Chpt. 5- Online Privacy
Best Practices for Cookies
(1) Do not store unencrypted PI (2) Provide adequate notice of their usage (3) Use a persistent variation only if the need justifies (4) Do not set long expiration dates (5) Disclose involvement of 3rd party cookie provider and opt-out (or opt-in in EU) mechanism for delivery from the 3rd party
Standard Practices to Protect PI Transmitted over the Web
(1) Login, password, PINs (2) Antivirus and firewall software (3) Caution over using wi-fi networks and Bluetooth (4) Restricted access to files with file sharing sites (e.g. BitTorrent) (5) Avoid using public computers (6) Be cautious about public charging stations (7) Don't provide PI on a website unless you know it's secure
Categories of organizations that receive data
(1) Process data on behalf of original organization (2) Receive data related to the original data collection for a distinct reason (3) Receive the data and determine how it shall be used
Website Authentication Methods
(1) Two-factor authentication (2) Web forms with "password field" in HTML (characters displayed as asterisks when entered) Cookies = imprecise method b/c users can delete or block them and there is no accurate way to differentiate b/t individual users of a single machine
Threats to Online Privacy
(1) Unauthorized access (2) Social engineering (3) Technical based attacks
EU Directive 2009/136/EC
- "EU Cookie Directive" - Requires users give consent before having cookies placed on their computer (i.e. opt in program)
Common Features of Security Products
- Antivirus - Antispam - HTML tag removal - Script removal - Blocking of attachment files - Confidentiality checks - Disclaimer enforcement
Web Widgets
- Apps that can be installed on web page, blog, social profile, or HTML page - Typically executed by 3rd party - Used as tools/content to make site more dynamic
Full Notice
- Bottom layer of layered privacy notice - Comprehensive information disclosure articulating privacy notice in its entirety - Guides an org's employees on permitted practices - Can be used for accountability purposes by enforcement agencies or general public
Online Verification and Certification
- Can be done by 3rd party organizations (accreditation/assurance services, trust seal providers, etc.) - Evaluate activities against industry standards / best practices and confirm absence of viruses/spyware
Virtual Private Networks (VPN)
- Category of proxy servers - Encrypt info from the user to the org's proxy server - Masks both the content and web destinations of the user from the ISP
Maximizing Privacy and Reducing Exposure
- Collect only what's necessary and indicate what fields are required - Accompanied with link to privacy policy ("notice at point of collection") - Collection of sensitive PI should be protected by secure transmission - Autocomplete function should be disabled - Passwords should not be prepopulated - Session should timeout automatically
Online Advertising Networks
- Connect online advertisers w/ web publishers that host the advertisements - Enable media buyers to coordinate ad campaigns
Hyperlink
- Connects user to other websites, parts of websites, and/or web-enabled services - URL embedded in HTML code
Concerns with Search Engines
- Could reveal user's identity through "vanity" searches and searches based around a person's home/work - Content could be considered sensitive info (health info, political views)
Syndicated Content
- Developed by and/or purchased from outside sources - Might contain malicious code that gets incorporated into site's source code E.g. XSS allows attackers to inject scripts into web pages (takes advantage of user's trust in the site)
Mobile Ad Ecosystem
- Different from desktop/laptop due to (1) App-based usage and (2) Mobile browser settings - Each application runs separately in the mobile operating system - Rich source of location data
Privacy Notice Contents
- Effective date - Scope of notice - Types of PI collected - Information uses and disclosures - Choices available to end user - Methods for accessing, correcting, or modifying PI or preferences - Methods for contacting the organization or registering a dispute - Processes for how any policy changes will be communicated to the public
Transmission Control Protocol (TCP)
- Enables 2 devices to establish a stream-oriented reliable data connection - Data sent in the form of packets (contain message content and header specifying the destination)
Mobile Challenges
- How to provide notice on the small screens - Geolocation data is hard to anonymize b/c people return often to homes and workplaces - How to issue proper rules for the collection, use, and storage of location data, as well as limit access
CA's Privacy Rights for CA Minors in the Digital World
- Individuals under age 18 have right to request removal of info posted online - Prohibits online advertising to minors related to products that they are not legally able to buy - Restricts online ads based on minors' PI
Cascading Style Sheets (CSS)
- Language used to describe the presentation of web pages (including colors, layout, and font) - Allows for the adaptation of web page to different devices
Caching
- Local copy of downloaded content saved to web browser / proxy - Reduces need to download the same content again from the server - Pages that display PI should prohibit caching!!!
