Chpt. 5- Online Privacy

Best Practices for Cookies

(1) Do not store unencrypted PI (2) Provide adequate notice of their usage (3) Use a persistent variation only if the need justifies (4) Do not set long expiration dates (5) Disclose involvement of 3rd party cookie provider and opt-out (or opt-in in EU) mechanism for delivery from the 3rd party

Standard Practices to Protect PI Transmitted over the Web

(1) Login, password, PINs (2) Antivirus and firewall software (3) Caution over using wi-fi networks and Bluetooth (4) Restricted access to files with file sharing sites (e.g. BitTorrent) (5) Avoid using public computers (6) Be cautious about public charging stations (6) Don't provide PI on website unless you know it's secure

Categories of organizations that receive data

(1) Process data on behalf of original organization (2) Receive data related to the original data collection for a distinct reason (3) Receive the data and determine how it shall be used

Website Authentication Methods

(1) Two-factor authentication (2) Web forms with "password field" in HTML (characters displayed as asterisks when entered) Cookies = imprecise method b/c users can delete or block them and there is no accurate way to differentiate b/t individual users of a single machine

Threats to Online Privacy

(1) Unauthorized access (2) Social engineering (3) Technical based attacks

EU Directive 2009/136/EC

- "EU Cookie Directive" - Requires users give consent before having cookies placed on their computer (i.e. opt in program)

Common Features of Security Products

- Antivirus - Antispam - HTML tag removal - Script removal - Blocking of attachment files - Confidentiality checks - Disclaimer enforcement

Web Widgets

- Apps that can be installed on web page, blog, social profile, or HTML page - Typically executed by 3rd party - Used as tools/content to make site more dynamic

Full Notice

- Bottom layer of layered privacy notice - Comprehensive information disclosure articulating privacy notice in its entirety - Guides an org's employees on permitted practices - Can be used for accountability purposes by enforcement agencies or general public

Online Verification and Certification

- Can be done by 3rd party organizations (accreditation/assurance services, trust seal providers, etc.) - Evaluate activities against industry standards / best practices and confirm absence of viruses/spyware

Virtual Private Networks (VPN)

- Category of proxy servers - Encrypt info from the user to the org's proxy server - Masks both the content and web destinations of the user from the ISP

Maximizing Privacy and Reducing Exposure

- Collect only what's necessary and indicate what fields are required - Accompanied with link to privacy policy ("notice at point of collection") - Collection of sensitive PI should be protected by secure transmission - Autocomplete function should be disabled - Passwords should not be prepopulated - Session should timeout automatically

Online Advertising Networks

- Connect online advertisers w/ web publishers that host the advertisements - Enable media buyers to coordinate ad campaigns

Hyperlink

- Connects user to other websites, parts of websites, and/or web-enabled services - URL embedded in HTML code

Concerns with Search Engines

- Could reveal user's identity through "vanity" searches and searches based around a person's home/work - Content could be considered sensitive info (health info, political views)

Syndicated Content

- Developed by and/or purchased from outside sources - Might contain malicious code that gets incorporated into site's source code E.g. XSS allows attackers to inject scripts into web pages (takes advantage of user's trust in the site)

Mobile Ad Ecosystem

- Different from desktop/laptop due to (1) App-based usage and (2) Mobile browser settings - Each application run separately in mobile operating system - Rich source of location data

Privacy Notice Contents

- Effective date - Scope of notice - Types of PI collected - Information uses and disclosures - Choices available to end user - Methods for accessing, correcting, or modifying PI or preferences - Methods for contacting the organization or registering a dispute - Processes for how any policy changes will be communicated to the public

Transmission Control Protocol (TCP)

- Enables 2 devices to establish a stream-oriented reliable data connection - Data sent in the form of packets (contain message content and header specifying the destination)

Mobile Challenges

- How to provide notice on the small screens - Geolocation data is hard to anonymize b/c people return often to homes and workplaces - How to issue proper rules for the collection, use, and storage of location data, as well as limit access

CA's Privacy Rights for CA Minors in the Digital World

- Individuals under age 18 have right to request removal of info posted online - Prohibits online advertising to minors related to products that they are not legally able to buy - Restricts online ads based on minors' PI

Cascading Style Sheets (CSS)

- Language used to describe the presentation of web pages (including colors, layout, and font) - Allows for the adaptation of web page to different devices

Caching

- Local copy of downloaded content saved to web browser / proxy - Reduces need to download the same content again from the server - Pages that display PI should prohibit caching!!!

