1Creating and ImplementingPrivacy Awareness ProgramsDr K Rama SubramaniamDirector and CEO, Valiant Technologies Pvt Ltd, IndiaExecutive Director, Baker Tilly MKM, Abu DhabiChairman, Information Security and Cyber Crimes Research FoundationAdjunct Professor, Dept of Criminology, University of Madras
3AbstractThis work presents key considerations in creatingand implementing nation-wide privacy awarenessprograms. After discussing the need to createprivacy awareness, its suggested contents arerationalized. The choice of target audience andthe delivery mechanisms are considered from arelevance perspective. The need for feedbackand assessment of effectiveness of delivery isemphasized. Some key areas where it is difficultto clearly take a stand today are presented as areasrequiring further work.
5Dr. K Rama SubramaniamMBA(UK), Ph.D, FCA, FISC, CISA, CISM, CISSP, CEH, CHFI, CSQP, Security+Director & CEO of Valiant Technologies Pvt Ltd, IndiaExecutive Director, Baker Tilly MKM, Abu DhabiAdjunct Professor in the area of information security and cybercriminology at the University of Madras.IBM GIO Alumni.India’s country representative at International Federation of InformationProcessing (IFIP); serving on their Technical Committee TC-11 dealingwith information security.Chairman of ISCCRF, a not-for-profit trust carrying out research ininformation security and cyber crime prevention.He has been an information security consultant, audit and assuranceprofessional, trainer and educator for over two decades. He is a certifiedand experienced professional in the areas of creating and implementingsecure information security architecture; internal controls systems andprocesses; business continuity and disaster recovery plans; security auditsand certification of network infrastructure, ERP application, bespokeapplication development processes; multifactor authentication (includingPKI and X.509 compliant certification infrastructure); and certificationprocesses for SOX, COSO, COBIT, ITIL, PCI-DSS, ISM3, ISSAF, ISO-27001, ISO-17799, ISO-31000 and ISO-15408 compliant informationsecurity management systems.He has trained experts in many information security domains across Gulfnations, India, Far East and Africa. He is a consultant to a number oforganizations in the commercial, government, armed forces, judiciary andlaw enforcement segments in these countries.His current research and development interests are in the areas of creatingand implementing technolegal processes for data security and privacy.He was invited by ENISA, the European Union agency for InformationSecurity to address the EU Security Experts who had gathered inabout the author
6Athens, on the need for and process to guarantee data privacy in ITESbusinesses. He was invited to chair a session on security aspects of cybercrimes a Conference organized by the Stockholm University and theSwedish Police.He served earlier as Global Chair of the Education and AwarenessPrinciples Expert Group of Globally Accepted Information SecurityPrinciples (GAISP), based in the United States and is former Global Chairof the Accreditation Process committee of Open Information SystemsSecurity Group (OISSG), based in the UK where he established theircertification and accreditation processes. He is the charter President ofthe first chapter of ISSA (Information Systems Security Association) inAsia and served on the boards of Dubai, Chennai and Bangalore chaptersof ISACA.He was formerly Managing Director of Thewo Corporate Services basedin Lusaka, Zambia; Group Operations Director of Benetone Group ofCompanies based in Bangkok, Thailand and Commercial Director ofDynaspede Integrated Systems Ltd, based in Mumbai.
7First word-----------------------------------------------------091 Developments till Date--------------------------------112 Why this interest----------------------------------------153 How is Privacy Awareness relevant------------------194 Managing the Privacy Awareness Program---------315 Program Content and Delivery-----------------------416 Delivering the Program--------------------------------51Last word-----------------------------------------------------64contents
9first wordThe exponential growth of the Internet in the last fewyears has left most of us gaping for breath. It has capturedattention both in the commercial and in the personal space.Internet banking, travel booking, product purchase, electronicmail, voice chats, video chats, telephone communication,social networking sites – well it has really shrunk both time andspace. We are truly a global village. You can now access a bookin the third rack of the fourth floor building of an AmericanUniversity library sitting here in India, make margin notes,return the book; all without shifting a leg [read Google].But in the wake of all this, the internet has brought in a fairshare of troubles. In the anonymous world of the Internetevery act of ours is public. When it comes to privacy asthe common man understands, it’s a zilch. Take G-Mail forexample. When you receive or write a mail, on the right sidewindow you have a pane that carries advertisements relatingto the content you are writing! That’s big brother watchingyou, in one sense. And in a far more serious sense your privateinformation can and does get compromised. Sellers track yourbuying preferences, hackers hack your name, address, phonenumber and mail id and put it up for sale; others log into yourbank account and withdraw your money; yes on the other sideof the Net you don’t know who is sitting.The irony is that many of us don’t know that our privacy isbeing compromised and some don’t care until it becomes toolate. There is an urgent need for knowledge on this front andthe steps to be taken to stall privacy invasion. How do we goabout doing this is what this document outlines.
