asset value should be based for information security purposes?
(1) Sensitivity and confidentiality (2) potential liability (3) intelligence value (4) criticality to the business
What does effective risk management balance?
The potential for loss with the cost of security protection and management.
What are three of the most common information classification levels?
(1) confidential (2) sensitive (3) public
Define “Confidential” information
Information that, if disclosed, would cause the business to be seriously compromised or outright fail. - HIGHLY SECURE & PRIVATE
Define “Sensitive” Information
Important business information that it intended for internal use only. SHOULD REMAIN SECURE
Define “Public” information
information that may be safely shared with the public at large.
What are 9 terms that a contract for outsourcing IT functions should address?
(1) Security roles/responsibilities (2) Requirements for data protection that ensure the third party matches the standards of the organization (3) information ownership and appropriate use (4) physical and logical access controls (5) security control testing of the third party (6) service continuity (7) an incident coordination process (8) the right to conduct audits (9) a clear statement of respective liabilities
Should an employee ever have greater information access that is necessary to capably perform her or his job function?
No - access should be tied to the role the employee plays - and access may require further management approval.
What are three basic security principles upon which “role-based access controls” are based?
(1) Segregation of duties (2) least privilege (3) need to know or access
What is nonrepudiation?
The ability to ensure that neither the originator nor the receiver can dispute the validity of a transaction or access request.
What are the ways in which authentication identifies an individual account user?
What you know, what you have, who you are?
What is the concept of “out of wallet”
That your passwords or “what you know” (i.e. answers to verification questions) should not be knowable even if an outsider gains access to the information inside a user’s wallet.
What is multifactor authentication?
the use of two or more types of credentials for account authentication. Ex. a password combined with a passcard, biometric identifier, or out of band (e.g. when a bank sends a passcode to your phone to verify a new device being used to access account information). Two-factor schemes typically consist of what you know and what you have, and checks each before authenticating the access request.
What is an example of “one-factor” authentication
A password
What are some industry-standard password conventions in use today?
system pws should be independently assigned and used, blank-field pws should never be used/allowed, at least 8 characters (or as long as the system supports), upper/lowercase/numbers/at least one special character, active cycling at least every 30 days, existing pws should be retired and replaced with new pws, inactive accts or accts of departed/terminated employees should be disabled completely, pws should not be broadly familiar to individuals, avoid common dictionary words or well-known numbers or bdays.
What is the intent of a complex password scheme?
To prevent “brute force” attacks.
What is PKI?
Public Key Infrastructure - a system of digital certificates, certificate authorities and other registration entities that verifies the validly of each party involved in an electronic transaction through the use of cryptographic (coded or encrypted) signatures.
What does PKI enable?
PKI enables users of insecure public networks (such as the Internet) to privately and securely authenticate with each other and to exchange electronic data and/or digital currency.
What are the two unique tokens (identifiers) PKI schemes permit a sender to create?
Public Key - allows anyone to encrypt data and send it securely to the recipient. Private Key - allows the recipient to unlock the data signature and view the contents of the message in a readable format such as plain text.
What are 4 assurances PKI can offer?
- Data has not been altered or corrupted in transit. 2. the source of the data is who or what it claims to be. 3. the transmitted data has remained private and secure while in transit. 4. the transmitted data may be introduced as evidence in a court of law.
What is a digital signature?
A means for ensuring the authenticity of an electronic document.
How does a digital signature work?
If the document is altered after the sig is attached then the value associated with the doc is altered and the signature is rendered invalid.
What is the certificate protocol most commonly used in connection with electronic docs?
DSS - Digital Signature Standard
What is the public-key cryptography on which DSS is based?
DSA - Digital Signature Algorithm.
How does the role of public and private keys differ between encryption and digital signatures?
Encryption - sender used recipient’s public key when sending the msg, and recipient uses their private key to decode. Digital Signature - sender first uses their own private key, and the recipient then uses the sender’s public key to decode the msg and determine its authenticity and that it hasnt been modified in transit.
What is Authorization?
The process of determining if the end user, once authenticated, is permitted to have access to the desired resource.
What is an important concept to consider with authorization?
Segregation of powers - limited power - no one person should have complete access to all business systems and for business continuity purposes, no one person should be the only person that can perform and single, essential function.
What changes as an employee’s role changes?
System access levels.
Describe some important concepts involved with HR information security.
Defining roles and responsibilities prior to employment, following policies and procedures, changes or termination of employment, outsourcing (formal vendor security qualification protocols and audits), disciplinary processes, HR roles in IS differing by stages of employment, background checks.
What is another element of IS besides technical and administrative controls?
Physical and environmental controls.
What are some of the simplest, yet dangerous, system vulnerabilities?
A logged-on, empty workstation and improper internet/email use.
Access to passwords should be treated like what?
Like access to the systems themselves.
What are straightforward, relatively easy to implement, protections against system intrusions of the software variety?
Antivirus solutions
What are some types of virus programs?
Backdoors, Trojans, keyloggers, etc.
