CIPT
Four techniques of deidentification
1. Tokens 2. Anonymization 3. Pseudonymization 4. K-anonymity, l-diversity, t-closeness
What term is used when previously collected data is used for a purpose other than that for which it was initially collected? A. Retention B. Recycling C. Repurposing D. Reuse
C. Repurposing
Vulnerability is determined by what two factors? A. Probability and confidentiality B. Capability and portability C. Confidentiality and integrity D. Capability and probability
D. Capability and probability
True or False: While monitoring and analyzing data during runtime leads to the risk of inadvertent collection of personal information, privacy technologists cannot reduce this issue
False, programmers can reduce the risk through analysis, defect-tracking, and API
The technical investigation
examines how the existing technology supports or hinders human values and how the technology might be designed to support the values identified in the conceptual investigation.
Deidentification: Pseudonymization
replacing individual identifiers (such as names) with numbers, symbols, or a combination of these, such that data points are not directly associated with a specific individual
Governed and owned by AXELOS. Provides an overall measurable view of technology system, service, and functionality. It reports on services provided by technology system and helps organizations use technology to support change and growth. Limited view of risk management
ITIL
A marketing lead has collected a large data set of personal information and stored it in a shared folder. The marketing lead controls who has access to the shared folder. The type of access control being used is: A. Discretionary B. Mandatory C. Attribute-based D. Rule-based
A. Discretionary
Action by an external party, such as govt entity, that interferes w/ an individual's decision making regarding their personal affairs. Inaccurate data can lead to decisional interference
Decisional interference
Three types of interference:
Decisional, Intrusion, Self-representation
What term refers to the overall organizational design of a system and recognizes the relationship between all elements of a system? A. Service-oriented architecture B. Enterprise architecture C. Client-based architecture D. Plug-in architecture
B. Enterprise architecture
Objective Lost opportunity
Employment, insurance, housing, education
Privacy Engineering Objective: Predictability
Enabling reliable assumptions by individuals, owners, and operators about data and their processing by a system
Privacy Engineering Objective: Disassociability
Enabling the processing of data or events without association to individuals or devices beyond the operational requirements of the system
Validation
Ensures the requirements satisfy the needs of the intended user base
Verification
Ensures the resultant system performs the way it is supposed to perform
Objective harm
External to individual: lost opportunity, lost liberty/life, Social detriment
Works alongside compliance models to mandate notice choice and consent, access to information, controls on information, and how information is managed. High level abstractions of privacy, interpretation is necessary to determine application
FIPPS Fair Information Privacy Principles
True or false: The most efficient and cost-effective way for orgs to address evolving privacy laws and advancing technology is to design for just the org's requirements within their jurisdiction
False
Contextual Integrity: Actors, Transmission principles, Attributes
Actors: The senders and receivers of personal information Transmission principles: Those that govern the flow of information Attributes: The types of information being shared
Process-oriented strategies
- Enforce - Demonstrate - Inform - Control
Data-oriented strategies
- Separate - Minimize - Abstract - Hide
Data Inventories, knowing where data is....
-Collected -Processed -Stored -Classified
Examples of values for value sensitive design:
-Context specific -user specific -Malleable -Difficult to define
Privacy-enhancing technology (PET)
-Mix networks -Secure multiparty computation -Differential privacy -Anonymous digital credentials -Private information retrieval -Homomorphic encryption
Cross-border data transfers in compliance with the law
-the recipient is subject to a law, binding corporate rules, or binding agreement that provides an adequate level of protection; -the data subject consents to their personal data being transferred to a third party in a foreign country; -the transfer is necessary for the performance of a contract between the data subject and the controller; -the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; -the transfer is for the benefit of the data subject, subject to certain restrictions.
Steps in mapping privacy risk to controls in a design methodology are?
1. Architect 2. Secure 3. Supervise 4. Balance
OWASP Top 10
1. Broken Access Control moves up from the fifth 2. Cryptographic Failures 3. Injection. 4. Insecure Design 5. Security Misconfiguration 6. Vulnerable and Outdated Components 7. Identification and Authentication Failures 8. Software and Data Integrity Failures 9. Security Logging and Monitoring Failures 10. Server-Side Request Forgery
Write Once Read Many (WORM)
A data storage device in which information, once written, cannot be modified. This protection offers assurance that the data originally written to the device has not been tampered with. The only way to remove data written to a WORM device is to physically destroy the device.