10I recall the discussions I had some years ago with twoof my good friends, Nandakumar Saravade andK Ponnurangam, when they encouraged me to come up with aprivacy awareness program blue print. It did not then see thelight of the day but with my consulting experiences pointingto the devastating consequences of poor privacy awareness,I thought it was time to complete this so that it could helpthose who are working on privacy awareness issues. Lookingback, I appreciate their foresight in encouraging me to workon this significant and relevant area.The Trustees of Information Security and Cyber CrimesResearch Foundation (ISCCRF) readily came forward topublish this, for which I am indeed grateful.My sincerest thanks to my long time friend, V Pattabhi Ram,Chartered Accountant, for supporting this effort with hisexemplaryjournalisticskills,whichhasbroughtthispublicationto its present state and shape.K Rama Subramaniamrama@valiant-technologies.com
111Developments till DateJudge Louis Brandeis was on target when he said that“the makers of the (American) constitution conferred themost comprehensive of rights and the right most valuedby all civilized men - the right to be let alone.” He, alongwith Samuel Warren, articulated on Privacy way back in the1890 in their seminal work “Right to Privacy” that appearedin the Harvard Law Review. The next one hundred yearssaw various points and counter points being discussed onwhat is privacy; as in should it be enforced by the state; isit as fundamental a right as the right to life; is it somethingthat can be guaranteed so long as the state does not see anyhindrance to its governance role by acceding the right to Warren S. & Brandeis L.D.: ‘The Right to Privacy’ 4 Harvard Law Review (1890) 193-220
12privacy, etc. A defining moment came in the judgment ofthe US Supreme Court in Whalen vs. Roe (429 U.S. 589 (1977))when a distinction was made between two types of interestsin the case of a constitutionally protected privacy. First wasthe “individual interest in avoiding disclosure of personalmatters” and the second pertained to “independence inmaking certain kinds of important decisions.” When werefer to privacy today, we refer to the first of the two interestsenunciated in the Whalen vs. Roe judgment.While on the one hand, we have the likes of LouisBrandeis and Samuel Warrens as also the various courts thathave tried to define privacy with anatomical precision typicalof the legal fraternity, we also have on the other side AlanWestin’s celebrated book, Privacy and Freedom, that opensby lamenting that “Few values so fundamental to societyhave been left so undefined in social theory or have beenthe subject of such vague and confused writing by socialscientists.” Arguably the concept of privacy in the contextof personal information and organizational informationassets begs an academically rigorous definition. Westinattempts a good articulation when he writes that “Privacy isthe claim of individuals, groups, or institutions to determine Westin A.F.: ‘Privacy and Freedom’ Atheneum, New York, 1967
13for themselves when, how, and to what extentinformation about them is communicated toothers [pp. 7, 2].”Roger Clarkeseeks to evolve a workingdefinition of Privacy. Drawing on an earlierwork of W L Morison, Clarke proposesthat Privacy is the interest that individualshave in sustaining a ‘personal space’, free from interferenceby other people and organizations.DO YOUKNOW?India ranks5 in “Topmaliciousactivitycountry”. Roger Clarke: Introduction to Dataveillance and Information Privacy, and Definitions of Terms found inhttp://www.anu.edu.au/people/Roger.Clarke/DV/Intro.html Morison M. L.: Report on the Law of Privacy’ Govt. Printer, Sydney, 1973
15A large number of factors, chief among them beingtechnology driven proliferation of information about peopleand organizations, are driving the current flurry of interestin the area of privacy and security of information assetsthat includes e-mail records, chat transcripts, data held ondatabases and various web sites that are regularly accessed.In this chapter, we focus on privacy as an emerging conceptand its relevance in the context of a variety of informationsystems that handle Personally Identifiable Information (PII)with privacy implications. PII is understood as any pieceof information which can potentially be used to uniquelyidentify, contact, or locate a single person. There is a debate2Why this interest
16on whether an element of PII that may not be unique globallyshould be removed from PII . This debate is referenced forsake of completeness but will not be considered in this paperas its impact on creating and implementing an awarenessprogram is minimal.A distinction is made between personal information thathave privacy implications and personal information that haveno privacy implications while evolving an awareness program.Key dimensions relating to creation of awareness of privacyelements of information in the Indian context is the focus ofthe discussions that follow.From the perspective of determining how the conceptof privacy came into being, most scholars trace it back tothe social need of humans to acquire a “personal space” forthemselves. This takes us to a revisit of Abraham Maslow’sNeed Based Theory.. More recent developments can betraced to the pioneering work of human rights activistsand global organizations that have pioneered human rightsconcepts and have strongly factored the idea of privacy aspart of human rights. Article 12 of the Universal Declarationof Human Rights  states that “No one shall besubjected to arbitrary interference with his privacy, family,home or correspondence, nor to attacks upon his honor and See, for instance the discussion post at http://www.circleid.com/posts/82225_ip_addresses_personally_identifiable_information/ Maslow A.H.: ‘A Theory of Human Motivation’ Psychological Review 50 (1943) 370-396
17reputation. Everyone has the right tothe protection of the law against suchinterference or attacks.”This Declaration provides forprotection of privacy in a very genericform. The earliest attempt to define conditions where suchprivacy can be compromised, is found in Article 8 of SectionI of the European Convention on Human Rights . Itstates that “Everyone has the right to respect for his privateand family life, his home and his correspondence. There shallbe no interference by a public authority with the exerciseof this right except such as is in accordance with the lawand is necessary in a democratic society in the interests ofnational security, public safety or the economic well-being ofthe country, for the prevention of disorder or crime, for theprotection of health or morals, or for the protection of therights and freedoms of others.”We next move on to appreciate how an awareness ofprivacy is relevant in any and every sphere.DO YOU KNOW?Today’s maliciouscodes, particularlyTrojans, aredirected atviolating privacy. United Nations: Universal Declaration of Human Rights (1948) General Assembly Resolution 217 A (III)of 10 December 1948 Council of Europe: The European Convention on Human Rights (1950) Rome, as amended by fiveprotocols between 1952 and 1963
19These developments and the contemporary thoughtprocess on privacy find their origins in a number of wellevolved principles of governance, of human rights, ofconstitutional guarantees and a strong personal and socialneed. There have also been cases where privacy breacheshave impacted the victim’s life and social standing. Thesetoo have contributed to the development of increasinginterest in privacy related issues. Whereas the concept ofprivacy in itself is not new, it has acquired a renewed interestbecause of the open information networks that span theglobe, supported by cost-effective data carrier protocols thatreach out across the globe. The business applications built3How is Privacy Awarenessrelevant
20on open network architecture have opened a wide range ofbusiness and convenience opportunities and has broughtwith it a basket of woes; one among them being the challengeto privacy.A question that requires attention concerns thedistinction between business information and personalinformation. This distinction acquires significance sincebusinesses that have emerged as large repositories ofpersonal information have many instances where the sameinformation processing system stores both business dataand PII. A good example of this could be HR systemsthat have PIIs that require protection from unauthorizedaccess, yet be available for processing in the regular courseof business .As the number of people who handle PIIs increase,so does the obligation and responsibilities of those whohandle third party information that have privacy content.Developments in the recent past have pointed to a number ofsituations where, if the owner of the PII is not alert enough,his privacy has been trampled upon. The second reason forindividuals to protect their privacy is that privacy elements ininformation can today translate easily into money.Significant developments in the awareness of privacyrelated issues will be a sure protection against attempts