What are two ways to deploy antivirus protection?
(1) maintaining a centralized mail server with antivirus capabilities that scan incoming and outgoing msgs (2) scanning all incoming data for virus signatures in data streams.
What is a firewall?
A software program that resides at the network router or server level and is configured with a policy that allows only certain types of traffic to access the network.
Should technical measures be used to block access to potentially dangerous sites?
Yes
What does it mean to “control the perimeter”?
Managing technologies and processes that are designed to secure an entire network environment by preventing penetration from the outside.
What are some different perimeter control methods?
network and host-based firewalls, malware detection and antivirus application suites, access control lists (with antispoofing) on networks, host and network-based IDSs, host and network-bases IPSs, connection encryption schemes such as VPNs, SSL and IPSEC protocols, strong user, email and device encryption.
How can IS professionals monitor the success of IDS, IPS, and other perimeter controls?
use and analysis of log files.
What are log files?
“Event reports” that are generated automatically based on the originating system, computer, software application or software tool.
What are the three log types?
Application log, system log, security log
What is recorded in the log files?
Natural and suspect events (anomalies) - many computer systems record such entries including UNIX, Linux and Windows.
What are some external threats?
Exploit tools, malicious code, layered attacks.
What is a network-layered attack?
These exploit the basic network protocol in order to gain any available advantage. The generally involve spoofing (falsifying a network address) or DoS attacks.
What is a DoS attack?
Denial of Service - a brute force method that overloads the capacity of a website’s domain to respond to incoming requests such that it renders the server inoperable.
What is a good preventative strategy to avoid vulnerabilities caused by applications that “listen to Internet server ports to track suspicious activity?
deactivate unnecessary network services and block unused or idle network ports.
What is a good methods for preventing network-layer attacks?
Firewalls on both network perimeters and hosts.
What is an application-layer attack?
These exploit flaws in the network applications that are installed on the network servers. These are the most common type of exploit because they give a hacker options.
What is a good way to prevent application-layer attacks?
Regularly apply all relevant and current patches and updates to applications. Disable all unnecessary services that listen for network traffic in case they contain a vulnerability that can be exploited.
What are some important concepts for disaster recovery?
Off-site storage of mission-critical systems, replication, data fail-over capacity, data/hardware AND application recovery.
What are two challenges to co-location?
Keeping the data synchronized and maintaining system security at multiple locations.
What are some important components of a Business Continuance Plan?
Regular data backups. NOTE: Backups are only as good as their recoverability. Proper database management (this is central to ensuring effective privacy).
Describe the Life Cycle of Incident Management.
- Discovery of an incident 2. containment and analysis 3. notification 4. eradication and prevention.
Names some situations that might lead to discovering an incident.
- numerous failed login attempts 2. sudden use of an idle or long-dormant access account, use during off-hours, presence of an unauthorized access account, unfamiliar programs or files, weak user pws, changes in file permissions, social engineering, unknown devices, gaps in system logs (a common way of discovering an incident), alerts or red flags from data loss prevention software, device inventories do not match up with devices currently in circulation or storage.
What are two common, yet oft-overlooked, sources of data breaches?
third-party mistakes and employee negligence.
Is it important to establish a highly secure log host?
Yes
What is the next step after an incident is discovered?
Containment and analysis
What does the containment step of the incident management lifecycle entail?
stopping the unauthorized practice, recovering the records, shutting down the breached system, revoking access or correcting any weakness in physical security. It may also involve notifying the police if criminal activity was involved.
Why is an initial analysis necessary once an incident has been contained?
To determine which systems and networks were impacted.
What should be done if a system has been comprised?
It should be immediately disconnected for the network and powered down (take into account if wether shutdown would cause valuable data to be lost), the hard drive removed, and the data restored from backup onto a new drive. A full system audit must be performed to make sure that the vulnerability that was once exploited is not inadvertently restored or reactivated.
What is required after initial containment?
- An in-depth, complete analysis. 2. Documentation of the incident.
What are computer forensics?
The discipline of assessing and examining an information system for relevant clues after it has been compromised by an exploit.
What pieces of information should be gathered during the analysis of an incident?
- What type of information was affected 2. the number of people who were impacted 3. groups that were impacted. This analysis will inform the organization’s notification obligations.
What was the beginning of notification following a data breach becoming a legal requirement?
Senate Bill 1386 in California in 2003.
Know the states and countries that have a data breach notification requirement.
46+ States, Germany, Austria, South Korea, Mexico, many jurisdictions are considering federal and/or state or provincial laws. An EU-wide notification requirement is being considered. Many organizations and regulators consider notification mandatory even if not legally required.
Define Data Breach
An incident where PII had been lost or subject to unauthorized acquisition, access, disclosure or destruction in a manner that compromises its security, confidentiality or integrity.
What are some of the various provisions of breach notifications laws?
The trigger for notification, whom to notify, timing of notification, contents of notices, methods of providing notifications.
Are organizations always legally obligated to notify individuals affected by data breach?
