Online Privacy Flashcards
World Wide Web
collection of information that is accessed via the internet
is system most people use to access the internet
clients/servers
computers connected to internet
web client
device or software used to connect an individual to the internet
refers both to the internet connected device as well as the software used to connect to the internet (ex. Google Chrome, Firefox, Safari)
web browser
software that is used to connect to the internet and interpret files in order to present them to a user (ex. Chrome, Safari)
web server
computer that stores files that may be accessed via the internet (form the basis for website and applications)
packets
transmission of small chunks of data over internet
protocols
ground rules for transferring data over the internet
ex. TCP/IP, HTTPS, SMTP
hypertext transfer protocol (HTTP)
simple application level protocol
language by which a web client can communicate with WWW (interfaces with the internet, or the network and transport layers of the internet)
hypertext transfer protocol server (HTTPS)
predominant application-level protocol
transfers data over an encrypted connection
Transmission Control Protocol and internet protocol (TCP/IP)
main communication protocols of internet that sets forth system of rules that facilitate communication and information sharing
allows 2 devices to establish reliable data connection which allows streaming of data
process
1. TCP protocol breaks down info into packets and addresses them to appropriate location
2. packets travel across internet from router to router under IP protocol
3. TCP protocol is used to reassemble the packets of data before being received by client or server
transport layer security
provides communication security by allowing web user (client) to remain private from web server or vice versa
3rd parties can’t intercept or interfere with connection
when client contacts server “handshake” occurs where client and server authenticate each other and select encryption algorithm
internet protocol address (IP address)
unique number assigned to each device connected to internet, including web servers
IPv6- most recent version of IP protocol
dynamic IP address
created when internet service provider assigns a new IP address upon the beginning of each new web session
static IP address
more likely to be considered personal information because it is more easily associated with specific individual
uniform resource locator (URL)
domain name and web address of files and other materials located on web server
each URL is associated with IP address that points to specific web server
http://instagram.com
domain name server (DNS)
converts domain name (URL) to IP address associated with domain name
aka telephone book of internet
proxy server
intermediary web server that provides gateway to web
can mask what occurs behind firewall, be used to log each users interaction, serve as added security measure
used in large organizations
virtual private network (VPN)
establishes encrypted connection known as tunnel through which data can travel between user and proxy server
server log (web log/web server log)
record of visitors to requested web page
includes information regarding
- visitor's IP address
- date and time of page request
- URL of requested file
- visitor's browser type
- URL visited immediately prior to accessing the URL (referring page)
cache
copy of downloaded content that is stored locally on web client
this allows web client to eliminate need to download same content again from web server (don’t need to download next time user visits website)
programming languages
used to create list of commands to be executed by specific server or client
scripts
where list of commands or file commands are saved for programming languages
browser side- programming language
aka front side
contained in scripts run by web client after script has been downloaded off of the web server
include:
- HTML
- CSS
- javascript
hypertext markup language (HTML)
used to create structure of webpages
HTML 5 is newest version
cascading style sheets (CSS)
used to dictate presentation of webpage
ex. color background, size of text etc
javascript
allows for interactive websites
dictates how a website responds to user interactions
ex. box you can click on
server side- programming languages
aka back end
run by and interact directly with web servers- web server will run server side script before sending any browser side script to web client
used when dynamic content is needed for webpage (ex. latest real estate listing)
includes PHP
PHP
general purpose programming language originally designed for web development
relies on both HTML and CSS + structured query language
passive data collection
automatic data collection of user data
no express consent
active data collection
collected with users knowledge- generally through use of web forms
web form
part of webpage that allows user to input data in text field, drop down menu, radio buttons, or other means then submit info to web server to process info or store info in database
issue: potential to create security vulnerabilities since user can submit data directly to server or database (ex. text box)
solution: place limits on text fields to ensure they are used as intended
syndicated content
content developed by 3rd parties and purchased or licensed for presentation directly by host site
possible for it to contain malicious code that collects data in different ways than set forth in host site’s privacy notice
co-branded website
partnership between 2 organizations where both provide content or services on single website
have own privacy notices so it is clear to users that content belongs to and users are interacting with both partner entities
web services
program contained within website that allows 2 organizations to directly communicate between their computers or servers
application program interface- set of protocols, routines, functions and/or commands that programmers use to develop software or facilitate interactions between distinct systems
web widget
graphical interface on website that is controlled by 3rd party
ex. tweet displayed on different website- if tweet was deleted on twitter it would no longer appear on 3rd party website
iframe
HTML element that permits an external webpage to be directly embedded into a website
website doesn’t control content of 3rd party website only where on website iframe is located
3rd party marketing