21to intrude into privacy of individuals and its abuse forillegal or unethical purposes; often driven by commercialconsiderations.This document looks at awareness from two differentviewpoints; one, the awareness to be raised among thosewhose PIIs need protection and two, the awareness amongstthose who design and manage systems that handle PIIs,as also to those who handle PIIs individually. Therefore,there is need to create different contents and adopt differentdelivery mechanisms to different classes of people, who mustbe reached. A recommended generic grouping, following therecommendations of NIST could be to group people whoare involved in the following actions or processes relating toinformation systems:• Manage• Acquire• Design and Develop• Operate• Review and Evaluate• UseThere could be individuals who qualify to fit into morethan one classification and the last group viz. those who useinformation are both the largest in volume and arguably the NIST: SP800-50 – Building an Information Technology Security Awareness and Training Program – 2003
22most vulnerable and therefore require the maximum exposureto privacy awareness initiatives.Stakeholders of information with privacy elementsembedded in it should realize that they have to consider theprivacy dimension not just when they use the informationbut also when storing it on systems owned and managed bythem, and when permitting the information to pass throughtheir active and passive network components.A quick analysis of the state of today’s connected worldidentifies a number of groups which handle informationassets – owners, users, custodians, processors andtransporters of information. Each of them have a role vis-à-vis privacy component found in the information handledby them. Covering all these groups as part of privacyawareness program will require consideration from differentperspectives, an illustrative list of which is considered here:LegalThe first formal look at Privacy came from the legal fraternityand today a good understanding of the legal framework thatgoverns reporting, follow up and protecting the chain ofevidence has to be covered as part of any awareness program.Law enforcement agencies and victims of privacy violationshave complained that they don’t know which law is to be
23invoked to prosecute perpetrators of privacy violations. Theawareness program must cover law enforcement personnel;particularly those who are the first point of contact forcomplainants so that they are aware of the process to beused while recording and investigating privacy violations.A good starting point in this direction is the India CyberLabs initiative of NASSCOM in association with state policeforces.TechnologicalPrivacy has a strong technology dimension especiallywhen we refer to privacy in a connected world. Lack ofunderstanding of technology that drives the Internet hascontributed to a variety of privacy violations; what with thescreen asking questions like “Do you want to install and runActive-X controls?” albeit without putting the user on notice,in a form that enables the user to make a conscious decision.For the less technologically initiated, this is a pretty complexquestion and the user often ends up letting cookies, appletsand the like, usurping PIIs from the computer. Creating abasic awareness of the underlying technology that drives theNet and the areas where caution has to be exercised shouldform part of the privacy awareness program. The argumentagainst this is invariably that technology becomes obsolete More information on India Cyber Lab can be found athttp://www.nasscom.in/Nasscom/templates/NormalPage.aspx?id=5952
24quite fast and with new technologies regularly being used,what is the point in creating awareness on a technology thatwill soon become obsolete. Admittedly the emergence ofnew technologies is rapid but that is no reason to defer oravoid training on current technologies since we will neverever come to a stage where the evolution of technologies hasstopped. Organizations like the International Association ofPrivacy Professionals (IAPP) have evolved, over a period oftime, programs that tend to be technology neutral to someextent .BehavioralPrivacy awareness, like security awareness, can be inculcatedas second-nature to the users. But such inculcation does nothappen overnight and requires steady and persistent efforts.As mentioned elsewhere in this document, in a multi-cultural society like ours where languages, culture and long-held beliefs play a significant role in individual responses tosituations, it is hard to prototype a one approach to privacyawareness that fits all. In addition to these issues thataffect behavioral response to privacy awareness, there arealso varying perceptions about Net based services that areinfluenced by peer groups and family members’ advice by Details of programs developed by IAPP can be found at https://www.privacyassociation.org/
25leveraging on knowledge acquired from popular literature.The influence of these factors can be quite strong and inmany cases, there may be a need to help the participantsunlearn principles and practices that have been picked upbased on incorrect or incomplete understanding of whatis involved. An exploratory study by Kumaraguru andCranor discuss attitudes of a cross section of Indiansociety towards privacy. While there is no attitudinal profiledrawn up of Indians towards privacy, the study points to an“overall lack of awareness of privacy issues and less concernabout privacy in India than has been found in similar studiesconducted in the United States”. (pp. 1, 12)CriminologicalPrivacy related issues may result in crimes that have attributesand characteristics that appear to be significantly differentfrom the traditional forms of crimes. While attempts havebeen and are being made to fit privacy related crimes intotime tested criminological paradigms, certain features ofprivacy do not permit a neat fit. First of all, it is still notclear if violation of privacy is a crime or an aberration of anestablished principle of behavior. The serrated boundaries ofprivacy needs to be rounded off well before we can attempt to Kumaraguru P and Cranor L: “Privacy in India: Attitude and Awareness” available at http://www.cs.cmu.edu/~ponguru/PET_2005.pdf
26test if we can take advantage of the results of good researchfindings in criminology and apply it to a better understandingof privacy issues resulting in creating an appropriate form ofawareness program .VictimologicalA concern that has attracted attention is the process that willempower victims of attacks with knowledge and skills torecognize that they have been victimized and also to knowthe process of reporting the attack. Unlike a conventionalcrime scene where the victim is most probably the firstperson to raise an alarm almost immediately after the attack,victims of privacy violations often find that out after a longtime gap; if at all they find it out. This presents a pressingneed to sensitize victims to a set of processes of finding outprivacy violations as soon as the violation had occurred.Ease-of-useNo awareness program can succeed if it cannot be presentedin a manner that can be easily understood by the targetaudience. However, the technology and implementationarchitecture of information systems that has enabled privacy Subramaniam, Rama K.: “Cyber Crimes – A Criminological Paradigm” – Chapter V in “Cyber Crime– Criminological, Victimological and Legal Perspective” unpublished PhD thesis, University of Madras,April 2006
27violations, are too complex to besimply explained. Designers of privacyawareness programs need to clearlyunderstand the challenges in increasingawareness of non-technical users ofnetworked information systems since they simply look atthe system as a value addition tool and not beyond that.The emergence of multi-lingual Internet enabled servicesand portals bring a new group of people to the user base,which may need awareness programs in languages that arecomfortable to them and are customized. The need to retainthe spirit and content at the same level in all languages needto be carefully addressed.EconomicWill a typical participant in a privacy awareness programconsider it being of sufficient value-add that he will pay forit? Perhaps not always; at least not as of now. This bringsforth the issue of economic implications of running a privacyawareness program. The process of designing and deliveringprivacy awareness program should be built on the assumptionthat it may not be sufficiently funded by the beneficiaries ofthe program. This realization will enable the managers ofsuch a program to look for resources and funding so thatthere is no disappointment when the program is deliveredDO YOU KNOW?Most of theattacks areaimed at inflictingdamage on thevictims financially.