No, in some jurisdictions organizations are legally required to notify affected individuals only if there is some degree of harm to the individual, while in other jurisdictions all data breaches must be notified.
Who are some possible recipients of a breach report?
Regulators, law enforcement, affected individuals, insurers, relevant service providers, the media, any other stakeholders.
When does a party have to notify affected individuals of a breach?
It depends - it may range from 24 hours to “in the most expedient time possible” to “within a reasonable amount of time.” Notification may be delayed when law enforcement is involved, or when delay is necessary to restore the reasonable integrity of the information systems.
What is included in a breach notification?
nature of the incident, type of PI breached, assistance the org is offering to the individual, steps an individual can take to protect themselves, point of contact.
How can parties affected by a breach be notified?
direct mail, telephone, email, fax, publication in a newspaper or on a company website.
Who generally is required to notify affected individuals of a data breach?
The organization in the direct relationship with the individual.
What is the final step of incident management?
Eradication and Prevention
What is the goal of investigating the root cause of a breach?
To ultimately take steps to remediate any gaps discovered in security, process or training.
Should internal reports of all data breaches be maintained?
Yes, such reports allow the organization to monitor for patterns that would underlie systemic issues.
What are some ways to prevent future breaches?
Implementing a comprehensive IS program, implement ATP safeguards that are proportionate to the needs of the org, encryption, updating privacy notices and retention schedules, etc.
What might be included when documenting a breach?
Who was notified and when, details on the cause and scope of the incident, data incident was discovered, how an incident was discovered, steps the org has taken to mitigate the harm.
When should employees be notified about an incident response protocol being changed?
Any time the protocol is changed.
What types of systems are important to build into your security program along with ATP controls?
Systems for monitoring and compliance.
For what should information privacy and security procedures be assessed?
Compliance with published policy as well as with applicable laws and regulations.
Are self-assessments or third-party audits more valuable to an organization trying to audit their security programs?
Both admin controls are important - self-assessments should be performed regularly as a best-practice and third-party audits can be very beneficial for numerous reasons, including the ability of an org to leverage the additional experience and expertise of the third-party.
What is IS a central business function?
Because IT enables virtually every other type of business activity within the organization. Security must be considered a formal business function for an org to be successful.
What serves as the bedrock of consumer and stakeholder trust established by the org?
Privacy and information security measures together.
What was the precursor to the Internet?
ARPAnet - a military computer network developed in the 1960s by ARPA.
What is the World Wide Web?
An information-sharing model that is built on top of the Internet.
What were the two key technologies on which the web functioned historically?
Hypertext transfer protocol (HTTP) - an application protocol that manages data communication over the Internet. It defines how messages are formatted and transmitted over a TCP/IP network for websites. It also defines what actions web servers and browsers take in response to various commands & HTML (hypertext markup language) - a content-authoring language used to create web pages.
Who developed HTML in the early 1990s?
Sir Tim Berners-Lee
What was the first web browser application?
Mozilla - developed by the US-based National Center for Supercomputing Applications (NCSA)
Who developed Netscape?
Mark Andreessen - a young NCSA student and author of Mozilla.
What is the most recent version of the HTML standard?
HTML5
What is XML
Extensible markup language - another language that facilitates the transport, creation, retrieval and storage of documents. XML can potentially create automatic data processing scenarios so privacy issues are an important consideration.
Why is a web browser considered a “web client”?
Because it is used to navigate the web and retrieve web content from web servers for viewing.
What is the two-step process by which firewalls serve as a “web client”?
The firewall interacts with the inner web proxy as a client, and then relay the same request out to the web server. By forcing this two-step process the inner system never has a direct network connection to the external web.
What are two more common web browser-level functions?
URLs and Hyperlinks
What is a URL?
Uniform resource locator - the address of documents and other content that are location on a web server.
What are the components of a URL?
An HTTP prefix to indicate use of the protocol, www to signify a location on the World Wide Web, a domain name, and an indicator of the top-level domain (e.g. .com, .org, .edu or a two letter country code).
What is a hyperlink?
It is used to connect an end user to other websites, parts of websites, or web-enabled servers.
What are the hardware and software components that make up the web?
web servers, proxy servers, caching, web server log.
What are some important additional terms to consider with regards to privacy and the Internet?
IP, TCP, SSL, TLS, Javascript & Flash
What is a web server?
A computer that is connected to the Internet, hosts web content, and is configured to share that content.
What is a proxy server?
An intermediary server that provides a gateway to the web.
What are some of the general security functions of a proxy server?
logging each user interaction, filtering out malicious software downloads, improving performance by caching popular, regularly-accessed content (not necessarily a security function).
What is caching?
This occurs when web browsers and proxy servers save a local copy of the downloaded content, reducing the need to download the same content again.
What should be done with regards to caching to protect privacy?
pages that display PI should be set to prohibit caching.
What is a web server log?