Which of the following may pose a "client side" privacy risk? A. An employee loading personal data on a company laptop B. Failure of a firewall that is protecting the company's network C. A distributed denial of service (DDoS) attack on the org D. A remote employee placing communication software on a company server
A. An employee loading personal data on a company laptop
The first step in mapping privacy risk to controls in a design methodology is? A. Architect B. Balance C. Secure D. Supervise
A. Architect
An incident response plan for a privacy breach includes notification of affected individuals, law enforcement, and other agencies. What is the first step an organization should take when approaching notification? A. Consult with your org's legal team B. Notify individuals affiliated with the org C. Alert local media that a breach has occurred D. Notify individuals affiliated with the breach
A. Consult with your org's legal team
What measures can be put in place to secure data? Choose all that apply A. Data classification Policies B. Surveillance cameras C. Log-in requirements for accessing sensitive personal information D. Opt-in controls E. Data retention policies
A. Data classification Policies B. Surveillance cameras C. Log-in requirements for accessing sensitive personal information E. Data retention policies
What type of interference occurs when false or inaccurate information on a credit application results in denial of credit? A. Decisional B. Intrusion C. Disclosure D. Appropriation
A. Decisional
In creating a registration form for a mobile app directed at grade school children, what privacy engineering objective is addressed by asking for grade level instead of date of birth? A. Disassociability B. Manageability C. Security D. Predictability
A. Disassociability
Privacy engineering addresses the challenges of translating privacy principles and harms into engineering requirements. What key concepts within an organization help realize this? Choose all that apply A. Engineering development life cycle B. Privacy design patterns C. Manageability D. Technological controls E. Data governance
A. Engineering development life cycle D. Technological controls E. Data governance
Which of the following are risks inherent with internet-of-things (IoT) devices? A. Hackers may be able to alter devices, turning them into a means of surveillance B. Household members can monitor one another's comings and goings C. Collected data from wearable health devices is not covered under health information privacy laws D. Individuals feel a loss of control or the uneasy feeling that they are being surveilled by family members
A. Hackers may be able to alter devices, turning them into a means of surveillance B. Household members can monitor one another's comings and goings C. Collected data from wearable health devices is not covered under health information privacy laws D. Individuals feel a loss of control or the uneasy feeling that they are being surveilled by family members
In what ways can privacy technologists mitigate risk of interrogation? Choose all that apply A. Implement controls that allow users to opt in to providing information B. Limit the collection of data to only that which is necessary C. Implement controls that flag for explicit language D. Use encryption when collecting sensitive personal information
A. Implement controls that allow users to opt in to providing information B. Limit the collection of data to only that which is necessary
Low-level design focuses on improving the quality of programming practices through which of the following? Choose all that apply A. Loose coupling B. Integration testing C. Information hiding D. Reusing standard APIs E. Building frameworks that can be reused
A. Loose coupling C. Information hiding D. Reusing standard APIs E. Building frameworks that can be reused
Which privacy risk model or framework is described as maintaining personal information in alignment with the informational norms that apply to a particular context? A. Nissenbaum's Contextual Integrity B. Calo's harm dimensions C. Privacy by design D. Value-sensitive design
A. Nissenbaum's Contextual Integrity
What is the difference between objective harms and subjective harms? A. Objective harms are measurable and observable; subjective harms are only expected or perceived by the individual B. Only objective harms impact an individual's decision to use a software program C. Objective harms are the primary type of harm that should be considered when determining whether a privacy harm has occurred D. Objective harms impact individuals on a psychological and behavioral level while subjective harms can result in loss of business opportunities or consumer trust
A. Objective harms are measurable and observable; subjective harms are only expected or perceived by the individual
When purchasing a product from TripeType's website, a customer must enter basic information into a purchase form. A link to TripeType's privacy statement is provided on the purchase form. However, it does not disclose that it will use personal information for other purposes. The statement provides that TT will store the customer information in its database. A month later, TT's sales team wants to generate new leads and decides to use the information collected from customers. This is an example of what? A. Secondary Use B. Involuntary use C. Disapproved Use D. Selective Use
A. Secondary Use
Which of the following technologies allows individuals to participate in a salary survey without revealing the specific salary or personal information of any of the participants? A. Secure multiparty computation B. Digital rights management C. Ciphertext D. Homomorphic encryption
A. Secure multiparty computation
Which element of a design pattern describes the components of the design, their relationships, their roles, and how they interact? A. Solution B. Consequence C. Problem description D. Pattern name
A. Solution
What activity includes an evaluation of some aspect of the system or component? A. Testing B. Supervision C. Integration D. Obfuscation
A. Testing