28and the participants are reluctant to pay for it or when it takestime to get beneficiaries to pay for it. There is another schoolof thought which strongly believes that any ‘free’ programdoes not make the participant feel that they got value out ofit. While there is merit in this argument, it may be difficultto ‘commercially sell’ privacy awareness programs; at least asof now.An area that requires considerable work is to determinehow best to fund these privacy awareness programs at anational level; and if there are significant regional differencesin the programs, some regionally operating fundingpossibilities need to be considered. Any effort at creatingand implementing a nationally relevant privacy awarenessprogram cannot yield the desired results unless it is adequatelyfunded. As privacy awareness programs are conceptualized,adequate funding should be established so as not to let theprogram momentum to deteriorate. The forms of fundingprivacy awareness programs are in themselves an area thatcan justify a complete study.One source of funding privacy awareness programscould be to utilize a portion of the penalties imposed onoffenders under the information technology law and onviolators of privacy legislation and regulations. This wouldnot be an immediate solution but could yield results in the
29long term. Conceptually this is a bitquestionable since we are presuming thatthere would be a number of violationsresulting in penalties being imposed andrecovered.Beneficiary profileOne way to differentiate the set of persons who need to beaddressed by these awareness programs is between individualsand businesses. While the general perception is that privacyawareness is more focused on individual users of informationsystems, small and medium businesses will benefit from theefforts at creating and sustaining a generic privacy awarenessprogram. Individuals can be classified as youth, adults andsenior citizens, more popularly referred to as silver surfers, inInternet related literature . The business segment can becategorized as micro organizations (small professional firmsand individual traders or experts operating as a specialistservice provider), small and medium businesses. It is assumedthat large enterprises will have an in-house process to createand sustain privacy awareness across the organization.DO YOU KNOW?The users oflaptop connectand use it inlocations thatoften do not havethe requisitesecurity andprotectionperimeter. The term ‘silver surfers’ is being increasingly used to refer to senior citizens using the Net. It is founditself into common newspaper reporting. See for instance, http://www.dailymail.co.uk/sciencetech/article-477140/Silver-surfers-beat-young-Web-wizards.html.
30The recommended set of broad contents of privacyawareness program is discussed elsewhere in this document.The above classification of beneficiaries of the awarenessprogram will help in arriving at the optimal mix of contentand the depth of their coverage for beneficiary grouping.
31Awareness is the first line of defense against privacyviolations. Creating a national level privacy awarenessprogram and delivering it to all those who need this awarenessis a huge task, given the geographical spread of the nationand the burgeoning internet penetration across the country.The reducing tariffs for Internet access and the increasingrealization of its benefits keeps increasing the size of thetarget group that needs to be covered by the awarenessprogram.4Managing the PrivacyAwareness Program Multiple view points have been expressed converging on the idea that “awareness is the first line ofdefense against privacy violations.” See Frye, D.W.: “Network Security Policies and Procedures” Chapter12 – The Human Element); An interesting counter view is expressed by Motall, A. Z. A.: “The legalprotection of the right of privacy of networks” available at http://webworld.unesco.org/infoethics2000/documents/paper_motaal.rtf.
32A number of stakeholders can be identified for creating,implementing, sustaining and monitoring a nationallevel privacy awareness program. The stakeholder groupwould include the IT departments of the central andstate governments, the central and state informationcommissioners, industry bodies like NASSCOM, the cybercrime cells of police forces, ISPs, educational institutions,judiciary, not-for-profit organizations and public trusts thatwork in the area of information privacy and security. Aproject management approach is needed for creating andimplementing the program. Following are some steps to beconsidered in this context:• Formnon-formalworkinggroupswithrepresentativesfrom all stakeholder segments. The preference fornon-formalworkinggroupasagainstaformalworkinggroup is driven by the need to integrate flexibility inapproach with speed and ease of communicationamongst members. Non-formal groups will alsoenjoy the benefit of lesser regimentation in adding tothe membership or altering the composition of thegroup. The most significant benefit of course willbe the ability to come together quickly when a mid-course correction or change needs consideration.Further, the response to feedback from the usersand stakeholders of the awareness program can be
33interpreted and acted upon faster when entrusted toa non-formal group.• In consultation and collaboration with thestakeholders, determine the ultimate state of privacyawareness to be achieved. Determination of this endpoint will be a good starting point for strategizingthe overall program and will also contribute tothe determination of the metrics to measure theeffectiveness of the awareness program.• Successful awareness program management involvesbuilding competencies in the areas of: program design management of delivery channels determining beneficiary profile and constantlyupdating the attributes that will determinethis profile test checking on actual delivery forconformance to appropriate controls andefficiencies of that delivery channels (eg., ifthe delivery is via a direct interaction betweenthe specialist and the beneficiary, does thespecialist conform to International Board
34of Standards for Training, Performance andInstruction IBSTPI standards?) reviewing feedback and using it to fine tunethe contents and delivery mechanism structuring and implementing measures toassess the effectiveness of the program• Clearly define roles, responsibilities, deliverables andaccountability measurement of all involved in theprogram• Build sufficient flexibility to cater to differentstakeholders’ requirements• Establish and maintain a communication channelthat is open, clear and meets time lines.The program design and implementation should be such asto result in obtaining the following benefits:• In addition to creating awareness on privacy, theprogram should become a focal point for theconvergence of all initiatives already in placeto increase the privacy awareness of informationsystem users
35• Minimize the number of privacyviolations and increase thenumber of cases where peoplehave responded to privacyviolationsbyassertingtheirrightsto privacy, thus being a deterrentto those who may attempt anyviolations on privacy, in future• Function as a well knit and efficient communicationchannel for quick dissemination of methods andapproaches to thwart new attempts at privacyviolations• Constantly update and disseminate information onemergingformsof privacyviolations,countermeasuresand controls to minimize the damage• Educate individuals about their roles and obligationsin preserving the privacy of information undertheir control and encourage them to go beyondpracticing ‘minimum-adherence’ to privacy mandatesand policies.• Create a culture where all participants will respectprivacy and encourage all connected entities, systemsand people to respect privacy.DO YOU KNOW?Public computerslike the ones thatare installed incyber café canpose a threatby exposingthe personalinformation of theusers.
