Chapter 12: Technology Privacy and Security
What We’ll Cover >>>
- Technology Privacy and Security Concepts
- Privacy on the Internet
- Security on the Internet
- Internet Ethics
- Cyber Threat Prevention
- Information Security in the Workplace
- Special Concerns
This chapter focuses on privacy and security related to technology – computing and the Internet. Some of this has been touched on in other chapters as was relevant to that chapter. This chapter is an overview of privacy and security overall, including tips and techniques for managing your own.
For instance, during the drafting of this course textbook:
- A ransomware attack hit the author’s college workplace during Winter Quarter (finals) week, which had potential effects on the student population’s access to communications, final project materials, due dates, end-of-quarter transcript updates, and stress levels.
- The author’s data security vendor sent information about a possible data breach, which had potential effects on the author’s secure identity information.
- An online sandbox/MMO game that the author enjoys had a server hacked and corrupted which required a several-play-days rollback to correct. On another server new players used hacking code broke into player bases to steal everyone’s hard-won assets – just for kicks.
Because of the nature of online access to information and data, and contributed to by human nature, online lives have exposed users to unprecedented risks and areas of concern about how their own information and property is secured and used.
Technology Privacy and Security Concepts
- Privacy in technology / computing / Internet has to do with user information and how it is accessed, used, protected, bought and sold, and sometimes abused.
- Security in technology goes to an additional level. Not only do users need to be aware of, and careful about, their own private data, they also need to deal with insecurity in the computing and digital equipment and resources. Sometimes there is a fine line between privacy intrusion and outright security risks on data.
Privacy on the Internet
Personal data has become a commodity, even with users reading disclaimers and signing off on forms regarding apparent acceptance of data use. In many ways every day, a user’s right to privacy and control over their own information has been lost, byte by byte (yes, a pun). Laws are barely keeping track, much less offering and standardizing user control, protection, and full disclosure / opt-out.
- Browsers capture information: Searches and search results, and about which results were clicked and reviewed. Cookies indicate what sites were visited and what a user did. Addresses, payment info, and passwords can be recorded. Looking up a subject can be get linked on online retailers that start showing personalized ads for a related product or sending emails.
- Computer usage: Leaves traces about the computer, the identity of the computer user, and the applications/resources on the computer. Computer users have accounts for the computer and many applications on it. The hard drive is full of personal data, like documents, homework, music, pictures, game settings, and application preferences. The computer also stores logs of usage: times, dates, prioritized systems, and more.
- Internet resource visits: Information is picked up about the user. How many hours did a user play a game through Steam? How many calls and chats did a user make with a technical problem? Downloads and uploads are logged by applications and the affected servers and processes. How long was a user on a website and which pages were visited? What was purchased and how was it paid for? Is there a chat log of the transactions?
- Internet usage: Our usage leaves traces. Emails carry information about the sender, as well as the email content. Having online accounts for bills provides surface info that hackers try to use to get direct contact with a user. Any communication application logs dates, times, what, how, etc. Cameras and microphones pick up traces during meetings and streams.
- Real-life activities: In the presence of electronic devices, real-life has also been affected. Persons can find themselves directly or indirectly captured on smartphones then find themselves on someone’s social media. Social media itself encourages quick and responsive behavior to offer entertainment and drama, while the evidence may never leave the records of the web. Some crimes are captured by cell phone; people’s behavior in street protests are caught on camera and broadcast on the web.
- Workplace and public services portals: Pick up times, dates, and length of usage in the workplace and for the use of services.
Much of this was designed to improve speed, offer convenience, and personalize settings and options for users, such as for personal news aggregators or dashboards of favorite entertainment. Much was also enhanced and accelerated by vendors trying to increase sales, decrease their advertising costs, and make getting users to part with their money much easier and more routine.
Web Browser Cookies
Web browser cookies are a small text file that records information about a user’s visit to a website. The next time the user returns to the website, the browser reads the cookie file. Similar to a fortune cookie, a browser cookie contains a small amount of text or a message.
- Cookies aren’t malicious, and don’t harm a computer like malware potentially can.
