<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
><channel><title>CIPP Guide &#187; CIPP</title> <atom:link href="http://www.cippguide.org/category/cipp/feed/" rel="self" type="application/rss+xml" /><link>https://www.cippguide.org</link> <description>Your Guide to the CIPP</description> <lastBuildDate>Sat, 11 Feb 2012 07:47:27 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <item><title>Phone-Home Software</title><link>https://www.cippguide.org/2010/10/12/phone-home-software/</link> <comments>https://www.cippguide.org/2010/10/12/phone-home-software/#comments</comments> <pubDate>Tue, 12 Oct 2010 12:00:18 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[activation]]></category> <category><![CDATA[anti-piracy]]></category> <category><![CDATA[CIPP/IT]]></category> <category><![CDATA[computraceone]]></category> <category><![CDATA[EULA]]></category> <category><![CDATA[FTC]]></category> <category><![CDATA[genuine]]></category> <category><![CDATA[iTunes]]></category> <category><![CDATA[phone home]]></category> <category><![CDATA[WAT]]></category> <category><![CDATA[WGA]]></category> <category><![CDATA[windows]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=2224</guid> <description><![CDATA[Phoning home is a controversial issue for software manufacturers, developers and end-users. Phoning home refers to communication between a user’s software or hardware and the manufacturer. Certain applications may collect and store information about the end user and transmit it back “home” to the manufacturer. However, phone-home software has a number of different applications that include malicious and non-malicious uses. This article will explore various uses of phone-home software, as well as the security questions that are [...]]]></description> <content:encoded><![CDATA[<h1><span
style="font-weight: normal;font-size: 13px">Phoning home is a controversial issue for software manufacturers, developers and end-users. Phoning home refers to communication between a user’s software or hardware and the manufacturer. Certain applications may collect and store information about the end user and transmit it back “home” to the manufacturer. However, phone-home software has a number of different applications that include malicious and non-malicious uses. This article will explore various uses of phone-home software, as well as the security questions that are raised.</span></h1><h2>Applications of phone-home software</h2><p>Phone-home features have been integrated into numerous software titles for reasons including:</p><ul><li>Anti-piracy measures</li><li>Tracking lost/stolen hardware</li><li><a
href="http://www.cippguide.org/2010/08/17/access-controls/" target="_blank">Access control</a></li><li>Marketing purposes</li></ul><p>Often, the traffic on the end-user’s network is encrypted, so it can be difficult to determine exactly what data is being transmitted back to the manufacturer.</p><p>A well-known example of phone-home software is <a
href="http://en.wikipedia.org/wiki/Windows_Genuine_Advantage" target="_blank">Windows Genuine Advantage</a> (WGA). In 2005, Microsoft launched this application as part of an anti-piracy program. The installation of the application was required if users wanted to download further Windows updates. It checked if users were working from a licensed copy of Windows XP. Should a user be running a pirated version, the user would receive notifications. Finally, if no action was taken, the user would be blocked from downloading some updates.</p><p>WGA garnered much criticism in mid-2006 as users learned that it would “phone home” on a daily basis, without informing users of this function. In response to the controversy, Microsoft made significant adjustments to the phone home activities of WGA. Once systems were validated, WGA would cease connection attempts altogether. Systems that could not be validated would be restricted from certain automatic updates, downloads, installation procedures and some program executions. Microsoft also changed its <a
href="http://en.wikipedia.org/wiki/Software_license_agreement#Enforceability_of_EULAs_in_the_United_States" target="_blank">End User License Agreement</a> (EULA) to include more explicit information regarding the WGA. The EULA presented users with the choice to accept or reject the WGA procedures.</p><p>Microsoft was not the only one receiving criticism for its phone home practices at this time. Users of Apple’s Mac OS X were also noticing network activity, which was supposedly for the purposes of verifying Dashboard widgets. According to users, Apple did not inform them of the new feature or its activities. Such activity was only determined through the use of firewalls, which informed users when the program would attempt to establish outgoing internet connections. Although it was unclear what exactly was being communicated between the client and the server, users were obviously uncomfortable with the fact that their computers were automatically checking in with Apple.</p><p>Another example of phone-home software is the iTunes MiniStore, which introduced a feature that suggested music from the iTunes Music Store based on users’ song selections. This was one of many downloadable updates from Apple. However, the EULA for iTunes did not inform users that the application would transmit information about the user’s music preferences back to Apple. With the new feature, whenever a user selected a song, iTunes connected to the internet to update the MiniStore. User information would be passed to Apple through a third party.</p><p>Although the iTunes MiniStore feature could be disabled easily enough (by closing the pane), users were enraged that their personal information was being passed through a third party without their consent. 
Even though this information was relatively harmless, users demanded that Apple make this feature clear and explain how it could be turned off.</p><h2>Windows Activation Technologies</h2><p>In February 2010, Microsoft announced a new anti-piracy initiative, referred to as <a
href="http://www.zdnet.com/blog/bott/windows-activation-technologies-an-unauthorized-inside-look/1803" target="_blank">Windows Activation Technologies</a> (WAT) update KB971033 for Windows 7. This would involve an automatic phone-home procedure to Microsoft servers every ninety days. The purpose of the WAT is to ensure that users are not using pirated versions of Windows. Critics have voiced concerns regarding the repeated authentication checks. These quarterly checks would mean that systems need to meet a certain set of criteria, or be subject to restrictions, even if that same system had previously been verified.</p><p>This could result in previously verified systems being downgraded to a non-genuine level. Such systems would still be able to function normally, but users may face some annoying changes. For instance, desktop backgrounds would periodically change to black, users would have only limited access to updates and piracy notifications would appear frequently.</p><p>The incentive for downloading and running WAT is still unclear to many users. While it may be important to identify if systems are running illegitimate versions of Windows 7, the downgrade process is largely unnecessary. Certain users may be concerned if their system is running a pirated version of Windows, which may have a chance of allowing viruses or other malware into their system. However, it may be more common that people are using legitimate copies that simply have not been authenticated yet.</p><p>While Microsoft insists that the WAT upgrade is completely voluntary, critics argue that consumers should not be tied to application manufacturers as a result of cradle-to-grave authentication processes. This sort of surveillance regime is an unacceptable intrusion on the privacy of individuals and could potentially harm a large number of innocent computer users.</p><h2>Other uses</h2><p>Not all phone home applications receive a negative response from end-users. 
Certain tracking technology allows police to locate stolen computers across the world. One of the most effective types of tracking software is embedded within the BIOS of a computer’s motherboard. This software cannot be wiped or removed from the system. If the stolen computer attempts to connect to the internet, the phone home software transmits information to a monitoring center, reports the IP address and allows law enforcement officials to find its location. One such application, ComputraceOne, created by Absolute Software, claims to have helped recover over 5,000 stolen computers.</p><h3>Summary</h3><p>This article explores the issue of phone-home features embedded in certain software. While phone-home features are found in spyware and other forms of malware, they are also integrated in legitimate software, such as Microsoft Windows, Apple OS and other applications. The feature may be used as an anti-piracy measure, to track lost or stolen hardware, to control access or for collecting information for marketing purposes. 
Security issues that are raised by such a feature include lack of disclosure to users, lack of consent, scope of functionality and level of surveillance.</p><h3>CIPP/IT Preparation</h3><p>In preparation for the Certified Information Privacy Professional/Information Technology exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Privacy concerns and the consumer perspective (II.A.a.)</li><li>System monitoring (II.A.l.)</li><li>Phone-home software (II.A.l.i.)</li><li>Privacy expectations and consumer behaviors (II.B.a.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/10/12/phone-home-software/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Price Discrimination</title><link>https://www.cippguide.org/2010/10/05/price-discrimination/</link> <comments>https://www.cippguide.org/2010/10/05/price-discrimination/#comments</comments> <pubDate>Tue, 05 Oct 2010 12:00:02 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Compliance & Regulations]]></category> <category><![CDATA[Amazon]]></category> <category><![CDATA[CIPP/IT]]></category> <category><![CDATA[coupons]]></category> <category><![CDATA[dell]]></category> <category><![CDATA[ecommerce]]></category> <category><![CDATA[FTC]]></category> <category><![CDATA[price discrimination]]></category> <category><![CDATA[US PIRG]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=2222</guid> <description><![CDATA[Price discrimination is a strategy that is frequently used by commercial organizations as a way of distinguishing between different groups of customers. By separating consumers into subcategories, companies can charge different prices for the same goods or services. With the rapid growth of e-commerce, companies are able to experiment with and implement different price discrimination strategies. Online consumers consciously and unconsciously provide vendors with information that helps them to split the market into segments for price discrimination. This article introduces basic concepts involved in price discrimination, as well as some of the impacts on consumers’ [...]]]></description> <content:encoded><![CDATA[<h1><span
style="font-weight: normal;font-size: 13px">Price discrimination is a strategy that is frequently used by commercial organizations as a way of distinguishing between different groups of customers. By separating consumers into subcategories, companies can charge different prices for the same goods or services.</span></h1><p>With the rapid growth of <a
href="http://en.wikipedia.org/wiki/Electronic_commerce" target="_blank">e-commerce</a>, companies are able to experiment with and implement different price discrimination strategies. Online consumers consciously and unconsciously provide vendors with information that helps them to split the market into segments for price discrimination. This article introduces basic concepts involved in price discrimination, as well as some of the impacts on consumers’ privacy.</p><h2>What is Price Discrimination?</h2><p>Price discrimination is also referred to as yield management. This takes place when a company charges varying prices to different groups of customers, for the same goods or services. This variation in price is not related to the cost of the good or service provided. The different groups of customers are referred to as segmented markets.</p><p>Price discrimination is a strategy that is employed by almost every industry that has some power to determine prices. There are a number of different types of price discrimination:</p><ol><li>Optimal Pricing:  This is also referred to as perfect price discrimination. With this type of price discrimination, the vendor charges each individual the price that they are willing and/or able to pay. This heavily depends on how much information the vendor has regarding the consumer’s preferences. For the most part, this type of price discrimination is considered unattainable.</li><li>Second Degree Price Discrimination:  With this form of price discrimination, vendors sell a product that is surplus capacity at a lower price than the standard or advertised price. This type of price discrimination is independent of any personal information from consumers. An example of this is the sale of standby airline seats. Second degree price discrimination has been advanced by developments in e-commerce.</li><li>Third Degree Price Discrimination:  This is also referred to as multi-market price discrimination. 
With this type of price discrimination, the market is segmented, for instance in terms of time or geography. It is a common type of price discrimination in which the price charged depends on the segment of the market.</li></ol><p>Price discrimination is not a new strategy; it has been applied throughout history. However, it is often not publicized, as it incites negative public responses. Nevertheless, proponents argue that despite the inequitable treatment of individuals, on a larger scale, the practice may offer a more efficient use of resources. With the development of new technologies, companies are finding ways to price discriminate that may not have been possible before.</p><h2>E-Commerce &amp; Price Discrimination</h2><p>With the rise of e-commerce, there has been a steady erosion of privacy. Privacy professionals and other observers have identified this as a continuing trend with the internet. The vast majority of privacy invasions stem from the private sector. Seemingly, with better information about consumers, vendors can more appropriately target their advertising dollars. Whereas in the past companies needed to invest heavily in gathering personal information and monitoring the spending habits of consumers, current technology makes price discrimination a commercially feasible practice.</p><p>With <a
href="http://en.wikipedia.org/wiki/Ubiquitous_computing" target="_blank">ubiquitous computer systems</a>, vendors can engage in more “intelligent” transactions, recording information about the environment and consumer conditions. Information about consumers may be collected through repeated interactions between vendor and consumer. For instance, cookies may be used to track consumer purchasing habits. This allows vendors to refine the information about their customer base and dynamically change pricing schemes to respond to the information.</p><p>This practice may bring about both positive and negative results. For instance, customers may enjoy personalized treatment, such as discounts, suggested products and individualized content. On the other hand, many customers are wary of <a
href="http://www.cippguide.org/2010/04/20/recommendations-for-identity-theft-related-data-breach-notification/" target="_blank">potential privacy invasions</a>. Consumers are generally not pleased to learn that a vendor engages in price discrimination; no one wants to pay more than someone else for the same item.</p><p>Common examples of price discrimination include:</p><ul><li>Dell Computers selling the same model laptop to different markets (i.e. individuals, small businesses, enterprises and governments) at different prices.</li><li>Vendors charging customers at different rates, depending on their IP address.</li><li>Amazon.com drawing on customer’s past purchases and spending habits to charge different prices for DVDs.</li></ul><h2>Web Coupons</h2><p>Coupons retrieved from the internet are a rapidly growing segment of the coupon industry. Such coupons are accessed and printed from the internet and may carry with them a lot of consumer information, such as their IP address, <a
href="http://www.cippguide.org/tag/PII/" target="_blank">personally identifiable information</a> and the search terms used to find the coupon. While this form of tracking may be invisible to consumers, vendors may be able to collect such information simply by scanning the bar code of the coupon.</p><p>Many web coupons are handled by third party service providers, who may collect and analyze vast amounts of information about clients for the retailers. Well-known web coupon companies include RevTrax, FatWallet and Ebates.com. Vendors may also be able to narrow down their customer base by sending specific keyword searches to different web addresses. These addresses may be invisible to the consumer, who may only be able to see a simple, standard web address. Information collected online may be combined with data from offline databases, which could be significantly harmful to consumers. Such information is collected, not only without individual consent, but without any form of transparency or accountability.</p><h2>Legal Issues</h2><p>The issues that have been raised by e-commerce and other online practices have significant implications for law and technology. Currently, US antitrust law specifically addresses price discrimination. The <a
href="http://en.wikipedia.org/wiki/Robinson%E2%80%93Patman_Act" target="_blank">Robinson-Patman Act of 1936</a> states that it is illegal for vendors to treat their customers differently, unless they have an acceptable legal justification for such treatment. However, the <a
href="http://www.cippguide.org/tag/FTC/" target="_blank">FTC</a> has hardly applied the Act in the recent past. The Robinson-Patman Act has even been considered irrelevant in terms of dynamic pricing in an e-commerce context.</p><p>Critics have argued that the Act is not really designed to protect consumer rights. This is highly problematic for privacy advocates, who believe that private sector interests are unfairly targeting and classifying individuals without their consent. Recently, the US PIRG (<a
href="http://www.uspirg.org/" target="_blank">United States Public Interest Research Group</a>) has partnered with the <a
href="http://www.democraticmedia.org/" target="_blank">Center for Digital Democracy</a> and <a
href="http://www.worldprivacyforum.org/" target="_blank">World Privacy Forum</a> in order to urge the FTC to review online consumer tracking practices.</p><h3>Summary</h3><p>This article explores the issue of price discrimination. It discusses three main types of the price discrimination practice: optimal pricing; second degree price discrimination and third degree price discrimination. The article examines how price discrimination has become more prominent with the developments in e-commerce and how practices such as web coupons intensify the risk of privacy intrusions. The lack of relevant, up-to-date legislation around this issue is also discussed.</p><h3>CIPP/IT Preparation</h3><p>In preparation for the Certified Information Privacy Professional/Information Technology exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>E-commerce personalization (II.A.d.)</li><li>Price discrimination (II.A.h.)</li><li>Privacy expectations and consumer behaviors (II.B.a.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/10/05/price-discrimination/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Social Networking Services &amp; Privacy Issues</title><link>https://www.cippguide.org/2010/09/28/social-networking-services-privacy-issues/</link> <comments>https://www.cippguide.org/2010/09/28/social-networking-services-privacy-issues/#comments</comments> <pubDate>Tue, 28 Sep 2010 12:00:51 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[Beacon]]></category> <category><![CDATA[CIPP/IT]]></category> <category><![CDATA[Facebook]]></category> <category><![CDATA[LinkedIn]]></category> <category><![CDATA[Social Networking]]></category> <category><![CDATA[Twitter]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=2219</guid> <description><![CDATA[It’s impossible to be online and not encounter social networking, which in recent years, has embedded itself in many facets of people’s online lives. Websites such as Facebook, MySpace, Twitter and LinkedIn offer their users huge forums for sharing information, establishing contact with others and maintaining ties to friends and family. This article examines social networking services from a privacy standpoint, looking at key issues such as access, control, limitations and trust. Websites’ privacy policies and their weaknesses are also examined, by using the well-known social networking service Facebook as an example of how these services can compromise users’ [...]]]></description> <content:encoded><![CDATA[<h1><span
style="font-weight: normal;font-size: 13px">It’s impossible to be online and not encounter social networking, which in recent years, has embedded itself in many facets of people’s online lives. Websites such as Facebook, MySpace, Twitter and LinkedIn offer their users huge forums for sharing information, establishing contact with others and maintaining ties to friends and family.</span></h1><p>This article examines social networking services from a privacy standpoint, looking at key issues such as access, control, limitations and trust. Websites’ privacy policies and their weaknesses are also examined, by using the well-known social networking service <a
href="http://www.cippguide.org/2010/07/08/youth-privacy-in-canada/" target="_blank">Facebook</a> as an example of how these services can compromise users’ security.</p><h2>Gaining Access</h2><p>The virtual communities of social networking websites have rapidly developed in recent years. For instance, facebook.com ranks second on US Quantcast rankings, with over 130 million visitors per month from the US alone. Other social networking sites, such as MySpace, <a
href="http://www.cippguide.org/2009/08/31/twitter-is-following-your-clicks/" target="_blank">Twitter</a> and LinkedIn rank within the top fifty most visited websites in the US.</p><p>Upon joining a social networking site, users provide <a
href="http://www.cippguide.org/tag/PII/" target="_blank">personal information</a> to create a profile, which may include their name or username; birth date; photos and videos; hometown; location; religious beliefs; ethnicity; personal interests and other identifying information. Through their profile, users make links with other people on the site, whether they are existing friends and family, or new acquaintances. While some users create their profiles to communicate with their circle of friends, information on social networking sites can all too easily be accessible to the public, employers, the press, academic staff, law enforcement and more.</p><p>Many social networking websites have restrictions for membership, which limit who can have access to users’ information. MySpace requires users to be at least thirteen years old, while Facebook is open to anyone. Sites like LinkedIn require users to be invited to the network, in order to show that they are part of a professional community. Despite these membership restrictions, social networking sites facilitate the sharing of digital information on a large scale. Distribution of information may be done by members within the network, or by the website itself. Sharing member information with third party advertisers is a common practice for many social networking sites.</p><h2>Limiting Control</h2><p>Once users put their information online, they relinquish much of their control over it. Information is transmitted much faster through an online social network than through a “real” or offline network. Even though people in the real world do not all have the same access to an individual’s personal information, on a social networking site, every “friend” has access to whatever the user may choose to put online.</p><p>There are various reasons for a user to limit the access to their personal information. 
Since digital information is shared amongst a group of people, it could be collected and stored for an undefined period of time. This may be harmful to the individual if the information is in the possession of someone for whom it was not intended.</p><p>Many social networking sites maintain files of users that try to reflect his/her identity as accurately as possible. Content is contributed by the user along with other members of the website. Users may have problems with how much control they actually have over their own online identity. Some social networking sites also have access to the user’s personal information from other websites.</p><p>Most social networking sites are free of charge; however, they depend on third-party affiliates to generate income. Many social networking sites collect and sell user information in the form of marketing profiles. One example of this is the targeted ads used by Facebook. With this program, third party advertisers use information from a users’ profile to create personalized advertising content. Currently, Facebook does not allow users to opt out of receiving such content.</p><p>Limited user control of information could lead to dangerous outcomes. Combined with loose access limitations, it may become difficult to prevent information-based harm. For instance, users of social networking services may unwittingly be putting themselves at risk for<a
href="http://www.cippguide.org/2010/04/20/recommendations-for-identity-theft-related-data-breach-notification/" target="_blank"> identity theft</a>. Studies have shown that it is easier than one might imagine to guess a social security number. With knowledge of one’s address and current employer, a burglar may know when a house is empty. With lax restrictions on information collection, information processing and information dissemination, users of social networking services may be poorly protected from such harmful outcomes.</p><h2>Privacy Safeguards</h2><p>From a privacy standpoint, trust is a key concept for social networking sites, among other online interactions. Trust is closely linked to information disclosure and social exchange. If users believe that the disclosure of information will be beneficial to them, then they are more likely to enter into a relationship with the social networking service.</p><p>However, researchers believe that the level and basis of this trust is not well understood. Despite numerous incidents, millions of users continue to join and participate in social networking sites, adding more and more personal information to their profiles. Unfortunately, the type of privacy expected and provided by social networking services is often undefined or inadequately defined.</p><p>Default privacy settings on many social networking sites do not offer a high level of privacy protection. They often allow a large amount of personal information to be accessible to any viewer. This may include blogs, comments, profile photos or videos.</p><p>Many social networking sites have privacy policies that appear as disclaimers that a user must accept to continue using the service. Through his/her acceptance of the terms and conditions, the user waives some privacy rights and other privileges over his/her personal information. 
Critics have pointed out that many of these privacy policies suffer from:</p><ul><li>Lack of visibility: Many privacy policies are mentioned once in the “terms of use,” which users must accept in order to continue. As these privacy policies are constantly changing to accommodate new features, services or demands, updated versions should be made visible on the website.</li><li>Inadequate information for users: Users are largely unaware of any changes to the social networking service, or the results that may occur from these changes. Users are also kept in the dark regarding any third party service providers the site may share information with.</li><li>Lack of independent review: The majority of social networking sites lack an independent monitoring system.</li></ul><h2>Example: Facebook</h2><p>Due to its great popularity, Facebook has received much attention for its actions regarding user privacy. Since 2006, Facebook has made numerous changes to its privacy policy, which has been problematic for privacy watchdogs and users alike. A number of its significant changes and privacy breaches are outlined below:</p><ul><li>2006: User information started to be shared with the public as well as third-party application developers. Facebook users were misled into revealing personal information that had once been protected.</li><li>2007: Facebook’s Beacon program disclosed users’ personal information without their knowledge or consent. This was a violation of a number of federal and state laws, including the Video Privacy Protection Act; California’s Computer Crime Law; the Electronic Communications Privacy Act; and the Computer Fraud and Abuse Act.</li><li>2009: Facebook made significant changes to its Terms of Service, declaring that it retained broad and even retroactive rights to users’ information, even after their accounts had been deleted. 
In the face of public outcry, Facebook was forced to overturn the changes.</li><li>2009: The Privacy Commissioner’s Office of Canada found Facebook violated the Personal Information Protection and Electronic Documents Act (PIPEDA).</li><li>Currently, publicly available information on Facebook includes: names; profile photos; list of friends; pages that members are fans of; gender; geographic regions; and networks that members belong to.</li></ul><h3>Summary</h3><p>This article introduces key privacy and security concepts surrounding social networking sites. While such sites have seen incredible popularity in recent years, they are also potentially dangerous tools, as they provide almost unrestricted access to the personal information of hundreds of millions of people worldwide. The article looks at issues of access to such information, how access is limited and how privacy and trust affect users of social networking sites. The article also explores some shortcomings and potential privacy risks, through a brief examination of Facebook’s privacy policies and their changes over time.</p><h3>CIPP/IT Preparation</h3><p>In preparation for the Certified Information Privacy Professional/Information Technology exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Privacy by policy, notice and choice (III.A.a.)</li><li>Social networking services (VI.C.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/09/28/social-networking-services-privacy-issues/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>De-Identification and Re-Identification</title><link>https://www.cippguide.org/2010/09/21/de-identification-re-identification/</link> <comments>https://www.cippguide.org/2010/09/21/de-identification-re-identification/#comments</comments> <pubDate>Tue, 21 Sep 2010 12:00:18 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[CIPP]]></category> 
<category><![CDATA[Compliance & Regulations]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[anonymization]]></category> <category><![CDATA[CIPP/IT]]></category> <category><![CDATA[de-identification]]></category> <category><![CDATA[HIPAA]]></category> <category><![CDATA[PII]]></category> <category><![CDATA[re-identification]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=2217</guid> <description><![CDATA[This article looks at the processes of de-identification, or anonymization of personal information. It also examines how developments in re-identification can use anonymous information to identify individuals, underscoring the shortcomings of anonymization [...]]]></description> <content:encoded><![CDATA[<h1><span
style="font-weight: normal; font-size: 13px;">According to a <a
href="http://portal.acm.org/citation.cfm?id=1179615">study</a> published in 2006, 87% of the American population has a unique combination of ZIP code, birth date and sex. This means that the combination of these three pieces of information is enough to identify each of these individuals. Exactly which information is classified as “identifying” and how is identifiable information protected?</span></h1><p>This article looks at the processes of de-identification, or anonymization of personal information. It also examines how developments in re-identification can use anonymous information to identify individuals, underscoring the shortcomings of anonymization processes.</p><h2>De-Identification</h2><p>De-identification refers to the process in which <a
href="http://www.businessweek.com/the_thread/blogspotting/archives/2009/07/differing_defin.html" target="_blank">sensitive data</a> is treated in such a way that the individual cannot be identified. For instance, the de-identification of data may remove specified identifiers. Depending on the legislation, there may be different criteria for de-identification of data.</p><p>There are numerous reasons for de-identifying data. The de-identified, or anonymized, data allows important information to be accessed and analyzed, while still protecting the privacy of individuals. This win-win compromise allows analysts to use this information, while preventing identity thieves and other unauthorized entities from identifying the individuals.</p><p><a
href="http://www.anderson.ucla.edu/faculty/jason.frand/teacher/technologies/palace/datamining.htm" target="_blank">Data mining</a> companies will often gather personal information from dentists, doctors, nurses or pharmacists. For instance, prescription information will be collected and later sold to private interests, such as pharmaceuticals or research organizations. The information is then analyzed for trends or patterns in the prescriptions. Data mining companies argue that since the information they collect is de-identified, there is no risk of compromising an individual’s sensitive information or revealing his/her identity.</p><p>According to the HIPAA (<a
href="http://www.cippguide.org/tag/hipaa/" target="_blank">Health Insurance Portability and Accountability Act</a>), there are two methods for de-identifying information. One option is to consult a qualified statistical expert regarding the risk of identifying the individual. This expert would be able to de-identify the data by applying methods to determine the risk that the information may be used to identify an individual, whether used alone or in combination with other information.</p><p>The other method is to remove eighteen specified identifiers. This ensures that there is no identifying information in the data. These identifiers are as follows:</p><ol><li>Name</li><li>Geographic categories smaller than a state</li><li>Dates (except for the year) that are related to an individual. This may include dates of birth, death, admission, discharge, etc.</li><li>Telephone numbers</li><li>Fax numbers</li><li>E-mail address</li><li><a
href="http://www.cippguide.org/tag/ssn/" target="_blank">Social security number</a> (SSN)</li><li>Medical record number</li><li>Health plan beneficiary number</li><li>Account numbers</li><li>Certificate or license numbers</li><li>Vehicle identifiers (e.g. serial numbers, license plates)</li><li>Device identifiers</li><li>Web URLs</li><li>IP addresses</li><li>Biometric identifiers (e.g. finger print, voice print)</li><li>Full-face photos</li><li>Any other unique identifying number, code or characteristic</li></ol><h2>Re-Identification</h2><p>The process of re-identification matches de-identified, or anonymized, personal information back to the individual. Re-identification brings to light some of the shortcomings of anonymization, since the goal of anonymization is to ensure that any personally identifying information is removed, without compromising the utility of the data.</p><p>Computer scientists have found that data which has been de-identified can easily be re-identified. This raises a host of issues for organizations dealing with “anonymized” data. Currently, organizations do not have privacy obligations when working with anonymized data. However, if the data can easily be made personally identifiable, critics argue that privacy safeguards should be put in place.</p><h2>Trail Re-Identification</h2><p>Originally, re-identification referred to using data from a single entity holding the data. Recent research has looked at the concept of trail re-identification, which studies a trail of anonymous, homogeneous data from a number of different locations. Looking at how the different data intersects can reveal personal, identifying information about the individual.</p><p>One example of trail re-identification is of online shoppers, who may visit a number of different websites before making a purchase. However, the IP addresses of their computers are recorded at each website they visit. 
Combining the visit logs with the customer lists may successfully identify individuals.</p><p>An identity thief may be able to reconstruct trails from data distributed over a number of locations. By pairing identified entities with their anonymized data, an adversary may be able to re-identify the individual through the process of trail matching. This form of identity attack is dependent on how the data is collected and to what extent it is collected. For instance, important information may include the fact that anonymous data is collected along with identified data, and if this data is complete or incomplete.</p><h2>Examples of Re-identification</h2><p>The following examples illustrate some failures of anonymization, in which individuals’ privacy could no longer be protected in light of the developments in re-identification processes. Although the harm done to the individuals was relatively limited, these examples point to how the process of re-identification can be used in more dangerous ways.</p><p>The introduction of this article cites Latanya Sweeney’s 2006 <a
href="http://portal.acm.org/citation.cfm?id=1168443" target="_blank">research</a> in which 87% of people in the United States can be identified by combining their ZIP code, birth date and sex. Sweeney’s research also found that other types of information can re-identify people. For instance, 53% of US citizens can be identified by their city, birth date and sex, while 18% of citizens can be identified by their county, birth date and sex.</p><p>In August of 2006, America Online (AOL) <a
href="http://en.wikipedia.org/wiki/AOL_search_data_scandal" target="_blank">publicly posted</a> 20 million search queries for 650,000 AOL search engine users. These queries covered three months of activity. Before the data was released, AOL anonymized it by removing identifying information, such as the username and IP address. However, these identifiers were replaced with unique identification numbers, so that researchers could still make use of the data. Due to the nature of the personal information revealed, AOL was criticized for the move. Even though the data was anonymized before the release, within a relatively short time, journalists were able to trace user queries to specific individuals.</p><p>In October 2006, Netflix, an online movie rental service, <a
href="http://www.freedom-to-tinker.com/blog/paul/netflixs-impending-still-avoidable-multi-million-dollar-privacy-blunder" target="_blank">publicly released</a> 100 million records regarding how its users had rated movies over the period of time from December 1999 to December 2005. The records showed the movie, the rating the user had given and the date the user had rated the movie. While identifying usernames had been removed, each user was given a unique identifying number.</p><p>Two weeks after the data was released, researchers from the University of Texas found that it was relatively easy to re-identify the individuals in the Netflix database and find out all of the movies that the individual had rated. According to the research, using only six movie ratings, one could identify the individual 84% of the time. With the six movie ratings and the approximate date of the ratings, one could identify the individual 99% of the time.</p><p>A 2009 study carried out by Alessandro Acquisti and Ralph Gross <a
href="http://www.blackhat.com/presentations/bh-usa-09/ACQUISTI/BHUSA09-Acquisti-GrossSSN-PAPER.pdf" target="_blank">showed</a> that SSNs can be predicted when combined with an individual’s date of birth and his/her geographic location. Using the publicly available records in the Social Security Administration’s Death Master File (DMF), Acquisti and Gross looked for trends in SSNs of reported deaths. The researchers found there was a strong correlation between an individual’s birth date and the digits in their SSN. This raises a serious concern for individuals whose birth dates are publicly known, whether through voter registration lists, social networking profiles or other sources.</p><h2>Protecting Privacy</h2><p>There are a number of different privacy models that have been developed in order to address the issue of re-identification. Some methods include:</p><ul><li><a
href="http://www.cippguide.org/2010/08/17/access-controls/" target="_blank">Access control</a>: This is the traditional model for safeguarding individuals’ privacy. It is also referred to as query restriction, which associates certain data to a given request in a multi-level relational database.</li><li>Statistical disclosure control: This method includes a wide variety of techniques, including suppression, noise addition and perturbation of records in a collection. Statistical disclosure control prevents the receiver of the data from inferring identities of the individuals.</li><li>Computational disclosure control: This model prevents the formation of direct connections from unidentified data to identifiable data. With computational disclosure control, records appear identical through generalization and suppression of attributes.</li><li>Algorithms: This model has been promoted most by the data mining industry to preserve the privacy of individuals.</li></ul><p>Legislation must be able to respond to the shortcomings of anonymization as well. Critics have pointed out that if the process of de-identification is ineffective, then so-called privacy protecting laws may be severely eroded. According to the HIPAA, the handling of health records that have been anonymized is not regulated. There are no regulations for such data, since it is supposedly protected. Given the many examples of unintended re-identification, critics have argued that de-identification alone is an insufficient privacy safeguard.</p><h3>Summary</h3><p>This article examines the reasons for and methods of de-identification, in which personal data is anonymized. It then looks at developments in re-identification of data, which links the personal information back to the individual. Several examples of re-identification of data are given, which raise the issue that anonymization is insufficient for safeguarding individuals’ privacy. 
Finally, the article presents privacy protection methods for addressing the issue of re-identification.</p><h3>CIPP/IT Preparation</h3><p>In preparation for the Certified Information Privacy Professional/Information Technology exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Data de-identification and minimization (III.B.a.)</li><li>Degrees of identification (III.B.a.iv.)</li><li>De-identification and re-identification (III.B.iv.2.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/09/21/de-identification-re-identification/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Preserving Anonymity: Tools</title><link>https://www.cippguide.org/2010/09/14/preserving-anonymity-tools/</link> <comments>https://www.cippguide.org/2010/09/14/preserving-anonymity-tools/#comments</comments> <pubDate>Tue, 14 Sep 2010 12:00:25 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Information Security]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[anonymity]]></category> <category><![CDATA[anonymization]]></category> <category><![CDATA[CIPP/IT]]></category> <category><![CDATA[Encryption]]></category> <category><![CDATA[GPG]]></category> <category><![CDATA[man-in-the-middle]]></category> <category><![CDATA[PGP]]></category> <category><![CDATA[Tor]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=2215</guid> <description><![CDATA[There are numerous technological tools and resources that can help individuals preserve their online privacy. Some tools ensure that email communications are confidential, some allow users to browse webpages securely and others still ensure that files are encrypted before they are transferred between two computers. This article will explore some tools that a user might rely on to protect their online [...]]]></description> <content:encoded><![CDATA[<h1><span
style="font-weight: normal;font-size: 13px">There are numerous technological tools and resources that can help individuals preserve their online privacy. Some tools ensure that email communications are confidential, some allow users to browse webpages securely and others still ensure that files are <a
href="http://www.cippguide.org/tag/cryptography/" target="_blank">encrypted </a>before they are transferred between two computers. This article will explore some tools that a user might rely on to protect their online privacy.</span></h1><h2>Anonymizers: What do they do?</h2><p>Anonymity tools allow users to build connections with websites, for instance for communications, or commercial purposes, without revealing the user’s <a
href="http://www.cippguide.org/tag/identity/" target="_blank">identity</a>. There may be numerous reasons for individuals to protect their identity, for instance, fear of persecution, exercising the right of free speech, or to minimize risk, avoid activity monitoring and prevent identity theft. Anonymity tools are used by a variety of individuals, from law enforcement officers, to human rights workers, journalists, citizens of repressive governments and regular internet browsers. Anonymity tools enable users to browse the internet without revealing personal information.</p><p>Even while visiting websites that do not require personal information, internet browsers reveal IP addresses by default. The use of anonymizing proxies allows users to browse without exchanging any personal information, as the proxy makes requests to the websites on the user’s behalf.</p><h2>Models of Anonymizers</h2><p>Mix networks are one model of anonymizer. Mix networks are made up of routers which use layered encryption, buffering and message reordering to create a path for the data to follow through the network. The routers store and forward messages at random intervals and can ensure that each message sent in the network is exactly the same length. Even if there is no data ready to be sent, the router can randomly create and send a message. An example of a mix network anonymity tool is <a
href="http://en.wikipedia.org/wiki/Onion_routing" target="_blank">Onion Routing</a>, which uses an “onion,” or layered data structure to transmit data to recipients.</p><p>Another model is known as the Crowd system. It was first developed by AT&amp;T, based on a similar concept to the mix network. With the Crowd system, users are grouped with other users in a “crowd.” The crowd forwards requests to a random member, without revealing the origin of the request. Unlike mix networks, which send data on pre-configured paths, the Crowd system dynamically creates paths for each request. This makes the Crowd system more flexible to network changes.</p><h2>Anonymizers &amp; Risks</h2><p>There are a number of risks involved with using anonymizers. For instance, users who access the anonymizing proxy are revealing their IP addresses to that proxy. Some anonymizers may record incoming and outgoing connections. Even if an anonymizer claims not to log user activity, this is often difficult to ascertain. Internet service providers have also been known to log their customers’ online activities. Certain malicious anonymizers have been known to perpetrate “man in the middle” attacks, in which the anonymizer modifies the content being transmitted or received.</p><p>In order to limit risks, certain users will encrypt any private information that is exchanged outside of the anonymizer, for instance usernames, passwords, credit card information and email addresses.</p><h2>Tor Network</h2><p>Another option for limiting risks is to use one anonymizer to connect to another, a technique known as daisy chaining. This allows the user to appear anonymous to the exposed anonymizing tool. A well-known application of daisy chained anonymizers is the <a
href="http://www.torproject.org/" target="_blank">Tor network</a>.</p><p>The Tor network is based on an onion routing system and is a network of encrypted connections. It works to hide users’ identity and their online activities from monitoring and analysis efforts. Since each layer is encrypted, the Tor network ensures that there is anonymity between the routers. When data is sent on a Tor network, it takes a random, private pathway through different relays. Each relay is only aware of the relay that came before it and the relay that comes next. No single relay will ever know all the relays in the sequence. The user’s circuit is changed every ten minutes, to prevent monitoring.</p><p>Like any anonymity network, the Tor system does have its shortcomings. Tor is mainly designed to ensure the secure transport of data. However, data sent on the Tor network may be monitored by any party that has access to both origin and destination of a user’s connection. In the US, the federal government is entitled to monitor domestic internet activity, in accordance with the <a
href="http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act" target="_blank">Communications Assistance for Law Enforcement Act</a> (CALEA).</p><h2>Encryption</h2><p>Many users rely on encryption tools to protect sensitive information transmitted online. Numerous encryption tools have been developed to enable users to protect their information. Encryption algorithms render information unreadable to individuals unless they have the encryption key. The longer the encryption key, the more difficult it is for an attacker to decrypt the information. While earlier encryption keys were only 56 bits long, most privacy professionals will recommend 128-bit encryption keys.</p><h2>File Encryption</h2><p>There are different types of encryption for different purposes. File encryption ensures that sensitive data transmitted over the internet, or information stored on a home system, is secured.</p><p>One example of file encryption software is <a
href="http://www.pgpi.org/" target="_blank">Pretty Good Privacy</a> (PGP), developed by Philip Zimmermann in 1991. PGP applies a combination of data compression, symmetric-key cryptography, hashing and public-key cryptography. PGP uses a web of trust to ensure that the public key is distributed to and used by the correct person. This software provides relatively high security. In a number of different <a
href="http://www.pcworld.com/article/110841/pgp_encryption_proves_powerful.html">incidents</a>, the FBI and other law enforcement agencies were unable to access files that had been encrypted with PGP.</p><p><a
href="http://www.gnupg.org/" target="_blank">GNU Privacy Guard</a> (GnuPG) is another suite of cryptographic software, developed by Werner Koch in 1999. It was designed to operate together with PGP. GnuPG works by using asymmetric keypairs to encrypt messages. The public keys are then exchanged with the appropriate individuals, verifying the recipient. GnuPG relies on a number of different encryption algorithms, such as block ciphers, asymmetric-key ciphers, cryptographic hashes and digital signatures.</p><h2>Email Encryption</h2><p>An email may be vulnerable to interception from the point it leaves the sender until it arrives at its recipient. For instance, companies have the authority to monitor their employees’ email messages. Email server administrators also have access to the email stored on their servers. There are a number of different email encryption programs, with various security capabilities.</p><p>A common way to ensure the security of email messages is to use digital signatures. <a
href="http://www.youdzone.com/signature.html" target="_blank">Digital signatures</a> apply public-key cryptography to the email message. Digital signatures identify the sender, ensure that the message has not been modified or tampered with and underscore the legal consequences of the message for the sender and recipient. Digital signatures are also relatively efficient and offer a relatively high level of assurance of the authenticity of the sender. <a
href="http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211947,00.html" target="_blank">Digital certificates </a>work together with digital signatures to verify the identity of the public key holder.</p><p>Like any other security model, there are shortcomings of the digital key system. Private keys are still vulnerable to theft or copying. For instance, a third party may gain enough information to create a copy of a private key. Digital certificates could theoretically be forged or cracked, though according to researchers, this would be highly difficult to do.</p><h2>Filters</h2><p>Filters are a broad category of tools that can selectively control the online content that appears on the user’s system. For example, a filter may be designed to block emails, HTML cookies, websites, HTML headers or other unwanted content. Filters may be used by organizations to prevent access to certain online content, by individuals who do not want spam messages, or by parents to protect their children from inappropriate content.</p><p>A cookie cutter is a type of filtering program that blocks a system from exchanging cookies with another website. Cookie cutters may also prevent websites from displaying specific types of cookies, or stop the user’s browser from sending header information to the website. One example of such a program is <a
href="http://en.wikipedia.org/wiki/Internet_Junkbuster" target="_blank">Internet Junkbuster</a>, which blocks the browser from loading banner ads and other cookies. It functions as a proxy between the browser and the internet and allows the user to configure which cookies or files to block or allow.</p><h3>Summary</h3><p>This article introduces the importance of protecting online privacy through three major categories of tools: anonymizers, encryption and filters. Anonymizers prevent the user’s identity from being revealed, while allowing the user to browse on the internet. Encryption tools ensure the secure transmission of data, for instance files or email. Filters block specific content from being loaded by internet browsers. The article explains the functions of each of the privacy tools and offers some examples of each tool.</p><h3>CIPP/IT Preparation</h3><p>In preparation for the Certified Information Privacy Professional/Information Technology exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Privacy-enhancing technologies (III.B.c.)</li><li>Anonymity tools (III.B.d.)</li><li>Applications of anonymity tools (III.B.d.iii.)</li><li>Tor Anonymity System (III.B.d.iii.5.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/09/14/preserving-anonymity-tools/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Secure Flight &amp; Privacy Rights</title><link>https://www.cippguide.org/2010/09/07/secure-flight-privacy-rights/</link> <comments>https://www.cippguide.org/2010/09/07/secure-flight-privacy-rights/#comments</comments> <pubDate>Tue, 07 Sep 2010 12:00:16 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[Canada]]></category> <category><![CDATA[Charter of Rights and Freedoms]]></category> <category><![CDATA[CIPP/C]]></category> <category><![CDATA[Department of 
Homeland Security]]></category> <category><![CDATA[Office of the Privacy Commissioner]]></category> <category><![CDATA[OPC]]></category> <category><![CDATA[PIPEDA]]></category> <category><![CDATA[Privacy Act]]></category> <category><![CDATA[Privacy Commissioner]]></category> <category><![CDATA[Secure Flight Program]]></category> <category><![CDATA[third party agreement]]></category> <category><![CDATA[TSA]]></category> <category><![CDATA[US]]></category><guid
isPermaLink="false">http://www.cippguide.com/?p=1914</guid> <description><![CDATA[The US Secure Flight Program has garnered much public concern and disapproval in Canada, where many Canadians are finding themselves subject to the controversial regulations when flying over US airspace. Aviation security is a high priority issue for the Canadian federal Privacy Commissioner, who earlier this year carried out an investigation of airport security scanners being installed in Canadian airports. While security is an issue in the aviation industry, the Privacy Commissioner, along with other privacy watchdogs, insist that security measures must also respect the privacy and personal dignity of travelers in Canadian [...]]]></description> <content:encoded><![CDATA[<p>The US <a
href="http://www.tsa.gov/what_we_do/layers/secureflight/">Secure Flight Program</a> has garnered much public concern and disapproval in Canada, where many Canadians are finding themselves subject to the controversial regulations when flying over US airspace. Aviation security is a high priority issue for the Canadian federal <a
href="http://www.cippguide.com/2010/06/03/privacy-commissioner-of-canada/" target="_blank">Privacy Commissioner</a>, who earlier this year carried out an investigation of <a
href="http://www.priv.gc.ca/media/nr-c/2010/op-ed_100107_e.cfm">airport security scanners</a> being installed in Canadian airports. While security is an issue in the aviation industry, the Privacy Commissioner, along with other privacy watchdogs, insist that security measures must also respect the privacy and personal dignity of travelers in Canadian airports.</p><h2>US Secure Flight Program</h2><p>The US <a
href="http://www.tsa.gov/">Transportation Security Administration</a>’s Secure Flight Program was launched in August 2009 and has been phasing in new regulations since. The TSA explains Secure Flight as a “behind the scenes” program, aimed at enhancing security of domestic and international air travel. The program was initially developed by the <a
href="http://www.cippguide.org/tag/dhs/">Department of Homeland Security</a> in response to 9/11 Commission Recommendations.</p><p>The Secure Flight program began with the Secure Flight Passenger Data check, which required passengers to provide personal information to their airline when making a reservation. This information included their name as it appears on government-issued identification; date of birth; gender; and redress number, if necessary. The information would then be transmitted to TSA’s Secure Flight and crosschecked with federal government watch lists. The results of this check would then be transmitted to the airline. The TSA has access to all US government databases.</p><p>According to the TSA, the goals of watch list matching include:</p><ul><li>Decreasing the chances of compromised watch lists; limiting distribution of watch lists.</li><li>Early identification of potential matches, meaning expedited notification of law enforcement authorities and threat management.</li><li>Developing a fair, equitable and consistent matching process for all airlines.</li><li>Reducing instances of misidentified individuals.</li><li>Consistent application of redress process for misidentified individuals.</li></ul><p>Individual privacy has been a prominent concern during the implementation of the Secure Flight program. The TSA has developed a Secure Flight Privacy Program, which includes the following elements:</p><ol><li>Foundation privacy principles</li><li>Privacy organization, including a privacy officer and supporting staff</li><li>Secure Flight privacy policies</li><li>Systems development and security to manage privacy risks throughout the Secure Flight system</li><li>Awareness and training programs</li><li>Monitoring and compliance procedures</li><li>Redress and response processes</li><li>Privacy risk management technique</li></ol><p>The TSA set out objectives of checking 100 percent of domestic flight passengers by early 2010. 
It also states intentions of vetting 100 percent of passengers on all international commercial flights into, out of, or over the US by the end of 2010.</p><h2>Objections</h2><p>The TSA’s Secure Flight objectives raised public outcry in Canada and Europe. The application of Secure Flight on airlines flying over US airspace was seen as an unprecedented assertion by the TSA. Once the program launches globally in December 2010, the TSA can prevent passengers from boarding flights, even if they are only flying in US airspace. For instance a passenger may be denied boarding an aircraft in Canada, headed to Mexico, if they have not passed the Department of Homeland Security screening. The Secure Flight program applies to flights to, from, or over the US. About eighty percent of Canadian flights to the Caribbean, to other southern points and to Europe fly over the US.</p><p>Secure Flight requires that Canadian airlines transfer travelers’ personal information to the Department of Homeland Security at least seventy-two hours before departure. Using <a
href="http://www.infoglide.com/">Infoglide</a>, a package of fifty identity resolution algorithms, it checks passenger identities. The Department also has access to data collected in Canada, such as police records.</p><p>If the search results in “no match,” the airline will be informed and the passenger can be issued a boarding pass. In these situations, the personal information will be purged from the Department of Homeland Security system after seven days. However, a potential match (according to the Department, this is someone who has not been determined as an exact match, but has the potential to match some data elements) can be kept in the system for seven years. Positive, or exact, matches are kept in the Secure Flight system for ninety-nine years. It will take around fifty to sixty days to resolve false positives.</p><p>Many privacy watchdogs and advocates are wary of this new program as it requires non-US airlines to release passengers’ personal information to US government departments. It is unacceptable to many, as Canadian Parliament never adopted or even discussed the Secure Flight program. The European Parliament has raised a number of objections to the program.</p><p>Most airlines do not host their own passenger name records (PNR). This is often outsourced to a third-party computerized reservation system (CRS). PNR data is entered through travel agencies, tour operators and travel websites and is stored as a master copy in the CRS. It is the CRS that sends the PNR data to the Department of Homeland Security.</p><p>However, there is no data protection law for CRSs in the US. Once a CRS has PNR data, it is legally able to use, disclose, transfer or sell that data, without notice or consent. Currently, CRSs in the US share data with data mining and marketing companies, as well as with PNR processing companies.
Since the CRS does not keep an access log of who retrieves the PNRs, it is impossible to determine who has seen passenger information.</p><h2>Security vs. Privacy?</h2><p>Canadian airlines currently check all flight manifests against the US no-fly list, a watch list compiled by the FBI and distributed amongst airlines worldwide. This no-fly list contains the names of 16,000 people suspected of terrorist involvement by the US government. According to the <a
href="http://laws.justice.gc.ca/en/charter/">Canadian Charter of Rights and Freedoms</a>, the <a
href="http://www.cippguide.com/2010/06/08/canadian-privacy-act-2/" target="_blank">Privacy Act</a> and the <a
href="http://www.cippguide.com/2010/06/10/personal-information-protection-and-electronic-documents-act-pipeda/" target="_blank">Personal Information Protection and Electronic Documents Act</a> (PIPEDA), it would be difficult to introduce measures such as Secure Flight without considering the following:</p><ul><li>The right to privacy is a fundamental right. It cannot be infringed unless it is necessary for the public good.</li><li>Collection of personal information can only occur when proven necessary.</li><li>Necessity of collection must be assessed continually.</li><li>Less privacy-invasive alternatives that fulfill the same purpose should always be considered.</li></ul><p>From the Canadian Privacy Commissioner’s perspective, shifting responsibility for checking the passenger manifest from the airlines to the Department of Homeland Security brings privacy safeguards as well as privacy risks. After investigating the Secure Flight program, the Commissioner made the following recommendations to the Canadian government:</p><ul><li>Negotiate with US authorities on the collection of minimal personal information.</li><li>Determine if the retention periods (seven days, seven years, ninety-nine years for negative, potential and positive matches, respectively) are necessary.</li><li>Negotiate robust and accessible redress mechanisms in the case of false positive matches.</li><li>Implement measures to support Canadians who must use those redress mechanisms.</li><li>Inform Canadian passengers on the scope of information collected and disclosed under the Secure Flight program.</li><li>Clarify Canadian law regarding the conditions for disclosure of personal information, in order to ensure public debate and legal certainty.</li></ul><p>According to the Privacy Commissioner, the issues of privacy and security are not at odds. 
They can both be supported at the same time, since privacy protection requires that the collection of personal information be kept to a minimum, while the efficacy of security depends on the collection of only relevant information.</p><h3>Summary</h3><p>This article explores aviation security and privacy protection issues in trans-border data sharing. The US Transport Security Administration (TSA), a branch of the Department of Homeland Security, proposed the Secure Flight program, which collects and crosschecks passenger data for all flights to, from or over the US. While it is currently implemented domestically, the TSA intends to launch the program internationally in December 2010. This stands to significantly impact Canadian travelers. The article examines privacy concerns and objections to the Secure Flight program. The Canadian Privacy Commissioner’s responses and recommendations are also highlighted.</p><h3>CIPP/C Preparation</h3><p>In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Co-regulatory model of privacy protection (II.B.a.)</li><li>Regulating activities: processing, transfers, data sharing (II.B.d.)</li><li>Enforcement agencies &amp; powers (II.B.e.i.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/09/07/secure-flight-privacy-rights/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Identity Management and National ID Cards</title><link>https://www.cippguide.org/2010/08/31/identity-management-and-national-id-cards/</link> <comments>https://www.cippguide.org/2010/08/31/identity-management-and-national-id-cards/#comments</comments> <pubDate>Tue, 31 Aug 2010 12:00:01 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Compliance & Regulations]]></category> <category><![CDATA[Authentication]]></category> 
<category><![CDATA[CIPP/C]]></category> <category><![CDATA[identity]]></category> <category><![CDATA[National ID]]></category> <category><![CDATA[Office of the Privacy Commissioner]]></category> <category><![CDATA[OPC]]></category><guid
isPermaLink="false">http://www.cippguide.com/?p=1932</guid> <description><![CDATA[According to the OPC (Office of the Privacy Commissioner), the concept of identity is defined simply as how a person is known, either by other people, or by an organization. An individual’s identity is a distinguishing set of information that may vary from context to context. For instance, family and friends may identify a person by certain traits; an employer might identify a person by role, skill or position; and a service provider might identify a person by a unique identification number. This article examines identity concepts and identity management systems that citizens come in contact with on a daily basis, as well as the possibility of a national identity [...]]]></description> <content:encoded><![CDATA[<p>According to the <a
href="http://www.cippguide.com/2010/06/03/privacy-commissioner-of-canada/" target="_blank">OPC</a> (Office of the Privacy Commissioner), the concept of identity is defined simply as how a person is known, either by other people, or by an organization. An individual’s identity is a distinguishing set of information that may vary from context to context. For instance, family and friends may identify a person by certain traits; an employer might identify a person by role, skill or position; and a service provider might identify a person by a unique identification number. This article examines identity concepts and identity management systems that citizens come in contact with on a daily basis, as well as the possibility of a national identity card.</p><h2>Identification</h2><p>Identity is an important issue for citizens and governments, as well as private sector organizations and individuals. It is important for organizations to identify individuals so that they can provide appropriate services, track individuals’ histories (e.g. health history, previous purchases) or target new services to specific individuals. Whether it is a public or private service organization, <a
href="http://www.cippguide.org/tag/dhs/">individual profiling</a> is a <a
href="http://www.cippguide.org/tag/national-id/">growing trend</a>.</p><p>Identity is formed through the combination of disparate attribute information, which can include:</p><ul><li>How an individual is known to other individuals (e.g. name, appearance, membership in a group)</li><li>How an individual is known to an employer (e.g. full name, employee identification number)</li><li>How an individual is known to the government (e.g. name, SIN/Social Insurance Number, health card number)</li></ul><p>Each attribute is unique, since the individual in question is the only one to have that attribute. For instance, no two people share the same SIN or health card number. Attributes are context-dependent. While an attribute may serve as an identifier in one social sphere, it may not have any meaning in another context. For instance, a person’s full name may be a unique identifier in his/her workplace, but it may not be a unique identifier in his/her city, as a number of other people may also share that name.</p><p>Constant identification limits individual privacy and creates an <a
href="http://www.cippguide.org/2009/06/17/big-brother-in-little-carolina-city-wants-surveillance-cameras-catching-every-cars-plate/">environment of surveillance</a> and monitoring of activities. One important component of privacy is the ability to carry out daily activities anonymously. Another threat to privacy takes place when there are inappropriate or inadequate safeguards for personal information. Lack of security may facilitate <a
href="http://www.cippguide.org/tag/identity-theft/">identity theft</a> and impersonation.</p><h2>Identity Systems Management</h2><p>A well-structured and responsibly managed identity system can reinforce and defend privacy rights. An identity system recognizes the necessity of effective identification mechanisms in order to fulfill the goals of government and businesses, while still upholding the privacy rights of individuals. Identity management refers to the concept of managing any personally identifying information throughout its lifecycle. For instance, this might involve the passing of attribute data, or the identification of an individual. Identity systems became a significant issue for discussion, especially in terms of improving security after the attacks of September 11, 2001.</p><p>The OPC, along with the National Academy of Science of the United States, has suggested a list of criteria that must be well defined before the introduction of new identity systems:</p><ul><li>System purpose</li><li>Scope of population affected by the system</li><li>Means of identity <a
href="http://www.cippguide.org/tag/authentication/">authentication</a></li><li>Scope of data collected from the individuals</li><li>Users of the system who would have access to the data and their scope of powers (e.g. contributors, viewers, editors)</li><li>Types of use, circumstances of use</li><li>Type of participation/identification (i.e. voluntary or mandatory)</li><li>Level of consent involved</li><li>Legal structures governing the system, data subject’s privacy, due process rights, liability for system misuse/failure</li></ul><p>Large-scale, nationwide identity systems are especially of interest, given the security threats posed by terrorists. The implementation of such an identity system would involve policies and procedures regarding account security, privacy considerations, scalability and other management factors. It would require an infrastructure of databases, communications networks, card readers as well as the physical identification cards themselves. There would need to be a system that registers individual identities; stores, updates, searches identities; and issues credentials. It is arguable whether such a system is feasible, desirable or effective at responding to security issues.</p><h2>Limitations of Authentication</h2><p>The process of authentication establishes confidence in an identity claim. In order to support an identity claim, individuals can present different types of evidence, or authenticators (e.g. passport, ID card, health card or birth certificate).</p><p>In most situations, authentication, rather than identification, is what an organization is really after. For instance, a retail clerk wants to know that the customer is authorized to use a credit card. The clerk is not actually interested in the individual’s identity. Likewise, a peace officer checks driver’s licenses in order to determine that the person is entitled to drive. 
In this case, it would be irrelevant to know the person’s name, age or address.</p><p>One of the arguments made by proponents of a national identity card is that it can better prove someone’s identity. While this may be true, the card cannot indicate whether or not the person is trustworthy. However, if identifying information is cross-checked with a criminal database, it can then establish the person’s trustworthiness.</p><h2>National Identity Cards</h2><p>Discussion about a Canadian national identity system began after the terrorist attacks on September 11, 2001. This would broadly be defined as an all-purpose identification document, similar to an internal passport, issued to all Canadian citizens by federal or provincial governments. The identification card would be used in numerous situations, including matters with government agencies as well as private entities. Proponents support the replacement of many identification documents with an ID card that would be standardized, recognized and widely accepted in Canada.</p><p>According to the <a
href="http://www.cic.gc.ca/english/department/minister/index.asp">Minister of Immigration &amp; Citizenship</a>, this document would likely take the form of a tamper-resistant card that contains a computer chip recording the individual’s name, date and place of birth, gender and serial number. It may also include physical attributes (e.g. height, eye color) and other information, such as current address or a sample signature. It would also capture some sort of biometric information from the card holder, for instance, a fingerprint or retinal pattern. This was the most controversial factor.</p><p>Countries such as Belgium, Germany, Greece, Italy, Poland and Spain have already implemented national ID card systems, similar to what is being proposed in Canada. The UK is currently looking at means to introduce voluntary or mandatory ID cards, while Australia is debating a national identification plan.</p><p>Opponents of national identity cards argue that they are an inadequate security solution. According to the <a
href="http://www.piac.ca/privacy/piac_report_national_identity_cards_biometrics_and_the_consumer_displacing_the_personal_from_the_person/">PIAC</a>, the proposed card scheme fails to meet the three broad goals set out in Canada’s Security Policy, as outlined below:</p><ol><li>Ensuring public safety in Canada.</li><li>Preventing the use of Canada as a launching pad for terrorist attacks.</li><li>Contributing to international security.</li></ol><p>To address the first goal, the connection between national identity cards and anti-terrorist initiatives is largely intuitive; there is no evidence to suggest that national documentation would effectively deter terrorist activity. Establishing an individual’s identity in no way reveals that individual’s intentions.</p><p>Regarding the second goal, it is arguably more productive to allocate resources to terrorist prevention strategies and intelligence gathering initiatives, rather than to a costly identity system that would only be useful for linking names to faces. The PIAC suggests that the national identity card scheme would be ineffective at identifying terrorists before attacks are committed.</p><p>Thirdly, national identity cards may contribute very little to international security. The countries that have already implemented a national identification system have not produced results demonstrating that the cards are actually effective. There is no demonstrable connection between terrorism and the presence of a national identity system.</p><p>The development of a national identification card system may be prone to fraud and counterfeit, as much as any other forms of identification. The OPC also argues that such a system may even increase national security risks, as it could give citizens a false sense of security. By contrast, effective security requires depth, or multiple angles of protection. 
A national ID card provides only one level of security.</p><p>Furthermore, the likelihood that the card would serve other purposes is high. The national ID may see a type of “function creep,” which is when information collected for one purpose is used for another. This is certainly the case with the Social Insurance Number (SIN), which branched out into new and unrelated uses. This could raise profound privacy implications for card holders.</p><h3>Summary</h3><p>This article explores the concepts of identity, identity systems and identity management in Canada. It looks at the shortcomings of identification methods alone, as they are often meaningless without some form of authentication. The article also explores the debate surrounding national identity cards, which were proposed after the September 11, 2001 attacks in the US. It examines the purported objectives of the ID cards as well as the arguments against the introduction of such a system.</p><h3>CIPP/C Preparation</h3><p>In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Types of Personal Information (I.B.a.)</li><li>Commissioner Expectations (III.B.g.i.)</li><li>User Access &amp; Redress (V.C.d.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/08/31/identity-management-and-national-id-cards/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Cryptography</title><link>https://www.cippguide.org/2010/08/24/cryptography/</link> <comments>https://www.cippguide.org/2010/08/24/cryptography/#comments</comments> <pubDate>Tue, 24 Aug 2010 12:00:18 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Information Security]]></category> <category><![CDATA[Authentication]]></category> <category><![CDATA[cryptography]]></category> <category><![CDATA[Digital Certificates]]></category> 
<category><![CDATA[Digital Signatures]]></category> <category><![CDATA[Encryption]]></category> <category><![CDATA[Foundations]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=2031</guid> <description><![CDATA[Cryptography refers to the science of rendering information unrecognizable and thus useless to those without proper authorization. This field includes mathematics, computer science and engineering. While cryptography was initially applied to protect message confidentiality, it has grown to include issues such as privacy concerns, data integrity, identity authentication, secure computing and more. This article introduces the field of cryptography, defines the basic concepts of encryption and decryption and discusses related concepts. It also explores current uses of cryptography in the information security [...]]]></description> <content:encoded><![CDATA[<p><a
href="http://www.cippguide.org/tag/cryptography/">Cryptography</a> refers to the science of rendering information unrecognizable and thus useless to those without proper authorization. This field includes mathematics, computer science and engineering. While cryptography was initially applied to protect message confidentiality, it has grown to include issues such as privacy concerns, data integrity, identity authentication, secure computing and more. This article introduces the field of cryptography, defines the basic concepts of encryption and decryption and discusses related concepts. It also explores current uses of cryptography in the <a
href="http://www.cippguide.org/tag/information-security/">information security</a> field.</p><h2>Encryption/Decryption</h2><p>Cryptography is used to protect the confidentiality of data. When original data (referred to as plaintext) is transformed cryptographically, it is encrypted, or disguised. The process of encryption produces ciphertext, or cipher. The ciphertext is not readable until it is converted back into plaintext through a process called decryption. The process of decryption can only be initiated by the designated recipient through the use of a key. Examples of encryption techniques include substituting letters for numbers, rotating letters of the alphabet, scrambling voice signals, or using computer algorithms to rearrange data bits in digital signals.</p><p>The most secure encryption methods rely on mathematical algorithms and a key (or password) for decryption. The key is a variable value, often a random character string, which is necessary for transforming the ciphertext back into plaintext. The key is known only by authorized individuals and should not be shared with other parties.</p><p>Encryption and decryption are crucial elements in a number of other processes, including:</p><ul><li><strong>Authentication</strong>: this process verifies or establishes the identity of an entity or of the data. User authentication verifies if a user is authorized to enter a system. This is based on three factors of identification: something the user knows (e.g. PIN, password); something the user has (e.g. ID card, smart card, token); or something the user is or does (e.g. biometric identifiers). Data authentication establishes both data integrity and data origin authentication.</li><li><strong>Data confidentiality</strong>: this ensures that sensitive data is kept secure. Data confidentiality may involve data that is transmitted between two parties, through intermediaries, or data that is kept in repositories. 
Ensuring data confidentiality means that sensitive information is not accessed by attackers or other unauthorized parties.</li><li><strong>Data origin authentication</strong>: this confirms that the sender of the data is the originator of the data, rather than someone claiming to be the originator.</li><li><strong>Data integrity</strong>: a high level of data integrity assures users that the information is trustworthy, complete and untampered with. Data integrity ensures that data is accessible, correct and consistent.</li></ul><p>There are a number of different levels of encryption, which depend on the key space. The key space refers to the number of possible keys that may be used to initialize an algorithm. Organizations can choose from different levels, depending on their requirements:</p><ol><li>File-Level Encryption: this encrypts data at the individual file level. Users can decide which files to encrypt, depending on the sensitivity of their contents. This method is also referred to as folder encryption, since entire folders can be encrypted in a similar fashion. Files are encrypted and decrypted by users who have been authenticated.</li><li>Full-Drive Encryption: this method encrypts all the data that is on the disk drive. This is done through software on the hard disk driver, or by the hardware in the disk drive. Users must be authenticated when the disk drive is powered on, before they can gain access to the data.</li><li>Field-Level Encryption: this method encrypts only designated fields in a document. The non-encrypted fields are then able to appear in plaintext when viewed.</li></ol><h2>Non-Repudiation &amp; Digital Signatures</h2><p>Cryptography influences non-repudiation, which proves that the integrity and origin of data is genuine. Repudiation is when one party involved in a communication denies involvement in some or all of the communication. Users need to have evidence that messages were sent. 
This prevents a sender from later denying having sent a message. Non-repudiation falls under two categories:</p><ol><li>Proof of Origin: Non-repudiation with proof of origin establishes the origin of the data, protecting the recipient in case the sender should deny sending the data. This ensures accountability from the originating party. Often, the term “non-repudiation” is used interchangeably with non-repudiation with proof of origin.</li><li>Proof of Receipt: Non-repudiation with proof of receipt proves that the data was received as it was originally addressed. This protects the sender in case the recipient should deny receipt of the data.</li></ol><p>There are a number of ways to ensure non-repudiation. For instance, a data hash can establish, to a reasonable degree, that the data was not manipulated without detection. Data hashes, or hash functions, convert large amounts of data into single integers. However, data hashes cannot prevent data from being manipulated during the transmission process.</p><p>Another way to ensure non-repudiation is to use digital certificates. Digital certificates confirm that information transmitted electronically is authentic. For instance, digital certificates may be used for e-commerce, online banking and other sensitive online services. In these situations, encryption is insufficient; certificates are necessary as evidence of the sender of the encrypted information.</p><p>Digital certificates associate an identity to a pair of electronic keys for encryption of digital information. They make it possible to verify a claim to identity and prevent impersonation. 
Digital certificates usually contain the following:</p><ul><li>Owner’s public key</li><li>Owner’s name</li><li>Expiration date of the public key</li><li>Name of issuer – this is the certification authority that issued the certificate</li><li>Serial number of the certificate</li><li>Digital signature of the issuer</li></ul><h2>Symmetric &amp; Asymmetric Encryption</h2><p>There are two types of encryption schemes: symmetric encryption and asymmetric encryption.</p><p>Symmetric key cryptography refers to using the same key for encrypting as well as decrypting. It is also referred to as shared-secret, secret-key or private-key cryptography. This key is not distributed; rather, it is kept secret by the sending and receiving parties. With symmetric encryption, the sender encrypts a plaintext message with a symmetric encryption algorithm and a shared key. This process results in a ciphertext message that is sent to the recipient. The recipient then decrypts this message back into plaintext with the shared key. With this form of encryption, the two parties must share the key over a secure channel before communications.</p><p>Asymmetric cryptography is also referred to as public-key cryptography. Public-key cryptography depends on a key pair for the processes of encryption and decryption. Unlike private keys, public keys are distributed freely and publicly. Data that has been encrypted with a public key can only be decrypted with the corresponding private key.</p><p>Asymmetric cryptography is the most recent cryptographic technique. With asymmetric cryptography, the sender encrypts a plaintext message with an asymmetric encryption algorithm and the recipient’s public key. The result is a ciphertext message, which is sent to the recipient. 
The recipient then decrypts this message back into plaintext by using the private key corresponding to the public key the sender used to encrypt the message.</p><p>Compared to asymmetric cryptography, symmetric cryptography is much simpler, as the same key is shared between sender and receiver. Asymmetric encryption needs more processing resources to encrypt a whole message than to asymmetrically encrypt just the shared key. However, asymmetric encryption offers a number of advantages over symmetric encryption, including:</p><ul><li>Simplified key distribution</li><li>Digital signature</li><li>Long-term encryption</li></ul><h2>Strong Encryption</h2><p>Strong encryption refers to ciphers that are virtually unbreakable without the decryption keys. This method of encryption relies on a very large number (256 bits) as a cryptographic key. However, the practice of strong encryption is controversial. While most companies and consumers believe it is a security measure, governments tend to view strong encryption as a potential means by which criminal activity or harassment could be concealed. The concern is that stalkers, predators or terrorists could disguise their identities through encryption, essentially becoming untraceable to authorities.</p><p>Certain governments, including that of the United States, are pushing for <a
href="http://en.wikipedia.org/wiki/Key_escrow">key escrow systems</a> for strong encryption. Key escrow systems involve a trusted third party, who holds the encryption key on behalf of the government. This third party may be a bank or a new federal office created by Congress. Everyone who uses strong encryption would essentially be required to provide the government with a copy of the key. Decryption keys would then be stored securely and only used by authorities with the appropriate court orders. A significant concern about the key escrow system is that the keys are held in a single, central location, which would present a risk for hacker attacks. It is possible for criminals to hack into the key database and steal or modify the keys.</p><h3>Summary</h3><p>This article discusses cryptography, the practice of encrypting and decrypting data in order to ensure confidentiality and integrity. The article explores various levels of encryption, including field-level, file-level and full-drive encryption. It also explores cryptography in relation to associated concepts, such as authentication, confidentiality, integrity and non-repudiation. The article then compares two types of encryption schemes: symmetric encryption (also called private key encryption) and asymmetric encryption (also called public key encryption). 
Finally, it discusses the controversy surrounding strong encryption, which may inadvertently disguise criminal activity.</p><h3>Foundations Exam Preparation</h3><p>In preparation for the Foundations exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Cryptography (II.C.a.iii.)</li><li>Digital signatures (II.C.b.vi.5.)</li><li>Non-repudiation (II.C.b.vi.6.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/08/24/cryptography/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Access Controls</title><link>https://www.cippguide.org/2010/08/17/access-controls/</link> <comments>https://www.cippguide.org/2010/08/17/access-controls/#comments</comments> <pubDate>Tue, 17 Aug 2010 12:00:28 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Information Security]]></category> <category><![CDATA[access controls]]></category> <category><![CDATA[CIA triad]]></category> <category><![CDATA[disclosure]]></category> <category><![CDATA[Foundations]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=2028</guid> <description><![CDATA[Access controls determine the authorized activities of legitimate users, while mediating users’ access to system resources. Access controls ensure that data are being used by the appropriate people in the correct roles in particular contexts. For instance, IT infrastructures employ access control systems at a number of levels. Operating systems also rely on access controls to protect directories or files. As a result of regulatory compliance, there has been a noticeable push for controls in the IT industry. This article looks at basic concepts around access [...]]]></description> <content:encoded><![CDATA[<p>Access controls determine the authorized activities of legitimate users, while mediating users’ access to system resources. Access controls ensure that data are being used by the appropriate people in the correct roles in particular contexts. For instance, IT infrastructures employ access control systems at a number of levels. Operating systems also rely on access controls to protect directories or files. As a result of regulatory compliance, there has been a noticeable push for controls in the IT industry. This article looks at basic concepts around access controls.</p><h2>Preventative, Detective &amp; Corrective Controls</h2><p>Controls function as safety valves which prevent accidental disclosure of information. They may take the form of human processes, automated processes, or human work flows that are aided by technology. Controls may be physical, technical or administrative and are grouped into three main categories of controls: preventive, detective and corrective.</p><p>Preventive controls are implemented in order to avoid unwanted situations. They prevent errors or irregularities from happening. Examples of preventative controls include:</p><ul><li>Access Control Software: this controls data and program sharing between users. 
It controls access to a system by allowing access only to registered users with the appropriate ID and password. After users have logged on, the control software manages access to data and programs in the system.</li><li>Anti-Virus Software: this software identifies, detects, isolates and removes viruses. It should be kept active and updated on a system to ensure continual detection and interception of new viruses.</li><li>Policies/Procedures: these identify the ways in which processes must be performed. They must go hand in hand with training, detective controls and audits.</li><li>System Design: appropriate system design makes controls more effective. Engineering a system with its control requirements in mind results in a better system.</li><li>Standards: using standards as sources of process information can help to prevent problems from occurring. Standards may be drawn from the BSI (British Standards Institution), NIST (the US National Institute of Standards and Technology) or ISO (the International Organization for Standardization), among others.</li><li>Passwords: a password is combined with an ID to verify the identity of a user. Password-ID log-on also makes users accountable for their actions within the system. There are a number of different types of passwords, including fixed, dynamic and one-time passwords.</li><li>Smart Cards: these contain chips that can be read by terminals. Smart cards carry the user’s authorization and privileges in the system. They are often combined with another form of authentication (e.g. a password, PIN or biometric) before the user is allowed access to the system.</li><li><a
href="http://www.cippguide.org/tag/cryptography/">Encryption</a>: this protects data from unintended disclosure when it is transmitted across a network. Encryption transforms readable data (plaintext) into unreadable data (ciphertext); it can be implemented in hardware or software.</li><li>Access Systems: for instance, blocking access to a specific port or service that is vulnerable to exploitation.</li></ul><p>Preventative controls alone are insufficient, however, as policies, standards and procedures are often misinterpreted or ignored for a number of reasons. This is why other types of controls are necessary.</p><p>Detective controls spot errors or irregularities that have already taken place. Although detective controls cannot stop unauthorized access to data, they can alert monitoring parties when unintended events occur. Some examples of detective controls include:</p><ul><li>Audit Trails: record system activities so that events can be reconstructed and examined, and violation reports produced.</li><li>Intrusion Detection: tracks users’ activity on the system to ensure that it is authorized. This is useful where intruders are using authorized accounts, or where legitimate users are engaged in unauthorized activities.</li></ul><p>Corrective controls are implemented to correct errors or irregularities that have been detected. Such controls correct the circumstances that allowed unauthorized activity to take place, or they restore the system to its original condition. Corrective controls may make changes to existing physical, technical or administrative controls. Examples include backup configuration files, hard drive images and response plans for specific incidents.</p><h2>What do they do?</h2><p>Access controls can help to maintain the <a
href="http://www.cippguide.org/2010/07/15/cia-triad/">CIA triad</a> (confidentiality, integrity, availability) in information system security. The triad represents the core principles of the <a
href="http://www.cippguide.org/tag/information-security/">information security</a> field.</p><p>Confidentiality in a system means that the privacy of individuals is protected and that information is not disclosed to unauthorized users. A strong access control system ensures that information is released on a case-by-case basis, keeping it confidential and preventing exposure to unauthorized individuals.</p><p>Controls also maintain the integrity of information, meaning that the data are safeguarded from unauthorized modification. Strong access controls protect data integrity in the following ways:</p><ol><li>Protect data from accidental modification – ensure that data cannot be casually edited or overwritten</li><li>Protect data from deliberate modification – control access to sensitive information, preventing deliberate or malicious changes to data</li><li>Maintain external consistency – check the data held in the system against its source in the outside world (for instance, a stock count against the goods actually on the shelf)</li><li>Maintain internal consistency – check that related records within the system agree with one another (for instance, that a set of line items sums to the stated total)</li></ol><p>Finally, control systems give authorized users access to the data they need to complete their tasks, and no more. This protects the element of availability: availability means not only that data are available to authorized users, but also that the procedures required to reach that data are reasonable for them.</p><h2>Types of Controls</h2><p>Control strategies must be designed to address risks that have been identified as unacceptable. The design of control systems and strategies must take into account the threats, vulnerabilities and risks that the system or network may face.</p><p>The control system design process also takes into account three layers of controls: policies, models and mechanisms. 
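</p><p>The preventative, detective and corrective controls above, and the distinction between a policy and the mechanism that enforces it, can be seen together in a small piece of working code. The following Python reference monitor is an added example written for this page, not code from the original article or from any product it mentions; the roles, resources, user names, passwords and alert threshold in it are constructed for the demonstration. The access matrix is the policy, the ReferenceMonitor class is the mechanism that enforces it (preventive), every decision is written to an audit trail and a simple intrusion-detection rule raises an alert after repeated denials (detective), and the offending account is then locked (corrective).</p>

```python
"""Miniature reference monitor: a policy (access matrix) enforced by a mechanism,
with preventive, detective and corrective controls in one place.

Added example for illustration; not code from the original article. All users,
roles, resources and thresholds below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
from collections import Counter

# Policy layer (hypothetical): role -> set of (resource, action) pairs permitted.
# Each role gets only what its tasks need (least privilege).
POLICY = {
    "clerk":   {("ledger", "read")},
    "auditor": {("ledger", "read"), ("audit_log", "read")},
    "admin":   {("ledger", "read"), ("ledger", "write"), ("config", "write")},
}

# Detective rule: this many denied requests from one account raises an alert,
# catching a legitimate user wandering outside their role or an intruder who
# is using a stolen account.
DENIAL_ALERT_THRESHOLD = 3


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so stored credentials are not directly reusable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ReferenceMonitor:
    """Mechanism layer: every request passes through here and is logged."""

    def __init__(self, policy):
        self.policy = policy
        self.accounts = {}       # user -> (salt, password hash, role)
        self.sessions = set()    # users who have authenticated
        self.locked = set()      # corrective control: accounts taken out of use
        self.audit_log = []      # detective control: every decision, allow or deny
        self.alerts = []         # detective control: raised by the denial rule
        self.denials = Counter()

    def register(self, user, password, role):
        if role not in self.policy:
            raise ValueError(f"unknown role {role!r}")
        salt = os.urandom(16)
        self.accounts[user] = (salt, hash_password(password, salt), role)

    def login(self, user, password) -> bool:
        """Preventive control: only registered, unlocked users presenting the
        right password get a session."""
        if user not in self.accounts or user in self.locked:
            self.audit_log.append((user, "login", "-", "deny"))
            return False
        salt, stored, _ = self.accounts[user]
        if not hmac.compare_digest(stored, hash_password(password, salt)):
            self.audit_log.append((user, "login", "-", "deny"))
            return False
        self.sessions.add(user)
        self.audit_log.append((user, "login", "-", "allow"))
        return True

    def request(self, user, resource, action) -> bool:
        """Preventive control: the mechanism checks the policy for each request."""
        allowed = False
        if user in self.sessions and user not in self.locked:
            role = self.accounts[user][2]
            allowed = (resource, action) in self.policy[role]
        self.audit_log.append((user, action, resource, "allow" if allowed else "deny"))
        if not allowed:
            self.denials[user] += 1
            if self.denials[user] >= DENIAL_ALERT_THRESHOLD:
                self.alerts.append(f"{user}: {self.denials[user]} denied requests")
                self.lock(user)
        return allowed

    def lock(self, user):
        """Corrective control: revoke the session and block further log-ins."""
        self.locked.add(user)
        self.sessions.discard(user)


def demo() -> dict:
    """Walk a clerk account through normal use and then through misuse."""
    rm = ReferenceMonitor(POLICY)
    rm.register("alice", "correct horse", "clerk")
    rm.register("bob", "battery staple", "admin")
    results = {
        "bad_password": rm.login("alice", "wrong"),
        "login": rm.login("alice", "correct horse"),
        "read_ledger": rm.request("alice", "ledger", "read"),
        # Outside the clerk role: each attempt is denied and recorded.
        "write_ledger": rm.request("alice", "ledger", "write"),
        "write_config": rm.request("alice", "config", "write"),
        "read_audit": rm.request("alice", "audit_log", "read"),
    }
    results["alerts"] = list(rm.alerts)
    results["locked"] = "alice" in rm.locked
    results["relogin"] = rm.login("alice", "correct horse")  # the lock holds
    results["admin_write"] = rm.login("bob", "battery staple") and rm.request("bob", "ledger", "write")
    results["denied_events"] = sum(1 for e in rm.audit_log if e[3] == "deny")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

<p>Running the module walks the clerk account through one read inside its role and three requests outside it; the third denial trips the alert and locks the account, so the next log-in fails even with the correct password, while the administrator’s legitimate write goes through. The audit trail holds every allow and deny, which is what an audit or a violation report is built from.</p>
<p>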
These three layers are discussed below:</p><ol><li>Access control policies state how access is to be managed: who is authorized to access the information, and under which circumstances it may be accessed. Policies may be based on resource use, competence, obligation, need-to-know or conflict-of-interest factors.</li><li>Models describe the security policy of the system formally. As such, models help identify theoretical vulnerabilities and limitations of a system, and they connect policy and mechanisms.</li><li>Mechanisms carry out (or refuse) a user’s request in accordance with the policy. A mechanism functions within the structure defined by the system, and may or may not be a direct implementation of the control policy.</li></ol><p>Controls also function at a number of different levels in a system: the hardware, the operating system, the middleware and the application. At the hardware level, access controls are provided by the processor, which controls which memory a process can access. The operating system creates resources (e.g. files, communications ports) and is responsible for allowing or limiting access to them. Middleware (for instance a database or web server) is written on top of the operating system and enforces further protection properties of its own. Finally, at the application level, the user may interact with a rich, complex security policy. Preventative, detective and corrective controls appear at each level of the system and build upon each other to mitigate and manage risks.</p><h3>Summary</h3><p>Access controls may be comprised of processes, tools and people, and are necessary for ensuring the confidentiality, integrity and availability of information. This article looks at the three main categories of access controls: preventative, detective and corrective. It defines each category of control, provides examples and discusses the ways in which these controls function to uphold the CIA triad for information security. 
Finally, the article looks at the ways in which the controls operate and interact at different levels of the system.</p><h3>Foundations Exam Preparation</h3><p>In preparation for the Foundations exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Access controls: preventative, corrective, detective (II.B.c.ii.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/08/17/access-controls/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Controlling and Managing Risk</title><link>https://www.cippguide.org/2010/08/10/controlling-and-managing-risk/</link> <comments>https://www.cippguide.org/2010/08/10/controlling-and-managing-risk/#comments</comments> <pubDate>Tue, 10 Aug 2010 12:00:21 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Information Security]]></category> <category><![CDATA[Common Risks]]></category> <category><![CDATA[Foundations]]></category> <category><![CDATA[residual risk]]></category> <category><![CDATA[risk]]></category> <category><![CDATA[risk management]]></category> <category><![CDATA[threat]]></category> <category><![CDATA[vulnerabilities]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=2025</guid> <description><![CDATA[<p>Risk management plays a crucial role in helping organizations protect and secure their information assets. Effective risk management programs are a significant component of any IT security program. This article will discuss the role of risk management, including the identification, assessment, prioritization and diffusion of risks.</p> Risks, Threats &#38; Vulnerabilities<p>Risk is often confused with other related terms and concepts. The lines between risks, threats and vulnerabilities are sometimes confused. Further, the terms “risk assessment” and “vulnerability assessment” are frequently used interchangeably, though they have very different applications.</p><p>The term “risk” is defined as the impact that could result from vulnerability, or the [...]]]></description> <content:encoded><![CDATA[<p>Risk management plays a crucial role in helping organizations protect and secure their information assets. Effective risk management programs are a significant component of any <a
href="http://www.cippguide.org/tag/infosec/">IT security</a> program. This article will discuss the role of risk management, including the identification, assessment, prioritization and diffusion of risks.</p><h2>Risks, Threats &amp; Vulnerabilities</h2><p><a
href="http://www.cippguide.com/tag/common-risks/">Risk</a> is often confused with related terms and concepts: the lines between risks, threats and vulnerabilities are frequently blurred. Further, the terms “risk assessment” and “vulnerability assessment” are often used interchangeably, though they have very different applications.</p><p>The term “risk” is defined as the impact that could result from a vulnerability being exploited, or more generally as the effect of uncertainty on an organization’s objectives. That effect can be positive or negative. In this context, risks generally affect the integrity, confidentiality and availability of information. Risk takes in the probability of being targeted by an attack, the likelihood that the attack will succeed and the impact if it does. Risks may arise from economic uncertainty, project difficulties, legal liabilities, accidents or natural disasters.</p><p>The process of risk management identifies risk, assesses it and considers methods by which to reduce it. Risks are related to threats and vulnerabilities, as discussed below: a risk is a function of the likelihood that a threat will exercise a particular vulnerability and of the resulting impact.</p><p>Threats are the source, as well as the means, of a particular attack. Threats may be grouped into three categories:</p><ol><li>Natural: natural disasters such as earthquakes, avalanches, tornadoes, electrical storms, etc.</li><li>Human: events enabled or caused by people, whether unintentional (an operator error) or deliberate (e.g. network-based attacks, malware uploads, unauthorized access to sensitive information).</li><li>Environmental: long-term power outages, pollution, liquid leakage, etc.</li></ol><p>Threat assessments are carried out in order to identify the best practices for protecting a system against a specific threat or group of threats. Threat analyses result in the development of security policies that reflect realistic implementation needs.</p><p>Vulnerabilities are the security flaws in a system that would allow an attack to succeed. Vulnerabilities may be technical, or may arise from process and policy weaknesses, such as a weak authentication process or a poorly defined authorization policy. Vulnerability testing is one way to identify and resolve these weaknesses. It also provides data that reveal previously unconsidered threats, so that the weaknesses they would exploit can be corrected. Vulnerability testing enables an organization to maintain and update its security programs and respond efficiently to new threats as they arise. Testing also contributes to policy and technology development for the organization: for instance, it can help shape the technology selection process and reduce unnecessary expenditure.</p><h2>Risk Assessment is…</h2><p>In basic terms, risk assessment refers to the process of identifying and classifying risks, determining their probability and associating <a
href="http://www.cippguide.org/2010/07/22/access-controls/">controls</a> with each risk. Such assessments help organizations determine which risks must be addressed first. Risk assessments identify the most critical as well as the most likely dangers, and evaluate risks against each other in terms of the cost of control and the probability of occurrence. Risk assessment focuses on the following core areas:</p><ul><li>Scope</li><li>Data collection</li><li>Analysis of policies and procedures</li><li>Threat analysis</li><li>Vulnerability analysis</li><li>Correlation and assessment of risk acceptability</li></ul><p>There are two main types of risk assessment: qualitative and quantitative. Qualitative risk assessment looks at the severity, impacts and mitigation plans for each risk, rating the probability and impact of each on a scale such as high, medium and low. Such assessments depend on the quality with which risks are registered and kept up to date over the course of a project, and the information recorded is reused in future projects. Qualitative risk assessment can also serve as the basis for a quantitative one.</p><p>Quantitative risk assessment expresses risk in numbers: statistics, dollar values and formulas. In a project setting it is used to judge whether the project can be completed within a given time frame and budget; for instance, a quantitative assessment may look at important project parameters, the project success rate, the viability of alternatives and more.</p><p>Security management depends on the basic risk assessment formula:</p><p><strong>risk = threats x vulnerabilities x impact</strong></p><p>In the above equation, threat is a frequency (how often the threat is expected to act), vulnerability is a yes/no value (whether the threat can actually succeed against the system) and impact is the cost, or dollar amount, of one occurrence. Because the factors are multiplied, if any one of them (threat, vulnerability or impact) is zero then the risk is also zero. This formula is especially important when trying to distinguish the concept of risk from other closely related concepts. Thus, any statement of risk must include all three components: threat, vulnerability and impact.</p><p>For there to be any level of risk, all three of threat, vulnerability and impact must be present. In most situations it is impossible to say that there is absolutely no threat or vulnerability, so it is necessary to measure each component separately. Arguably, the first component to address is vulnerability, as it is usually the area over which an organization has the greatest control.</p><h2>Risk Assessment is not…</h2><p>Risk assessments evaluate risks by considering vulnerabilities and uncertainties. However, risk assessments are often confused with threat assessments, vulnerability scanning, penetration testing and security reviews. These concepts and their applications are discussed and differentiated below.</p><p>Threats are the source of, or the means by which, an attack may be carried out. Threat assessments determine the best approach for protecting a system from threats. Threat assessments concentrate on analyzing the attacker’s resources, while risk assessments analyze the potential for the organization’s resources to become the focus of an attack.</p><p>Penetration testing exercises the threat profile against the real system, in order to develop responses to potential attacks. There are two main categories of penetration testing: testing with knowledge and testing with zero knowledge (also called white-box and black-box testing). In a knowledge test, the tester plays the role of an employee and has basic access to and knowledge of the network and systems. In a zero-knowledge test, the tester simulates an external attack and has no prior knowledge of the systems or network.</p><p>Vulnerability scanning examines all the devices on a network for known weaknesses. It is important for organizations to run their own vulnerability scans, as the same scans are used by attackers to gather information about, or gain access to, a network; this kind of information gathering is also referred to as network reconnaissance.</p><p>A security review may be conducted in order to determine how an organization should protect its information resources and assets. An <a
href="http://www.cippguide.com/tag/information-security/">information security</a> strategy should result from the security review. The review generally consists of three steps:</p><ol><li>Identify and classify assets that are held or managed by the organization.</li><li>Identify vulnerabilities that may put these assets at risk.</li><li>Identify controls that can address the vulnerabilities.</li></ol><h2>Controlling &amp; Managing</h2><p>Risk mitigation refers to strategies for reducing risk to the organization’s objectives. While it may not be possible to address all threats, it is important to prioritize the possible threats according to the potential harm a threat may cause. In order to do so, an organization may apply any of the following strategies:</p><ul><li>risk assumption: accept the risk, but attempt to lower it to a tolerable level</li><li>risk avoidance: avoid the risk through elimination of the cause</li><li>risk limitation: limit the risk by introducing controls that minimize harm</li><li>risk planning: create a risk mitigation plan to prioritize, limit and maintain control</li><li>risk transference: transfer risk by finding other ways to compensate for losses (e.g. insurance)</li></ul><h2>Residual Risk</h2><p>Residual risk refers to the risk that remains after new or enhanced controls have been implemented. No control can successfully reduce the risk of a system to zero, since there is no risk-free system. There must always be some residual risk. This is determined through the formula:</p><p><strong>Inherent Risk – Control = Residual Risk</strong></p><p>In the formula above, inherent risk refers to the amount of risk linked to the activity itself. “Control” refers to the amount of risk that a specific control mitigates. 
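</p><p>The two formulas, risk = threats x vulnerabilities x impact and inherent risk – control = residual risk, are easiest to see worked through over several risks at once. The following Python script is an added example written for this page, not code from the original article; its scenarios, threat frequencies, dollar impacts and control costs are made up for the demonstration. Each control acts on one term of the formula (training lowers the threat frequency, backups cut the impact, patching removes the vulnerability), so the residual risk is the same formula recomputed on the controlled scenario, and the gap between inherent and residual risk can be set against the control’s cost. The script carries vulnerability as a value from 0.0 to 1.0 rather than a strict yes/no, which reduces to the article’s reading at the two end points.</p>

```python
"""risk = threats x vulnerabilities x impact, and inherent risk - control = residual risk,
worked over a set of constructed scenarios.

Added example for illustration; not code from the original article. The threat
frequencies, dollar impacts and control costs are made up for the demonstration.
Vulnerability is carried as a number from 0.0 (not exploitable) to 1.0 (exploitable),
which reduces to the article's yes/no reading at the two end points.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_per_year: float   # threat as a frequency: expected attempts per year
    vulnerability: float     # 1.0 = an attempt succeeds, 0.0 = it cannot
    impact: float            # cost in dollars of one successful occurrence


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    threat_factor: float = 1.0          # multiplies threat frequency (0.5 halves it)
    vulnerability_factor: float = 1.0   # 0.0 means the flaw is removed entirely
    impact_factor: float = 1.0          # multiplies the loss per occurrence


def risk(s: Scenario) -> float:
    """Expected annual loss; any zero factor makes the whole product zero."""
    return s.threat_per_year * s.vulnerability * s.impact


def apply_control(s: Scenario, c: Control) -> Scenario:
    """The scenario as it stands once the control is in place."""
    return replace(
        s,
        threat_per_year=s.threat_per_year * c.threat_factor,
        vulnerability=s.vulnerability * c.vulnerability_factor,
        impact=s.impact * c.impact_factor,
    )


def residual_risk(s: Scenario, c: Control) -> float:
    """inherent risk - (risk the control removes) = residual risk."""
    return risk(apply_control(s, c))


def control_value(s: Scenario, c: Control) -> float:
    """Risk reduction minus the control's cost; negative means it is not worth buying."""
    return (risk(s) - residual_risk(s, c)) - c.annual_cost


def prioritise(scenarios) -> list:
    """Rank by inherent risk, highest first, as a risk assessment would."""
    return sorted(scenarios, key=risk, reverse=True)


# Constructed scenarios.
SCENARIOS = [
    Scenario("phishing of staff", 12.0, 1.0, 5_000.0),
    Scenario("ransomware outbreak", 0.5, 1.0, 200_000.0),
    Scenario("unpatched web server", 4.0, 1.0, 50_000.0),
    # The site is on high ground: the threat exists but the vulnerability is zero.
    Scenario("river flood at data centre", 0.01, 0.0, 1_000_000.0),
]

# Constructed controls, each aimed at a different term of the formula.
CONTROLS = {
    "phishing of staff": Control("awareness training", 8_000.0, threat_factor=0.5),
    "ransomware outbreak": Control("offline backups", 15_000.0, impact_factor=0.25),
    "unpatched web server": Control("patching", 2_000.0, vulnerability_factor=0.0),
    "river flood at data centre": Control("flood barrier", 50_000.0, threat_factor=0.1),
}


def assess() -> dict:
    """Inherent risk, residual risk and control value for every scenario, in priority order."""
    out = {}
    for s in prioritise(SCENARIOS):
        c = CONTROLS[s.name]
        out[s.name] = {
            "inherent": risk(s),
            "residual": residual_risk(s, c),
            "value": control_value(s, c),
        }
    return out


if __name__ == "__main__":
    for name, r in assess().items():
        print(f"{name:28} inherent ${r['inherent']:>10,.0f}  "
              f"residual ${r['residual']:>10,.0f}  control value ${r['value']:>10,.0f}")
```

<p>Two points the numbers make: the patch is the cheapest control and removes the largest risk outright, which is the article’s argument for addressing vulnerability first; and the flood barrier has a negative value because the flood scenario has a zero vulnerability term, hence zero risk to reduce, however large the impact figure looks on its own.</p>
<p>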
Controls can help to mitigate risk by:</p><ul><li>Reducing the number of flaws or errors in the system</li><li>Adding a targeted control</li><li>Reducing the magnitude of impact</li></ul><h3>Summary</h3><p>This article discusses risk, risk identification, risk mitigation and risk management. Risk is determined through the basic formula: risk = threats x vulnerabilities x impact. The article also discusses and differentiates closely related concepts, such as threats and vulnerabilities, and then compares risk assessment with threat assessment, vulnerability scanning, penetration testing and security reviews. Despite the implementation of controls to mitigate risk, some risk always remains in a system. This is known as residual risk and is determined through the formula: inherent risk – control = residual risk.</p><h3>Foundations Exam Preparation</h3><p>In preparation for the Foundations exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Information risk management (I.B.)</li><li>Privacy impact on organizational risk (I.B.a.)</li></ul>]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/08/10/controlling-and-managing-risk/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> </channel> </rss>