ads that appear on webpages
usually controlled by online advertising networks- connect online advertisers with website owners who host ads on their websites
cyber threats
- spam
- malware
- phishing
- structured query language injection
- cross site scripting (XSS)
- cookie poisoning
- unauthorized access
spam
unsolicited commercial emails or messages
often contain viruses and other malware or direct a user to a website containing such malware
malware
software designed for malicious purposes
2 types
1. spyware
2. ransomware
spyware
specific form of malware downloaded covertly and without the consent or understanding of the user
ransomware
permits malicious actor to lock a user's operating system or encrypt data on a device, preventing access by the user to his/her files
then malicious actor demands ransom to allow user to access data
phishing
communications that are designed to trick users to believe that they should provide information to the sender
usually sent through email and targeted
types
1. spear phishing- targeted at 1 person
2. whaling- targeted at important individuals (ex. politician)
structured query language injection
malicious actor attempts to provide a database command to a web server through input fields contained in web form on website
cross site scripting (XSS)
malicious code is injected into a webpage
results in unauthorized content appearing on webpage or tricks user into thinking that the site is corrupted
cookie poisoning
cookie is modified in order to gain unauthorized access to information about user or towards some other nefarious end
ways to avoid cyber threats
- two factor authentication
  - user required to provide more than one form of authentication
- data validation
  - ensuring data conforms to identified requirements and quality benchmarks
  - ex. if inputting email then must verify there is @ with words before and after it
- data sanitization
  - takes data input by user and modifies it by removing potentially harmful input characters
steps to minimize possibility of human error
- passwords are unique, not shared across users, and regularly changed
- antivirus/firewall systems are updated regularly
- employee training should include instruction on not using public computers or public charging stations and only using secure and familiar private wi-fi networks
behavior advertising
targeted ads based on info associated with an individual
government entities that address concerns about such advertising include
1. FTC do not track
  - consumers can make single choice to opt out of such ads
2. digital advertising alliance- ad choices
  - icon that permits consumers the ability to exercise choice with respect to behavior advertising
3. EU- directive 2009/136/EC- EU cookie directive
  - requires users to give consent before having cookie placed on their computers
  - prevents cookie tracking without consent
consumer tracking - cross device tracking
mapping user as he moved between devices
accomplished through deterministic tracking or probabilistic tracking
deterministic tracking
allows organizations to track users device based upon where he logs into services
ex. user logs into one computer to purchase product from company and later logs into another computer to purchase product from same company- can tell both computers associated with same person
probabilistic tracking
connects users devices based upon assessment of probabilities and proprietary algorithms drawn from info collected on multiple devices
consumer tracking- cross site tracking through tracking cookies
small text file placed on hard drive of device by web server
3rd parties can link device to prior activity through tracking cookies
may be considered as personal information
best practices for using cookies:
- never be used to store unencrypted personal info
- provide notice when cookies are being used
- should disclose 3rd party cookies providers
- opt-out function where practical
session cookie
stored only while user is connected to specific web server and is deleted when user closes his web browser
persistent cookie
set to expire at some point in future according to predefined time
identifies particular device for user authentication
persistent cookies should be only used where necessary and are set to expire after reasonable length of time
1st party cookie
set and read by web server that is hosting the website being visited
3rd party cookie
set and read by party other than web server hosting the visited website
flash cookies
stored outside of internet browser's control and is controlled and accessed by Adobe Flash
difficult for users to delete, do not expire, users not provided notice of their use
may be used to respawn a deleted HTML cookie (ex. zombie cookie)
consumer tracking- cross site tracking through web beacons
clear one pixel by one pixel graphic image delivered by web server
purpose is to record consumers visit to web page and measure digital advertising performance
notice to users is important to provide
bluetooth beaconing is where low energy bluetooth signal is sent from beaconing device and picked up by mobile device setting in motion process that displays ad to owner of mobile device
consumer tracking- cross site tracking- adware
software that monitors end users behavior so that advertisers can better target advertisements toward a user
location based advertisements- rely on mobile device GPS receiver, Wi-fi, and bluetooth
consumer tracking- cross site tracking- digital fingerprinting
uses IP address, referring URL page, and browser type being used to identify user
can be used to increase security (ex. require additional authentication if user logs in from device organization doesn’t recognize based on fingerprint)
children’s online privacy laws/regulations
- COPPA (federal, protects children under 13)
- GDPR (orgs that collect info on EU residents must not process data of children under 16 unless parental consent)
- Digital World Act (CA state, under 18 have right to request removal of info posted by them online, and no online advertising of products children are not legally permitted to purchase)
- Delaware online and personal privacy protection act (DOPPA) (state, similar to digital world act)
- California consumer privacy act (no sale of PI of CA consumers under 16 without appropriate consent)
- 13-15 consent must may be obtained directly from child through opt in
- 13 and under- consent must be obtained by parent or guardian