This is sometimes automatically created when a visitor requests a web page. Web server logs can contain a ton of information, including IP addresses, date and time of page request, the URL of the requested file, etc. IP addresses, and thus the web server logs that contain them, are considered PI by some regulators, but not others.
Define IP
Internet Protocol - specifies the format of data packets that travel over the Internet and also provides the appropriate addressing protocol.
What is a Dynamic IP address vs. a Static IP address?
A dynamic IP address is when the address shifts with each session while a static IP address remains the same over time. This is the basis for why in some countries a static IP is considered Personal Information.
Define TCP
Transmission-Control Protocol - enables two devices to establish a stream-oriented reliable data connection.
What is TCP/IP
TCP/IP is used to send data over the Internet.
In what form is data sent over the Internet?
In packets - these packets contain message content and a heading that specifies the destination of the packet.
Define SSL
Secure socket layer - the protocol for establishing a secure connection for transmission and facilitates much of the online commerce that occurs on the Internet today.
What are three properties of the SSL Protocol
(1) the connection is private (2) the peer’s identity can be authenticated using asymmetric, or public key, cryptography (3) the connection is reliable.
Define TSL
Transport Layer Security - a successor to SSL - a protocol that ensures privacy between client-server applications and Internet users of those applications.
Define Javascript
A scripting language used to produce a more interactive and dynamic website.
What are two common malicious practices related to using Javascript?
cross-site scripting and infinite loops
Define Flash
A bandwidth-friendly interactive animation and video technology that has been widely used to enhance sites. Many security professionals discourages users from installing Flash - HTML5 may diminish the use of flash.
What are some common threats to online privacy?
unauthorized access, malware, phishing, spear phishing, social engineering, etc.
Define social engineering
A general term for how attackers can try to persuade a user to provide information or create some other sort of security vulnerability.
What is XSS?
Cross-scripting - code injected by malicious web users into web pages viewed by other users.
What is an example of a threat to online privacy that can come in the ordinary course of an organization’s use of PI?
Collecting more information about a visitor’s behavior than is permitted by law.
Can privacy notices be treated as enforceable promises by a company?
Yes - draft them carefully.
What is the purpose of a comprehensive privacy statement?
It is the standard mechanism by which an organization articulates their various information practices and communicates them to the public.
What are some elements of a privacy statement?
Effective date, scope of notice, types of PI collected, uses and disclosures, end user choices, contact, methods to access/correct/modify data, how policy changes are communicated to the public
Name 5 practices recommended by TRUSTe
Pg. 120
What is a Trustmark?
Images or logos that are displayed on sites to indicate that a business is a member of a professional organization or to show that it has passed security and privacy tests.
Give three examples of Trustmarks
TRUSTe, VeriSign, Better Business Bureau
What are some criticisms of privacy notices?
Lengthy, written in legalese, difficult to understand
What is a layered notice?
A notice that provides the key points on a short top layer and then allows users the option to click through to more detail on certain parts of the notice.
What are the two layers of a layered notice?
The short notice/top layer and the full notice/bottom layer
What does the full notice do for an organization?
It guides employees on permitted data practices and can be used for accountability by enforcement agencies or the general public.
What is “just in time” notice?
Notice that follows the principle of notice “at or before the point of information collection” or before a user accepts a service or product - this helps facilitate meaningful choice.
How large should a font be in a privacy notice?
No less prominent than other links on the page.
What should a web privacy notice do at its core with regards to customer access to information?
It should lay out what sort of notice a customer will receive, and when and how they can access their records.
What is an important consideration for determining what method to use for providing access?
That an access request may be made by an authorized person.
What are four methods for triggering access?
(1) requiring the same information as the acct (2) requiring additional information about activity (3) requiring either option and sending the information to the account (4) requiring either option and sending a one-time access code to the account.
Describe some of the global variations with regarding to an individual’s right to access information about themselves.
EU Directive - Article 10 - the rights of data subjects to have access and rectify data concerning them. No exceptions are stated in Article 10, but does state that access and correction should be provided where necessary to “guarantee fair processing in respect of the data subject.” US Safe Harbor - access and correction are included. APEC Privacy Framework - affirms the basic access principle - there are exceptions - there are 3 stated (pg. 123). In the US - there is no general legal right for individuals to access or correct personal information held about them. Such rights do exist in the HIPAA context. The FCRA also contains detailed access and correction provisions.
How do security admins and attackers use software scripts for different purposes related to security vulnerabilities?
Admins use them to identify weakness and fix them, attackers use them to exploit system weaknesses. This has led to a “white hat” vs. “black hat” arms race.
What is one thing that a password should never be?
A dictionary word
Why is it important to have stringent web access policies?
Because website offer external visibility and makes them more vulnerable to compromise - both internally and externally. They can be easily accessed through a web browser application.
What is one tactic for masking passwords?
Use a web form that uses the “password field” in HTML. The characters are then displayed as asterisks and bullets.
What are some of the limitations of using web cookies as a means for authenticating and authorizing end user access?
They can be deleted or blocked by a user. Web cookies also lack an accurate means of differentiating individual users of a single machine.