Examine statements below and choose all those that are examples of appropriation A. Using a celebrity's image to endorse a product without their permission B. Revealing the security code to a home alarm system to a source outside the family without permission C. A politician distorting facts about their opponent to make them appear less credible D. Social media page using the names of friends to tempt users to follow a specific page
A. Using a celebrity's image to endorse a product without their permission D. Social media page using the names of friends to tempt users to follow a specific page
Four things to do with risk:
Accept, transfer, mitigate, and avoid
Type of asset: Customer and employee data, as well as backup copies of data, stored either onsite or offsite
Assets information
Type of asset: Software code, trade secrets
Assets intellectual
Information is expressed in a summary form that reduces the value and quality of data, as well as the connection between the data and the individual
Aggregation
On demand privacy
Allow users to seek out and review privacy info or their privacy settings and opt outs at any time
Web Beacon
Also known as a web bug, pixel tag or clear GIF, a web beacon is a clear graphic image (typically one pixel in size) that is delivered through a web browser or HTML e-mail. The web beacon operates as a tag that records an end user's visit to a particular web page or viewing of a particular e-mail. It is also often used in conjunction with a web cookie and provided as part of a third-party tracking service. Web beacons provide an ability to produce specific profiles of user behavior in combination with web server logs. Common usage scenarios for web beacons include online ad impression counting, file download monitoring, and ad campaign performance management. Web beacons also can report to the sender about which e-mails are read by recipients. Privacy considerations for web beacons are similar to those for cookies. Some sort of notice is important because the clear pixel of a web beacon is quite literally invisible to the end user.
Type of asset: Servers, workstations, laptops, portable storage devices
Assets physical
Internet monitoring types:
Authoritative, Behavioral, Wi-fi eavesdropping
Anchoring
Available information creates a reference point for future decisions. Ex: Information or judgements about others' disclosure behavior. Anchoring also manifests in ordering effects: Survey participants disclose more info when a survey starts w/ intrusive questions and gradually reduces in sensitivity, compared to a survey that gradually becomes more sensitive
Under the EU's General Data Protection Regulation (GDPR), which of the following types of information would NOT require notification to a supervisory authority in the event of a personal data breach? A. Pseudonymized data B. Anonymized data C. Reidentified data D. Deidentified data
B. Anonymized data
Surveillance happens at what point in the data life cycle? A. Use B. Collection C. Destruction D. Retention
B. Collection
What type of interference occurs when advertisers track a user's online behavior to design personalized ads that represent the user's interests? A. Decisional interference B. Intrusion C. Disclosure D. Self-representation
B. Intrusion
Which of the following is NOT an example of automated decision making? A. Receiving an answer to a support question utilizing a chat bot B. Obtaining approval for insurance through an online application C. Requesting an emailed catalog from an online retailer D. Setting airfare based on browser history and date of purchase
C. Requesting an emailed catalog from an online retailer
True or False: Manageability includes allowing individuals to have access to their information to make changes to inaccurate information
False, manageability assigns appropriate stakeholders to administer changes to an individual's information to ensure security and mitigate fraud
You have been tasked with developing an incident response process for your employer, BrandEnt Company, a media entertainment company. As the senior manager of information privacy, you have been creating privacy-related procedures for the company. There has been an uptick in the number of privacy-related questions being sent to customer service through the website's generic portal, and the customer service reps are unsure of what to do with the questions. This has led to the director of privacy asking that you work with the IT department to identify, track and resolve privacy-related incidents, as well as with the Information Security team to leverage their existing incident-management process. As you review the questions, you notice that many customers are asking what personal information BrandEnt has collected about them. You grow concerned as you notice that customer service representatives are not always responding to these inquiries. The website doesn't have a portal dedicated to asking privacy-related questions, and instead a general customer service portal form is being used. This form only requests the customer's name and their email address. The site does not require authentication to get to this portal. For responses that have been processed, the customer service representatives sent compressed files containing all data collected regarding the individual and sent it to the email provided. You reach out to the Information Security team to request access to their incident ticketing system to determine if the existing process can be leveraged. As you review the incident tickets, you notice several security incidents related to data breaches. After speaking with the Information Security team lead, you learn that the tickets were closed after the vulnerabilities were patched and the system owners were notified. What follow up should be done regarding the data breaches that have already occurred? A. Review the fixes applied for the vulnerability and verify that it was applied on all affected systems. B. Review the information that was breached and determine what levels of notification are required. C. Send a notification to all customers notifying them of the breach. D. Nothing is required as the security team reviewed and closed the incident
