topic#3 - wordpress.com · surveillance technologies ! database surveillance: blacklist databases...
TRANSCRIPT
Anonymity, Security, and Privacy
Chapter 5 in “Ethical & Social Issues in the Information Age”, 5th edition.
Topic#3
By: Dr. Najla Al-Nabhan & Ms. Asma AlKhamis
A Modified Grading Method } Participation & Assignments [Tutorial]: 10 % } Quizzes: 5% } Midterm Exam: 25% è 20% (one midterm)
} Project: 15% } Presentation & Workshop: 10%
} Final Exam: 40%
The Outline
Ethical and Social...J.M.Kizza 3
} Introduction } Anonymity } Security } Privacy } Ethical and Social Issues
Introduction
Ethical and Social...J.M.Kizza 4
} Information has increased in value } The demand for information is high due to:
} High digitalization of information and increasing bandwidth. } Declining costs of digital communication. } Increased miniaturization/mobility of portable
computers and other communications equipment. } Greater public awareness by the news media of the
potential abuse of digital communication, especially the Internet.
} The danger for misuse is real
Anonymity
Ethical and Social...J.M.Kizza 5
} What is “Anonymity” ? } Absence of identity } The state of being nameless, having no identity.
} It is extremely difficult for anybody to live a meaningful life while one is totally anonymous.
} There are two common types of anonymity: } Pseudo identity. } Untraceable identity.
Anonymity
Ethical and Social...J.M.Kizza 6
} Pseudo Identity } An individual is identified by a certain pseudonym, code, or
number (similar to a writer’s pen name). } The most common variant of anonymity.
} Untraceable Identity } One is not known by any name including pseudo names.
Anonymity on the Internet
Ethical and Social...J.M.Kizza 7
} The nature of the Internet, with its lack of political, cultural, religious, and judicial boundaries, has created opportunities for all faceless people to come out in the open.
} In particular, the Internet provides two channels through which anonymous acts can be carried out:
1. Anonymous servers : (by encryption) ¨ 2 types of anonymous servers : Anonymous & Pseudonymous.
2. Anonymous users: } All anonymity types are not 100 % anonymous. } Anybody with a basic knowledge of computing networking would know,
there is always a possibility to find those who misuse the Internet.
Anonymity on the Internet
Ethical and Social...J.M.Kizza 8
1. Anonymous Servers (a) Full anonymity servers, where no identifying information is
forwarded in packet headers (b) Pseudonymous servers, which put pseudonym in forwarded
packet headers, keeping the real identity behind a pseudonym.
2. Anonymous Users - Another Internet channel to assure anonymity is for users to assume
pseudonyms and use internet services such as chat rooms and social online networks anonymously.
- Sensitive and sometimes highly personal information has been posted to popular user groups, news groups, and online social networks chat rooms.
- Some networking protocols, such as (SMTP), accept messages to servers with arbitrary field information.
Advantages & Disadvantages of Anonymity
Ethical and Social...J.M.Kizza 9
- Anonymity has its good and bad sides. Advantages: } Checking unhealthy activities within an organization. } National security. } Some relationships and security of some people. Disadvantages: } Criminals can use it to their advantage, especially in
online social networks.
Anonymity vs. Single Identity
Ethical and Social...J.M.Kizza 10
Legal View of Anonymity
Ethical and Social...J.M.Kizza 11
} Society may not be safe, if a lot of criminals use anonymity to hide their criminal activities.
} It brings suffering in social relations in society. (?) } It is necessary, either for a local authority or national
legislatures, to pass laws that regulate when and who can use anonymity legally.
} Currently, there are serious debates on the freedoms of individuals on the Internet and how these freedoms can be protected.
Ethical and Social...J.M.Kizza 12
Security
} In general, Security can be considered a means to prevent unauthorized:
} access, } use, } alteration, } and theft or physical damage
to a property.
Information Security
Ethical and Social...J.M.Kizza 13
} It involves these three elements: 1. Confidentiality - to prevent
unauthorized disclosure of information to third parties.
} Important! disclosure of personal information such as medical, financial, academic, and criminal records.
2. Integrity - to prevent unauthorized
modification of files. } Includes system, information, and personnel integrity.
3. Availability -: to prevent unauthorized withholding of information from those who need it when they need it.
} Denial of Service Attack (DoS)
Physical Access Controls
Ethical and Social...J.M.Kizza 14
} Physical Security Barriers } The area surrounding the facility can be secured using
locks and keys, window breakage detectors, infrared and ultrasonic detectors, interior microwave systems, animal like dogs, and human barriers like security guards and others.