36While designing programs to minimally achieve the benefitslisted above, considering the following will enhance theoverall effectiveness of the program:• Whether the program should confine itself tocreating awareness or will it extend to training andeducation which, in turn, will reinforce the awarenesscreated and increase the skill levels to fight privacyviolations. For instance, creating awareness aboutphishing and introducing the participants to astructured set of Do’s and Dont’s will satisfy theawareness process. Additional efforts at educatingand training them will result in building capabilitiesof identifying new versions of phishing and be ableto follow a digital forensic trail to trace the attacker.However three factors merit consideration when anawareness program is extended to cover training andeducation – the justification for such extensions, thecompetence of the recipient group to respond totraining initiatives and finally, additional resourcesneeded.• Considerations that will determine the frequency ofrepeating an awareness program include the recallquotient of the program (tested via standardizedtests),theneedtoupdateinordertofightobsolescenceof the program contents and any possible adverse
37feedback on the delivery of theprogram.• Determine and freeze thedepth of underlying technologyand / or legal framework thatshould be presented to the participants. It will beadvantageous to have a structured approach to matchthe depth of presentations with the audience profilethat can be accommodated in one of the many pre-defined classes. This pre-supposes that there wouldbe different contents for different target audiencegroups.• In addition to the usual practice of presentingthe technical and legal aspects of privacy, there ismerit in presenting essentials of criminological andvictimological aspects of privacy so that victimassisted violations are minimized and participantswill be sensitized to the need to quickly realize if theirprivacy is violated and if so, have before them a clearcourse of action.• It is well accepted that the goal of the program isto raise the privacy awareness levels across the entirespectrum of the population. While that by itself isa sufficient objective to justify this program, there isDO YOU KNOW?Installing apatch or hot fixon a system isregarded as anecessity forbetter security.
38merit in asking if the program could aim at attaininga ‘significant’ change in attitude of the participantssince privacy is, like security, more of a mental-statethan just a technological issue.• Given the size and spread of the country, there is astrong case for decentralizing the privacy awarenessinitiative and making it relevant to the local cultureand language. ISPs that are locally present and otherinterest groups can be encouraged to develop privacyawareness programs with regional flavor and have itvetted by DSCI . Upon approval, locally organizedawareness groups should be encouraged to sustain theprogram. The advantage in decentralizing deliverywith a centralized superintendence over scope andcontents will facilitate the awareness program tobe implemented on a recurring basis. One of themetrics that can be used to measure the effectivenessof the awareness program will be determining theactual and incremental number of participants whocome forward with complaints of privacy violations.As with most other measurement systems, thesemeasurements will have a limitation when it comesto establishing a base line against which incrementscan be computed.
39• The privacy awareness program can be managed bya number of interested groups or individuals. Reachcan be achieved through Not-for-profit bodies working in theareas of information security, cyber crimemanagement, digital forensics, digital rightsmanagement and privacy issues Industry associations and chambers ofcommerce University departments of Computer Scienceand Engineering, Criminology and Law Human Rights Activist groups Cyber Crime cells working in Metropolitancities Legal Aid Societies Private enterprises who have significantemployee strength Media Outreach programs of public enterprises,private banks, mobile operators and ITESbusinesses
40 Community centers and schools Corporateandotherinstitutionalsponsorshipsthat can result in organizing seminars andconferencesonprivacyawarenessandsupportto different privacy awareness initiatives.
41What should be covered by the privacy awareness creationprocess? As with the case of difficulty in deciding on the mixof delivery mechanisms, it is very hard to find a one-content-fit-all solution. Having said that, we shall none the less identifya set of areas where the participants need familiarity if theprogram should create the right degree of awareness. Anyawareness program on privacy cannot be devoid of interfaceswith technology, legal systems and business models thathandle data with privacy content.An issue that is being debated is the difference betweenprivacy and security. One school of thought is that you5Program Contentand Delivery
42cannot consider privacy per se without reference to the overallinformation security framework. This stems from thebelief that privacy is one of the attributes of informationsecurity. The other view point is that while privacy may havea relationship with security, privacy can stand on its ownwhen it comes to sensitizing users whose privacy is beingdiscussed . This view point is fortified by the belief thatin order to understand your privacy rights and obligations,you need not concern yourself with other attributes ofinformation security like confidentiality, integrity, availabilityand, to some extent, authentication and non-repudiation.While admitting that there could be some merit in de-linkingprivacy from security at least in the context of creatingawareness and sensitizing users, there is no denying the closerelationship between security and privacy.A case in point could be determining the sensitization ofindividuals to the need to maintain their passwords as aclosely guarded secret. This is a definite need when it comesto creating awareness on privacy issues since consequentialcollateral damages resulting from loss of passwords canbe catastrophic. Password related issues have a place ofsignificance in any information security program. We See, for instance the position of Price, S: “Protecting Consumer Privacy Information” available at:http://www.infosectoday.com/Articles/Protecting_Customer_Privacy_Information.htm
43cannot, however, lose sight of the subtledifferences in the ways in which passwordrelated issues will be addressed in the twodifferent awareness programs.There is a good scope for entering intoan intellectually stimulating discussionon whether or not the content in a typicalprivacy awareness program should havesimilarities to security awareness programs. This documentsteers clear of it and confines to broadly presenting somesuggested content for privacy awareness programs. Thesuggested contents are not presented in the traditional wayscontents are understood. In other words, the followingtable does not say, in detail, ‘what’ is required to be covered.Instead it discusses ‘why’ that content is relevant. The actual‘content’ can be discussed and finalized after freezing targetaudience and delivery mechanism.DO YOU KNOW?In the UnitedStates, federalagencies maybe authorized toengage in wiretapsby the US ForeignIntelligenceSurveillanceCourt, a courtwith secretproceedings.
44ContentAreaWhy is this content relevant to privacyawareness?1 Using andManagingPasswordsPasswords have two roles to play in privacy relatedenvironments. It by itself is a PII (when combined withuser names of such other identifiers) and it is arguablyone of the most frequently used means of protectingaccess to PIIs. An inadequate awareness of the natureand advantages of using good passwords is a sure firststep in losing one’s privacy on the anonymous Internet.With the Internet being used by the common person fora variety of efficiency enhancing operations, businesstransactions and knowledge sharing, there is a need forgood password management.2 Maliciouscodes –viruses,worms andTrojansMalicious codes have presented themselves in varyingmanifestations to the users over the past two decades.With time, the virility of these malicious codes havecontinued to increase; so have their capabilities, interalia, to violate privacy information of users of infectedsystems. Today’s malicious codes, particularlyTrojans, are directed at violating privacy. The problem isaggravated by the fact that we don’t have comprehensivesolutions against Trojans. Awareness and the need tosensitize users to refrain from doing something or takeaffirmative action under certain conditions is a sure wayto minimize the chances of attacks by malicious codesand content.