B. Review the information that was breached and determine what levels of notification are required.
What type of privacy violation occurs when the recipient of personal information shares it outside of the expectations of the individual who provided their information? A. Surveillance B. Secondary Use C. Distortion D. Exclusion
B. Secondary Use
What is an example of a federated identity? A. National ID number B. Single sign-on credentials C. Corporate ID number D. A token
B. Single sign-on credentials
Low-level design concerns the details of the overall design of the system and focuses on improving the quality of programming practices through each of the following mechanisms EXCEPT: A. Information holding B. Threat Modeling C. Reusing existing standard API libraries D. Loose coupling
B. Threat Modeling
Which of the following circumstances would best be addressed by utilizing radio frequency identification (RFID) technology? A. An org has a high error rate for entering credit card data into POS system B. An org requires two-way communication between its discoverable devices C. An org needs to develop an encryption-supported network D. An org's inventory process is taking too long
D. An org's inventory process is taking too long
An organization wants to enter into a contract with a third-party cloud provider for storage of client personal information. The business head is entering into this agreement to eliminate risk associated with a data breach by transferring the information to the third-party processor. She asks you if this is a good way to eliminate breach risk. Please choose the BEST response from the choices below: A. Third party processors have sole liability for the data they process, because the data is in their possession. We can rely on the security program of the third party since they did not report a data breach in the previous 12 months B. Under most privacy and data protection laws, following a data breach, an organization retains liability for personal data that it has collected and transferred to third party processors. Third party processors may share liability for the breach as well. We should routinely validate data protection controls of third parties we are doing business with to make sure our client data is protected properly C. Organizations can transfer data to a third party to avert all liability for damages resulting from a data breach. We can use contract language to eliminate the need for third party due diligence D. Organizations can only be liable for data breaches if an individual brings a lawsuit. A government agency is able to investigate the organization but can only issue orders to the organization to correct deficiencies in the information security program. Money penalties are only available to individual plaintiffs, or as a result of a class action
B. Under most privacy and data protection laws, following a data breach, an organization retains liability for personal data that it has collected and transferred to third party processors. Third party processors may share liability for the breach as well. We should routinely validate data protection controls of third parties we are doing business with to make sure our client data is protected properly
Objective lost liberty/life
Bodily injury, death, incarceration
In the event of an incident, what privacy attribute allows personal information to be accessed if an individual is not able to consent? A. Integrity B. Network centricity C. Availability D. Mobility
C. Availability
You are browsing the web and shopping for new furniture. You then open your favorite social media to scroll through the posts. While doing so, you start noticing ads for furniture. This is an example of what? A. Direct Marketing B. Individual advertising C. Behavioral advertising D. Indirect Marketing
C. Behavioral advertising
Vulnerability is determined by what two factors? A. Detection and prevention B. Governance and oversight C. Capability and probability D. Operation and maintenance
C. Capability and probability
This form of automated decision-making acts as a subset of machine learning in that it learns by performing a task repeatedly, adjusting along the way to deepen and improve the outcome A. Chatbots B. Context-aware computing C. Deep learning
C. Deep learning
How does employing the objective of predictability benefit an organization? Choose all that apply A. It assigns appropriate stakeholders to administer changes to an individual's information B. It increases the need for advances in techniques that disassociate individuals from their information C. It supports trusted relationships between stakeholders and individuals, thereby enabling operators to implement innovative changes to a system to provide better services D. It helps stakeholders adequately describe what is happening with the personal information in their possession from a value statement on transparency to a requirements-based program that explains how personal information is managed
C. It supports trusted relationships between stakeholders and individuals, thereby enabling operators to implement innovative changes to a system to provide better services D. It helps stakeholders adequately describe what is happening with the personal information in their possession from a value statement on transparency to a requirements-based program that explains how personal information is managed
Which of the following is an objective for privacy engineering? A. Encryption B. Anonymization C. Manageability D. Audit