What are some of the benefits of SSL/TLS?
SSL/TLS is a standard method for encrypting the transmission of PII over the web - including the verification of end user information required for website access. It is widely used for handling transmission of sensitive online data, provides some level of comfort in the web page delivery process, and provides actual security if a web page hosting the web form is secured in SSL and the resulting data transmission supports the protocol.
Describe best practices with regards to login/pws/PINs in protecting the privacy of information transmitted over the web.
Use unique pws, change them regularly, never use the “remember my password” feature, memorize them or keep them in secure storage. Try not to document them or provide them to others.
What are best practices with regards to software in the context of safeguarding the privacy of information transmitted over the web?
Use antivirus and firewall software, keep it up to date, keep computer and server operating system software current - installing patches consistenty.
What are some privacy protection best practices related to wireless networks (Wi-Fi) and Bluetooth?
always update yourself on current vulnerabilities - these types of communications are very prone to interception.
What are some privacy protection best practices related to file sharing?
Peer-to-peer websites or services can give exploits or hackers an entry point into your computer. If you use these services, utilize options made available to restrict what files and directories can be accessed by the websites and services.
What are some best practices related to privacy protection in the context of public computers?
Just be very careful - be cautious of the info you provide through devices that are used by others since you don’t know how these machines have been configured, who have used them, or what software (or malware) they might host.
What is a good rule of thumb for PI with regards to online privacy protections?
Be VERY careful of providing PI on a site unless you know the website is secure.
Is CIA important for email?
Yes, Confidentiality of email requires protecting them from unauthorized access. Integrity of email guarantees that it has not been modified or destroyed by an unauthorized individual. Availability of email requires that mail servers remain online and able to service the user community.
What are some common features of email security?
content filtering services such as antivirus/spam, HTML tag removal, script removal, attachment blocking by file type, scanning of inappropriate content, confidentiality checks and disclaimer enforcement.
What are some antispam methods supported by current products?
real-time blackhole lists, heuristics, confirmation process, Bayesian filtering, open relay protection, size and bandwidth control and encryption.
What are some distinct privacy issues related to children being online?
- they may not understand what data is being collected and use issues. 2. they cannot give meaningful “consent” 3. children can easily fall victim to criminal behavior online.
what is an important source of protection for children online?
parents installing filtering software on the household computer to block access to certain sites. Many websites block access themselves.
What law was passed in the US specifically dealing with children’s use of the Internet?
COPPA Children’s Online Privacy Protection Act - particularly websites and services targeted towards children.
What does COPPA require?
- website operators must provide clear and conspicuous notice of data collection methods employed by the site - this includes functional hyperlinks to the site privacy policy on every web page where personal information is collected. 2. Consent by parents prior to collection of personal information for children under the age of 13.
What is the most common mechanism for capturing end user information online?
web forms
What is a web form?
A portion of a web page that contains blank fields, text boxes, check boxes, or other input areas that end users complete by providing data.
Name some features of web forms
One-line text boxes, scrolling text boxes, check boxes, radio buttons.
What is one privacy consideration for one-line text boxes?
Ensure that they are used only as intended (e.g. max 14 character for a first name).
Why are scrolling text boxes problematic?
Little control exists over what information a user submits.
What is the difference between a check box and a radio button?
Check boxes allow multiple answers to be selected out of a list of items. Radio buttons limit the user to one answers.
Why are radio buttons and check boxes more secure than fields that require the user to type to text?
the input is limited to the given options and the content of the answer is not communicated over the web.
What happens when a user completes and submits the web form?
it is sent to a web server that processes and stores the submitted information in a database. The info is the subsequently used to process any number of requests.
What are two methods of data collection commonly employed by web forms?
Active and passive data collection.
What is active data collection?
This occurs when the end user deliberately provides information to the website through the use of one of the input methods described earlier (one-line or scrolling text boxes, radio buttons or check boxes).
What is passive data collection?
This occurs when information is gathered automatically - often without the end-users knowledge - as the user navigates from page to page on a site. This is typically accomplished through web cookies.
What are some best practices for web forms?
They should have a functioning link to the privacy statement. It should only require the info genuinely needed. The auto-complete function should be disabled. Single sign-on services (which allows one universal service to confirm user authentication) should be used with caution - sessions should be set to time-out automatically to reduce risk.
What is Privacy by Design?
The concept of privacy being built into desktop products and web interfaces at the development phase to encourage safe and appropriate usage.
What are some technological areas where Privacy by Design should be considered?
Office productivity applications - especially cloud services. Media player applications. Financial software.
Name some of the features a company might use to control financial data evaluated by the US Government Accounting Office?
the ability to protect data and application programs from unauthorized access, segregation of duties (app and system programming, computer operations, info security, QA), ensure recovery of computer processing operations in case of a disaster or other unexpected operation, adequate info security management programs.
What is it important for privacy professionals to understand third-party interactions?
