Ch. 12: Privacy and Security


  1. Privacy.
    1. Folks generally prefer to keep personal information from parties who are unknown or untrusted.
    2. People disclose in order to receive something.
      1. Cash or discounts.
      2. Consideration for a loan, position, reimbursement, etc.
      3. Proper medical treatment.
    3. People expect to give information voluntarily.
    4. People expect the receiver to use the information only for the declared purpose.
    5. Transactions generate information.
      1. What was purchased, who purchased it, when.
      2. Cash is usually anonymous; other payment methods are not.
      3. Both sides of the purchase have the information, but a store can collect a larger volume than an individual.
    6. Modern technology is hard on privacy.
      1. Fewer cash transactions.
        1. People don't expect them anymore.
        2. Impossible online.
      2. Greater ability to collect and analyze data from transactions.
        1. Transaction is usually recorded on a computer.
        2. Computer files are easily transferred, therefore data can be sold.
        3. Credit card numbers allow one person's transactions to be related.
        4. Online systems may collect data of which you are not aware.
      3. Monitoring of activities that now move online: Web searches; social media.
      4. Discreet surveillance cameras and microphones.
    7. Sources of threat.
      1. Government, legitimate business, snoops or thieves.
      2. Information taken without consent.
      3. Information taken with consent, then misused.
      4. Information unnecessarily required by government.
    8. OECD Fair Information Practices.
      1. Limited Collection. Collection should be “limited”, legal and not secret.
        Why “limited” and not “minimal”?
      2. Purpose. The purpose for the collected data is stated.
      3. Quality. The data should be relevant to the purpose, accurate, and up-to-date.
      4. Limitation. No use or disclosure contrary to the collection purpose, without new permission.
      5. Security. Holder of the data is responsible to secure against disclosure, corruption or destruction.
      6. Openness. The existence and purpose of the database, and contact information for the administrator should be published.
      7. Participation. You may discover what they have recorded about you.
      8. Accountability. The holder is responsible for the above.
    9. Legalities.
      1. US uses several narrow federal acts, plus a few state laws.
      2. EU has a comprehensive law based on the OECD guidelines.
      3. Voluntary privacy policies: enforcement through embarrassment.
    10. Opt-in v. opt-out.
      1. The default setting on your permission to use data.
      2. Marketers prefer opt-out.
      3. Privacy mavens prefer opt-in.
      4. If most folks cared, it would not be an issue.
    11. Links. Choose your paranoia level.
      1. Association for Computing Machinery (US)
      2. Electronic Frontier Foundation
      3. The Direct Marketing Association
  2. Tracking
    1. On-line
      1. Cooperating web sites share information about your purchases.
      2. Browsers can send a “do not track” header with your requests.
      3. Nothing forces the web site to honor it.
    2. Cell phone.
      1. Phone location is naturally indicated by tower location.
      2. Government collects a lot of this data.
  3. Cookies.
    1. A server may ask a client to set a cookie. Has a name and a value.
    2. Used to keep track of login sessions, shopping carts, etc.
      1. User fills out account name and password, which go to the server.
      2. Server creates a record of the login, and returns a cookie holding an identifier that locates the record.
      3. All subsequent requests return the cookie. The server uses it to find the session which the client belongs to.
    3. Cookies are only returned to the domain which first sent them.
    4. Third-Party Cookies.
      1. Images are separate downloads, and those requests carry cookies too.
      2. An image (an ad, or even an invisible one) may come from a different domain than the page you are looking at, and it sends that domain's cookies.
      3. The third party can thus track your activity across sites without the sites you visit having to share their data.
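The login-cookie sequence in item 2 and the third-party tracking in item 4, simulated in one process. This is an added example, not code from the lecture: the domains `shop.example`, `news.example` and `ads.tracker.example`, the account `alice` and the credentials are all constructed, and HTTP is replaced by plain function calls so it runs offline. The point to watch is the browser's cookie jar, which is keyed by domain: the shop's session cookie never reaches the news site, but the tracker's pixel sees the same `tid` cookie from both pages and links the two visits.

```python
"""Session cookies and third-party tracking, simulated in-process (constructed example)."""
import secrets


class Site:
    """A web site that logs users in and serves pages embedding a third-party image."""

    def __init__(self, domain, tracker_domain):
        self.domain = domain
        self.tracker_domain = tracker_domain
        self.sessions = {}                            # session id -> account name
        self.accounts = {"alice": "correct horse"}    # constructed credentials

    def login(self, request):
        """Check name/password once; hand back a cookie that locates the login record."""
        body = request["body"]
        if self.accounts.get(body.get("name")) != body.get("password"):
            return {"status": 401, "set_cookie": {}, "resources": []}
        sid = secrets.token_hex(16)                   # unguessable handle, not the password
        self.sessions[sid] = body["name"]
        return {"status": 200, "set_cookie": {"session": sid}, "resources": []}

    def page(self, request):
        """Every later request carries the cookie; the server maps it back to the account."""
        user = self.sessions.get(request["cookies"].get("session"))
        pixel = f"https://{self.tracker_domain}/pixel.gif"     # an invisible 1x1 ad image
        return {"status": 200, "user": user, "set_cookie": {}, "resources": [pixel]}


class Tracker:
    """Third party whose image is embedded on many unrelated sites."""

    def __init__(self):
        self.profiles = {}    # tracker cookie -> pages it was loaded from

    def pixel(self, request):
        tid = request["cookies"].get("tid") or secrets.token_hex(8)
        self.profiles.setdefault(tid, []).append(request["referer"])
        return {"status": 200, "set_cookie": {"tid": tid}, "resources": []}


class Browser:
    """Cookie jar keyed by domain: a cookie goes back only to the domain that set it."""

    def __init__(self):
        self.jar = {}         # domain -> {cookie name: value}

    def request(self, domain, handler, body=None, referer=None):
        req = {"cookies": dict(self.jar.get(domain, {})), "body": body or {}, "referer": referer}
        resp = handler(req)
        self.jar.setdefault(domain, {}).update(resp["set_cookie"])
        return resp

    def visit(self, site, tracker):
        """Fetch the page, then each embedded resource with *that* domain's cookies."""
        resp = self.request(site.domain, site.page)
        for url in resp["resources"]:
            host = url.split("/")[2]
            self.request(host, tracker.pixel, referer=f"https://{site.domain}/")
        return resp


def run_demo():
    tracker = Tracker()
    shop = Site("shop.example", "ads.tracker.example")   # hypothetical domains
    news = Site("news.example", "ads.tracker.example")
    browser = Browser()

    bad = browser.request(shop.domain, shop.login, body={"name": "alice", "password": "wrong"})
    browser.request(shop.domain, shop.login, body={"name": "alice", "password": "correct horse"})
    shop_page = browser.visit(shop, tracker)   # shop recognises alice from her session cookie
    news_page = browser.visit(news, tracker)   # news never receives the shop's cookie ...
    return {                                   # ... but the tracker saw one cookie from both pages
        "bad_login_status": bad["status"],
        "shop_user": shop_page["user"],
        "news_user": news_page["user"],
        "shop_cookies": sorted(browser.jar[shop.domain]),
        "news_cookies": sorted(browser.jar[news.domain]),
        "tracker_profiles": list(tracker.profiles.values()),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running it prints one tracker profile containing both `https://shop.example/` and `https://news.example/`, while the news site's cookie set is empty: the two sites exchanged nothing, the embedded image did the linking.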
  4. Right to be forgotten.
    1. Newer notion advancing in Europe.
    2. Search engines can be legally required to remove entries about you.
      1. Formal charges of which you were cleared.
      2. It all happened 20 years ago.
      3. You were a minor back then.
    3. Some obvious sources of abuse.
  5. Identity theft.
    1. Fraudulently claim to be someone else.
    2. Usually due to information theft.
    3. Could be due to misuse or sale of legitimately-collected information.
  6. Computer Security
    1. Someone might “break in” to your computer. That means he/she manages to run any desired software on your machine.
    2. This can be done over the Internet.
    3. Risks
      1. Mischief. Some folks just like to be obnoxious.
      2. Information theft. Passwords. Account numbers. SSNs.
      3. Spying. Use the camera or microphone. Capture keystrokes.
      4. Resource theft. Use the computer to send spam or launch an attack.
      5. Your hacked computer is remarkably useful to the bad guys.
    4. How can this happen?
      1. Some software has a bug.
      2. An exploit is a carefully crafted input which causes your program to serve the hacker.
      3. For a web browser, an exploit might be part of a malicious web page.
      4. For a word processor, an exploit might be an email attachment which needs to be viewed in the word processor.
      5. Many exploits require the user to do something, such as visit a web site or open an email attachment.
      6. Some rely on what the computer will do anyway; these are usually on the server side.
    5. Malware: Any sort of deliberately harmful software.
      1. Virus: Malware inserted as part of another program that runs when it runs. Travels in downloads or email.
      2. Worm: Malware that actively spreads itself over the network.
      3. Trojan: A program which does something you want, but also something you don't. A game that also finds passwords and sends them to the owner.
      4. Backdoor: A surreptitious means of access planted through some exploit.
      5. Rootkit: Malware that modifies your system software to cripple its ability to diagnose malware.
    6. Defenses.
      1. Keep updated (patched). Fixes the known bugs before they can be exploited.
      2. Use anti-virus software.
      3. Use a firewall (guards your network connection).
      4. Don't click on email links or attachments unless you know where they came from.
      5. Distrust pop-ups.
      6. Be careful where you are going, and make sure the URL is what you expect.
  7. Encryption.
    1. Used to prevent unauthorized parties from receiving your information.
    2. Often used for net transmission.
    3. Sometimes used for files.
    4. Terms
      1. cryptosystem: the combination of encryption and decryption methods.
      2. plaintext or cleartext: the unencrypted message.
      3. ciphertext: the encrypted message.
    5. Computer encryption is numeric.
      1. The message is represented in ASCII or other coding scheme.
      2. The characters are grouped.
      3. The characters in a group are concatenated to make one number.
      4. The encryption and decryption works on these numbers.
    6. Classical cryptosystems.
      1. Encryption and decryption with the same key.
      2. Problem on net: how do you transmit the key?
      3. XOR operation used in symmetric systems.
        11001001 ⊕ 01011110 = 10010111
        10010111 ⊕ 01011110 = 11001001
        1. Same bits produce zero.
        2. Different bits produce one.
        3. Property: a ⊕ b ⊕ b = a.
        4. How to think of it: The one bits in the key mean to invert, the zero bits mean to keep the same.
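The XOR rule above, carried through on whole messages. This is an added example, not the lecture's code; the key `secret` and the message text are constructed. Besides reproducing the outline's single-byte round trip, it shows the one case where XOR alone is a sound cipher (a random key as long as the message, used once) and the caveat that matters in practice: because `c ⊕ p = k`, a short key reused across the message is recovered from any correctly guessed stretch of plaintext, and then decrypts everything.

```python
"""XOR as the building block of a symmetric cipher (constructed example)."""
import os


def xor_bytes(data, key):
    """XOR each byte of data with the key, repeating the key when it is shorter.
    A 1 bit in the key inverts the matching data bit; a 0 bit leaves it alone."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(d ^ key[i % len(key)] for i, d in enumerate(data))


def single_byte_roundtrip():
    """The outline's own bits: 11001001 ⊕ 01011110, then ⊕ 01011110 again."""
    a, k = 0b11001001, 0b01011110
    c = a ^ k
    return format(c, "08b"), format(c ^ k, "08b")


def otp_roundtrip(plaintext):
    """One-time pad: random key as long as the message, used once; decryption is the same XOR."""
    key = os.urandom(len(plaintext))
    ciphertext = xor_bytes(plaintext, key)
    return ciphertext, xor_bytes(ciphertext, key) == plaintext


def recover_key(ciphertext, known_plaintext):
    """Caveat: c ⊕ p = (p ⊕ k) ⊕ p = k, so known plaintext leaks the key bytes under it."""
    n = len(known_plaintext)
    return xor_bytes(ciphertext[:n], known_plaintext)


def key_reuse_attack():
    """A short key repeated over the message is broken by a guess at any key-length stretch."""
    key = b"secret"                                    # 6 bytes, reused every 6 bytes
    message = b"Attack at dawn. Bring the budget."
    ciphertext = xor_bytes(message, key)
    leaked = recover_key(ciphertext, b"Attack")        # attacker guesses the opening word
    return leaked, xor_bytes(ciphertext, leaked)       # and decrypts everything with it


if __name__ == "__main__":
    print(single_byte_roundtrip())
    print(key_reuse_attack())
```

Real symmetric ciphers (AES and the like) still reduce to XOR at the last step, but they first expand a short key into a keystream that does not repeat and cannot be predicted from a leaked stretch; the toy above is what happens without that expansion.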
    7. Public-Key cryptosystems.
      1. Encryption and decryption keys differ.
      2. The two keys Kpub and Kpri are produced at the same time by a single process.
      3. Encryption key usually published; called the public key.
      4. Decryption key kept secret: the private key.
      5. Message can only be decrypted by one who knows the private key.
      6. Standard technique: RSA encryption.
      7. Strong encryption
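Textbook RSA on toy primes, as an added example that is not part of the lecture. It also carries out item 5 of this outline (ASCII codes grouped and read as one number), since RSA works on numbers. The primes 10007 and 10009, the exponent 65537 and the message are constructed; the key sizes are for reading, not for protecting anything, and real deployments add padding (OAEP) that this textbook form omits. The last function shows the claim in item 7.5: applying the public exponent to the ciphertext does not give the message back.

```python
"""Textbook RSA on toy primes, with characters grouped into numbers (constructed example)."""
from math import gcd


def keygen(p, q, e=65537):
    """One process yields both keys: Kpub = (n, e) is published, Kpri = (n, d) stays secret.
    Toy sizes only: real keys use primes of 1024+ bits, and real systems pad (e.g. OAEP)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)            # private exponent: e * d ≡ 1 (mod phi)
    return (n, e), (n, d)


def group_size_for(n):
    """Largest number of bytes per group such that every group value is below the modulus."""
    g = 1
    while 256 ** (g + 1) < n:
        g += 1
    return g


def text_to_numbers(text, group_size):
    """Item 5 of the outline: ASCII codes, grouped, each group read as one big-endian number.
    The text is NUL-padded to a whole number of groups (ASCII text contains no NUL)."""
    data = text.encode("ascii")
    data += b"\x00" * (-len(data) % group_size)
    return [int.from_bytes(data[i:i + group_size], "big") for i in range(0, len(data), group_size)]


def numbers_to_text(numbers, group_size):
    data = b"".join(m.to_bytes(group_size, "big") for m in numbers)
    return data.rstrip(b"\x00").decode("ascii")


def encrypt(public_key, text):
    """Anyone with Kpub can encrypt: c = m^e mod n for each group."""
    n, e = public_key
    return [pow(m, e, n) for m in text_to_numbers(text, group_size_for(n))]


def decrypt_numbers(key, blocks):
    """Raise each block to the key's exponent; only d undoes e."""
    n, exponent = key
    return [pow(c, exponent, n) for c in blocks]


def decrypt(private_key, blocks):
    n, _ = private_key
    return numbers_to_text(decrypt_numbers(private_key, blocks), group_size_for(n))


if __name__ == "__main__":
    pub, pri = keygen(10007, 10009)
    blocks = encrypt(pub, "Attack at dawn")
    print(blocks, decrypt(pri, blocks))
```

With n = 10007 × 10009 each group holds three characters, so the 14-character message becomes five numbers; `decrypt` with Kpri returns the text, while `decrypt_numbers` with Kpub returns unrelated numbers.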
  8. Backup
    1. Data on computers is important.
    2. Many terrible things can happen to that data.
      1. Hardware failure.
      2. Software errors or infection.
      3. Operator errors.
      4. Vandalism or sabotage.
      5. Physical accident: fire, flood, etc.
    3. Make backup copies which can be restored later.
      1. Perform the copy periodically. Businesses: daily or more often.
      2. Tapes, writable CDs, or the cloud.
      3. Best to keep copies remote from originals.