UNIT-V

Privacy Issues

Basic Data Privacy Concepts

Fundamental Concepts:

Data Privacy:
Data Privacy or Information privacy is a part of the data protection area that deals with
the proper handling of data focusing on compliance with data protection regulations.
Data Privacy is centered around how data should be collected, stored, managed, and
shared with any third parties.

Elements of Data Privacy

• Data Privacy or Information privacy encompasses 3 elements:
• Right of an individual to be left alone and have control over their personal data
• Procedures for proper handling, processing, collecting, and sharing of personal data
• Compliance with data protection laws.

Data Privacy Vs Data Security

Data Privacy
• Data Privacy focuses on the rights of individuals, the purpose of data collection and
processing, privacy preferences, and the way organizations govern personal data of data
subjects.
• It focuses on how to collect, process, share, archive, and delete the data in accordance with
the law.

Data Security
• Data Security includes a set of standards and different safeguards and measures that an
organization is taking in order to prevent any third party from unauthorized access to digital
data, or any intentional or unintentional alteration, deletion or disclosure of data.
• It focuses on the protection of data from malicious attacks and prevents the exploitation of
stolen data (data breach or cyber-attack). It includes Access control, Encryption, Network
security, etc.

Data Privacy Attacks / Data Breaches

Data Breach:
A data breach is a security violation in which sensitive, protected or confidential data is
copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.

Types of Data Breaches:

1. Stolen Information
2. Ransomware
3. Password Guessing
4. Recording Key Strokes
5. Phishing
6. Malware or Virus
7. Distributed Denial of Service (DDoS)
CYBER SECURITY Page 49
 Stolen Information:
Stolen data may involve sensitive, proprietary, or confidential information such as credit
card numbers, customer data, trade secrets, or matters of national security.

Ransomware:
Ransomware is a type of malware attack in which the attacker locks and encrypts the
victim’s data, important files and then demands a payment to unlock and decrypt the data.

1. Infection—Ransomware is covertly downloaded and installed on the device.

2. Execution—Ransomware scans and maps locations for targeted file types, including locally stored
files, and mapped and unmapped network-accessible systems. Some ransomware attacks also delete
or encrypt any backup files and folders.
3. Encryption—Ransomware performs a key exchange with the Command-and-Control Server, using
the encryption key to scramble all files discovered during the Execution step. It also locks access to
the data.
4. User Notification—Ransomware adds instruction files detailing the pay-for-decryption process, then
uses those files to display a ransom note to the user.
5. Cleanup—Ransomware usually terminates and deletes itself, leaving only the payment instruction
files.
6. Payment—Victim clicks a link in the payment instructions, which takes the victim to a web page
with additional information on how to make the required ransom payment.
7. Decryption—After the victim pays the ransom, usually via the attacker’s Bitcoin address, the victim
may receive the decryption key. However, there is no guarantee the decryption key will be delivered
as promised.

Recording Key Strokes

• Cybercriminals can insert or email you malware called keyloggers that can record what you’re typing
onto your computer. The data is then passed back to the hackers and used to access sensitive data.
This can happen at your place of employment, or on your personal computer.
• When this happens, they record everything you are typing. This can include credit card numbers,
passwords and sensitive information you might enter into a database like names, health data or
anything else.

Phishing:
• Phishing attacks are the practice of sending fraudulent communications that appear to come from
a reputable source. It is usually done through email. The goal is to steal sensitive data like credit
card and login information, or to install malware on the victim’s machine.

CYBER SECURITY Page 50

Malware or Virus:
• Malware or viruses can be sent to people with the goal of wiping their computer.

Distributed Denial of Service (DDoS):

• A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic
of a targeted server, service or network by overwhelming the target or its surrounding
infrastructure with a flood of Internet traffic.

Data Linkage and Profiling

Data Linkage:
Data linking is the process of joining datasets together so that we can make as much use as
possible of the information that they hold.
Data Profiling:
Data profiling helps you discover, understand and organize your data.
Data profiling techniques or processes used today fall into three major categories:
• Structure discovery
• Content discovery
• Relationship discovery.

• Structure discovery, also known as structure analysis, validates that the data that you have
is consistent and formatted correctly.