C. Manageability
When creating a data inventory, it is important to include a range of detailed information on the company's data assets. This information should include how the data is accessed and by whom, how the data is managed, who owns it, where the data is stored, and the ____ that defines the individual data records and what they contain A. Structured data B. Schema C. Metadata D. Dictionary
C. Metadata
Which of the following privacy practices would be most useful to users who are not knowledgeable about protecting their personal information? A. Choice B. Control C. Notice D. Consent
C. Notice
What is NOT a data-based technique used to protect privacy? A. Encryption B. Aggregation C. Process Documentation D. Deidentification
C. Process Documentation
You have been tasked with developing an incident response process for your employer, BrandEnt Company, a media entertainment company. As the senior manager of information privacy, you have been creating privacy-related procedures for the company. There has been an uptick in the number of privacy-related questions being sent to customer service through the website's generic portal, and the customer service reps are unsure of what to do with the questions. This has led to the director of privacy asking that you work with the IT department to identify, track and resolve privacy-related incidents, as well as with the Information Security team to leverage their existing incident-management process. As you review the questions, you notice that many customers are asking what personal information BrandEnt has collected about them. You grow concerned as you notice that customer service representatives are not always responding to these inquiries. The website doesn't have a portal dedicated to asking privacy-related questions, and instead a general customer service portal form is being used. This form only requests the customer's name and their email address. The site does not require authentication to get to this portal. For responses that have been processed, the customer service representatives sent compressed files containing all data collected regarding the individual and sent it to the email provided. You reach out to the Information Security team to request access to their incident ticketing system to determine if the existing process can be leveraged. As you review the incident tickets, you notice several security incidents related to data breaches. After speaking with the Information Security team lead, you learn that the tickets were closed after the vulnerabilities were patched and the system owners were notified. Which common privacy principle is missing at BrandEnt? A. Use limitation. B. Collection limitation. C. Security safeguard. D. Data quality
C. Security safeguard.
Privacy technologists ensure that collected data is which of the following? (Choose all that apply) A. Repurposed and used in as many ways as possible B. Retained indefinitely C. Used only for the purposes for which it was collected D. Destroyed in accordance with organizational guidelines
C. Used only for the purposes for which it was collected D. Destroyed in accordance with organizational guidelines
Testing during software development generally consists of which two sets of activities? A. Implementation and deployment B. Alpha and beta testing C. Validation and verification D. Runtime monitoring and auditing
C. Validation and verification
Authentication can be accomplished by a variety of mechanisms. Which are the four main categories? A. What you know, when you know, where you are, what you are B. What you know, what you have, when you know, where you are C. What you know, what you have, where you are, what you are D. What you know, what you have, where you are, when you know
C. What you know, what you have, where you are, what you are
Destruction of portable media:
CDs, DVDs, flash drives need to be physically destroyed, maybe professionally
Comprehensive program that helps with management of a technology system that allows for technology governance
COBIT
Destruction of hard copy:
Challenge lies in what needs to be destroyed and when, should have established guidelines in place for document destruction
Subjective Behavioral
Changed behavior, reclusion
Data life cycle:
Collection -> Use -> Disclosure -> Retention -> Destruction
Technology architecture Back end
Collection, Use, Disclosure, retention
Process-oriented strategy: Enforce
Commit to processing personal data in a privacy friendly way and enforce this -Create: Decide on a privacy policy that describes how you wish to protect personal data -Maintain: Maintain the privacy policy created -Uphold: Ensure that policies are adhered to by treating personal data as an asset and privacy as a goal to incentivize as a critical feature
Internet Monitoring - Behavioral
Companies may monitor browsing history and behavior for targeted advertising. History relates to the types of sites users are visiting or purchases they are making, while behavior relates to how long a user stays on a page or hovers over links before clicking
System testing
Completed portions of the whole system. This ensures that an individual's information was not exposed throughout the network traffic, files, or any part of the system