Privacy Issues with Children

- May not understand what data is being collected and how it's used - Cannot give meaningful consent even if they understand the collection/use

Common Commercial Email Principles

- No false/misleading header info - No deceptive subject lines - Opt-out mechanism in each message - Notification that email message contains an ad or promo info - Info about sending org

Co-branded Sites

- Online partnerships b/t 2+ content or service providers - Sharing often allowed as long as it's disclosed in privacy notice

COPPA (Children's Online Privacy Protection Act)

- Passed in 1998 to protect children from the gathering of their personal information without parental consent - Required to be followed by all websites geared toward children under 13 REQUIRES - Clear and conspicuous notice of the data collection methods employed - Consent of parents required for collection of PI for child under the age of 13

CAN-SPAM

- Passed in 2003 - Requires clear and conspicuous way for user to unsubscribe from future emails - Enforcement has resulted in high fines and jail sentences

TrustArc Privacy Notice Recommendations

- Privacy statement says what organization does (then DO what's stated) - Tailor disclosures to org's business operations model - Don't treat privacy statements as disclaimers - Revisit policy statement frequently and revise to reflect current practices - Communicate privacy policies to entire company

GAO Recommendations for Financial Software

- Protect against unauthorized access - Prevent introduction of unauthorized changes - Provide segregation of duties involving application programming, system programming, computer operations, information security, and quality assurance - Ensure recovery of processing operation in case of disaster or unexpected interruption - Ensure adequate info security management program

"Do Not Track" Approach

- Recommended by FTC - Allow individuals to make a single choice not to be subjected to target advertising

Persistent Cookie

- Set to expire at some point in the future but allows planting organization to recognize it's the same cookie on the same device each time the user visits a site - Standard method for authenticating return visitors - Enable personalization (e.g. shows news stories about fav sports team) - Used by online advertising networks to tailor ads based on ads previously sent to device

Privacy Notice

- Should provide easy-to-follow guidance as to how info is being accessed, used, and protected - Treated by regulators / courts as enforceable promises made by a company

Flash Cookie

- Stored and accessed by Adobe Flash - Internet browser collects and stores info from sites visited in form of cache/cookies - Can't be deleted b/c stored outside of browser's control - Privacy concerns b/c user not notified when stored & they don't expire

Session Cookie

- Stored only while user connected to the particular web server - Solve basic problem that website has no way to automatically know that it's the same device and user asking for the pages (e.g. online shopping carts, chats sessions, interactive opinion surveys) - Do not identify a device over time b/c they expire when browser closes

Transport Layer Security (TLS)

- Successor to secure sockets layer (SSL) - Secures connection to make sure no 3rd party can eavesdrop or corrupt the message **Standard method method to encrypting the transmission of PII over the web

Short Notice

- Top layer of layered privacy notice - Summarizes the notice scope and basic points about an organization's practices for PI collection, choice, use, and disclosure

Cons of Targeted Ads

- Unclear notice to users - Unaware that browsing habits tracked - Concerns about cross-device tracking and cross-context tracking

Pros of Targeted Ads

- Users benefit from seeing more relevant content/ads - Higher ad revenues supports wider range of free content - Support websites and advertising ecosystem

Deterministic Tracking

Ability to connect user's devices via login

Uniform Resource Locations (URLs)

Address of documents/content located on a server CONTAINS: - HTTPS prefix to indicate its use of the protocol - "www" to signify location on World Wide Web - Domain name - Indicator of top-level domain (.com, .org, .gov, .edu)

Pop-up Ads

Advertising messages that appear to the end user in a separate browser window in response to browsing behavior or viewing of a site - Sometimes a symptom of spyware or malware

Confidentiality

Protect against unauthorized access

Javascript

Scripting language used to produce dynamic websites

White Hat

Security Practictioners

HTML5

-Ability to run video, audio, and animation directly from website w/out need for a plug in (good for mobile devices that don't support Flash) -Increases security -Ability to store info offline in applications that run when not connected to the internet

AdChoices

-Developed by the Digital Advertising Alliance - Icon program for users to use on how to exercise choice re: online behavioral advertising

Mozilla

-First web browser application -Developed by the National Center for Supercomputing Applications (NCSA)

ARPAnet

-Precursor to the internet -Military computer network developed in the 1960s -Established secure means for the exchange of military information -Expanded to scientific research in the 1970s

Data Packets

-Small pieces of info used to transfer data on vast network PROCESS: Data disassembled into packets --> scattered through network while in transit --> reassembled upon arrival at destination computer

Layered Notice

-Type of privacy notice -Offers "layers" that provide key points but give user option to read the longer notice

Active Data Collection

End user deliberately provides info through an input mechanism

Dynamic IP Address

A temporarily assigned IP address that shifts with each session

Digital Fingerprinting

A unique profile built by companies to track every website you have been to and record what you do online - Log includes IP address, date/time stamp, URL of requested page, visitor's web browser type version, user's computer operating system

Hypertext Transfer Protocol Server (HTTPS)

Allows the transfer of data from a website to a website over an encrypted connection

Static IP Address

An IP address that is manually assigned to a device and remains constant until it is manually changed EU / other regulators --> persistent link to device make IP address PI b/c greater likelihood that data can be linked to particular user

Cross-Site Scripting (XSS)

An attack that injects scripts into a Web application server to direct attacks at clients -Other users tricked into thinking site is legitimate and uncorrupted

Web Server Log

File that is automatically generated by a server that contains information on the activity of a particular website - Info can include IP address, date and time of the request, URL of requested file, URL visited before, browser type and operating system - Considered PI by some regulators, but not others

Hypertext Transfer Protocol (HTTP)

Application protocol that manages communications over the internet - Defines how messages are formatted and transmitted over a TCP/IP network - Defines what actions web servers and web browsers take in response to various commands

Social Engineering

Attackers try to persuade user to provide info or create some sort of security vulnerability w/ intent of gaining access to private info - Using assumed identity in communications, eavesdropping on private calls, impersonating employee, etc.

