Successfully reported this slideshow.

Ch. 12 FIT5, CIS 110 13F

861 views

Published on

Presentation slides from Ch. 12, Fluency w/ Information Technology 5ed (Pearson)

Published in: Education, Technology
  • Be the first to comment

  • Be the first to like this

Ch. 12 FIT5, CIS 110 13F

  1. 1. Chapter 12 Privacy and Digital Security Friday, December 6, 13
  2. 2. Information Privacy & Security Learning Objectives • Privacy: safeguards for Personally Identifying Information (PII) & Personal Identifiers (PIDs) • OECD Fair Information Practices (FIPs) • U.S. privacy: Opt-in/Opt-out, compliance/enforcement • Computer Security • public key cryptosystems (PKCs) Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  3. 3. Privacy: Whose Information Is It? • Buying a product at a store generates a transaction, which produces information. • If you do this online, you supply even more PII • Even if you don’t “sign in”, your browser reveals information about you Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  4. 4. How Can the Information Be Used? • Transaction information – normal part of business – information belongs to the store • based on your purchases – store sends you ads for other items, – standard business practice Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  5. 5. Controlling the Use of Information • Who controls transaction information? 1. No Uses. The information ought to be deleted when the store is finished with it. 2. Approval or Opt-in. The store can use it for other purposes, but only if you approve. 3. Objection or Opt-out. The store can use it for other purposes, but not if you object. 4. No Limits. The information can be used any way the store chooses. Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  6. 6. Controlling the Use of Information 5. Internal Use. – store can use the information to conduct business with you, but for no other use – It would not include giving or selling your information to another person or business – may not require your approval Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  7. 7. Controlling the Use of Information • Outside the US the law and standards would place it between (1) and (2), but very close to (1). • In the US, the law and standards would place it between (3) and (4), but very close to (4) Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  8. 8. A Privacy Definition • Privacy: The right of people to choose freely under what circumstances and to what extent they will reveal personally identifying information to others. Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  9. 9. Fair Information Practices • There must be clear guidelines adopted for handling private information: -> Fair Information Practices (FIPs). Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  10. 10. OECD Fair Information Practices • 1980: the Organization for Economic Cooperation & Development (OECD) developed an 8-point list of privacy principles => became known as the Fair Information Practices => now, widely accepted standard Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  11. 11. OECD Fair Information Practices • The public has an interest in these principles becoming law • The principles also give a standard that businesses and governments can meet as a “due diligence test” for protecting citizens’ rights of privacy Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  12. 12. OECD Fair Information Practices An important aspect of the OECD principles is the concept that – a data controller: (the person or office setting the policies) – must interact with individuals about their information – must be accountable for those policies Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  13. 13. OECD’s Fair Information Practices • The standard eight-point list of privacy principles. – – – – – – – – Limited Collection Principle Quality Principle Purpose Principle Use Limitation Principle Security Principle Openness Principle Participation Principle Accountability Principle Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13 13
  14. 14. Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  15. 15. Privacy Worldwide • Privacy is not enjoyed in much of the world at the OECD standard • Privacy often comes in conflict with private or governmental interests: – Example, the United States has not adopted the OECD principles, because many U.S. companies profit by buying and using information in ways that are inconsistent with the OECD principles Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  16. 16. Privacy Worldwide • Many non-EU countries have also adopted laws based on OECD principles – One provision in the EU Directive requires that data about EU citizens be protected by the standards of the law even when it leaves their country Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  17. 17. U.S. Privacy Laws • The US failure to meet the requirements of the EU Directive concerns information stored by businesses Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  18. 18. U.S. Privacy Laws • US Sectoral Laws and Privacy: – Electronic Communication Privacy Act (‘86) – Telephone Consumer Protection Act of (‘91) – Driver’s Privacy Protection Act (’94) – Health Insurance Privacy & Accountability Act (’96) • The sectoral approach provides very strong privacy protections in specific cases Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  19. 19. Privacy Principles: Abroad • Three weaknesses in US privacy laws: 1. Opt-in/Opt-out (the US default is opt-out) 2. Enforcement There is no office of data controller in the US The FTC proposes that U.S. companies “comply voluntarily” 3. Coverage Countries adopting the Fair Information Practices have everything covered Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  20. 20. Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  21. 21. Cookies • Cookies are exchanged between the client and the server on each transmission of information, allowing the server to know which of the many clients is sending information Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  22. 22. Cookies • Many sites use cookies, even when the interaction is not intended to be as secure as a bank transaction (National Air and Space Museum sent the above) • The meaning of the fields is unimportant • The first is the server and the last is the unique information identifying the session Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  23. 23. Cookie Abuse • There is a loophole called a third-party cookie • A cookie is exchanged between the client and server making the interaction private • But, if the Web site includes ads on its page, the server may direct it to link to the ad company to deliver the ad • This new client/server relationship place a cookie on your computer Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  24. 24. Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  25. 25. Flash Cookies Flash Cookies (LSO) Congressmen Seek Answers to ‘Supercookies’ (WSJ) Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  26. 26. FIPS in the News Hazards of the FaceBook Generation FTC Fair Information Practices (FIPs) Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  27. 27. Tracking • Tracking is the practice of a Web site automatically sending details about a visit to other content providers • This is an emerging problem of concern to privacy experts • The consequences of being tracked are not yet fully understood • HTTP has a tracking flag telling servers what your tracking preferences are Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  28. 