CIPT Flashcards
Accountability
The introduction of technical and organizational measures for appropriate handling of personal data according to the law, which is an idea mentioned in GDPR and the Fair Information Practice Principles.
Abstract
To restrict the level of detail shared when processing personal information.
Access control entry
An element that governs, oversees, or rec-ords access to an object by an identified user in an access control list.
Access control list
A list of access control entries that correspond to an object. This could be either discretionary, meaning controlling access, or system, meaning monitoring ac-cess via security event log or audit trail.
Active Data Collection
When an end user purposely provides information, usually through web forms, text boxes, check boxes, or radio buttons.
AdChoices
A Digital Advertising Alliance program that pro-motes awareness and choice for online adver-tising. Participating DAA members’ websites need an icon near their advertisements or the bottom of their pages. Users set preferences for behavioral advertising by clicking on the icon.
Adequate level of protection
Confirmation that a data transfer accounts for the rule of law and legislation, respect for human rights, data protection rules, professional rules and security measures, data subject rights, independent supervi-sory authorities, and any international commitments.
Advanced encryption standard
An encryption algorithm that the US government us-es for security sensitive non-classified material. NIST selected this algorithm in 2001 to replace the Data Encryption Standard (DES).
Adverse action
Any business, credit, or employment action that affects consumers negatively, such as denying or can-celing credit, insurance, employment, or promotion. A credit transaction where the consumer accepts a counteroffer would not count.
Agile development model
As opposed to the plan-driven development model, this process for software system and product design integrates new system requirements during the literal creation of the system, where specific portions are developed one at a time. The Scrum Model is one ex-ample.
Algorithm
A mathematical instruction applied to a set of data.
Anonymization
The process by which individually identifiable data is changed so that it can no longer be related back to any individual without affecting the usability of the data.
Anonymous information
Data that is not related to an identified or an identifi-able natural person, nor can it be combined with oth-er information to re-identify persons. Being made un-identifiable, it is not in scope for the GDPR.
Anthropomorphism
The act of placing human characteristics or behaviors on non-living things.
Anti-discrimination laws
Indications of special classes of personal data. If these exist based on a class or status, it is likely that the personal information is subject to more prescrip-tive data protection regulation.
Application or field encryption
The ability to encrypt certain regions of data, particu-larly sensitive data including health-related infor-mation.
Application-layer attacks
Attacks that take advantage of flaws in network server applications, which are present in applications such as web browsers, e-mail server software, and network routing software. Patches and updates to applications can help protect against such attacks.
Appropriation
Adopting one identity for another person’s uses.
Asymmetric encryption
A type of data encryption using two distinct but relat-ed keys to encrypt data: a public key for other par-ties, and a private key only for the first party. You need both keys to decrypt the data.
Attribute-based access control
A permission model for access control made by review-ing attributes given to users, data, and the context of requested access.
Audit trail
A track or record of electronic activity used for mon-itoring or validation in tracking customer activity or investigating cybercrimes.
Authentication
Determining whether an entity is who it claims to be.
Authorization
The process for deciding if the user should have access to a specific resource like an information asset or sys-tem containing and validating the identity of the user. The criteria could include things like organizational role, security clearance, and applicable law.
Automated decision making
The process of making a determination apart from human involvement.
Basel III
An inclusive list of reform measures created by the Basel Committee on Banking Supervision to build up the regulation, supervision, and risk management of the banking sector.
Behavioral advertising
Advertising targeted at individuals based on observa-tions about their activity over time, likely done via au-tomated processing of personal data, or profiling.
Big data
Large sets of information that organizations may collect due to the expansion of the amount and availability of data. It’s also referred to as “the three V’s”: volume, variety, and velocity, referring to the amount of data, the type of data, and the speed at which data can be processed.
Biometrics
Data that relates to the physical or behavioral charac-teristics of a person, for example fingerprints, voice, or handwriting. This is considered a special category of data with processing only permitted in certain cir-cumstances under GDPR.
Blackmail
The threat of sharing a person’s information against their wishes.
An
Breach disclosure
An organization must notify regulators and/or vic-tims of incidents that have impacted the confidenti-ality and security of personal data. This transparen-cy mechanism brings light to operational failures, helps mitigate harm, and assists in the identification of causes of failure.
Breach of confidentiality
Sharing a person’s personal information in spite of a promise otherwise.
Bring your own device
Allowing employees to use their own personal compu-ting device for work.
Browser fingerprinting
Differentiating between users from the instance of their browsers, which store information about webpages visited, making each unique due to ac-cess time and order.