Cross Device Tracking

Mapping as users move b/t 2 devices -Combines info about each device to get history of user's internet activity

Flash

Bandwidth-friendly interactive animation and video technology - Decreased use due to compatibility and security issues (used in less than 10% of websites)

Cross Context Tracking

Mapping as users move b/t online environments like search engines and social media sites

Web Beacons

Clear one-pixel-by-one-pixel graphic image delivered through a web browser or HTML-compliant email client application (usually as part of a web page request or HTML email message) - Aka web bug, pixel tag, or clear GIF - Provide ability to produce specific profiles of user behavior w/ web server logs (e.g. download monitoring, ad campaign performance management, etc.)

Internet Service Provider (ISP)

Company that provides access to the internet for a monthly fee - Often assigns new IP address on session-by-session basis

Web Server

Computer that is connected to the Internet, hosts web content, and is configured to share that content

Security Plan

Document that details the security controls established and planned for a particular system CONSIDERATIONS: - Employees should be trained in security and aware of org's policies - Should extend to multiple areas - Org should anticipate that attacker will use more than one method

Defining Software as Spyware

Consider: (1) Intent/knowledge of the user; and (2) Whether it's reasonable to believe that the user wished to have the information transmitted back to the remote location

Hypertext Markup Language (HTML)

Content-authoring language used to create webpages -Links documents, allowing users to move from one to another simply by clicking on a hot spot or link

integrity

Guarantee data/message has not been modified/destroyed by unauthorized individual

Black Hat

Hackers and exploit artists

Trustmarks

Images/logos displayed on websites to indicate business is a member of a professional organization or to show it's passed security and privacy tests - Examples = TrustArc, Norton, Better Business Bureau

Availability

Make sure servers / sites remain online and available for access

Malware

Malicious software designed to disrupt or damage

Ransomware

Malware in which attacker either (1) locks a user's operating system or (2) encrypts the data to prevent a user from accessing the files

Passive Data Collection

Info gathered automatically as user navigates from page to page (e.g. through web cookies)

Proxy Server

Intermediary server - Employee access usually goes through proxy - Generally logs each user interaction, filters out malicious software downloads, and improves performance by caching regularly fetched content

Extensive Markup Language (XML)

Language that facilitates the transport, creation, retrieval, and storage of documents - Similar to HTML b/c it uses tags to describe content of web page or file - Different from HTML b/c it describes content of web page in terms of data that's being produced (enables automatic processing of data in large volumes and necessitates attention to privacy issues)

Spear Phishing

Phishing attack tailored to an individual user (e.g. email appears to come from a user's boss)

Web Form

Portion of a web page that contains blank fields, text boxes, etc. that end users complete by providing data

Phishing

Sending spam email or using fake website to fraudulently capture sensitive PI - Attacks are easy/cheap to orchestrate and hard to trace - Attractive to criminals b/c even minimal responses can yield high returns

Third-party Cookie

Set and read by or on behalf of a party other than the web server that is providing the service (e.g. Google Analytics)

First-party Cookie

Set and read by the web server hosting the website that the user is visiting

Delaware's Online and Personal Privacy Protection Act

Similar requirements to CA's Privacy Rights for CA Minors in the Digital World

Web Services

Small pieces of code that are accessed via the application server which permit interoperable machine-to-machine interaction over a network - Facilitate direct contact b/t computers - Linking orgs needs to be conscious of material flowing b/t the computers

HTML Cookie

Small text file that a web server places on the user's hard drive - Standard type of cookie

Adware

Software installed on user's computer that is often bundled with freeware (e.g. online games) - Monitors online behavior so advertising can be targeted based on specific interests and behaviors - May be considered spyware by enforcement agencies unless there is clear consent

Internet Protocol (IP)

Specifies the format of data packet that travels over the internet and provides the appropriate addressing protocol -Unique number assigned to each connected device

Spyware

Type of Malware that locates and saves data from users without them knowing about it -Often installed as "drive-by download"

Whaling

Type of spear phishing targeted at C-suite execs, celebrities, and politicians

Spam

Unsolicited commercial email

Location Based Services (LBS)

Use location data to inform users about what nearby activities they can do, etc.

Drive-by Download

Use of malicious software to attack a computer by downloading harmful programs onto a computer, without the user's knowledge, while they are surfing a website

"Web client" application

Used by computer / device to navigate web and retrieve content from web servers for viewing (e.g. web browser software, web server firewalls)

Technical Based Attack

·Attacker exploits a technical vulnerability or inserts malicious code - SQL injection, cookie poisoning, use of malware, etc.