CSC 1113 – Introduction to Computers LECTURE NOTES – CHAPTER 12 I. Privacy and Encryption CIYF 12.03 Describe the ways in which computer databases and the Internet are combining to erode privacy. Note that traditional forms of information collection such as telephone surveys and supermarket club cards are being combined with computer databases to endanger personal privacy. Compare the terms privacy and encryption. Define privacy as an individual’s ability to restrict or eliminate the collection, use, and sale of confidential personal information. Explain that encryption refers to a coding or scrambling process by which a message is rendered unreadable by anyone except the intended recipient. Describe identity theft and its impact on peoples’ lives. List the information required to pull off identity theft, including an address, Social Security number, date of birth, or other seemingly innocuous bits of data. Class Exercise: Engage students in a discussion about identity theft. You may find that several students have had such an experience, or may know someone who has. Web Link: Refer students to the U.S. Government’s central Web site on identity theft (www.consumer.gov/idtheft/) for more information. II. Privacy in Cyberspace CIYF 12.04 A. The Problem: Collection of Information without Consent Describe the ways in which personal information is collected without consent. Using Figure 12.2, discuss how electronic databases track and combine information on individuals. Note that in the United States, individuals have no recourse against those who collect sensitive personal information. B. The Internet Factor Describe how database vendors sell the information they have gathered to many different types of customers, some who have legitimate reasons for wanting the information, and some who have wicked intentions. Web Link: Encourage students to visit the Electronic Privacy Information Center (EPIC) at www.epic.org/ for more information on privacy issues. C. Protecting Privacy: Basic Principles Privacy advocates believe that governments should protect the privacy of their citizens. Describe the basic human privacy rights afforded to all citizens in the European Union: Consumers must be informed when information is being collected about them. Consumers must be allowed to choose whether or not they want to divulge the information. Consumers must be allowed to remove information about themselves upon request. Note that U.S. citizens do not enjoy these same rights. Describe some of the various Federal and state laws that attempt to provide privacy protection in the United States. CSC 1113 –Introduction to Computers Page 2 Chapter 12 Lecture Notes Class Exercise: Lead students in an exercise to create their own declaration of personal privacy rights. Would they desire the same rights as citizens of the European Union? Are there other items that should be included in a declaration for the United States? D. Anonymity Define anonymity as the ability to convey a message without disclosing your name or identity. Briefly explain the difference between defamation and libel. III. How Is Technology Eroding Privacy and Anonymity? CIYF 12.08 Review how technology is enabling various organizations to collect information and defeat the concept of anonymous speech. List the two technologies that are commonly used, cookies and global unique identifiers. A. Cookies Define cookies as small files that are written to your computer’s hard disk by many of the Web sites you visit for the purpose of recording information so it is available for future browsing sessions. Explain how ad networks work and describe the use of banner ads. Using the Richard Smith example, show how DoubleClick, Inc. was able to gather key information about his identity. List different types of information that can be transmitted to Internet ad networks, including: 1. Your e-mail address 2. Your full name 3. Your mailing address (street, city, state and ZIP code) 4. Your phone number Transactional data B. Global Unique Identifiers (GUIDs) Define global unique identifiers (GUIDs) as identification numbers that are generated by a computer hardware component or a program. Explain how Microsoft’s .NET Passport fits into the scheme of protecting personal privacy. Web Link: Encourage students to visit the Microsoft .NET Passport Web site (www.passport.net) for more information on this new privacy strategy. Web Link: Refer students to the Web site www.privacy.net/track to see an online demonstration of how ad banner tracking works. IV. Is Self-Regulation Sufficient? CIYF 12.12 Discuss the debate centered on self-regulation within the technology industry. Introduce both sides of the debate: the marketing industry and consumer advocacy groups. CSC 1113 –Introduction to Computers Page 3 Chapter 12 Lecture Notes Class Exercise: Divide the class into two groups, each representing one side of the debate. Ask them to work together as a team to create several points in favor of their position. Have each group nominate a spokesperson who will engage in the debate. Refer students to the TechTalk margin note to define Web bug. A. Protecting Your Privacy Online Review the steps recommended by the U.S. government to safeguard your privacy on the Internet: 1. Browse anonymously by surfing from sites such as The Anonymizer (www.anonymoizer.com) or The Cloak (www.the-cloak.com). 