- Cookies help customize web pages for future interaction.
- Cookies don’t steal information; they only know what the user does on the website.
- Cookies don’t have the ability to look at other files on a computer to access information.
- First party cookies are created by the website the user visits.
- Third party cookies are created when the visited website temporarily redirects the user to a cookie tracking website.
Third party tracking cookies are considered a privacy issue, and government legislation has made many websites obtain your consent before they use a cookie on a site you visit. Currently, almost every commercial website immediately seems to pop up a ‘cookies acceptance’ alert.
Identity Security issues
Reports of data security breaches and cybercrime occur frequently. There is real-life damage that can and does happen when personal data is insecure.
- Cyberstalking: Use of electronic means to stalk, terrorize, harass, or otherwise control an individual, a group of individuals, or an organization.
- Cyberterrorism: Scams and attacks that are part of an organized effort by cyberterrorists and/or foreign intelligence services. Can include cyber warfare.
- Fraud: Unscrupulous people use data about you online to target you for phishing scams, access your money, and to commit other crimes.
- Harassment: Directed obscenities and derogatory comments at specific individuals focusing on gender, race, religion, nationality, sexual orientation, etc. May include actual specific threats.
- Identity Fraud/Theft: Stealing or using someone’s identity in order to access resources, information, obtain credit, and/or steal finances or other benefits in that person’s name. Identity fraud victims often do not know how their personal information was obtained – through malware, cyber attacks, skimming financial card info, finding published user information and privacy details, etc.
- Identity Security: The security and protection of your identity, accounts, and finances from intentional misuse and crime by others. Identity security is different from identity privacy (personal information shared/sold), although they have some overlap in effects to you.
- Skimming: Occurs when devices illegally installed on ATMs, and other payment card-access devices capture data or record cardholders’ PINs. The data can be used to create fake debit or credit cards and steal from accounts.
Security on the Internet
While sharing information about security issues below, one important thing to note is that a user can protect their information security (and privacy) best by being aware, careful, and investing time in being diligent rather than being focused on convenience, speed, social acceptance, and open access.
Contextual situations
- Communications: Communications is an area in which the user has to take as much control as possible in order to boost privacy and security. Any of the standard home tools, and expectations of workplace and transaction business tools being in play are likely not enough. A user needs to take more control over their own outgoing information, their own communication and access habits, and their own equipment and information management. Choosing quality and highly reputable programs, equipment, tools, and services can help minimize the issues that can come up with newer, more casual, and revolving-door type of service/product use.
- Email: Minimize the amount of personal information you keep in an email program. Have a professional-oriented attitude about outgoing emails. Avoid clicking email links, attachments, ads, and URLs. Assume that any email asking for personal information of any kind may be a scam.
- Geolocation: Geolocation is the ability of a computing device to know a user’s location. ISPs can determine the location of the user’s computer, and smartphone service providers can trace cell tower locations. When a user approves a device’s OS ability to share a location, that can become the default. While GPS can make using a map on the road more convenient, it also makes finding the user on the road easier.
- Home/Personal: Security can begin with equipment. While equipment can come with default security options, and many manufacturers make continued investments in upgrading security tools and applications, users might not take full advantage. This is in part because some security measures also intrude on the user – the speed of booting up the computer, the waiting to log in, the remembering of many passwords, the pausing of outgoing emails. In addition, many of the OS provided options are generalized, which isn’t bad, yet likely not enough.
- Social media: Over the past few years, many users have learned that social media is not a friend. It may add drama, spice, a place in social hierarchy, and a sense of connection to life. At the same time, any video, chat, messaging, meming as a message, political and personal opinions, and a lot of bad behavior is also out there.
- Streaming: A user who is a streamer may thrive on attention, a casual social presence, and divulging personal information as part of the show. Anything you divulge, film, and tell is out there. Likely for always.
- Transactions: Organizations that provide transactions – financial, health, retail, government services – also have to have the kind of IT department services and expectations. Companies that have insecure financial transactions, poorly designed customer/product databases, and data breaches face legal issues, loss of customers, and a potential drop in market share that impacts portfolios and the company’s own financial status.