Caching
Saving local downloaded copies so that there’s no need to keep downloading content, which should be prohibited on pages that display personal infor-mation.
California Online Privacy Protection Act
This act requires that all websites targeted to California citizens must provide a privacy statement to visitors with an easy-to-find link. Websites that collect personal data from individuals under 18 years of age must per-mit those children to delete their data. Websites are required to inform visitors of which Do Not Track mechanisms they support, if any.
CCTV
An acronym for “closed circuit television” which has become shorthand for any video surveillance sys-tem. These can be hosted via TCP/IP networks and accessed remotely, and the footage very easily shared.
Chat bots
Automated intelligence that mimics human interac-tions and can be used for simple customer requests and interactions.
Children’s Online Privacy Protection Act (COPPA)
Choice
U.S. federal law applying to operators of commercial websites and online ser-vices either directed to children under the age of 13 or known to collect per-sonal information from children under the age of 13. Operators are required under this law to post a privacy notice on the website, provide notice about collection practices to parents, obtain verifiable parental consent before col-lecting personal information of children, give parents the choice about wheth-er their child’s personal information will be shared with third parties, provide parents with rights to access, delete, and opt out of future collection or use of the information, and maintain the confidentiality, security and integrity of children’s personal information.
Choice
The concept that consent must be freely provided and data subjects have a true choice whether to provide personal data, without which it is unlikely the consent would be considered valid under GDPR.
Ciphertext
Data that is encrypted.
Cloud computing
Provisioning information technology services online from a third-party supplier or by a company for its in-ternal users. The services could be things like software, infrastructure, platforms, or hosting, with applications like email or data storage.
Code audits
The analysis of source code’s discovery of flaws, se-curity breaches, or violations in the technology eco-system.
Code reviews
Reports organized by code authors with a reader, moderator, and privacy specialist.
Collection limitation
The fair information practices principle which says that there should be limits in the collection of personal da-ta, where data should be gathered by fair and lawful means with the knowledge or consent of the data sub-ject.
Communications privacy
The class of privacy that encompasses protection of the means of correspondence, including mail, phone conversations, and email.
Completeness arguments
Assertions used to confirm compliance with privacy rules and policies in the design of new software sys-tems, where privacy rules are compared to the re-quirements used for a software system. This accounts for necessary technical safeguards and prohibits de-sign that would violate privacy regulations.
Computer forensics
Searching an information system for relevant clues after a compromise of security.
Concept of operations
An outline for the functionality of a software product or system as used in plan-driven development models to project design and implementation.
Confidentiality
The principal that data should be protected against unauthorized or unlawful processing.
Consent
The confirmation of an individual’s agreement to the collection, use, and disclosure of their personal data. There are two thoughts on this: opt-in (making an affirmative action) and opt-out (implied by lack of ac-tion).
Content delivery network
The servers containing the visible elements of a web page which would be signaled for those elements. In advertising, a general ad server would be signaled after a webpage is requested and search for information on the user trying to access the webpage.
Context aware computing
When a device adapts to its environment by changing location, video, audio, or brightness.
Context of authority
Resource access control on a network depends on the context in which the employee connects to the net-work.
Contextual advertising
Advertising using content from a visited webpage or user query. It’s a widely used form of online targeted advertising.
Contextual integrity
A way of ranking potential privacy risks in software systems and products considering how the product or system compares to consumer expectations. If a product or system differs from expectations, it’s possible that the consumer may perceive a privacy harm.
Cookie
A small text file stored on a client machine to be re-trieved by a web server. These keep track of the end user’s browsing activities and pool individual requests into sessions. They also allow users to stay signed in. Types include first party, third party, session, and per-sistent. Consent is required before collecting.
Coupling
The connection between objects within a technology ecosystem which controls the flow of information. Fo-cusing makes objects depend on the connection to other objects, while loosening eases the dependency, isolating processing to a specific group of classes and reducing the chance of accidentally re-purposing infor-mation.
Cross-site scripting
Code input by malicious web users into web pages that other users will view.
Cryptography
Hiding information, usually by transforming it with encryption, such as digital signature, or non-repudiation.
Cryptosystem
The information required to encrypt and decrypt a particular message, most often the encryption algorithm and the security key.
Customer access
A customer’s right to access, review, correct, and de-lete the personal information collected about them.
Customer data integration
The combination and management of all customer in-formation, a key element of customer relationship management.
Customer information
As opposed to employee information, this is data concerning the clients of private-sector organizations, healthcare patients, and the general public in relation to public-sector agencies.