2. Disable cookies on your Web browser. 3. Use “throw-away” e-mail addresses. 4. Tell children not to divulge any personal information online. 5. Look for a privacy statement before providing personal information on a Web site. Class Exercise: Demonstrate to students the process for disabling cookies on the Web browsers in the computer lab. V. Privacy at Work CIYF 12.14 Web Link: Encourage students to find out about online reporting for employers to track their employees by visiting the Web site www.spectorsoft.com, shown in Figure 12.8. Discuss the issues around e-mail and Internet privacy at work. Review simple rules for appropriate conduct at work including telephone, e-mail, and Internet usage. VI. The Encryption Debate CIYF 12.16 A. Encryption Basics Define the term encryption. Explain plain text and the use of an encryption key using the example shown in Figure 12.9. Explain the rot-13 encryption technique for scrambling characters. Define symmetric key encryption algorithm and encryption algorithm. Review the commonly used Data Encryption Standard (DES). B. The Problem of Key Interception Define strong encryption as an encryption method that is nearly impossible to break. However, one can defeat the system not by breaking the code, but by stealing the key. This major vulnerability of symmetric key encryption is called key interception. Describe public key encryption and the use of a public key and a private key. Explain how public key encryption works. Explain the system of Pretty Good Privacy (PGP) and discuss its strengths and weaknesses. Web Link: Direct students to visit Public Key Encryption for Dummies (www.nwfusion.com/news/64452_05-17-1999.html) for an excellent description of the public key encryption process. C. Key Length CSC 1113 –Introduction to Computers Page 4 Chapter 12 Lecture Notes Describe cryptanalysis as another word for code breaking. Explain that one way to break a code is through the brute force method. Explain how key length can be used to prevent cryptanalysis. D. Public Key Encryption Algorithms Teaching Tip: While much of this information is interesting, it may constitute “information overload” for some of your students. To keep their attention, make your discussion of the topics in this section brief. Very briefly discuss some public key encryption algorithms, including the Diffie-Hellman algorithm, the RSA encryption algorithm, and Fortezza. E. Digital Signatures and Certificates Relate the use of digital signatures and digital certificates to public key encryption. Define hash key. Further explain digital certificates defining the terms certificate authority (CA) and web of trust. F. Toward a Public Key Infrastructure (PKA) Describe why a public key infrastructure (PKI) is important, yet is slow in development. Discuss some of the issues surrounding the adoption of a public key infrastructure. List and describe the three alternatives to PKI being proposed by U.S. government agencies: the Clipper Chip shown in Figure 12.12 which uses a back door, the key escrow plan proposed by the Clinton administration, and a new back door-based system called key recovery. Web Link: Students can learn more about cryptography issues by visiting the Web site www.cdt.org/crypto. Class Exercise: Refer to the Currents section “Navajo Code Talkers.” The following questions may be posed to lead students in a discussion about the Navajo code talkers: 1. Do you think there are any spoken languages today that could serve the same function as the Navajo language in 1942? 2. Do you think computer message encryption will stand the test of time? Why or why not? 3. The Navajo code talkers could only protect messages during transmission. Discuss the ways a computer message might be captured or compromised before or after the encryption/decryption cycle. G. Public Security Issues of Strong Encryption Discuss export restrictions that are in place surrounding encryption algorithms and the reasons for their existence. Class Exercise: In the aftermath of September 11, 2001, there were calls in the U.S. Congress to outlaw public key encryption. Prior to that, Louis J. Freeh, Director of the FBI, said the honest CSC 1113 –Introduction to Computers Page 5 Chapter 12 Lecture Notes have nothing to hide, and only criminals would use encryption. Lead the class in a discussion of the implications of this statement. Describe the Clipper Chip, key escrow plan and key recovery alternatives to public key encryption proposed by U.S. government agencies. H. The Academic Angle Explain the copyright management infrastructure (CMI) and the Digital Millennium Copyright Act (DMCA). Web Link: For current information about the field of cryptographic research, encourage students to visit The International Association of Cryptographic Research (www.iacr.org/). Describe the situation of encryption technologies outside of the United States. Class Exercise: Refer students to the Impacts section “Is the Government Watching You?” The following questions may be posed to lead students in a discussion of Echelon: 1. Do you think Echelon or something similar exists? Make arguments for and against its existence. 