- Workplace: In a workplace, the employer needs to worry about employee data, customer information, intellectual property, hardware security, software vulnerabilities, data breaches, and the behavior of the employees. For instance, employees using personal cell phones on the employer’s wireless network can pass malware. Employees can open work computers to malware during gaming breaks, doing personal business at lunch, downloading non-work files, and so on. Employee emails can be phished from outside senders. Work files accessed from home for home-office work may be vulnerable to the employee’s computer or network weaknesses.
MedAttrib: Reese Wang (CC BY-NC-SA 4.0). Insecure data.
Common Internet security issues
- Computer virus: A computer virus is a specific type of malware that is designed to replicate (copy) and spread from one computer to another. It can make a copy of itself over and over again, and spread between computers through email attachments, removable storage devices, and infected downloads. It can damage a computer by corrupting system files, sending spam, stealing data and personal information from the computer, destroy data, and/or delete everything on a hard drive.
- Hackers: A hacker refers to a person who can gain unauthorized access to (break into) a computer or a network to commit crimes, like:
- Hijack usernames and passwords.
- Gain access to personal information (credit card numbers, bank account, Social Insurance Number, etc.).
- Steal, change, exploit, sell, or destroy data.
- Damage or bring down the system.
- Hold the system hostage to collect ransom.
- Malware: Malicious software (Malware) is designed to damage, disrupt, or infect computers. It refers to different types of safety threats like a virus, Trojan horse, worm, spyware, etc. Malware can gain unauthorized access to a computer and continuously work in the background without the owner’s knowledge, causing either immediate damage or damage over time (DOT – gamers should get that reference).
- Phishing: Phishing is a common attempt to scam information. Deceptive emails or websites can try to obtain valuable personal information like a user’s username, password, account number, social security number, and credit card information. It is problematic because an email may seem to be by a product or service provider a user actually works with, like a retail store or utility company. It also may suggest some urgency that the user needs to solve a problem, like a declined credit card or some change in the user’s account status that needs to be handled through email. It is like the email version of scam phone calls. Sometimes a text can be sent to your phone that behaves the same way.
- Spyware: Spyware is a form of software that secretly monitors (spies) on user’s online behavior and gets sensitive information about a person or organization without the user’s knowledge. It can record a user’s Web browsing habits, email messages, keystrokes on online advertisements, and personal information. Then it can forward that information to a third party. For instance, advertisers can use spyware/adware to target specific ads to a user’s preferences. Spyware can also collect financial information (banking accounts, credit card information, password, etc.), then forward it as a data breach so your accounts can be accessed.
- Trojan horse: A Trojan horse (Trojan) is a type of malware that seems harmless but can cause harm to a computer system. It misleads users of its true intent, like claiming it can to get rid of viruses while actually introducing viruses onto the computer. A Trojan can take the form of innocent-looking email attachments, downloads.
- Worm: A worm is similar to a virus in its spread. However, a worm does not require human action to replicate while a virus does. A virus spreads when a user opens an affected file whereas a worm spreads without the use of a host file.
Internet Ethics
Several things are considered unethical:
- Trying to gain unauthorized access to the resources of the Internet.
- Disrupting the intended use of the Internet.
- Destroying the integrity of computer-based information.
- Compromising the privacy of users.
ACTION: Quick Task – Personal Internet Ethics Questions
- Is it ethical to download music and videos?
- Are Peer-to-Peer sites/resources ethical?
- Is it ethical to repurpose images, text, and media you get from the Web?
- Is it ethical to use employer internet resources for personal items?
Internet Ethics Considerations
In personal usage, you also need to consider the ethics of several things:
- Location, time, and amount of surfing that is not on your own time.
- Types of surfing and saving of information – porn, illegal downloads, selling information or work of others.
- Inappropriate use of email and other communications.
- Defamation of other people’s reputations and information, libel and slander.
- Creating false and inaccurate personal profiles for yourself in order to mislead others.
- Understanding the technology and internet policies of your workplaces and school.