Cyberbullying
Releasing a person’s private information or re-characterizing the individual online.
Dark patterns
Habitual means to mislead individuals into sharing personal information.
Data aggregation
Combining data sets to analyze trends while maintaining individual privacy using groups of individuals with similar characteristics. The data set needs to come from a large number of individuals, be broadly categorized, and exclude data unique to a single individual.
Data breach
The unauthorized collection of computerized data that interrupts the security, confidentiality, or integrity of personal information maintained by a data col-lector.
Data centers
Facilities where data and critical systems are stored and managed, either centralized for one organization’s data management needs or operated by a third-party provider.
Data controller
The natural or legal person, public authority, agency or any other body who alone or together decides the intentions and means of personal data processing.
Data elements
A piece of data with a distinct definition which can’t be whittled down further. Examples include date of birth, numerical identifier, or location coordinates. In isolation these may not be considered personal data but they would be when combined.
Data flow diagrams
A graphical depiction of how data flows in an information system and how the system runs to fulfill its purpose. These would be used by systems analysts creating information systems and management recreating the flow of data within organizations.
Data loss prevention
A term for the strategy to keep end users from sharing sensitive information with external ineligible sources and the software systems that help control what data end users can transfer.
Data masking
The means of de-identifying, anonymizing, or other-wise obscuring data to retain the structure but re-move the sensitivity of the content to create a data set for training or software testing.
Data matching
Comparing personal data collected from multiple sources to make decisions about the identified individuals.
Data minimization
The idea that data controllers would simply collect and process personal data that is relevant, necessary, and adequate to fulfill the specified purposes.
Data processing
Any operation or set of operations performed on personal data including alteration, collection, recording, restriction, storage, use, retrieval, disclosure, dissemination, combination, organization, erasure, or destruction, whether by automated means.
Data processor
The natural or legal person public authority, agency or other body not employed by the controller who processes personal data as instructed by the controller.
Data Protection Authority
Independent public authorities that oversee the application of data protection laws in the EU through guidance on data protection issues and complaints made by individuals of GDPR violations. One per EU member state with extensive enforcement power to impose fines of up to 4% of a company’s global annual revenue.
Data quality
The fair information practices principle that says personal data should be relevant, accurate, up-to-date, and complete. Four questions to consider: does it meet the business needs; is it accurate; is it complete; and is it recent?
Data recipient
The natural or legal person, public authority, agency, third party, or another body getting personal data by disclosure. This would not apply to public authorities getting personal data in the context of an EU or member state law inquiry.
Data schema
All of the constraints, entities, and relationships used to separate customer information.
Data subject
An identified or identifiable natural person about whom the organization has personal information.
Declared data
Personal information shared on a social network or website.
Deep learning
A subset of artificial intelligence and machine learning where tasks are performed repeatedly with increasing layers of data.
Demographic advertising
Online advertising based on an individual’s age, height, weight, geographic location, or gender.
Design patterns
Shared solutions to recurring problems which enhance program code maintenance by applying a common mental measure.
Design thinking process
A five-phase process of empathize, define, ideate, pro-totype, and tested, used alongside value-sensitive de-sign.
Differential identifiability
Establishing rules that limit the confidence that an in-dividual has assigned to an aggregated value.
Digital Advertising Alliance
A non-profit organization that creates standards for consumer privacy, transparency, and control in online advertising and enforces the self-regulatory standards created by the Digital Advertising Alliance including AdChoices.
Digital fingerprinting
Using log files to identify a website visitor, mostly for security and system maintenance purposes. A log file is typically made up of the IP address, a time stamp, the URL of the requested page, a referrer URL, and the visitor’s web browser, operating system, and font preferences.
Digital rights management
Overseeing access to and use of digital information and devices after sale. Usually done using access con-trol (denial) technologies for defending copyrights and intellectual property, claims that may be considered controversial because they prevent users from lawful use of the information and devices.
Digital signature
A means of ensuring the legitimacy of an electronic document, such as an e-mail, text file, spreadsheet or image file, so that anything added afterward makes it invalid.
Directive on privacy and electronic communications act 2002/58EC
A policy directive for the EU Member States recognizing how cookies help modern websites function and the user’s right to opt out. It was amended by the Cookie Directive 2009/136EC, which added a requirement for all websites using tracking cookies to obtain user consent unless the cookie is “strictly necessary.”
Disassociability
Reducing connections between data and individuals as much as possible in relation to the system opera-tional requirements.