Because they are a major source of privacy threats. It should be clear to end users which entities are capturing or receiving PI and that they accept accountability and fulfill their obligations under contract and applicable law.
What is syndicated content?
Content not created by the host site but content that is developed and/or purchased/licensed from outside sources such as news organizations.
What is a big concern with syndicated content?
That it might contain malicious code that is then unwittingly incorporated into the org’s own website source code.
What is one attack that is common with syndicated content?
Cross-site scripting (XSS) - this allows attackers to inject scripts into web pages for malicious purposes, taking advantage of the trust that users have for a given site.
What are some other third-party interactions besides syndicated content?
Web services, co-branded sites, online advertising networks, web widgets, agent and vendor contracts.
What is a web service and what is one of its risks?
Web services facilitate direct communication between computer. They can put both ends of the communication at a greater risk.
What is a co-branded site?
An online partnership between two or more content or services providers. Sharing of information is often allowed as long as it is disclosed in the privacy notice.
What do online advertising networks do?
They connect online advertisers with web publishers that host advertisements on their sites. They enable media buyers to coordinate ad campaigns across sites.
What is a web widget?
Applications that can be installed on a web page, blog, social profile or other HTML page. They are typically executed by the third party though they appear on the page itself. They can be executed by the owner of the page to deliver new website features or increased functionality.
What are some of the unique issues presented by agent and vendor contracts?
Language holding software vendors liable for problems that lead to security breaches is becoming more common. Contracts may require breaches notification or patch installation.
What is onward transfer?
Onward transfer is when information moves from the original organization that holds the data to a third party.
What are three settings in which onward transfer can occur?
- Processors - orgs that act on behalf of and are subject to the direction of the controller. 2. Orgs may receive and use data about the individual data subjects to complete a transaction. 3. Other third parties may also receive data to do their own marketing or for other purposes.
Is consent needed when controllers hire processors?
Not typically - this occurs all the time without consent from the individual data subject. Consent is also often not sought when third-parties are used for the purposes of completing a transaction.
What are some protections that need to occur with regards to data transfers between an orgs website and third parties?
Protection must be assured contractually and procedurally, consumers must be explicitly notified when such transfers occur that (1) their PI will be in the custody of a third party engaged by the host site, and (2) they have the ability to make a choice, typically by opting out, if they desire to prevent the onward transfer.
What are some attacks Internet users face?
spam, phishing, spyware
What is Spam?
unsolicited commercial email.
When was the term “spam” first used?
In the early 90s in response to an online marketing campaign from a US immigration law firm.
What is the amount of spam traffic estimated in 2010?
100 and 200 billion spam emails sent globally each day - about 80% of global emails according to 2011 estimates.
What does a spam filter do?
They examine the content of emails to block messages containing known viruses and other malicious code.
What does CAN-SPAM require?
It requires a commercial email to have a clear and conspicuous way for the user to unsubscribe from future emails.
What system is used in the EU to protect from spam?
An opt-in consent system.
What does Article 13(1) of the Directive on Privacy and Electronic Communications prohibit?
It prohibits unsolicited commercial communications by email, automated calling machines, fax, or other electronic messaging system, unless the recipient provides prior consent. Exceptions do exist for certain conditions.
What does Article 13(4) prohibit?
The sending of anonymous electronic emails for the purpose of direct marketing in which recipients have no means of opting out of the emails. Recipients must be given an option to unsubscribe from these msgs in each email sent.
What are some common commercial email principles often found in codes of conduct/self-regulatory frameworks of business groups?
no false or misleading headers, no deceptive subject lines, opt-out mechanisms in each msg, notification that the msg contains an ad or promo, info about the sending org.
What is phishing?
The practice of sending a spam email that lures users to a fake website in order to fraudulently capture sensitive personal information.
What is spear phishing?
Whereas earlier phishing was a mass spam email that imitated a widely used brand name, spear phishing specifically targets the recipient.
What is spyware?
Software that is downloaded covertly, without the end user understanding or consenting to the actions of the software.
What is a “drive by download”?
A method of installing spyware whereby the end user never provides consent to the download or is tricked into downloading the software. This often occurs when spyware is bundled with other software that the user actually wants.
How is spyware defined?
It really depends on the intent and knowledge of the user. Think about legitimate software that performs user activity monitoring as intended (think about TeamViewer).
What are 3 examples of third parties that provide online verification and certification services?
TRUSTe, VeriSign, BBBOnline
What are examples of self-regulatory regimes?
Network Advertising Initiative, the US Direct Marketing Assoc, Japan Information Processing Development Center, EuroPriSe, the Health Information Trust Alliance and American Institute of CPAs.
What is “Do Not Track”?
An approach to dealing with targeted online advertising and web user tracking that the FTC and others have suggested that would allow individuals to make a single choice not to be subjected to targeted online advertising.
What is the Digital Advertising Alliance?
A big self-regulatory initiative on the online advertising front - this is a coalition of media and advertising orgs that has developed an icon program that users click on to obtain info on how to exercise choice with respect to online behavior advertising.