- Appropriate use and citation of Internet resources, like text, images, and media.
Cyber Threat Prevention
Home/Personal
Security can begin with equipment. While equipment can come with default security options, and many manufacturers make continued investments in upgrading security tools and applications, users might not take full advantage. This is in part because some security measures also intrude on the user – the speed of booting up the computer, the waiting to log in, the remembering of many passwords, the pausing of outgoing emails. Computers tend to come with a few basics:
- Browser firewall: The default browser that comes wrapped with a computing device’s OS can have a panel for setting some browser security choices.
- Default system/hidden files protection: An OS can default to keeping system and hidden files inaccessible to any user but the computer’s administrator, and require that admin to respond to every attempt.
- Internet security settings: The computer may come with basic Internet security settings for the user to select.
- Login PIN / other options: Computers can have a mandatory login process, with a password, or PIN, and/or optical or fingerprint recognition.
- Network firewall: Computers can have a protocol to allow/disallow network connections.
- OS Virus protection: An OS may come with some level of virus protection, which the user can schedule as part of regular maintenance.
- Updates: An OS, and other computer programs, can have an update alert when a software or hardware update has been offered and needs to happen. Updates can add more security protocols, may add more data to virus definition files, and may help equipment be more imperious to tampering.
- User account control: The controls for user accounts can let a user be an administrator, set limits to other users who share the machine, and add extra protections for children.
A home computing device may come with a number of default security options, but they are just starting points for a user’s computer. They may little effect on a user’s programs, access to and use of Internet resources, personal and private data, in-the-moment virus and hacking problems, and so on. They may offer some coverage for the one computer, but not synchronized devices. They may not be able to support much from email or ad-delivered malware. They can’t defend against other users that prioritize invading and abusing people’s computing devices, information, files, work products, and personal life data.
Additional security options
Good Internet hygiene is a must. This means creating and maintaining a routine of actions to protect your data and equipment. It means developing practices that put privacy and security above convenience, casual speed-oriented activity, and being accessible to anyone who asks. Consider:
- Avoiding download sites that specialize in free files, pirated files, or promised free downloads.
- Avoiding clicks on ads and free games.
- Backing up files and storing them in different locations.
- Clearing browser history, cookies, cache, and temp files.
- Creating secure and strong password protocol.
- Deleting suspicious/unknown emails.
- Ignoring / not responding to any pop-up windows. A user’s response is what can initiate the scam / intrusion, not the pop-up or urgent message itself.
- Not opening links, images, attached files, or forms in emails.
- Not responding to any personal data requests in emails.
- Using a specialized virus / security application designed to clean a computer, prevent intrusions, and quarantine questionable files.
- Using a backup service that protects data on its own server in case the user needs to recover data for a compromised computer.
- Using an online security service designed for information protection, both personal data and financial resources.
ACTION: Quick Task – Personal Internet Security Questions
- What do you currently use to check for computer viruses?
- What do you think of the risks of clicking on an ad or image of something appealing when a friend sends it to you?
- Is it safe to use websites designed to give free games or that promise faster downloads of content you want?
- Should you ever give any personal financial or security information out in response to an email from one of the services you pay bills to?
Browser security
Browsers have an option to change to a private browsing mode. This can be useful in a workplace at lunch, at a public location, and when doing personal transactions like banking. Different browsers have slightly different names for the private browsing mode:
- Chrome: Incognito
- Edge: InPrivate
- Firefox: Private
- Safari: Private
For each of these browsers look for three dots, three lines or a new window tab near the top right corner of the browser, clicking on this will open a menu, and then a new window in a private browsing mode.
The private browsing mode in the popular browsers provides some extra security in that web history is not saved on the computer being used; however, the IP address is still trackable. For an extra level of anonymity, there are browsers designed for private browsing which hide history, mask the IP address and physical location, and can be encrypted to increase anonymity.
Information Security in the Workplace
In the workplace, an employer will use an Information Technology (IT, other acronyms) department/team of some kind which specializes in assessing and maintaining workplace privacy, security, and work product protection. An IT department is responsible for:
- Accounts: employees, external users and customers.