Discretionary access control
A type of access control that permits the owner of an object to approve access to a computer-based information system.
Distortion
Disseminating false or incorrect information about someone.
Demilitarized Zone Network
A firewall configuration to protect local area net-works with a number of computers acting as a broker for traffic between the LAN and the external network.
Do Not Track
A potential policy allowing consumers the right to opt out of web tracking, in the same vein as the existing US Do-Not-Call Registry.
E-commerce websites
Websites offering online ordering, which allows access to information related to user purchases and payments for targeted advertising.
Electronic communications data
Defined by the ePrivacy Directive to include the content of a communication, traffic data, and location data.
Electronic communications network
Things that would fall under this definition include net-works used for radio and television broadcasting; trans-mission systems, switching or routing equipment, and other resources that send signals by electromagnetic means; electricity cable systems; fixed and mobile terrestrial networks; and cable television networks.
Electronic communications service
Any service allowing users to send or receive wire or electronic communications.
Electronic surveillance
Digital monitoring, such as location-based services, stored communications, or video surveillance.
Encryption
Obscuring information so that it can’t be read without a key or other specific knowledge, usually with a cryptographic scheme.
Encryption key
A cryptographic algorithm used on plain text to mask value or used on encrypted text to make it plain again.
End-user license agreement
A contract made between the user and the software application owner where the user promises to pay for the use of the software and comply with any restrictions.
Enterprise architecture
An abstract outline or blueprint of the structure and operation of an organization, usually in an effort to achieve current and future goals.
EU Data Protection Directive
The first EU-wide legislation protecting personal data use and privacy which was adopted in 1995 and re-placed by GDPR in 2018.
Exclusion
Denying an individual knowledge about or participation in data processing.
Exposure
Sharing information that would normally be kept private, including physical details about bodies.
Extensive markup language
Also referred to as XML, this markup language allows for the transport, creation, retrieval and storage of files from tags that identify the contents. The content of a web page is described in terms of the data produced as opposed to how it should be displayed, which is done in HTML.
Extranet
A network system made by connecting corporate intranets. These come with inherent security risks despite meeting organizational goals, including backdoors into the internal network and trust for third parties. Risk management would rely on a business contract to restrict access to data, list security controls in place, establish how shared devices will be managed, and create procedures for cooperating with technical staff.
Factors Analysis in Information Risk (FAIR) model
A framework that separates risk by frequency of action and breadth of violation.
Federated identity
A model to confirm a person’s identity using a credible centralized service.
Financial Instruments and Exchange Law of Japan
A Japanese legislation for the financial services sector that created a cross-sectional legislative framework to protect investors, strengthened disclosure requirements, provided directions for financial exchange self-regulatory operations, and established strict rules to stop unfair trading.
First-party collection
A data subject gives personal data through a form or survey sent to the collector upon submission.
Flash
Software used to place animation and other visual effects on web-based content.
Frequency data
The number of times a particular value exists in the data set.
Functional system requirements
The details for implementation related to how a system should work, which inputs create which outputs, and elements of design.
Geo-social patterns
Data related to mobility, social patterns, and behaviors that comes from smartphones and other devices when people share their emotions, opinions, experiences and locations. Artificial intelligence and machine learning use these to identify meaningful patterns and trends.
GET Method
Attributes from this method, as opposed to the POST HTML method, prescribe how form data is provided to a URL, particularly in name/value pairs showing pass-words and other sensitive information in the browser’s address bar.
Global Privacy Enforcement Network
The collection of data protection authorities set by an OECD recommendation for collaboration among member countries on enforcing privacy laws, developing common priorities, sharing best practices, and sup-porting joint enforcement and awareness activities.
Globally unique identifier
An identifier that is special to an individual user.
Harm dimensions
Distinctions between types of dimensions of privacy harms—namely objective and subjective. Perceived harm can have the same privacy impact as experienced harm.
Hashing functions
Also called hashing, this refers to removing personal in-formation from user identifications using an organized system but retaining activity tracking. It can be used to encrypt or map data and in other information security applications.
Hide
Personal information is rendered unconnected or invisible to others.
High-level design
How the system’s front and back ends collaborate to create the desired system behaviors.
Homomorphic
Allowing encrypted data to be viewed or changed without decryption.
Hyperlink
A graphic or text linked to a website or web-enabled service via URL in the HTML code. Upon selecting the right words or images, the end user is sent to the in-tended website or page.
Hypertext Markup Language (HTML)
A language for content authoring used to make web pages and render content. Some of the details that can be input include hyperlinks, pictures, headings, and text with minimal commands.