What is value-sensitive design? A. An investigative process intended to establish the ROI for each potential design option B. An iterative design process in which designers focus on the users and their needs in each phase of the design process C. A design process with a focus on the potential return on investment (monetary value) of each design feature D. An iterative investigative approach to design that takes human values into account during the design process
D. An iterative investigative approach to design that takes human values into account during the design process
What type of encryption uses one key for encryption and another key for decryption? A. Application B. Field C. Symmetric D. Asymmetric
D. Asymmetric
Which of the following explains why it is difficult to regulate what individually identifiable data is? A. Many people mistakenly expose personal information online B. Personal information means different things to different people C. Most legislative bodies are hesitant to enact laws about identifiable data D. Data that is not overly identifiable can be combined to identify individuals
D. Data that is not overly identifiable can be combined to identify individuals
Pseudonymization is a type of A. Label B. Anonymization C. Algorithm D. Deidentification
D. Deidentification
The small piece of data that controls an algorithm's execution is called a: A. Pseudo-identifier B. Label C. Token D. Key
D. Key
Which of the following privacy-related principles would be the main concern during the data usage stage of the data life cycle? A. Transparency B. Data Minimization C. Storage Limitation D. Purpose Limitation
D. Purpose Limitation
Ubiquitous computing can raise significant concerns about the sheer volume of data that can be collected by a system. Each of the following are necessary considerations when utilizing a data collection process that falls into this category EXCEPT which? A. The system should provide end-users with both feedback and control B. The system should have obvious value C. The retention of data by the system should be limited D. The data collected by system should be aggregated and made available to all users
D. The data collected by system should be aggregated and made available to all users
What is the primary purpose of a privacy by design framework? A. To outline the legal and ethical expectation of a robust privacy program B. To provide a framework of steps that should be incorporated into the creation of any new design C. To specify the technology and procedures that should be used to ensure personal information is protected D. To provide guidance for proactively incorporating privacy from the beginning to the end of the design process
D. To provide guidance for proactively incorporating privacy from the beginning to the end of the design process
Key Concepts of Privacy Engineering
Data governance, Technological Controls, Engineering Life Cycle
Knowing where data is -Collected -Processed -Stored -Classified
Data inventories
Used to separate customer information. It formulates all the constraints to be applied on the data and defines its entities and the relationships among them
Data schema
Two types of privacy by design strategies:
Data-oriented and process-oriented
Setting parameters that limit the confidence that any particular individual has contributed to an aggregated value.
Differential identifiability
The management of access to and use of digital content and devices after sale. DRM is often associated with the set of access control (denial) technologies. These technologies are utilized under the premise of defending copyrights and intellectual property but are considered controversial because they may often restrict users from utilizing digital content or devices in a manner allowable by law
Digital rights management
Deidentification: Anonymization
Direct and indirect identifiers have been removed, and mechanisms have been put in place to prevent reidentification
Direct versus Indirect design affecting users
Direct: Interact with the system Indirect: How stakeholders configure, use, or are otherwise affected by the technology
Destruction for digital content:
Disks should be formatted. Hard drives, tapes, and other magnetic media will need to be degaussed
Availability heuristic
Due to uncertainty about privacy risks, people may look for other available cues to judge the probability of risk and guide their behavior. Ex: Rather than read the privacy policy, people rely on readily available clues, such as the store's visual design, the presence of a privacy policy, the vendor's reputation, or even just the company name
True or False: It is illegal across all 50 states for law enforcement to use drones for search or surveillance without obtaining a search warrant prior
False
True or False: To successfully identify an individual by piecing together information from different sources, one of the identifiers must be the individual's name
False
ITIL and COBIT
Frameworks to help with security and privacy
What term is used when individuals share information such as location, emotions, opinions, and experiences via their mobile devices, which enables a better understanding of human behaviors and activities, meaningful patterns and detectable trends? A. Web tracking B. Geo tagging C. Geo social patterns D. Natural language generation
Geo social patterns
Example of privacy law
HIPAA, GDPR
Integration testing
How components interact with other groups of components. Ensures that the function of one unit interacts correctly with other components
Something a privacy impact assessment (PIA) does not accomplish?
