Privacy / Level 2 / Correct answers

Scenario 1

Private browsing is a feature available in all major browsers. Web browsers normally store browsing history, web pages visited, images, videos etc., within the browser’s cache. However, when private browsing is enabled, the browser history is no longer stored in the cache and cannot be recovered.

However, does private browsing fully ensure that no one is able to know what you did online?

Answer:

Private browsing only protects me from people with physical access to the computer. Private browsing offers you privacy at the local level only. Many organisations including your Internet Service Provider (ISP), but also the providers of the web pages you visit (e.g. social networks), are still able to know what you did online.

Scenario 2

With mobile devices such as tablets or smartphones, it appears that companies are often able to know where you are and what you are doing. You are concerned about these issues since you would like to fully use your devices, but without being tracked or monitored besides the default monitoring on the GPS / Internet Service Provider network. However, you are also unsure about what you can do to protect yourself.

A possible solution could be to…

Answer:

Deactivate the active components of your device. Unfortunately, this is the incorrect answer. While the device will not transmit information in ‘flight mode’, you will also not be able to make or receive calls, for example, and ultimately you won’t really be able to use your device. A relevant suggestion is to deactivate all the active components of your device. You can equip your device with functions that allow you to stop any unwanted background communication of personal data to service and application providers.

Scenario 3

Privacy-by-Design is an approach that promotes privacy by ensuring that data protection safeguards are built into products and services from the earliest stage of software development. Traditionally, however, software engineering has had limitations in building technologies that ensure privacy by design. The ENISA report Privacy and Data Protection by Design considers two main reasons why traditional software approaches have limitations in Privacy-by-Design. The first reason is the lack of awareness of developers and data controllers.

What is the second reason?

Answer:

The lack of appropriate tools to realise Privacy-by-Design. Indeed, this is the second reason the ENISA report gives for why traditional software engineering approaches have limitations in Privacy-by-Design. It is therefore important that tools become more available to the software engineering community. The need for Privacy-by-Design is also addressed by the European Commission in their new proposal for a General Data Protection Regulation. For more information, see the ENISA report Privacy and Data Protection by Design: https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-and-data-protection-by-design

Scenario 4

‘Personal data can only be gathered legally under strict conditions for a legitimate purpose. Furthermore, persons or organisations which collect and manage your personal information must protect it from misuse and must respect certain rights of the data owners which are guaranteed by EU law’ (http://ec.europa.eu/justice/data-protection/). While this applies to any form of data collection, including physical collection, it has a huge impact on Internet users with the increased use of digital data storage and transmission.

The specific fundamental right protecting you against such misuses is called…

Answer:

The right to the protection of personal data. 

This is the correct answer: ‘common EU rules have been established to ensure that your personal data enjoys a high standard of protection everywhere in the EU. You have the right to complain and obtain redress if your data is misused anywhere within the EU’.

http://ec.europa.eu/justice/data-protection/

These rights are described in the Charter of Fundamental Rights of the European Union. See in particular Article 8 on the protection of personal data and Article 7 on the Respect for private and family life (“privacy”).

http://www.europarl.europa.eu/charter/pdf/text_en.pdf

Another relevant source is the OECD Privacy Guidelines:

http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf

Scenario 5

Cloud storage is a way to keep your files saved on third-party services over the internet. Common examples are Hubic, Dropbox or Amazon Cloud Drive. Today you have created an account with a personal cloud storage service to store your photos, documents, videos, and files. When you created the account, you wanted to find out how your provider keeps all of your files secure and private.

What kind of document would you look for?

Answer:

Privacy Policy. Your cloud provider should document and explain on their website how they collect and use your information when you use their service. There will be a document, often referred to as a Privacy Policy. The provider should explain exactly what data they collect about you, why, and what they do with it.

The document should also clearly explain who they share this information with and for what purposes, for example third parties to provide, improve, protect, and promote the services.