Hypertext Transfer protocol
A networking language that controls data packets via Internet. It sets rules related to the formatting and transmission of messages and actions to be taken by web servers and browsers according to commands.
Hypertext Transfer protocol secure
A network communication technique where HTTP is placed on top of the SSL/TLS to apply security capabilities.
Identifiability
The specificity to which a user is recognized by an authentication system. A user is more easily tracked or targeted with greater specificity and more easily falsely authorized with less.
Identifiers
Codes or strings that correspond to an individual, de-vice, or browser.
Information governance
Technical solutions, security measures, and privacy compliance efforts taken by stakeholders involved in the processing of personal data.
Information hiding
Dividing data into different levels of classification and restricting access to that data using class functions.
Information Life Cycle
This approach recognizes different values of data and data handling through an organization between collection and deletion. The stages involved are: collection, processing, use, disclosure, retention, and destruction.
Information Privacy
The class of privacy which refers to the right of individuals, groups, or institutions to determine when, how, and to what extent information about them is dis-closed to others.
Information Security
Protecting information in order to prevent loss, unauthorized access, and misuse. This includes measuring threats and risks to information and the processes and measures to be taken to preserve the confidentiality, integrity and availability of information.
Information utility
The ability for a business to use the information it’s collected in as many ways as possible to improve its services and products.
Insecurity
Failure to appropriately protect collected personal in-formation.
Interactive advertising bureau
The trade association for businesses in the advertising industry that creates industry standards, leads research, and supplies legal support.
Internet of Things
A term referring to the myriad of devices people own that connect to the internet and are subject to automation and remote access.
Internet Protocol Address
A unique string of numbers tied to a computer on the Internet or other TCP/IP network. This is considered a type of personal information.
Internet Service Provider
A company giving Internet access to homes and businesses via modem dial-up, DSL, broadband, or wireless connections.
Interrogation
Probing or leading individuals down a line of question-ing to ascertain their personal information with the possibility of risking individual privacy and social norms if a person is compelled to answer.
Intrusion reports
The result of auditing a system for threats to network security.
ISO 27002
A code of practice for information security made up of potential controls and mechanisms for implementing effective organizational and security management practices.
IT Architecture
Also called enterprise architecture, this is made up of policies, principles, services, and products adopted by IT providers.
IT Department
The part of an organization charged with overseeing the technology used to create, store, transfer, and use information.
Javascript
A computer programming language that creates interactive effects on web browsers.
Just-in-time notification
Distinct information practices shared along with a con-sent request before information is collected.
K-anonymity
A practice where direct identifiers are replaced with generalized, truncated, or redacted identifiers.
L-diversity
A practice where at least “l” distinct values are used on top of replacing direct identifiers with generalized, truncated, or redacted identifiers in every group of k records for sensitive attributes.
Layered notice
A privacy notice with sections of different lengths–a shorter version with key points and a longer, more de-tailed version.
Layered security policy
A layered approach with three levels of security policies: a high-level document including the policy statement; the controls to be followed to meet the policy statements; and the operating procedures, about how the policy statements will be achieved in practice.
Least privilege
A security control allowing access according to the lowest possible level to complete the required action.
Linkability
The capacity for identifiers used to track an individual to be combined with outside information and identify an individual.
Local area network
Networks located inside the operational facility which are easy to manage and subject to local control.
Local shared objects
Also known as flash cookies, these data files are made to track user preferences and used by Adobe Flash Player. They are different from HTTP cookies in being saved to the computer’s hard drive.
Location-Based Service
Services that use location information to provide applications and services, including gaming, social networking, and entertainment, usually needing geolocation to identify the real-world geographic location.
Logs
A record of all events that take place in a computer system (usually an operating system). An application log includes events tracked by applications; a system log includes events recorded by the operating system; and a security log includes security events
Low-level design
The specific details describing a high-level de-sign system.
Magnitude data
Data where the quantity of interest is presented over all units of analysis. A table showing average income by age is one example.
Manageability
The ability to govern personal information in a detailed way, through things like correction, transfer, and deletion.
Mandatory access control
An access control system where the system restricts access to data.
Metadata
A piece of data that pertains to other data.
Microdata sets
Anonymized groups of information about individuals, where the individuals can’t be identified.
Mobility
The capability of a system to change locations, like that of laptops or mobile phones.
Multi-factor authentication
The authentication process using multiple verification methods, like a password and code sent to a phone number, or log-in and biometric identifier.