• Content discovery is the process of looking more closely into the individual elements of the
database to check data quality. This can help you find areas that contain null values or values
that are incorrect or ambiguous.

• Relationship discovery involves discovering what data is in use and trying to gain a better
understanding of the connections between the data sets.

There are four general methods by which data profiling tools help accomplish better data quality:

• Column profiling scans through a table and counts the number of times each value shows up
within each column. This method can be useful to find frequency distribution and patterns within
a column of data.
• Cross-column profiling is made up of two processes: key analysis and dependency analysis.
• Key analysis examines collections of attribute values by scouting for a possible primary
key.
• Dependency analysis is a more complex process that determines whether there are
relationships or structures embedded in a data set.
• Both techniques help analyze dependencies among data attributes within the same table.

• Cross-table profiling uses foreign key analysis, which is the identification of orphaned records
and determination of semantic and syntactic differences, to examine the relationships of column
sets in different tables.
This can help cut down on redundancy but also identify data value sets that could be
mapped together.
• Finally, data rule validation uses data profiling in a proactive manner to verify that data instances
and data sets conform with predefined rules. This process helps find ways to improve data quality
and can be achieved either through batch validation or an ongoing validation service.

CYBER SECURITY Page 51

Privacy policies and their specifications
• Privacy Policy:
A privacy policy is a legal document that discloses the way a party gathers, uses, discloses,
and manages a customer or client’s data. It fulfils a legal requirement to protect a customer or client’s
privacy.
• Such privacy policy must provide the following:
1. clearly and easily accessible statements of its practices and policies;
2. clearly state the type of personal and sensitive personal data or information collected by
the business;
3. purpose of collection and usage of such information;
4. about disclosure of information including sensitive personal data or information
collected; and
5. Reasonable security practices and procedures adopted by it.

• Elements of a privacy policy:

The following are the main elements which shall be consisted of a privacy policy, are as
follows:
• Consent: The most crucial component of a privacy policy is ‘consent’.
• Purpose of information collected.
• Disclosure of information.
• Security practices

Privacy policy languages

• Privacy policy languages can help with several stages involved in managing privacy policies
(writing, reviewing, testing, approving, issuing, combining, analyzing, modifying,
withdrawing, retrieving and enforcing policy).
• Privacy policy languages were designed to express the privacy controls that both
organizations and users want to express.
• Most of the privacy policy languages were designed for specific purposes with specific
features and characteristics.
• Most of the initiatives for designing these languages have occurred in the last ten years.
• In 1997, the World Wide Web Consortium (W3C) began development of the Platform for
Privacy Preferences (P3P) to express website privacy policies in machine-readable format.
• A P3P Preference Exchange Language (APPEL) was also designed by W3C in 1997 to
express an individual’s privacy preferences, to query the data represented by P3P, and to make
decisions accordingly.
• CPExchange (Customer Profile Exchange) was developed in 2000 to facilitate business-to-
business communication about privacy policies.
• Later, the industry felt the need for languages to express the internal privacy policies of the
organizations themselves.
• With that goal IBM designed the Enterprise Privacy Authorization Language (EPAL) in 2003.
• During the same period a consortium of organizations joined to design the eXtensible Access
Control Markup Language (XACML) for expressing both privacy and security policies in a
machine readable format.
• There were other initiatives such as DPAL and XPref in 2003 and 2004. Advances in
technology and the rapid use of pervasive computing

CYBER SECURITY Page 52

 Privacy policy languages are expected to be fairly simple and small. Therefore, they have been
designed as light-weight XML markup languages. These privacy policy languages are not
expected to perform high-level mathematical operations or complicated flow controls.

Privacy in different domains

• Medical privacy or health privacy is the practice of maintaining the security and
confidentiality of patient records.
• It involves both the conversational discretion of health care providers and the security
of medical records.
• The terms can also refer to the physical privacy of patients from other patients and providers
while in a medical facility, and to modesty in medical settings.
• Modern concerns include the degree of disclosure to insurance companies, employers, and
other third parties.
• The advent of electronic medical records (EMR) and patient care management systems
(PCMS) have raised new concerns about privacy, balanced with efforts to reduce duplication
of services and medical errors.

CYBER SECURITY Page 53