} Electronic Access Controls } With advances in technology, we are moving away,
though not totally, from the physical barriers to more invasive electronic controls
} Include card access control systems & firewalls, passwords...
Firewalls…
Ethical and Social...J.M.Kizza 15
} It is hardware or software used to isolate the sensitive portions of an information system facility from the outside world and limit the potential damage that can be done by a malicious intruder.
} Three types of firewalls: } Packet Filters: packet-level filters. } Proxy - individual client requests conform to the pre-set
conditions, then the firewall acts on the request
What does Proxy Mean?
Ethical and Social...J.M.Kizza 16
Source: https://en.wikipedia.org/wiki/Proxy_server
Passwords
Ethical and Social...J.M.Kizza 17
} password is a string of usually six or more to verify a user to an information system facility, usually digital system.
} Password security greatly depends on the password owner } Four “never” cardinal rules:
1. Never publicize a password. 2. Never write a password down anywhere. 3. Never choose a password that is easy to guess. 4. Never keep the same password for an extended period of
time. } Password security is :
} important to individuals whose files are stored on a system + } vital to the system as a whole.. Why?
èSystem security is the responsibility of every individual user of the system.
Information Security Controls
Ethical and Social...J.M.Kizza 18
} Information security includes the integrity, Confidentiality , and availability of information } At the servers, including information in files and databases } and in transition between servers and between clients and
servers.
} The security of information can be ensured in a number of ways. The most common are: } Cryptography for information transmission } Authentication and } Audit trails at the information source and information destination
servers.
Cryptography
Ethical and Social...J.M.Kizza 19
} Cryptography is the science of writing and reading coded messages, forms the basis for all secure transmission.
} Encryption } Encryption is a method that protects the communications
channel from sniffers } Sniffers: programs written for and installed on the
communication channels to eavesdrop on network traffic, examining all traffic on selected network segments.
} Cryptography uses an encryption algorithm and key to transform data at the source, called plaintext; turn it into an encrypted form called ciphertext, usually an unintelligible form.
2 Types of Encryption Methods :
Ethical and Social...J.M.Kizza 20
Authentication
Ethical and Social...J.M.Kizza 21
} Verifying the identity of a user
} Authentication is a process whereby the system gathers and builds up information about the user to assure that the user is genuine.
} Difficult, especially in the internet (remote users).
} In data communication: ensuring the digital message recipient of the identity of the sender and the integrity of the message.
Authentication: Digital Signatures
Ethical and Social...J.M.Kizza 22
} In computer systems, authentication protocols based on cryptography use either secret-key or public-key schemes to create an encrypted message digest that is appended to a document as a digital signature.
Authentication Methods
Ethical and Social...J.M.Kizza 23
} Authentication of users or user surrogates is usually based on checking one or more of the following user items } Username } Password } Retinal images } Fingerprints } Physical location } Identity cards
Implementing Security
Ethical and Social...J.M.Kizza 24
} A strong authentication method is the one that includes : } Something you “know”,
} Username, Passwords
} Something you “own”, and } ATM card, Employee card..
} Something you “are”. } Biometrics: fingerprint,
Operational Security
Ethical and Social...J.M.Kizza 25
} Operation security involves policies and guidelines that organizations, and employees, must do to secure the assets of the organization and its members.
} These policy guidelines are spelt out in a document we call a security policy.
} It also includes guidelines for security recovery and response in case of a security incident.
Part II: The Privacy
Ethical and Social...J.M.Kizza 26
Ethical and Social...J.M.Kizza 27
Privacy
} Privacy is a human value consisting of four elements (or rights):
} Right to control external influences on individual information:
1. Solitude - right to be alone 2. Anonymity – right to have no public identity 3. Intimacy – right not to be monitored
} Right to control personal information: 4. Reserve – right to control one’s information
Ethical and Social...J.M.Kizza 28
Types of Privacy
1. Personal Privacy: involves the privacy of personal attributes.
2. Informational Privacy: concerns the protection of unauthorized access to information itself.
} It includes: Personal information , financial information , Medical information, and the Internet.
3. Institutional Privacy: institutions and organizations want their data private. Why?
Ethical and Social...J.M.Kizza 29
Value of Privacy } Privacy has traditionally been perceived as valuable.
} Privacy has even gained more importance in the information age because it guards an individual’s personal identity, preserves individual autonomy, and makes social relationships possible.
Ethical and Social...J.M.Kizza 30
Value of Privacy } We consider three attributes of privacy: 1. Personal identity: safeguard personal identity
2. Autonomy: preserve individual autonomy in decision-making:
} Less known information, more autonomy
3. Social relationships: support social relationships
Privacy Implications of Database System
} Information Gathering: } Have you paid enough attention to the number of junk mail,
telephone calls during dinner, and junk emails you have been getting?