National Initiative for Cybersecurity Education’s Cybersecurity Workforce
This framework created common terminology in cyber-security for all sectors.
National Institute of Standards and Technology (NIST) framework
A risk management tool used to establish guidelines and best practices to the management of cybersecurity-related risks, help organizations communicate and plan around privacy risk, and build privacy governance pro-grams.
Natural language generation
Information made into content, which allows things like text-to speech, automation of reports, and mobile applications content.
Natural language understanding
Machine reading comprehension via algorithms used to find and extract language that the computer can interpret.
Network centricity
The degree to which personal information stays local.
Network devices
The components allowing two devices to connect for sharing electronic files, such as printers and fax ma-chines. The most common ones make Local Area Net-works using a hub, a router, a cable, a modem, and network cards.
Network encryption
Protecting data transfers at the network transfer layer via encryption that is invisible to the end user.
Network-layer attacks
Attacks abusing the basic network protocol for ad-vantage, mostly through spoofing a network address to send data to an intruder instead of the intended recipient or service disruptions through a denial-of-service attack that overloads the capacity of a website’s domain with brute force.
Noise addition
The type of anonymization where certain identifying values from one data subject are swapped with identifying values from another subject from the data set.
Non-functional system requirements
Abstract concepts informing the functional requirements for a new software, system, or product being developed—as in how a system should work instead of the technical processes or functions.
Obfuscation
Making something harder to understand in order to hide its meaning.
Objective harm
Harm that is measurable and observable resulting from privacy violations to a person.
OECD Guidelines
A universal set of internationally accepted privacy principles and guidance for countries developing regulations related to cross-border data flows and law-enforcement access to personal data. The principles are Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Openness, Individual Participation, and Accountability.
Omnibus Laws
Laws covering a wide range of organizations or natural persons, not simply a specific market sector or population.
Online behavioral advertising
Websites or online advertising services that track and analyze search terms, demographics, online activity, offline activity, browser or user profiles, location data, or preferences, to offer advertising.
Online data storage
Third-party vendors storing data accessible via Internet as an alternative to local storage on a hard drive or portable storage on a flash drive.
Open source vs. closed source
Software that can be simply viewed, shared, or edited compared to that which can only be fixed and updated by the vendor.
Opt-in
One of two approaches to choice, where an individual makes an affirmative indication of agreement, like checking a box to allow the business to disclose the in-formation to third parties.
Opt-out
One of two approaches to choice, where the lack of action on the part of the individual is taken as their implication of choice, so for example, their information will be shared with third parties if they don’t uncheck a box.
Organization for Economic Cooperation and Development
An international organization that supports policies created to boost employment, sustainable economic growth, and the standard of living.
Passive collection
Collecting data unbeknownst to the data subject.
Patches
Making program changes to update or fix a system.
PCI Data Security Standard
A self-regulatory system of security standards for payment card data drafted by the Payment Card Industry Security Standards Council. Compliance necessitates companies above a certain threshold to conduct third party security assessments.
Perimeter controls
Technologies and processes intended to secure the network by stopping access from the outside.
Persistent storage
Storing data in a stable medium such as a hard drive. An alternative to random access memory, which loses data whenever the device is disconnected from power.
Personal information
Also called personal data, a term defined by CCPA as information that identifies or could be linked to a particular consumer.
Pharming
Corrupting a host file or network router to send an authentic internet request to a malicious website.
Phishing
Communication meant to trick a user to give a pass-word, account number, or other information to a web-site managed by the attacker. It’s called “spear ” when the attack is targeted to a specific user, like an e-mail that looks like it’s from the user’s boss.
Plan-driven development model
As opposed to the agile development model, this strategy to creating software and systems involves fully de-signing the system and functions before creation, one example being the Spiral model.
Platform for privacy preferences project
A project intended to introduce user privacy into web protocols. The most successful protocol from this project is XACML.
Polymorphic
An algorithm changed when the code is copied, while the encryption stays the same for each key.
POST Method
As opposed to those of the GET method, this method’s attributes specify how form data is given to a web page in a more secure way.
Predictability
An indicator of the reliability of assumptions made about a system, specifically the data it holds and how it is processed.
Premium advertising
The costliest and most pronounced type of web advertising displayed on a website’s homepage which only big name companies can afford.
Privacy by Design
Generally regarded as a synonym for Data Protection by Design, this is an approach where privacy is embedded into technology, systems, and practices from early de-sign stage to include privacy requirements in the processing of personal information. It ensures the existence of privacy from the outset.
