SHAIKHA B. ALKHUDER
212122147
ASSIGNMENT 2
Kuwait University, Computer Engineering MS program CpE-511: Privacy and Data Protection Assignment 2, October 13, 2014
Data Privacy Related Risks
Short Research Paper
1. a. The following short research content concerns the top 10 risks associated with data protection and information security. Disclosing some personal data to online peers cannot be avoided, so users should be fully aware of what they are putting at stake when they do so. Users should know the possibility of data leakage to third parties, and whether the data they provide to online establishments are truly protected.

First risk is data disclosure. Users should understand that at the moment they fill in a registration form or sign in with their Facebook accounts on social websites, there exists a possibility of personal data transfer to a third party which the user may not approve of, or may have approved unknowingly by agreeing to a long privacy statement they did not read.

Second risk is personal data marketing. Some online establishments may trade personal data for a financial or equivalent return. In that case the party buying the personal data may have planned an unethical use for it, threatening users' identity and privacy.

Third risk is account hijacking (identity phishing). If user data is disclosed, it may be used to reset passwords or gain control over a certain user account. This can affect the user's digital representation, and it is a more crucial point when it comes to public, political and social personalities.

Fourth risk is blackmail. When a person has disclosed personal data such as religious belief, political opinion, or even health records, an adversary who gains access to these data may use them against that user in court cases, or at times of war and conflict. Health records can be used to manipulate the prices of health insurance or to plan a physical threat.

Fifth risk is a weak data disposal process. When a user registers to a social community or a shopping website and then decides to terminate his account there, the online establishment should be transparent with the user about how it will dispose of the data and logs linked to his account. The user must make sure that those pieces of data are carefully shredded and no longer exist, to reduce the chances of data misuse after that particular user has left that specific network.

Sixth risk is the unclarity of the purpose of data collection. There are online establishments that state a long privacy policy, yet most of it is ambiguous to the user. In return, those establishments may gain the legal right to use personal data in the way they wish to.

Seventh risk is the insecurity of the online establishment that requires user personal data. The security readiness of some online establishments, if weak and vulnerable, can be a common threat to user personal data. The servers and storage assets of those entities may be an easy target for attack.

Eighth risk is control of access to personal data. In the end, it is people who deal with other people’s personal data. An establishment should make sure that only the required and responsible operators gain access to user personal data, and that when they do have access they have it with the appropriate privilege.

Ninth risk is failing to use the most up-to-date personal information. For instance, your bank may fail to update your phone number after you have changed it, and so keeps sending your financial logs or keys to your old number, which may or may not be in use.

Tenth risk is physical threat. If your personal data includes your current address or work place, and the person who has access to your data is in fact a person with criminal leanings, he may actually cause a physical or psychological threat to the user.

1. b. Some of the risks associated with using Instagram are:
- Identity theft; users can snapshot your photos and create a new account claiming to be yourself. This is mostly done when the user account is public for other users to view; however, it is not fully prevented if the user account is private.
- Copyrights; professionals posting photos on Instagram cannot guarantee their copyrights.
This is bluntly stated in their privacy policy.
- Security issues; Instagram is a cloud-based establishment, meaning it suffers from the vulnerabilities any cloud-based establishment has, whether data breach, access control, or any other.
- Location services misuse; this is also a possible threat for users. Users disclosing their locations, which may be their favorite restaurant or gym, can be subject to a preplanned physical threat or a criminal act.
- Weak disposal of data; users terminating their accounts may face trouble deleting all their photos, personal data or logs. This is probably a result of using the hashtag or mention features offered by Instagram.

1. c. Most cloud-based social services suffer from the same common vulnerabilities. Cloud-based services are basically storage facilities housing large numbers of servers and machinery, so they are vulnerable to downtime and security threats as long as they are connected to the internet and serving millions of users daily. Social media in particular require users to create accounts to start their experience in the social online community. This is the step at which users provide certain data, including personal information. Not all fields requested by the online community are mandatory, yet users still fill them in. For example, Facebook leaves your phone number optional to provide. The same social media websites, however, keep reminding you to complete your profile. This is a psychological approach to gain as much of a user's personal data as possible. The data provided by the user may be processed in a way that threatens the privacy of the user. Social media like Facebook and Twitter are vulnerable to breaches and data leakage of course, but sometimes they affect users' machines as well. Worms and certain viruses can be spread using these social media tools, for example through messages advertising weight-loss medicine or false news.

1. d. The risks mentioned in the previous paragraphs can be assessed first and foremost by spreading awareness among users. Users remain the weakest link on the network. Law plays a significant role in these cases. Laws and punishments set to control the rapid evolution of user interaction with the network are significant whenever they are enforced in the right way and applied in the appropriate cases.

1. e. A simple checklist against which the user can evaluate his usage may include the following points:
- Read the privacy policy, or at least the section concerning data processing and control.
- Use a strong password for your account. Mostly it is the main key of account protection.
- Avoid saving your financial details to the machine cache.
- Avoid providing unnecessary personal information to the website, and keep your personal data private whenever you have the option.
- Avoid dealing with untrusted websites for commercial or publication uses.
2. a. Data mining is the process of deriving useful data from ad hoc snippets of data existing in databases, and applying some functions to make use of them [1]. As observed, the process of data mining is directly involved with pieces of information provided by the user: reordering, sorting, filtering them, and more. It requires interaction between data controllers, data processors, and the data itself provided by the user. This could serve as the main reason why it is inseparable from data privacy and security. Operators dealing with such personal information must be extra careful, cautious, and committed to an ethical code of respecting and preserving the privacy and security of the data they are working with.

2. b. Some of the challenges faced when performing data mining are:
- Correct transport and handling; operators must keep the integrity of the data they derive, as they are required to keep them safe from illegal disclosure. For instance, some hospitals may disclose the diagnoses of particular patients to researchers for the development and welfare of the medical field, but they must maintain the patients' privacy [1].
- Protection against data leakage; for example, some operators may turn to auditing projects to enhance their work performance, and the auditing team in return may request user data for its assessment. The data may contain sensitive user information. This must be handled with care and caution to prevent leakage of data.
- Simplicity but security of the data mining process; it is easier and much less risky to have user data flow directly to data mining agents instead of going through “multi-party communication” or “iterative protocols” as mentioned in [2]. This is more straightforward for the operators performing their job and less hectic in terms of data leakage occurrences.

2. c. Privacy-preserving data mining (PPDM), in simple terms as mentioned in [3], is creating aggregated models out of rough data from databases without access to certain information in a user record: a process that makes use of the data provided by the user while preserving his privacy amidst that operation.

2. d. One of the models which provide a data mining solution that offers privacy protection is random perturbation of data [2]. This scheme shows minor privacy loss, and it does not cause major information loss. It is a model used to perform computation using certain values in user records without knowing these exact values. Cryptographic techniques are used if one party among several would like to perform a computational operation on the values provided by the user. This is done to guarantee privacy in scenarios where multiple parties deal with user data, under the assumption that there is no interaction between users, as shown in Fig. 1 from [2].
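The idea of computing on user values without knowing them can be shown with a generic additive-noise perturbation. The following is an added example, not code from this paper or from [2], and not necessarily the exact scheme of [2]; the noise range, bin layout, function names and sample ages are assumptions constructed for illustration.

```python
import random
import statistics

H = 30.0  # assumed public noise parameter: each user adds Uniform(-H, H)

def perturb(value, rng):
    """User side: only value + noise leaves the user's machine."""
    return value + rng.uniform(-H, H)

def estimate_mean_variance(reported):
    """Miner side. Noise has mean 0 and variance (2H)^2/12, so the mean
    carries over and the noise variance can be subtracted out."""
    mean = statistics.fmean(reported)
    var = statistics.pvariance(reported) - (2 * H) ** 2 / 12
    return mean, max(var, 0.0)

def reconstruct_histogram(reported, lo, hi, nbins, rounds=40):
    """Miner side: iterative Bayes (EM) estimate of the share of users in
    each bin, using only perturbed values and the public noise range."""
    width = (hi - lo) / nbins
    mids = [lo + (j + 0.5) * width for j in range(nbins)]
    # A report w is compatible with bin j if some x in the bin plus some
    # allowed noise could have produced it (coarse uniform likelihood).
    compat = [[abs(w - m) <= H + width / 2 for m in mids] for w in reported]
    share = [1.0 / nbins] * nbins
    for _ in range(rounds):
        new = [0.0] * nbins
        for row in compat:
            total = sum(s for s, ok in zip(share, row) if ok)
            if total == 0.0:
                continue  # report outside [lo - H, hi + H]; ignore it
            for j, ok in enumerate(row):
                if ok:
                    new[j] += share[j] / total  # posterior that record is in bin j
        norm = sum(new)
        share = [v / norm for v in new]
    return share

def demo(n=5000, seed=7):
    """Constructed sample: n users with ages uniform in [20, 40)."""
    rng = random.Random(seed)
    ages = [rng.uniform(20, 40) for _ in range(n)]
    reported = [perturb(a, rng) for a in ages]  # all the miner ever sees
    mean, var = estimate_mean_variance(reported)
    hist = reconstruct_histogram(reported, 0, 100, 10)
    return statistics.fmean(ages), mean, var, hist

if __name__ == "__main__":
    true_mean, mean, var, hist = demo()
    print(f"true mean {true_mean:.2f}, estimated {mean:.2f}, variance {var:.1f}")
    print("estimated share per 10-year bin:", [round(s, 3) for s in hist])
```

Any single reported value only tells the miner that the true age lies somewhere within 30 years of it, while the aggregates tighten as the number of users grows.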
2. e. A general opinion may exclude data mining from being an issue of privacy for a few reasons that may include the following [4]:
- Data mining is not required necessarily to misuse data,
- Data mining technologies can be misunderstood and therefore misused,
- Security breaches and vulnerable servers affect privacy more than the operations of data mining,
- and identifiable data are the ones that define privacy.

However, my personal opinion based on [4], [5], and [1] still supports the obvious relationship between data mining and privacy. Although there are many varying ways to threaten users' privacy, we cannot exclude data mining as an operation that has zero possibility of putting users' privacy at risk. Data mining deals with values of data straight from user records, and unless it is a privacy-preserving data mining process it remains a double-edged tool that may breach user privacy directly. In fact, as M. Malik, M. Ghazi, and R. Ali [5] stated, “Privacy preserving has originated as an important concern with reference to the success of data mining.” With such large amounts of data stored in multi-party databases, the use of data mining is inevitable. So, yes, privacy is an issue for data mining.
References:
[1] J. Wang, Y. Luo, Y. Zhao, J. Le, “A Survey on Preserving Data Mining”, IEEE 2009 First International Workshop on Databases and Applications, pp. 111-114, 2009.
[2] Ch. Wu, “Privacy Preserving Data Mining with Unidirectional Interaction”, IBM T. J. Watson Research Center, IEEE, pp. 5521-5524, 2005.
[3] R. Srikant, “Privacy Preserving Data Mining: Challenges and Opportunities”, Invited Plenary Talk, Sixth Pacific-Asia Conference on Knowledge Discovery and Data Mining, May 2002.
[4] Ch. Clifton, W. Jiang, M. Murugesan, M. Nergiz, “Is Privacy Still an Issue for Data Mining?”, National Science Foundation Symposium on Next Generation of Data Mining and Cyber-Enabled Discovery for Innovation, Oct. 2007.
[5] M. Malik, M. Ghazi, and R. Ali, “Privacy Preserving Data Mining Techniques: Current Scenario and Future Prospects”, Third International Conference on Computer and Communication Technology, pp. 26-32, 2012.