Implements controls on data collection
-Discovery -Containment -Analyze and notify -Repercussions -Prevention -Third parties
Incident Response Plan
Unit testing
Individual functions and system components. This determines whether a unit, with a predefined input, will yield an expected output
Process-oriented strategy: Inform
Inform data subjects about the processing of their personal data -Supply: Inform users when personal data is processed, including policies, processes, and potential risks -Notify: Alert data subjects whenever their personal data is being used or breached -Explain: Provide information in a concise and understandable form, and explain why processing is necessary
Subjective harm
Internal to individual: Psychological, behavioral
Disturb an individual's solitude or tranquility. Can be physical, psychological, or informational. Does not need personal information for this interference type, as you do not need someone's name to knock on their door to try to sell them something
Intrusion interference
Julie needs to securely transfer a file containing personal data to Katelyn. They decide to use asymmetric encryption. What are the correct steps they should follow?
Julie encrypts the file using Katelyn's public key, Katelyn decrypts using her private key
Disclosure of specific information practices posted, usually accompanied by a consent request, at the point of information collection.
Just-in-time notification
Statutory and regulatory mandates for systems that handle personal information -Type of data collected -What the system does with that data -How the data is protected, stored, and disposed of
Legal compliance
Preventative Privacy Internal Control
Limit access of personal data to authorized personnel only
Preventative Security Internal Control
Limit access of sensitive data to authorized personnel only
Data-oriented strategy: Abstract
Limit as much as possible the detail in which personal data is processed -Group: Aggregate data over groups of individuals instead of processing the data of each person separately (those who bought hammers also bought nails) -Summarize: Summarize detailed information into more abstract attributes (age range 20-28) -Perturb: Add noise to or approximate the real value of a data item, e.g., a pothole app that delays sending information/reports
Data-oriented strategy: Minimize
Limit as much as possible the processing of personal data -Exclude: Refrain from processing a data subject's personal data (don't need it, don't collect it) -Select: Decide on a case-by-case basis to only process relevant personal data, e.g., customer pickup or delivery: the address is only needed for delivery -Strip: Partially remove unnecessary attributes. Stripping data allows the removal of unnecessary data before future processing or distribution -Destroy: Remove personal data completely as soon as it becomes unnecessary. Three situations in which orgs will want to destroy data: 1. Inadvertently collected 2. Data no longer necessary 3. Individual requests deletion
List objective harms
Loss of business opportunity, loss of consumer trust, social detriment
Subjective Psychological loss
Loss of trust, embarrassment, anxiety, suicide
Objective social detriment
Loss of trust, shunning, ostracism, banishment
Maintaining personal information in alignment with the informational norms that apply to a particular context
Nissenbaum's Contextual Integrity
Technology Architecture Front end
Notification, Consent, Tutorials
Even when a user has indicated a decision, _____ is an attempt to get them to reconsider in favor of an alternative that may be less privacy friendly
Nudging
At setup interfaces
Often shown on initial use. However, only info and choices that are truly essential before use should be communicated at setup because users' attention is typically focused on the primary UX at this point
Example of privacy policy
Org policy
Representative heuristic
People may perceive privacy intrusions as low-probability events because they rarely encounter privacy intrusions online. However, privacy intrusions, such as behavioral tracking and targeting, may occur frequently or continuously but may just not be visible to the individual
Privacy Engineering Objectives
Predictability, Manageability, Disassociability
The acronym PGP stands for:
Pretty Good Privacy
Informs consumers about practices, values, and commitments of privacy
Privacy Notice
Misdirected emails, denial of service, unauthorized disclosure, hacking attempts, and lost devices are all examples of what?