Privacy engineering
A concept in which privacy values and principles are considered in technology systems and programs while protecting security and mitigating risk, requiring engineers and privacy professionals to work together.
Privacy notice
A statement provided to the data subject explaining how an organization collects, uses, stores, and discloses personal information.
Privacy nutrition label
A standard label designed to make privacy policies more understandable, developed by the lab at Carnegie Mellon University.
Privacy Officer
An individual designated as the head of privacy compliance and operations in an organization. The US federal government sees this person as the official in charge of the implementation and management of all privacy and confidentiality efforts.
Privacy patterns
Borrowing from design patterns, these are common solutions to privacy problems encountered in software design.
Privacy policy
An internal statement that explains an organization or entity’s handling of personal information to the members of the organization interacting with the personal in-formation, informing them about the collection, use, retention, and destruction of the data and data subject rights.
Privacy review
An analysis of how well new comply with the organization’s privacy policy to minimize potential privacy risks.
Privacy risk
A formula used to determine the impact a new project may have on the privacy of the consumer base involved. In the evaluation, the likelihood of the threat taking place should be considered along with its potential impact. Then, projects should be compared in terms of their resulting risk.
Privacy standard
The minimum level of privacy protection to be placed in all new projects, applications, and services both in terms of internal organizational policy and external regulations. There should be guidelines to help reach adherence.
Privacy technologist
A term for technology professionals who play a role in protecting privacy in technology. These could be audit, risk and compliance managers; data scientists; soft-ware engineers; or privacy engineers.
Protected health information
Any individually identifiable health information created, received, transmitted, or stored by a HIPAA-covered entity or its business associate or employee which can be used to identify the individual is created or received by a covered entity or an employer and is related to any physical or mental condition or payment or provision of healthcare.
Protecting Canadians from Online Crime Act
An act that criminalizes cyber bullying and allows police to obtain warrants for telecommunications and internet data and hold onto electronic evidence.
Pseudonymous data
Data points no longer directly associated with an identified person although it’s known whether multiple of the data points relate to the same person. An ID is used instead of PII to tell if data has the same source. Examples include IP address, GUID, and ticket numbers.
Psychographic advertising
Sending a user content based on their interest deter-mined by their known preferences online rather than their interactions with web pages and advertisements.
Public key infrastructure
A system composed of digital certificates, authorities, and other registration entities that uses cryptography to check the authenticity of each party participating in an electronic transaction.
Public records
Information gathered and stored by a government entity that it makes available to the public.
Quality attributes
Software development issues that cannot be fixed by one design element or function alone, one example being privacy. Implementing Privacy by Design in soft-ware development will help to account for the issues in all system functions.
Quantum encryption
The use of quantum mechanics principles to encrypt messages so that no one other than the intended recipient can view them.
Radio-Frequency Identification
Technologies that identify people or objects with microchips using radio waves.
Re-identification
The action of reapplying characteristics to pseudonymized or de-identified data that could be used to identify an individual. There is risk in undoing the de-identification actions applied to data.
Remnant advertising
The simplest form of web advertising, lacking personalization because no data about the user or webpage is used.
Repurposing
The secondary use of information collected for a different purpose.
Retention
The part of the information life cycle that pertains to organizations keeping personal information only as long as required to fulfill the intended purpose.
Right of access
The right of an individual to ask and obtain their person-al data from a business or other organization.
Role-based access control
Access policies following the restriction where no employee can gain greater information access than what is necessary to perform their job.
RSA Encryption
The most prevalent inter-net encryption and authentication system which uses an algorithm to generate a public key, which is then used to encrypt data and decrypt an authentication, and a private key, which can decrypt the data and encrypt an authentication.
Run time behavior monitoring
Auditing and evaluating data collected from an operating system.
Seal programs
Programs requiring participants to follow codes of in-formation practices which will be monitored. The companies that comply with the terms will show the pro-gram’s seal on their website.
Secondary use
The use of an individual’s information for purposes that are unrelated to the original processing purpose without consent.
Secret key
A cryptographic key that corresponds to a private cryptographic algorithm, connected to one or more entities. The key should be protected from disclosure.
Security policy
Internal security measures that prevent unauthorized or unnecessary access to corporate data or resources, which may be either physical, technical, or organizational. Protected resources may be intellectual proper-ty, financial data, or personal information.
Security safeguards
The fair information practices principle establishing that personal data be protected by acceptable security safeguards from risks of loss or unauthorized access, destruction, use, modification, or disclosure of data.
Separate
Processing personal data in a way that prevents identification of the individual, either using physically separate locations or isolating the data by purpose.