28. Do Not Track Notice that Google’s Chrome browser does not support user requests not to track. Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  29. 29. Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  30. 30. Digital Security • Computer security is a topic that is in the news almost daily. • Remember the “dos and don’ts” for online behavior: – Do check with the sender before opening an attachment you’re unsure about – Don’t fall for phishing emails Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  31. 31. Cryptology The scientific study of cryptography and cryptanalysis Cryptography: creating secret codes encryption Cryptanalysis: breaking secret codes decryption Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  32. 32. Encryption • Information that is recoded to hide its true meaning uses encryption • A major component of encryption is the key • They come in two forms: – Private – Public Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  33. 33. Symmetric-key Encryption • The key is a “magic number” used to transform plain text into cipher text • Both the sender and receiver must possess the key • The process of sending an encrypted message is a five-step algorithm Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  34. 34. Symmetric-key Encryption • 5-Step Encryption algorithm: 1. The sender breaks the message into groups of letters 2. “Multiply” each group of letters times the key 3. Send the “products”/results from the “multiplications” to the receiver 4. The receiver “divides” the “products” by the key to recreate the groups 5. Assemble the groups into the message Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  35. 35. Symmetric-key Encryption • This works because the math works • The “reversibility” of encryption makes them 2-way ciphers – Only the sender and receiver know the key, making the products useless numbers • This is a secure communication • This is called private key encryption, or symmetric-key cryptography Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  36. 36. Encryption Example Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  37. 37. Symmetric-key Schematic Diagram Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  38. 38. Private Key Encryption • Real encryption systems use much longer blocks (hundreds of letters) and larger keys • Multiplication, division are not the only operations that can be used for encryption • All that is needed is for an operation to have an inverse (divide is the inverse of multiply) Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  39. 39. Symmetric-key Encryption • Effective only if the symmetric key is kept secret by the two parties involved • Problem: The sender and receiver have to agree on the key, which means they need to communicate somehow • Usually, they meet face-to-face (they can’t email, they don’t have a key yet!) Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  40. 40. Public Key Encryption • To avoid that face-to-face meeting, publish the key! • Use public key encryption – Two special prime numbers multiplied together Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  41. 41. Public Key Encryption Steps • After, the receiver publishes the special key, K, the following happens: 1. The sender breaks up the message into blocks as before 2. The sender cubes each block, and divides by K, keeping only the remainders 3. The remainders are transmitted Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  42. 42. Public Key Encryption Steps • After, the receiver publishes the special key, K, the following happens: 4. The receiver raises each remainder to a high power determined by the prime numbers and known only to him 5. The receiver divides by K, too, and saves only the remainders, which are the original blocks. 6. The receiver assembles the message. Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  43. 43. How Do We Know It Works? • K, the magic public key, is just two prime numbers, p and q, multiplied together • It is possible to figure out those two numbers from the published key in theory. • This process, called factoring, is tough if the numbers p and q are large (60 digits apiece) • It is impractical to factor them no matter how powerful the computer! Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  44. 44. Web Field Trip Public-Key Cryptography (Mozilla Developers Network) • • • • • • Read the following sections: Introduction Internet Security Issues Encryption & Decryption Symmetric-Key Encryption Public-Key Encryption Key Length & Encryption Strength Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  45. 45. Web Field Trip Public-Key Cryptography (Mozilla Developers Network) Symmetric-key encryption plays an important role in the SSL protocol, which is used for encryption over TCP/IP networks. SSL also uses techniques of public-key encryption Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  46. 46. Web Field Trip Mozilla Developers Network • Public-key encryption requires more computation than private-key encryption • Therefore, use public-key encryption to send a symmetric key, which can then be used to encrypt additional data • This is the approach used by the SSL protocol Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  47. 47. Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  48. 48. Back Up your Personal Computer • First, you need a place to keep the copy, and you need software to make the copy. • The two easiest “places” to keep the copy are on an external hard disk or “in the cloud” • The “cloud” company’s computers store the information for you and they take responsibility of keeping it available to you Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  49. 49. System Backup Utilities • OS X: Time Machine • Windows: Backup and Restore Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  50. 50. Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  51. 51. Summary • Revealing personal information can be beneficial (e.g., Facebook, Google, etc.) • Organizations that receive the information must keep it private & secure • Guidelines for keeping data private have been created by several organizations, including the Organization for Economic Cooperation and Development (OECD) Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  52. 52. Summary • Guidelines often conflict with the interests of business and government, so some countries like the United States have not adopted them. Because the United States takes a sectoral approach to privacy, adopting laws only for specific business sectors or practices, much of the information collected on its citizens is not protected by OECD standards. Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  53. 53. Summary • The shortcomings for privacy conditions in the United States are Opt-in/Opt-out, compliance/enforcement, and coverage. • The “third-party cookie” loophole allows companies to gather information; identity theft is an unresolved problem. The best way to manage privacy in the Information Age is to have OECD-grade privacy laws. Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  54. 54. Summary • Public key cryptography (PKC) is a straightforward idea built on familiar concepts. • Computer scientists have not yet proved the invincibility of the RSA scheme, but it can be “made more secure” simply by increasing the size of the key. Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13
  55. 55. Ch. 12 Assessment: Learning Outcomes - Know the following Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Friday, December 6, 13

×