453 E-mailsand attach-mentsWith the ubiquitous reach and cost-effectiveness ofe-mails come a whole horde of vulnerabilities and eachof these are easily exploited by intruders since theuninitiated users are not always aware of the risks inusing e-mails without adherence to secure practices.Such insecure use of e-mail systems can result in anumber of privacy infractions not just of the users’ PIIbut also of PIIs of others stored on the system.4 Webbrowsingand otherusage ofweb ser-vicesSimple web browsing a k a ‘vanilla browsing’ can beharmless from a privacy perspective so long as theusers have taken basic precautions like running anupdated AV system and installing a well configuredfirewall. However, with the range of opportunities toavail of value added services, many services requireidentification and authentication of the users. Lack ofawareness on ‘safe net-use’ practices could result incompromise of privacy.5 Spam Spam could represent an already compromised privacy.The fact that spam has addressed a non-public mailID sometimes influences users to give credence to thespam mail. Awareness about the privacy implications ofspam mails need to be created from both dimensions;namely of receiving of spam and also of creating /propagating spam. The fact that it is hard to preciselydefine spam is demonstrated by our inability to design azero-defect spam control mechanism.
466 Social En-gineeringThere are no proven structured processes to countersocial engineering attacks aimed at compromisingprivacy information of victims. Increased awarenessleading towards a higher level of consciousness ofsocial engineering as a possible attack pattern will go along way in helping users to protect their privacy. Theabsence of technology dimension in social engineeringmakes it hard to build an robust content for this elementof awareness program and will therefore need quite abit of creative approach to create awareness. Certainforms of social engineering attacks (eg., phishing) canbe countered through a combination of attitudinal andtechnological countermeasures.7 ShouldersurfingShoulder surfing happens when an unauthorized personwatches the operation of a user and acquires access toinformation to which the person does not have access.For instance, a person watching the key strokes of theuser and comes to know of the password being typed,has performed shoulder surfing. The incidence ofthis form of attempt to compromise privacy may notbe frequent since significant awareness exists aboutshoulder surfing. One reason is the changing socialfabric, at least in urban India, where it is regarded asa socially unacceptable behavior. However, there arepeople who indulge in this practice sometimes out ofsheer curiosity rather than with any malicious motive.Creating awareness on this and making such awarenesswork is far easier than other cases.
478 IncidentResponse– recogniz-ing andreportingincidentsRecognizing an incident that warrants attention is a verygood first step in combating the effort of the attacker. Anincident could have multiple consequences, includingviolating privacy information of the victim. Due tothe significant differences in skill and competenciesbetween the attacker and the victim, the incident cango un-noticed; often unreported. This is an area wherelot of efforts need to be expended to develop and offera high level of awareness so that incidents that threatento disclose privacy information is quickly identified.In addition to helping identify incidents that requirehandling at a level different from that of the affectedperson, awareness creation is needed that will assistin determining the right reporting and / or escalationprocess. Awareness in this area will also add to theutility of national or regional level Computer EmergencyResponse Teams (CERT) or equivalent initiatives .9 Phishing This is perhaps the most direct attack on the privacy ofindividuals by seeking to motivate the victim to part withPIIs, which has more value than just identification of theindividual. The uniqueness of this form of attack is thatit motivates victims to engage in an affirmative actionof compromising their privacy. Most of the attacks areaimed at not just compromising privacy but take it to thenext level of using the compromised privacy for inflictingfurther damage on the victims; often financially.10 PDAs andother handheld de-vicesThe proliferation of Personal Digital Assistants (PDA)and other hand held devices have added more people tothe exposure of attacks on PIIs. While this proliferationis good from a number of perspectives, most of thosewho use their PDAs to connect to open informationnetworks may not have had the requisite exposure toprivacy issues because of their first time exposure tousing open networks .
4811 Encrypteddata andcommuni-cationUsers of Internet based information systems are oftenled to believe that their PIIs are safe because they arecommunicating toserversusing a‘secure’or‘encrypted’path. There is truth in this assertion but there are stillareas where the users must know that their PIIs are notsecure end-to-end in the transmission over the opennetworks. Users need to understand the limitations ofstandard secure communication channels when beingused to carry PIIs.12 Laptop us-age – espe-cially whileon travelLaptops undoubtedly store PIIs; perhaps more PIIs thanany other class of devices excepting authenticationservers. Laptops, by their very nature, are personallycarried by their owners across locations and with itgo a whole lot of PIIs. The users of laptop connectand use it in locations that may not have the requisitesecurity and protection perimeter. A case in point couldbe connecting the laptop to the Internet via connectionprovided by a Hotel where you do not know the securitysettings of the Hotel’s network connection.13 Permittinguse of yourcomputersby othersThis happens very often. Many enterprise securitypolicies have restrictive clauses in this matter but therearesituationsandcircumstancesthatwarrantoverlookingthese restrictive clauses. Privacy awareness initiativesas contemplated here may not have a direct relationshipto this issue but creating and enhancing awareness ofthe need to protect PIIs stored on a computer used byanother person will significantly reduce the exposure insuch cases.
4914 Repair-ing yoursystems– patchesand hotfixesInstalling a patch or hot fix on a system is regarded as anecessity for better security. There are a few applicationvendors who insist on your connecting to their servers todownload and implement the patch or hot fix while beingso connected to their servers. This could have privacyimplications since some of these download ask eitherdirectly or may collect, clandestinely, PIIs stored on thesystem. Awareness in this area will help strike a balancebetween the importance of patching the applicationsand a possible compromise of privacy15 Acknowl-edgementusing PIIsAcknowledgement using the PII of the user is the orderof the day in many of the applications and networkinterfaces. The acknowledgement seekers need the useof PII to protect their interests while those who share thePII need to sensitize themselves to the risks of using theirpersonal information when acknowledging anything on anetworked information system. The awareness will helpusers carefully balance between the need to participatein the acknowledgement process; yet keep their privacyinformation as confidential as possible under the givencircumstances. This is not limited to networked systemsand can affect voice communication too . The process ofidentifying yourself when speaking to customer servicepersonnel of your credit card issuing Bank invariablyinvolves the provision of PIIs on a voice network.