What does the “Cookie Directive” require?
The “Cookie Directive” or Directive 2009/136/EC requires that users give consent before having cookies placed on their computers, thereby preventing any tracking of their online activities if they do not “opt in.”
What are two online advertising techniques used in addition to cookies?
Pop-up ads and adware
What are pop-up ads?
Advertising messages that appear to the end user in a separate browser window in response to browsing behavior or viewing of a site.
What is adware?
Software that is installed on a user’s computer, often bundled with freeware (free software), such as peer-to-peer file sharing programs or online games. Without clear consent such adware could be considered spyware by privacy enforcement agencies.
Where does the word “cookie” come from?
Cookie comes from “magic cookie” which is a term in programming language for a piece of information shared between cooperating pieces of software.
How are cookies used on the Internet?
To enable someone other than the user to link a computing device to previous web actions by the same device.
What is another name for a standard cookie?
An HTML cookie
What is an HTML cookie?
A small text file that a web server places on the hard drive of a user’s computer.
What are some of the functions that cookies enable?
Authentication of web visitors, personalization of content, delivery of targeted advertising.
What is one of the big issues with cookies?
When and whether information contained in cookies should be considered personal information.
Give an example of where a cookie may contain PI.
A website that has an identified transaction with a user, such as a credit card transaction that shows the user’s name. If that credit card purchase is linked in the company’s database with the information collected through cookies, then all of that information is identifiable.
What position has the EU taken on cookies?
In the Electronic Privacy Directive of 2002, the EU takes the position that information stored in cookies are generally “personal data” - so individual consent is required before a cookie can be placed on the user’s hard drive. A big issue - how and when to implement such consent.
What are some of the user controls created for web browsers to address privacy issues related to cookies?
Individuals can choose when to have explicit notice that a cookie is being set, can view cookies stored on their hard drive, and can choose whether or not to permit cookies to be set by default, users can also delete cookies stored on their hard drive.
What are some best practices associated with web cookies?
Web cookies should: not store unencrypted PI, provide adequate notice of their usage, use a persistent variation only if the need is justified, not set long expiration dates, disclosure the involvement of a third party cookie provider (if applicable) as well as an opt-out (or in Europe and opt-in) mechanism for delivery from that third party.
What are some variations of the standard HTML cookie?
Session-based cookies, persistent cookies (related to the time and duration of cookie deployment), first and third party cookies (relating to the origination point of cookie file delivery).
What is a session cookie?
A cookie that is stored only while the user is connected to the particular web server. It is deleted when the user leaves that website or closes the web browser.
What are some common uses of session cookies?
Online shopping carts, managing chat sessions, and supporting interactive opinion surveys conducted by market research orgs. They are not the subject of most privacy debates as they expire when the web browser closes.
What is a persistent cookie?
A cookie that is set to expire at some point in the future (e.g. minutes, days, years). Until expiration, the org that set the cookie can recognize that it is the same cookie on the same device, and thus often the same user, that earlier visited the website.
What are persistent cookies used for?
They are the standard mechanism for authenticating return visitors to websites where a user has an account. They enable “personalization” to that the website displays different content or in a different format based on prior interactions with the site. Ad networks use them to tailor ads to a user on subsequent visits.
What is a first-party cookie?
A cookie that is set and read by the web server hosting the website that the user is visiting.
What is a third-party cookie?
A cookie that is set and read by or on behalf of a party other than the web server that is providing a service. (e.g. widgets that appear on a first-party’s website, but interacts with a third party, which may set a third-party cookie.
What is a Flash Cookie?
This cookie is differentiated from the earlier cookies discussed - HTML cookies. Flash cookies are stored and accessed by Adobe Flash, a browser plug-in commonly used by many Internet sites.
In what form does an Internet browser collect and store information from sites visited?
A cache - or cookies.
Can traditional HTML cookies be deleted?
Yes
Can Flash Cookies be deleted directly through the browser?
No, they are stored outside of the Internet browser’s control.
Are individuals notified when Flash Cookies are stored?
No
Do Flash cookies expire?
No
What can Flash cookies be used for?
To track an individual’s actions and to store the same information stored in a normal HTML cookie.
What can a Flash cookie do when an individual deletes and HTML cookie?
Websites can use Flash cookies to “respawn” the information that was stored in the HTML cookie.
Does current tech allow users control over the user of Flash cookies?
Not really - this allows users privacy choices about cookies to be circumvented.
What is a web beacon?
Another form of online identification mechanism. It is a clear graphic image of a 1x1 pixel that is delivered through a web browser or HTML-complaint email client application to an end user’s computer.
How does a web beacon usually travel to a users computer?
Through a web page request (in the case of a web browser) or in an HTML email message (in the case of an HTML complaint email client application)..
What is another name for a web beacon?
web bug, pixel tag, clear GIF
What does a web beacon do?
It operates as a tag that records an end-user’s visit to a particular web page. They provide the ability to produce specific profiles of user behavior in combination with web server logs.