Privacy incidents
Internal practice to inform employees of best practices
Privacy policy
Data-oriented strategy: Hide
Protect personal data or make it unlinkable or unobservable; make sure it does not become public or known -Restrict: Prevent unauthorized access to personal data -Mix: Process data randomly within a large enough group to reduce correlation -Obfuscate: Prevent understanding of personal data; Number of different techniques, like encryption and hashing -Disassociate: Remove the correlation between data subjects and their personal data
Process-oriented strategy: Control
Provide data subjects control over the processing of their personal data
Privacy Engineering Objective: Manageability
Providing the capability for granular administration of data, including collection, alteration, deletion, and selective disclosure
Occurs when another alters how an individual is represented or regarded.
Self representation
Data-oriented strategy: Separate
Separate the processing of personal data as much as possible to prevent correlation -Distribute: Process personal data (for one task) in separate locations. Taking data from a source and separating it logically, physically, or both; doesn't involve further processing of the data -Isolate: Process data that is already distributed independently, in separate databases or systems
Process-oriented strategy: Demonstrate
Show you are processing personal data in a privacy-friendly way -Log: Track all processing of data and review the information gathered for any risks -Audit: Audit processing of personal data regularly -Report: Analyze collected information on tests, audits, and logs periodically, and report to the people responsible
Persistent privacy indicators
Shown whenever a data practice is active. Ex: A visible light when camera is on
Internet Monitoring - Authoritative
Some countries, employers, and schools monitor network traffic to enforce policies for security and appropriate behavior. Certain keywords or addresses could be monitored for and added to a blacklist or access control list to block access to websites that may be considered inappropriate
Distortion
Spreading false and inaccurate information about an individual.
Cross-border Data Transfers
The transmission of personal information from one jurisdiction to another. Many jurisdictions, most notably the European Union, place significant restrictions on such transfers. The EU requires that the receiving jurisdiction be judged to have "adequate" data protection practices.
What is the main benefit of using a private cloud? A. The ability to use a backup system for personal files. B. The ability to outsource data support to a third party. C. The ability to restrict data access to employees and contractors. D. The ability to cut costs for storing, maintaining and accessing data.
The ability to restrict data access to employees and contractors
Recognizes that data has different value, and requires approaches, as it moves through an organization from collection to deletion. The stages are generally considered to be: Collection, processing, use, disclosure, retention, and destruction.
The information life cycle
Deidentification: k-anonymity, l-diversity, t-closeness
Three techniques that have been developed to reduce the risk of the anonymity of data being compromised by someone who might combine it with known information to make assumptions about individuals in a data set
Context-dependent interfaces
Triggered by certain aspects of the user's context. Example: Proximity to IoT device
True or False: Although hackers cannot readily access closed-source software, it should not be considered more resistant to attacks than open-source software
True
True or False: Dark patterns are schemes used in decisional interference
True
True or False: Natural language generation uses voice recognition to produce an executable command, such as voice to text, while natural language understanding extracts language that the computer can understand and transforms the command into an executable output
True
True or False: Privacy technologists can comply with privacy laws in their design and use those laws as a basis for implementing technological controls to align with the privacy goals of an organization
True
Internet Monitoring - Wi-Fi Eavesdropping
Unsecured communication sent over open or shared wireless networks can be easily intercepted via packet sniffing and analysis tools
Periodic reminders
Useful to remind users about data practices that they agreed to previously and renew consent
Deidentification: Tokens
Uses random tokens as stand-ins for meaningful data
Components of front end
Web browser and web server
Components of back end
Web service
The components of the data life cycle
collection, use, disclosure, retention and destruction
Methods of collection
either active or passive. Active collection is when the data subject is aware that collection is taking place and takes an action to enable the collection, such as filling out and submitting an online form. Passive collection occurs without requiring any action from the participant and is not always obvious, such as background collection of a user's web browser version and IP address
The empirical investigation
focuses on how stakeholders configure, use or are otherwise affected by the technology
The conceptual investigation
identifies the direct and indirect stakeholders, attempts to establish what those stakeholders might value, and determines how those stakeholders may be affected by the design.
Relies on the creation of generalized, truncated, or reduced quasi-identifiers as replacements for direct identifiers
k-anonymity
The data life cycle
refers to how data flows through an organization, including business processes and technology systems
truncated
to shorten