Single-factor authentication
The standard authentication technique where a user name and password are provided for access.
Single-sign-on
An authentication method where the user provides one set of credentials to access multiple applications.
Social engineering
A term for a security vulnerability created by attackers persuading a user to provide information.
Software requirements specification
Formal documentation of a software system or product with functional and nonfunctional requirements that cover the needs of the customer.
SPAM
Commercial e-mail that is unsolicited.
Spear phishing
Phishing that is meant to reach a group of people connected to a specific organization.
Speech recognition
Voice command technology permitting users to speak to technologies in order to control them.
SQL injection
Targeting SQL forms with commands entered into in-formation entry boxes which may alter the system. This could erase data sets or over load servers if the SQL is left vulnerable.
Storage encryption
Using encryption to protect stored or backed-up data in transit and at rest.
Structured query language
A programming language made by IBM that uses inter-active forms into which users can insert or edit data to be made into usable data sets by the system administrators. It’s now an international standard for the col-lection and use of information.
Subjective harm
Only an expectation of harm existing, lacking anything perceptible or quantitative.
Super cookie
A tracking tool that remains in a device even after deleting all cookies, kept in different types of storage.
Surveillance
Capturing or watching an individual’s activities.
Surveillance collection
Collection of data made by observing a data subject without interfering in their activity.
Symmetric key encryption
A form of encryption where a single secret key is used to both encrypt and decrypt data, also called Secret Key Encryption.
Syndicated content
Content that is created, bought, or licensed from a third party that may introduce malicious code into the organization’s website code. Cross-site scripting (XSS) attacks may take advantage of this vulnerability.
Systems development life cycle
A conceptual model used to follow an information system development project through various stages.
T-closeness
Decreasing the detail of the data in a data set to extend l-diversity.
Terms of service
A set of rules governing the use of a service to which a user agrees implicitly or explicitly before participating.
Third-party collection
Data taken from a source that is not the data subject.
Tokenization
Replacing random tokens for true data as way of de-identifying data.
Transfer
Moving information from one organization to another intended recipient.
Transient storage
Short-term data storage such as that used by a session cookie stored on a browser which will be erased once the browser is closed.
Transmission control protocol
A protocol allowing two devices to connect and transfer data. TCP and IP are combined to send data over the Internet in the form of a packet, made up of content and a destination.
Transport layer security
A protocol that maintains separation between client-server applications and Internet users. The connection is secured to make sure no third party has access when a server and client communicate.
Trojan horse
A type of malware where bad software looks like beneficial software.
Ubiquitous computing
Processing information connected to an encountered activity or object.
Unified modeling language
A notation language used to detail the elements of a system design for software development.
Uniform resource locator
The letter and number coordinates that an end user in-puts into a web browser to get to a website; for example, https://privacyref.com.
User stories
Stipulations for new software systems or products created using the Agile Development Model, typically comprised of a few sentences on how a consumer would use the system or product and its intended functionality. This is a way of informing the developers about how a system or product should operate while they are design-ing it.
User-based access controls
Determining whether to grant or deny access to the re-source based on the identity of the user.
Value-added services
Non-core services that are outside of voice calls and fax transmissions available at almost no cost to pro-mote the business.
Value-sensitive design
An approach to design with moral and ethical values in mind like privacy, trust, courtesy, or freedom from bias for both technologies and stakeholders.
Virtual private network
A network that mostly uses public telecommunication infrastructure such as the Internet to allow remote users access to a central organizational network. The re-mote user is typically authenticated and data is se-cured using encryption technologies to prevent unauthorized disclosure of information.
Voice over internet protocol
A technology to let phone calls be made over an LAN or the Internet, in a similar risk to network-connected PBX systems but with the extra risk of data interception if using an unsecured connection.
Vulnerability management
Evaluating and creating plans for the possibility that a threat actor will succeed.
Web beacon
Also called a web bug, pixel tag or clear GIF, this is a clear graphic image delivered via web browser or e-mail which records a user’s visit or views. It may be used along with a web cookie for third-party tracking. They can be used to create specific profiles of user behavior or reports on what e-mails are opened. Similar privacy considerations should be made here to those for cookies.
Whaling
Phishing targeted at wealthy individuals.
Wide area network
A non-localized network for sending data across far distances.
Worm
A computer program or algorithm that clones itself over the network and completes malicious actions.
Write once read many
A data storage device that doesn’t allow information to be modified after it is written to ensure that the data originally written to the device won’t be manipulated. The data can only be destroyed if the whole device is destroyed.