With what is a web beacon often used in conjunction?
A web cookie - and provided as part of of a third-party tracking service.
What are some common usage scenarios with web beacons?
online ad impression counting, file download monitoring, ad campaign performance management (click-through rates, etc.) They can also report to the sender which emails are read by recipients.
What are the privacy considerations for web beacons?
They are similar to that of cookies - namely, how to meet a jurisdictions requirements.
Why is some sort of notice important with web beacons?
Because the clear pixel is basically invisible to the end user.
What can digital fingerprinting do?
Identify a device based on information revealed to the website by the user.
When a website is requested is there automatic identification of who is seeking to download content?
No
When a web page is requested what does the web server do?
It receives certain information and maintains logs.
What are logs maintained by a web server used for?
Security and system maintenance
What information do log files generally include?
The IP address of the visitor, the data and time stamp of the page request, the URL of the requested page or file, the URL the visitor came from immediately prior to the visit (e.g. the referral URL), the visitor’s web browser type version, and the web user’s computer operating system.
What other types of information might a website receive from a requesting computer?
particular fonts used by the requesting computer - these can be used to “fingerprint” a device. This more detailed info varies among computers in a manner that two devices are unlikely to be the same.
What is one instance of digital fingerprinting?
When a financial institution asks you additional security questions when you log on from a new device.
What is one concern of privacy enforcement agencies with regards to digital fingerprinting?
what would constitute sufficient notice and consent for digital fingerprinting techniques to be used for targeted advertising.
Are the privacy issues concerning search engines generally similar to those presented by cookies?
Yes
What are some privacy issues specific to search engines?
Search content may give clues to a user’s identity (e.g. vanity searches, searches about a user’s address or workplace), content of searches may include information considered sensitive for privacy purposes in a particular country.
What have some major search engines done to address privacy concerns surrounding sensitive information?
The anonymization of searches after a defined period of time.
What is one major privacy issue with online social networking?
The inconsistency and evolving nature of privacy control mechanisms on online social networks.
What are some privacy vulnerabilities associated with online social networks?
the transmittance of personal information to unwanted third parties, information can potentially be passed on or solid to advertisers, intruders may steal passwords or other unencrypted data.
Where does the word “cloud” come from in the tech world?
From computer network diagrams which depict the Internet as a large cloud shape. This is because the many computer components in a network are obviously too numerous to be illustrated individually.
To what does cloud computer refer?
The storage, processing, and access to data and applications on remote servers accessible by the Internet, rather than on a single computer or network.
What does the nature of cloud computing allow a user?
on-demand access to data/applications wherever there is access to the Internet.
What are the 5 essential characteristics of cloud computing?
On demand self-service, broad network access, resource pooling, rapid elasticity, measured service.
What are the three service models of cloud computing?
Software as a service (SaaS), Platform as a service (PaaS), Infrastructure as service (IaaS).
What is SaaS?
Software as a service - with SaaS, the cloud provider hosts the software so that the user does not need to install or manage it and does not even need to purchase the hardware.
What is PaaS?
Platform as a service - provides a service through which web developers build and publish applications using the cloud provider’s cloud infrastructure.
What is IaaS?
Infrastructure as a Service - IaaS providers own and maintain key computing resources that users rent. The providers rent users web storage, network capacity, and other resources.
What are the 4 deployment models of cloud computing?
- private cloud 2. public cloud 3. community cloud 4. hybrid cloud
What is a private cloud?
In a private cloud the infrastructure is owned or leased by a single organization.
What is a public cloud?
In a public cloud, large-scale infrastructure is available and sold to the public on a self-service basis.
What is a community cloud?
A community cloud infrastructure is shared between organizations in a specific community.
What is a hybrid cloud?
The hybrid cloud is an infrastructure composed of two or more clouds.
What are some concerns with privacy and cloud service providers?
How data is stored on servers (e.g. is there encryption?), will CSPs disclose user data to third parties for marketing, advertising or other purposes, will CSPs disclosure user data in response to government requests for information.
What are some privacy benefits with CSPs?
Security can be increased because cloud computing can provide organizations with better and more comprehensive data protection mechanisms that cover all data stored in the cloud.
What are some of the privacy concerns associated with mobile devices?
The use of geo-location data (this is a category of PI that did not exist before users owned mobile devices), issues surrounding the proper rules for collection, user and storage of location data by mobile phone companies or other parties authorized to know the device’s location to provide service, issues surrounding the ability of other parties to access that data or pay to leverage it (e.g. for ads).
What is LBS?
Location-based services - an evolving industry where privacy and security must be address. LBS inform users about things they can do or purchase close to their current location and creates business opps for both local businesses and the intermediaries that link users to businesses.
What is one unique challenge associated with notice in the context of mobile devices?
The screens for mobile devices are typically much smaller than desktops or laptops. As mobile devices grow in use and power - so too will the complexity of mobile privacy issues.
Is it easy to anonymize location data?
No, people return often to their homes and workplaces allowing for linkage between location data and identity.