Privacy Issues with Children
- May not understand what data is being collected and how it's used - Cannot give meaningful consent even if they understand the collection/use
Common Commercial Email Principles
- No false/misleading header info - No deceptive subject lines - Opt-out mechanism in each message - Notification that email message contains an ad or promo info - Info about sending org
Co-branded Sites
- Online partnerships b/t 2+ content or service providers - Sharing often allowed as long as it's disclosed in privacy notice
COPPA (Children's Online Privacy Protection Act)
- Passed in 1998 to protect children from the gathering of their personal information without parental consent - Required to be followed by all websites geared toward children under 13 REQUIRES - Clear and conspicuous notice of the data collection methods employed - Consent of parents required for collection of PI for child under the age of 13
CAN-SPAM
- Passed in 2003 - Requires clear and conspicuous way for user to unsubscribe from future emails - Enforcement has resulted in high fines and jail sentences
TrustArc Privacy Notice Recommendations
- Privacy statement says what organization does (then DO what's stated) - Tailor disclosures to org's business operations model - Don't treat privacy statements as disclaimers - Revisit policy statement frequently and revise to reflect current practices - Communicate privacy policies to entire company
GAO Recommendations for Financial Software
- Protect against unauthorized access - Prevent introduction of unauthorized changes - Provide segregation of duties involving application programming, system programming, computer operations, information security, and quality assurance - Ensure recovery of processing operation in case of disaster or unexpected interruption - Ensure adequate info security management program
"Do Not Track" Approach
- Recommended by FTC - Allow individuals to make a single choice not to be subjected to target advertising
Persistent Cookie
- Set to expire at some point in the future but allows planting organization to recognize it's the same cookie on the same device each time the user visits a site - Standard method for authenticating return visitors - Enable personalization (e.g. shows news stories about fav sports team) - Used by online advertising networks to tailor ads based on ads previously sent to device
Privacy Notice
- Should provide easy-to-follow guidance as to how info is being accessed, used, and protected - Treated by regulators / courts as enforceable promises made by a company
Flash Cookie
- Stored and accessed by Adobe Flash - Internet browser collects and stores info from sites visited in form of cache/cookies - Can't be deleted b/c stored outside of browser's control - Privacy concerns b/c user not notified when stored & they don't expire
Session Cookie
- Stored only while user connected to the particular web server - Solve basic problem that website has no way to automatically know that it's the same device and user asking for the pages (e.g. online shopping carts, chat sessions, interactive opinion surveys) - Do not identify a device over time b/c they expire when browser closes
Transport Layer Security (TLS)
- Successor to Secure Sockets Layer (SSL) - Secures connection to make sure no 3rd party can eavesdrop on or corrupt the message - Standard method for encrypting the transmission of PII over the web
Short Notice
- Top layer of layered privacy notice - Summarizes the notice scope and basic points about an organization's practices for PI collection, choice, use, and disclosure
Cons of Targeted Ads
- Unclear notice to users - Unaware that browsing habits tracked - Concerns about cross-device tracking and cross-context tracking
Pros of Targeted Ads
- Users benefit from seeing more relevant content/ads - Higher ad revenues support a wider range of free content - Support websites and advertising ecosystem
Deterministic Tracking
Ability to connect user's devices via login
Uniform Resource Locators (URLs)
Address of documents/content located on a server CONTAINS: - HTTPS prefix to indicate its use of the protocol - "www" to signify location on World Wide Web - Domain name - Indicator of top-level domain (.com, .org, .gov, .edu)
Pop-up Ads
Advertising messages that appear to the end user in a separate browser window in response to browsing behavior or viewing of a site - Sometimes a symptom of spyware or malware
Confidentiality
Protect against unauthorized access
JavaScript
Scripting language used to produce dynamic websites
White Hat
Security practitioners
HTML5
- Ability to run video, audio, and animation directly from website w/out need for a plug-in (good for mobile devices that don't support Flash) - Increases security - Ability to store info offline in applications that run when not connected to the internet
AdChoices
- Developed by the Digital Advertising Alliance - Icon program that shows users how to exercise choice re: online behavioral advertising
Mozilla
- First web browser application - Developed by the National Center for Supercomputing Applications (NCSA)
ARPAnet
- Precursor to the internet - Military computer network developed in the 1960s - Established secure means for the exchange of military information - Expanded to scientific research in the 1970s
Data Packets
- Small pieces of info used to transfer data on a vast network PROCESS: Data disassembled into packets --> scattered through network while in transit --> reassembled upon arrival at destination computer
Layered Notice
- Type of privacy notice - Offers "layers" that provide key points but give user option to read the longer notice
Active Data Collection
End user deliberately provides info through an input mechanism
Dynamic IP Address
A temporarily assigned IP address that shifts with each session
Digital Fingerprinting
A unique profile built by companies to track every website you have been to and record what you do online - Log includes IP address, date/time stamp, URL of requested page, visitor's web browser type/version, user's computer operating system
Hypertext Transfer Protocol Secure (HTTPS)
Allows the transfer of data between a user and a website over an encrypted connection
Static IP Address
An IP address that is manually assigned to a device and remains constant until it is manually changed - EU / other regulators --> persistent link to device makes the IP address PI b/c of greater likelihood that data can be linked to a particular user
Cross-Site Scripting (XSS)
An attack that injects scripts into a Web application server to direct attacks at clients - Other users tricked into thinking site is legitimate and uncorrupted
Web Server Log
File that is automatically generated by a server that contains information on the activity of a particular website - Info can include IP address, date and time of the request, URL of requested file, URL visited before, browser type and operating system - Considered PI by some regulators, but not others
Hypertext Transfer Protocol (HTTP)
Application protocol that manages communications over the internet - Defines how messages are formatted and transmitted over a TCP/IP network - Defines what actions web servers and web browsers take in response to various commands
Social Engineering
Attackers try to persuade user to provide info or create some sort of security vulnerability w/ intent of gaining access to private info - Using assumed identity in communications, eavesdropping on private calls, impersonating employee, etc.