} Information gathering is a very serious business that is increasingly involving a growing number of players that traditionally governments gathering mostly defensive information on weapon systems.
} Who has your name on a list and what they're doing with it?
Ethical and Social...J.M.Kizza 31
Ethical and Social...J.M.Kizza 32
Information Gathering, Databases, and Privacy
} With globalization and the Internet, the doors to the information gathering field have been cast open.
} Now individuals, companies and organization, and of course governments are all competing, sometimes for the same information.
} Who has your name on a list and what they're doing with it?
} companies you have done business with. } Individuals } Government agencies
Surveillance technologies
} Database Surveillance: Blacklist databases & data theft
} Internet Surveillance: Tracking users’ info through cookies
} Video Surveillance: CCTV cameras to discourage criminals
} Satellite Surveillance: GPS takes images of our personal lives
} Mobile Surveillance: 3G mobiles with video camera & internet
} ID Cards Surveillance: ID cards include microchips with personal & biometric info of user’s authentication
33
Ethical and Social...J.M.Kizza 34
Information Gathering, Databases, and Privacy
} The U.S. Graham-Leach-Bliley Financial Services Modernization Act - protect the customer through three requirements that the institutions must disclose to us:
} Privacy Policy: through which the institution is bound to tell us the types of information the institution collects and has about us and how it uses that information.
} Right to Opt-Out: through which the institution is bound to explain our recourse to prevent the transfer of our data to third party beneficiaries.
} Safeguards: through which the institution must put in place policies to prevent fraudulent access to confidential financial information.
Ethical and Social...J.M.Kizza 35
Privacy Violations } Intrusion – wrongful entry ( hacking) } Misuse of information
} we involuntarily give off personal information } businesses collect it
} Interception of information } eavesdropping
} Surveillance } Information matching using unrelated databases -
usually illegally
Ethical and Social...J.M.Kizza 36
Privacy Protection
} Is it possible?
} Rapid advances in computer technology, and in particular the advent of the Internet, have all created an environment where detailed information on individuals and products can very easily and cheaply be: moved, merged, marched, compared and shared.
} Guidelines and structures that safeguard and protected privacy rights.
Ethical and Social...J.M.Kizza 37
Privacy Protection } These structures and guideline, on the average fall
under the following categories (see pages 92-94): } Technical - through the use of software and other technical
based safeguards and also education of users and consumers to carry out self-regulation.
} contractual –through which information like electronic publication and how such information is disseminated are given contractual and technological protection against unauthorized reproduction or distribution.
} legal – through the enactment of laws by national legislatures and enforcement of such laws by the law enforcement agencies.
} Through individual efforts (be vigilant)
Ethical and Social...J.M.Kizza 38
Ethical and Social Issues } The ethics of privacy - with the advent of the Internet
and electronic messages, confidentiality is a great concern. } Computer technology has raised more privacy questions than
it has found answers to
} The ethics of security - the Internet is an insecure communications channel when it is used by a criminal.
Is it computers problem?
} You may be tempted to say that computers are not really the problem or the cause of the problem.
} It is individuals and organizations that are creating, gathering, exchanging, and using information.
} Computers, according to this argument are simply tools.
} If someone to be blamed, it is the people who use computers, not the computers themselves.
39 Dr. Hassan Abdullah lecture note
Role of Computer Professionals
} Computer professionals can play an important role, individually and collectively.
} First and foremost, individual professionals must not wash their hands off privacy issues.
} A computer professional can point out privacy matters to clients or employers when building databases containing sensitive information.
40 Dr. Hassan Abdullah lecture note
Role of Computer Professionals – cont.
} The original ACM Code of Professional Conduct (passed by the ACM Council in 1973) specified that: An ACM member, whenever dealing with data concerning individuals shall always consider the principle of the individuals‘ privacy and seek the following: } To minimize the data collected. } To limit authorized access to the data. } To provide proper security for the data. } To determine the required retention period of the data. } To ensure proper disposal of the data.
41 Dr. Hassan Abdullah lecture note
Role of Computer Professionals – cont.
} The Guidelines ACM Code of Ethics explain that: "It is the responsibility of the professionals to maintain the privacy and integrity of data describing individuals".
} This includes taking precautions to ensure the accuracy of data, as well as protecting it from unauthorized access or accidental disclosure to inappropriate individuals.
42 Dr. Hassan Abdullah lecture note
Discussion Questions
} Discuss the importance of anonymity on the Internet
} Define security and privacy. Why are both important in the information age?
} What is the difference between privacy and confidentiality?
} Discuss the technical, contractual, and legal guidelines for privacy protection.
43