5016 DesktopPrivacyThe earliest attempts at desktop privacy aimed atestablishing clear screen policy, which required thatwhenever a computer screen is left unattended it isblanked out. Desktop privacy is no longer limited tojust clear-screen policy. It involves understanding thevarious forms in which PIIs can be disclosed when adesktop is inappropriately handled – facilitating piggybacking, allowing remote desktop functions, and thelike. What facilitates loss of privacy via inappropriatelymanaged desktops is the inability to see through thepossible ways in which something as innocent as adesktop can be exploited by those who seek to violateprivacy of users17 Destroyingmedia withPIIsCorporatemediacontaining privacydatawillbegovernedby an appropriate enterprise security policy on securedisposal of media. Not all individuals may have theawareness to securely dispose off media that containPII. Awareness in this area will contribute significantlyto the reduction of loss of privacy via data scavengingor similar attempts.18 Troubleson using“public”computersPublic computers like the ones that are installed incyber café can pose a threat by exposing the personalinformation of the users. This can happen in a varietyof ways including the installation of key-loggers orspyware that detect, record, and transmit the personalinformation of the users to destinations outside thelocal host network or secure it in the local host forlater retrieval. Even when the owners of the “public”computers take precaution to ensure that such spywareare not present on their system, the fact that thesecomputers are connected to the internet can open apath for installation of malicious programs in the form ofTrojans that can hide in the system and go undetectedduring a normal scan but continue to spy on the users.
51A variety of channels are available for considerationwhile determining effective ways to reach the target audiencewho need to be sensitized on the privacy issues. Obviously,a large program such as this cannot rely on just one deliverychannel and it is expected that a combination of differentchannels will normally be used. Some of the possiblechannels are:• Computer based program – both offline and on-line• Video based programs• Using regular educational delivery channels like6Delivering the Program
52schools and colleges by integrating privacy awarenessinto their core curriculum• Event based – using conferences, seminars, publiclectures, fairs and other popular events• Print and Electronic media (including TV and Radio)in the form of sponsored programs and infotainmentpresentations, newsletters and moderated blogs• Fact sheets, posters and brochures (print andelectronic) aimed at targeted audience• Pop-ups on popular web sitesReliance on just one of the channels will not meet theobjectives of the program fully. A combination of channelsis required. As a national level initiative is being planned, theadvantages and disadvantages of each of these channels ofdelivery and their relative relevance to the target audienceneed detailed consideration.Whatever be the combination of channels used, some of thekey factors to be considered to enhance the effectiveness ofcommunication include:• The success of the campaign is directly related to itsability to change the way participants perceive andhandle privacy issues. Awareness process should
53get the target group to changeits ways of seeing-and-doingthings in the recommended way.The program will not succeedif it merely elicits a theoreticalconcurrence to what is said.• The success of the program can be enhanced if theprogram consists of case studies that focus on reallife issues. For example, the program can start byasking the audience – “Are you sure of what happensin the 5 minutes between handing over your creditcard to the waiter in a restaurant and till he returnsafter swiping it?”• If the participants in an awareness program canbe made to experience “hands-on” the effects ofneglecting privacy considerations, such an experienceis more likely to leave an indelible impression onthem. For instance, if the participants can be made tobelieve that they are on the net (while actually beingconnected to a locally hosted web service) and madeto go through a typical transaction, it is likely thatthey would bypass good privacy practices and theconsequences can be explained in detail. This requirescareful planning to avoid possible complacence at theend of the session. This is similar to the trainingDO YOU KNOW?Hacking originallymeant makingfurniture withan axe.
54methodology that teaches network defense by askingthe participants to build defense mechanisms ona classroom network and attack it successfully toexplain the vulnerabilities.• Being directed at a multi-cultural society with widevariations in perceptions of privacy, the programhas to recognize the subtle differences in approachthat will appeal to the beliefs and faiths long held bycertain target groups.• The approach should steer clear of using threats andshould refrain from being alarmist in nature. Thereare a number of benefits in carefully strategizingto handle the first resistance when participants say‘this has not happened to me for the past 20 years!’Alarmist approach can also create a mind set andactionpaththatwilldenyusersof informationsystemsthe complete benefit of technology proliferation. Ifsuch a thing should happen, the program would havecreated greater disservice to the user community thanhaving helped them preserve their privacy• Design the message and choose the communicationchannel in such a way that multiplier effect can beused.
55• The program has to considermulti-lingual delivery mecha-nism. We often hear peoplerejecting multi-lingual require-ment contending that most ofIT is still in English and thosewho use English language sys-tems can and should be trained or oriented in thatlanguage. While conceding the merit in this argu-ment, we must recognize that the purpose of privacyawareness programs is not to educate them but tobring about a change in the way they perceive privacy.A language in which they can be reached comfortablywill be a good option.• Where a personal touch is given to the spreadof privacy awareness, the person spreading theawareness message should carry adequate credibilityamongst the target audience. When the presenteris drawing lessons or examples from the success ofimparting privacy awareness among another group orin another location as reinforcement for the learningin the program, such reinforcement will be effectiveif the audience do not doubt the credibility of what isstated. Thiswillbeparticularlytruewhenthepresenteris quoting and relying on unpublished experiences.DO YOU KNOW?Computer hackingwas started bya group of MITstudents whenthey prepared topunch cards tomanipulate anIBM mainframe.
56Every awareness program that is designed should fullyconsider the following:1 Define target audience. This is perhaps the mostimportant step given the geographical spread of thecountry, its multi-cultural characteristics and differingdegree of technology reach. While this is the mostimportant task, this is also the most difficult task.2 The complexity in understanding the variousattributes of the target audience, as presented abovealso presents issues on determining what could bethe need of a given target group form the point ofview of privacy awareness. One way to handle this isto start with a set of well reasoned assumptions andthen fine tuning it based on feedback obtained fromthe target group.3 The choice of the right mix of channel used fordelivering privacy related messages is a key factorand hence needs to be chosen carefully. That mixof channels should fully meet the needs of the targetaudience and their comfort level with the chosen mixof channels.4 This privacy awareness program cannot be a single-content-fit-all type. It is this absence of ubiquitythat provides both the challenge and also the charm.