Cross Device Tracking
Mapping as users move b/t 2 devices - Combines info about each device to get history of user's internet activity
Flash
Bandwidth-friendly interactive animation and video technology - Decreased use due to compatibility and security issues (used in less than 10% of websites)
Cross Context Tracking
Mapping as users move b/t online environments like search engines and social media sites
Web Beacons
Clear one-pixel-by-one-pixel graphic image delivered through a web browser or HTML-compliant email client application (usually as part of a web page request or HTML email message) - Aka web bug, pixel tag, or clear GIF - Provide ability to produce specific profiles of user behavior w/ web server logs (e.g. download monitoring, ad campaign performance management, etc.)
Internet Service Provider (ISP)
Company that provides access to the internet for a monthly fee - Often assigns new IP address on session-by-session basis
Web Server
Computer that is connected to the Internet, hosts web content, and is configured to share that content
Security Plan
Document that details the security controls established and planned for a particular system CONSIDERATIONS: - Employees should be trained in security and aware of org's policies - Should extend to multiple areas - Org should anticipate that attacker will use more than one method
Defining Software as Spyware
Consider: (1) Intent/knowledge of the user; and (2) Whether it's reasonable to believe that the user wished to have the information transmitted back to the remote location
Hypertext Markup Language (HTML)
Content-authoring language used to create webpages - Links documents, allowing users to move from one to another simply by clicking on a hot spot or link
Integrity
Guarantee data/message has not been modified/destroyed by unauthorized individual
Black Hat
Hackers and exploit artists
Trustmarks
Images/logos displayed on websites to indicate business is a member of a professional organization or to show it's passed security and privacy tests - Examples = TrustArc, Norton, Better Business Bureau
Availability
Make sure servers / sites remain online and available for access
Malware
Malicious software designed to disrupt or damage
Ransomware
Malware in which attacker either (1) locks a user's operating system or (2) encrypts the data to prevent a user from accessing the files
Passive Data Collection
Info gathered automatically as user navigates from page to page (e.g. through web cookies)
Proxy Server
Intermediary server - Employee access usually goes through proxy - Generally logs each user interaction, filters out malicious software downloads, and improves performance by caching regularly fetched content
Extensible Markup Language (XML)
Language that facilitates the transport, creation, retrieval, and storage of documents - Similar to HTML b/c it uses tags to describe content of web page or file - Different from HTML b/c it describes content of web page in terms of data that's being produced (enables automatic processing of data in large volumes and necessitates attention to privacy issues)
Spear Phishing
Phishing attack tailored to an individual user (e.g. email appears to come from a user's boss)
Web Form
Portion of a web page that contains blank fields, text boxes, etc. that end users complete by providing data
Phishing
Sending spam email or using fake website to fraudulently capture sensitive PI - Attacks are easy/cheap to orchestrate and hard to trace - Attractive to criminals b/c even minimal responses can yield high returns
Third-party Cookie
Set and read by or on behalf of a party other than the web server that is providing the service (e.g. Google Analytics)
First-party Cookie
Set and read by the web server hosting the website that the user is visiting
Delaware's Online and Personal Privacy Protection Act
Similar requirements to CA's Privacy Rights for CA Minors in the Digital World
Web Services
Small pieces of code that are accessed via the application server and permit interoperable machine-to-machine interaction over a network - Facilitate direct contact b/t computers - Linking orgs need to be conscious of material flowing b/t the computers
HTML Cookie
Small text file that a web server places on the user's hard drive - Standard type of cookie
Adware
Software installed on user's computer that is often bundled with freeware (e.g. online games) - Monitors online behavior so advertising can be targeted based on specific interests and behaviors - May be considered spyware by enforcement agencies unless there is clear consent
Internet Protocol (IP)
Specifies the format of data packet that travels over the internet and provides the appropriate addressing protocol - Unique number assigned to each connected device
Spyware
Type of malware that locates and saves data from users without them knowing about it - Often installed as "drive-by download"
Whaling
Type of spear phishing targeted at C-suite execs, celebrities, and politicians
Spam
Unsolicited commercial email
Location Based Services (LBS)
Use location data to inform users about what nearby activities they can do, etc.
Drive-by Download
Use of malicious software to attack a computer by downloading harmful programs onto a computer, without the user's knowledge, while they are surfing a website
"Web client" application
Used by computer / device to navigate web and retrieve content from web servers for viewing (e.g. web browser software, web server firewalls)
Technical Based Attack
- Attacker exploits a technical vulnerability or inserts malicious code - SQL injection, cookie poisoning, use of malware, etc.