2. Should we fear the National Security Agency? Are you concerned about your right to privacy? Are you willing to give up some of your electronic communications privacy so that those who would harm us can be thwarted or caught? 3. Assume Echelon exists. How will you modify your electronic communications activities? VI. CHAPTER REVIEW CIYF 12.31 Web Link: Refer students to www.prenhall.com/ciyf2004 for a review of the chapter, to answer the questions, and to complete the exercises and Web research questions. Takeaway Points: Ask students to recall the objectives identified at the beginning of this lesson. Tie the initial objectives with the essential lecture points that met the objectives. Objective: Explain the threat to privacy posed by the sale of sensitive personal information on the Internet. Because the United States has no comprehensive Federal regulations protecting an individual’s privacy, highly sensitive personal information, such as Social Security numbers, is now for sale on the Internet. Many Web sites collect personal information without informing their visitors. Objective: Define anonymity and discuss how it can be abused. Anonymity refers to the ability to convey a message without disclosing one’s name or identity. We hold anonymity as a personal freedom in the United States, but anonymity may free people from accountability, and they may abuse the privilege of anonymous speech. Using the cloak of anonymity, someone may injure another’s reputation by making false and malicious statements. Anonymous communications can also be used to threaten and harass, or to spread false and misleading information. CSC 1113 –Introduction to Computers Page 6 Chapter 12 Lecture Notes Objective: Describe how technological developments are eroding privacy and anonymity. Computers and the Internet enable marketing firms, snoops, and government officials to harness all the power of technology in order to collect information in ways that are hidden from the user’s view. For example, cookies are small files that are written to your computer’s hard disk by many of the Web sites you visit. Cookies provide Web sites with a way of recording information so that it is available for future browsing sessions at the same site. A global unique identifier (GUID) is a unique identification number that is generated by a computer hardware component or a program. Privacy advocates say that GUIDs make anonymous usage of the Internet more difficult, if not impossible. Objective: Explain the reasons why many employers feel that they need to monitor their employees’ computer usage. Because large U.S. employers want to make sure that they’re getting their money’s worth from employees, many of them routinely monitor employees’ phone calls, e- mail, Web browsing habits, and computer files. Companies are concerned about potential sexual harassment lawsuits and employees who offer trade secrets to competitors. Objective: State why U.S. security officials believe public-key encryption poses a threat to U.S. security, both foreign and domestic. Public key encryption uses two different keys: an encryption key (called the public key) and a decryption key (called the private key). People who wish to receive secret messages publish their public key. When the public key is used to encrypt a message, the message becomes unreadable. The message becomes readable only when the recipient applies his or her private key, which nobody else knows. U.S. security agencies fear that public key encryption will prevent them from detecting the activities of terrorists, drug dealers, and organized crime syndicates. Objective: Describe the U.S. government’s proposed key recovery plan and explain why it threatens the growth of Internet commerce. Key length is the term used to describe the length (in bits) of an encryption key. The longer the key, the stronger the encryption. A key length of 40 bits is highly vulnerable to brute force attack; a key length of 56 bits was formerly thought to be reasonably safe for Web shopping and other non-military or non-banking exchanges. However, safe electronic commerce requires a key length of at least 128 bits. A public key infrastructure (PKI) is a uniform set of encryption standards that specify how public key encryption, digital signatures, and CA-granted digital certificates should be implemented in computer systems and on the Internet. Although there are numerous contenders, no dominant PKI has emerged. Encryption software containing key recovery features would enable investigators to read secret messages, but financial institutions fear that these features would open security holes.