57Appropriate choice of contents(suggested list discussed inSection – 5 earlier) can beconsidered as one of the criticalsuccess factor in achieving theobjectives.5 It is important to identify an owner for each of theform and channel of delivery. This ownership willbe useful in constantly monitoring the effectivenessof the program and will serve as a single pointof reference to initiate and finalize mid coursecorrections while delivering the awareness programs.It will also come in handy when major changes areto be made in the structure, content and deliverychannels based on feedback and measurement ofprogram effectiveness.6 Establish a clear feedback mechanism where thetarget group members can get back with what theyfeel about the program. To assist them in providingstructured feedback, it is important to providethem with tools, formats and checklists to evaluatethe effectiveness of delivery and also state theirexpectations for future delivery of the program.• It will be a productive exercise if a definiteDO YOU KNOW?A hacker, JohnDraper inventeda whistle thatemits a 2.6 kHztone used inAT&T’s trunk callswitching system.
58time slot is devoted for participant’s feedback.This would be an interactive or moderatedsession where candid feedback from theusers can be gathered and such feedback willform the bedrock on which to design futureprograms. This method has significant meritover the more common form of asking theparticipants to fill in a feedback form sincemost forms filled cannot be revalidated withthe participants while a feedback sessionprovides such an opportunity. Of coursethis will be possible only where the deliverymechanism involves personal meeting withthe participants• In cases where personal meeting is not theway a delivery channel is designed, it will bea good idea to have a follow up structuredinterview with the participant’s (either via aphone or an interactive net / chat session) sothat the feedback can be quickly validated.• Feedbacks are valuable lessons from whichdesigners of future programs can learn alot. As with any other feedback, the valuablelessons will be lost if it were not to be
59carefully documented,analyzed, interpreted andthe results integrated intofuture program design.7. When to deliver the program is asimportant as how and where todeliver the program. Determining the most receptivetime for each target group and also determining thefrequency of repeating the program to reach thethreshold recall levels are important considerations.8. Designers of the program must recognize thatthe potential beneficiary is the recipient of a largenumber of information sharing and skill transferprograms in the normal course of his activities. Anadditional program on creating privacy awarenesswill be effective only if the message is delivered in aproactive way and the process is compelling enoughfor the beneficiary to pay attention to it.Every delivery of an awareness program, irrespective of thenature of delivery mechanism, must consider the followinggeneral issues in addition to what has been discussed above.1. The greatest weakness found in most awarenessprograms is that it focuses on “what” rather than“why” of the subject matter on which awareness isDO YOU KNOW?Hacking first wentHollywood in a1983 movie WarGames, about akid who breaks aDoD computer.
60being created. As an example consider the awarenessabout usage of good passwords. This is a verycommon topic in quite a few awareness programs.Most users of information systems can very wellanswer the question – “What” are the good practicesin constructing and using effective passwords. It ishowever not the case when asked “Why” are youdoing this? As an example, most people know thatthe optimal size of passwords is eight but most don’tknow the rationale in choosing it. In a typical privacyawareness program, it is important that the participantunderstands why he or she is encouraged to do orrefrain from doing a few things. If the answer tothe question “why” is not convincingly presented,however attentive the participant may be in theprogram and however well received the program maybe, its benefits will be short lived.2. A significant part of any privacy awareness programwill have technology content; and technology willkeep changing rapidly. Changes in technology shouldbe quickly and completely captured in the form ofupdates to the awareness program.3. As with technology, changes in the legal frameworkthat impacts privacy issues need to be quickly capturedand integrated into the program.
614. Privacy awareness programsshould not end up creatinginformation overload. Programsshouldhaveonlysomuchcontentas is comprehensible to the targetaudience and as will be withinthe threshold at which rejectionof information starts in different forms – outrightrejection, casual attention, incomplete attention orsuperficial attention to what is being delivered.The size and complexity of a national level privacy awarenessprogram requires good validation process. The size andcomplexity also poses a significant challenge to creating avalidation process. Privacy awareness program covering allusers of information systems and all stakeholders needs toconsider the following issues when attempting to validate thecompetencies of delivery mechanism:• If the delivery involves human effort, can we validatethese efforts to meet baselines established fordelivery of facilitator led programs? An example of aframework could be IBSTPI. Seeking to validate thedelivery performance against this framework wouldguarantee minimum standards of performance whichcan then be revalidated using the feedback received.DO YOU KNOW?In 1988, Robert T.Morris, inventedthe worm or self-replicating code,purportedly toassess Internetsecurity.
62• If the delivery mechanism involves the use of publicor mass media like the Radio and / or the Television,the media has good methods of determining thereach and intake of contents using listeners / viewerssurveys which could form the basis of determiningthe competencies of the media and the presenter.• If awareness is sought to be enhanced throughComputer Based Training (CBT) or Web BasedTraining (WBT) process, objectively measuring theireffectiveness is difficult except through interactivetesting process and ideally the rigor of suchtesting process should change with the degree ofunderstanding demonstrated by the beneficiary sothat the correct intake is assessed. Though such aprocess can be established and integrated into theCBT or WBT, the challenge will be in assembling theresults of all these assessments done across multiplelocations, multiple times and under multiple learningenvironments.• Wheretheoptionusedisintegratingprivacyawarenessinto college and school curriculum, their effectivenessis best assessed by seeking help from the educationalinstitutions to determine to what extent the programshave changed the attitude and understanding of thebeneficiaries as far as privacy is concerned. If the
63educational institution decidesto use the conventional exam-driven means of assessingeffectiveness of the program,the results may not be relevantsince passing an examination onprivacy may not be the same asacting in the best recommendedway to protect one’s privacy.• Automated tools and processes will impact mostparts of creating the program, introducing andupdating the contents of the program, distributingit across the country, actually delivering the program,collecting feedback, assessing the efficacy of thechannel of delivery and finalizing on the changes tobe incorporated for future. These tools and processesrequire a centralized approval and a decentralizedimplementation.DO YOU KNOW?It was rumoredthat agents ofChina’s PLAhacked theU.S. power gridand triggered amassive blackoutthroughout NorthAmerica in 2003.
64This document considered the issue of creating andimplementing privacy awareness programs from multipleview-points. By no stretch of claim is this the mostcomprehensive approach paper on this subject. Thereare a number of areas, referenced in this document, thatrequires further study and analysis before a comprehensivenational level privacy awareness program can be successfullyimplemented. Having said that, it is important to point outthat the lack of a comprehensive approach to awarenessprograms should not deter one from starting it. As with mostother learning experiences, an early start is a good ingredientfor success; as they say ASAP.last word