- Company website and Internet services support.
- Data loss prevention.
- Equipment/infrastructure upgrades and security applications.
- Internet access authentication and encryption processes.
- Intrusion detection and prevention.
- Malware and virus prevention.
- Network firewall.
- Preparation against cybercrime.
- Security event management.
- Software management of licenses.
- Storage of data.
- Technical support for employees and sometimes customers.
Special Concerns
What kind of privacy rights do employees have in the workplace? What is the workplace is in the home office although using the employer’s network and data?
Employers need to balance legitimate business interests with employees’ legitimate privacy expectations. Decisions need to be legally sound, transparent, well communicated, and invite discussion. It needs to consider employee conduct, the employment setting, and an employee’s expectation of privacy.
Employee
Employees have a right to keep private facts confidential, such as home life issues, health, finances, religion, politics, partners, social media accounts, use of private time, etc. They also expect that their own property, like personal phone, personal calendar, auto, and personal computer (if applicable) falls under a right for privacy. They expect that their break time, lunch time, time away from the workplace, holidays, and weekends belong to them. They expect that personal leave and the appointments they need to keep are part of their right to privacy. They expect reasonable space from monitoring and scrutiny, and other invasive behaviors on behalf of the employer. Other than a general credit and pre-employment check, employees need respect for their privacy. They expect if there will be changes in policies, they should get sufficient notice and opportunity to adapt.
Employees also have various legal expectations:
- Americans with Disabilities Act (ADA)
- Fair Credit Reporting Act (FCRA)
- Family Educational Rights and Privacy Act (FERPA)
- Family and Medical Leave Act (FMLA)
- Federal Wiretap Act (FWA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Labor-Management Relations Act (LMRA)
- National Labor Relations Act (NLRA)
While each of these laws establishes requirements and standards for employers, there is one commonality to substantiate a claim for a violation of an employee’s right to privacy: For an employer’s conduct to be actionable, it needs to amount to a highly objectionable or offensive act.
Employer
No matter what an employer’s policy is about privacy and company security, the employer has a responsibility to be transparent, current, and respectful about the policies and procedures with employees. At hire, as modifications happen, at annual reviews, and as part of annual refresher trainings, an employer would be most transparent by refreshing privacy and security policies in simple, respectful, and employee-facing methods. The policies should also be available in Human Resources and posted in a group employee setting, like a lounge or cafeteria, as OSHA requirements, Minimum Wage information, and other employee-related information already is. If the employer has an intranet for employees, policies should be readily accessible there for viewing and print; if no intranet is in place, then a segment of the company website should post it. A policy manual should be provided to employees, as well.
In addition, if there are specific computing concerns and policies, a short reminder message should be part of the company computer boot-up / in-company network.
An Employee Privacy Policy is a document that employers can use inform employees about personal data usage. It should be transparent, and clearly stipulate instances in which an employee should not assume their data and communications are private. These could include:
- Basic video security for common areas for the safety of the workplace and employees.
- Behaviors that affect data and equipment security.
- Behaviors that indicate poaching of customers, vendors, or other resources.
- Communications that are transmitted on company-owned equipment.
- GPS tracking of company vehicles.
- Monitoring/tracking of actions like accessing the network and work with company assets. doing
- Use of company equipment, time, and resources for personal use and projects.
- Use of company vehicles and machines, in the office and/or at a home office.
- Use of timesheet / time-keeping methods for confirming work activity.
ACTION: Quick Task – Personal Employment Resources Security Questions
- Should you use company computers for private use, even if it is just at lunch or on a break?
- Should you use a company vehicle for any private business, even while on a break?
- Should you assume that any email you send out on an employer’s system is private to only you?
Privacy Intrusions
There are intrusions that can trigger liability for employers under state and federal law. These include:
- Appropriation of employee’s name/likeness.
- Giving employee information out for non job-related reasons.
- Inappropriate intrusion on employee’s personal space.
- Publicity of employee’s private life.
- Publicity which distorts the employee in the public eye.