For an introduction to cloud computing and protecting your data and privacy in the cloud, read the following report written by the Information Commissioner's Office (UK): https://ico.org.uk/for-the-public/online/cloud-computing/

Scenario 6

Internet users are increasingly being tracked and profiled: this is the practice of tailoring online content, especially advertisements, to visitors based on their inferred interests, or ‘profile’. For example, a like button (such as the one employed by Facebook) tracks users across sites; each time a user visits a site that contains a Facebook ‘Like’ button, the social networking site is informed about it even if the user does not click on this button.

You can activate an option that limits this profiling in your web browser. This is called…

Answer:

‘Do not track’ option. All major commercial web browsers offer a do not track option, which is a combination of technical and policy aspects. The do not track option allows you to opt out from being tracked by websites. While the do not track option offers a way of being tracked less in some instances, there is no real solution at the moment. Some further tools to consider are Ghostery (https://www.ghostery.com) and JavaScript Blocker (http://javascript-blocker.toggleable.com/).

More in these ENISA publications:

https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-considerations-of-online-behavioural-tracking

http://spectrum.ieee.org/computing/software/browser-fingerprinting-and-the-onlinetracking-arms-race#

Scenario 7

These days, authorities often insist that users should be informed that any information they publish never disappears from the Internet and that this information might eventually be used for undesired purposes. The European Union has recently introduced the idea of a new right for protecting the users from these scenarios.

This new proposed right is called…

Answer:

The right to erasure. The right to erasure (previously termed the ‘right to be forgotten’) means that ‘when you no longer want your data to be processed and there are no legitimate grounds for retaining it, the data will be deleted. This is about empowering individuals, not about erasing past events or restricting freedom of the press’. http://europa.eu/rapid/press-release_MEMO-14-186_it.htm

Scenario 8

Privacy-by-Design is an approach to protection of privacy that relies on having privacy protection embedded in technologies rather than just in legal documents such as Privacy Policies.

Which of the following is a fundamental and well established Privacy-Enhancing Technology?

Answer:

Encryption. This answer is the correct one. Encryption is a mature, widely adopted and relatively simple to apply Privacy-Enhancing Technology. Encryption: the process that makes data thereby protecting it against unauthorized access.

For a simple introduction to Privacy-Enhancing Technologies, see the following article from the International Association of Privacy Professionals:

https://privacyassociation.org/news/a/2008-05-introduction-to-privacy-enhancing-technologies/

You can also consult the ENISA report Privacy and Data Protection by Design: https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-and-data-protection-by-design

Scenario 9

Cloud storage is a way to keep your files saved on third-party services over the internet. Common examples are Hubic, Dropbox or Amazon Cloud Drive. You have been using your personal cloud storage to back up photographs, but you are considering storing documents, and some may contain personal information that you would like to keep secure and private.

What steps can you take to ensure that this happens?

Answer:

Encrypt files yourself. This is the correct answer. The first question to ask is what kind of personal information is involved: names or email addresses in documents would be fine, but storing any type of personal information for yourself or anyone else would not be appropriate; for example, date of birth, Social Security Number and passport numbers should not be stored. If you need to store documents on your cloud storage, the most secure way is to encrypt your files. If you hold the encryption key, no one else will be able to decrypt your files and therefore read or use your personal information.

Scenario 10

Smart homes are homes equipped with technology that provides the occupants with comprehensive information about the state of their home and allow them to control all connected devices, including remotely. Examples of smart home devices include: smart fridges, smart electricity meters, smart blinds, and automatic pet feeders. Smart homes hold the promise of improving our quality of life.

However, smart homes may also bring a number of threats to people living in the house, an example of which is…

Answer:

Privacy Invasions. This is the correct answer, as smart homes may collect data about people living in the house, and this data could be used, for instance, by third parties who are the providers of smart functionalities. The ENISA report Threat Landscape for Smart Home and Media Convergence is available here: https://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-thematic-landscapes/threat-landscape-for-smart-home-and-media-convergence