Information Control and Privacy

This document provides an overview of Unit VI which covers information control and privacy. It discusses the characteristics of information including availability, accuracy, authenticity, confidentiality, and integrity. It explains why information security and privacy are contemporary issues due to risks like fraud, hoaxes, identity theft, and system hacking. The document also defines privacy and data privacy regulations. The overall goal is for students to understand information characteristics and contemporary privacy issues.

Uploaded by

Myne Kileja

UNIT VI: Information and Control and Privacy

Introduction/Overview

Week 11 to Week 12, Unit VI: Information and Control and Privacy, will give an overview of control and privacy, define the different characteristics of information, discuss why information security and privacy are a contemporary issue, and explain what privacy is and what the data privacy and protection regulation is.
Learning Goals/objectives

At the end of the lessons, the students are expected to:

Understand the characteristics of information in terms of Availability, Accuracy, Authenticity, Confidentiality, Integrity, Utility and Possession;
Explain why information security and privacy are a contemporary issue in terms of Fraud, Hoaxes, Identity Theft, System Hacking, Disclosure and Privacy Breach;
Learn Data Privacy and Protection Regulation.


Characteristics of Valuable Information as Resource

Accurate
Complete
Economical
Reliable
Flexible
Relevant
Simple
Timely
Verifiable
Secure
Characteristics of Information
Availability

Availability means information should be consistently and readily accessible for authorized parties. This involves properly maintaining hardware and technical infrastructure and systems that hold and display the information.

Information should be easy to obtain or access. Information kept in a book of some kind is only available and easy to access if you have the book to hand. A good example of availability is a telephone directory, as every home has one for its local area. It is probably the first place you look for a local number. But nobody keeps the whole country’s telephone books so for numbers further afield you probably phone a directory enquiry number. For business premises, say for a hotel in London, you would probably use the Internet.

Businesses used to keep customer details on a card-index system at the customer’s branch. If the customer visited a different branch a telephone call would be needed to check details. Now, with centralized computer systems, businesses like banks and building societies can access any customer’s data from any branch.
Accuracy

Information needs to be accurate enough for the use to which it is going to be put. To obtain information that is 100% accurate is usually unrealistic as it is likely to be too expensive to produce on time. The degree of accuracy depends upon the circumstances. Accuracy is important. As an example, if government statistics based on the last census wrongly show an increase in births within an area, plans may be made to build schools and construction companies may invest in new housing developments. In these cases any investment may not be recouped.
Authenticity

Authenticity is assurance that a message, transaction, or other exchange of information is from the source it claims to be from. Authenticity involves proof of identity. We can verify authenticity through authentication.

The process of authentication usually involves more than one “proof” of identity (although one may be sufficient). The proof might be something a user knows, like a password. Or, a user might prove their identity with something they have, like a keycard. Modern (biometric) systems can also provide proof based on something a user is. Biometric authentication methods include things like fingerprint scans, hand geometry scans, or retinal scans.
Confidentiality

Confidentiality is roughly equivalent to Confidentiality measures are designed to prevent sensitive information from unauthorized access attempts. It is common for data to be categorized according to the amount and type of damage that could be done if it fell into the wrong hands.

Confidentiality is the keeping of another person or entity’s information private. Certain professionals are required by law to keep information shared by a client or patient private, without disclosing the information, even to law enforcement, except under certain specific circumstances. The principle of confidentiality is most commonly expected in the medical field, and the legal field.

Sometimes safeguarding data confidentiality involves special training for those privy to sensitive documents. Training can help familiarize authorized people with risk factors and how to guard against them. Further aspects of training may include strong passwords and password-related best practices and information about social engineering methods to prevent users from bending data-handling rules with good intentions and potentially disastrous results.

A good example of methods used to ensure confidentiality is requiring an account number or routing number when banking online. Data encryption is another common method of ensuring confidentiality. User IDs and passwords constitute a standard procedure; two-factor authentication (2FA) is becoming the norm.
Integrity

Integrity involves maintaining the consistency, accuracy and trustworthiness of data over its entire lifecycle. Data must not be changed in transit, and steps must be taken to ensure data cannot be altered by unauthorized people (for example, in a breach of confidentiality).

These measures include file permissions and user access controls. Version control may be used to prevent erroneous changes or accidental deletion by authorized users from becoming a problem. In addition, organizations must put in some means to detect any changes in data that might occur as a result of non-human-caused events such as an electromagnetic pulse (EMP) or server crash.

Data might include checksums, even cryptographic checksums, for verification of integrity. Backups or redundancies must be available to restore the affected data to its correct state. Furthermore, digital signatures can be used to provide effective nonrepudiation measures, meaning evidence of logins, messages sent, electronic document viewing and sending cannot be denied.
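
The integrity measures described above (a plain checksum, a cryptographic checksum, and restoring from a backup), shown as an added example that is not part of the original slides. The sample record, the key and all function names are constructed for illustration.

```python
import hashlib
import hmac
import zlib

# Constructed sample record and key, used only for this illustration.
RECORD = b"account=1001;owner=J. Cruz;balance=2500.00"
MAC_KEY = b"constructed-demo-key"


def crc32_checksum(data: bytes) -> int:
    """Plain checksum: catches accidental corruption such as a flipped bit."""
    return zlib.crc32(data)


def sha256_digest(data: bytes) -> str:
    """Cryptographic checksum: no key, so anyone can recompute it."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(data: bytes, key: bytes = MAC_KEY) -> str:
    """Keyed cryptographic checksum: recomputing it requires the secret key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(data: bytes, tag: str, key: bytes = MAC_KEY) -> bool:
    """Constant-time comparison of the stored tag with a fresh one."""
    return hmac.compare_digest(hmac_tag(data, key), tag)


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate a non-human-caused error: one bit changes in byte `index`."""
    damaged = bytearray(data)
    damaged[index] ^= 0x01
    return bytes(damaged)


def restore_if_invalid(data: bytes, tag: str, backup: bytes) -> bytes:
    """Return the live copy if it verifies, else a backup that verifies."""
    if verify_tag(data, tag):
        return data
    if verify_tag(backup, tag):
        return backup
    raise ValueError("neither live copy nor backup passes verification")


def demo() -> dict:
    crc, digest, tag = crc32_checksum(RECORD), sha256_digest(RECORD), hmac_tag(RECORD)
    damaged = flip_bit(RECORD, 5)                      # accidental change
    altered = RECORD.replace(b"2500.00", b"9500.00")   # unauthorized change
    # The unkeyed digest only helps if it is stored where whoever edits the
    # data cannot rewrite it; the HMAC tag cannot be redone without the key.
    return {
        "crc_detects_damage": crc32_checksum(damaged) != crc,
        "digest_detects_damage": sha256_digest(damaged) != digest,
        "digest_detects_alteration": sha256_digest(altered) != digest,
        "hmac_detects_alteration": not verify_tag(altered, tag),
        "restored_from_backup": restore_if_invalid(damaged, tag, RECORD) == RECORD,
    }


if __name__ == "__main__":
    print(demo())
```
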
Utility

"Utility" refers to the usefulness of the information to the intended users.

"Objectivity" focuses on whether the disseminated information is being presented in an accurate, clear, complete, and unbiased manner, and as a matter of substance, is accurate, reliable, and unbiased.
Possession

Possession means to hold occupancy with or without rights of ownership. This exactly describes possession in the psychic sense. It is the possession of the physical body with—though frequently without—the permission of the owner.
Why is information security and privacy a contemporary issue?
Fraud

Fraud is commonly understood as dishonesty calculated for advantage. A person who is dishonest may be called a fraud. Fraud is most common in the buying or selling of property, including real estate, personal property, and intangible property, such as stocks, bonds, and copyrights.

Fraud must be proved by showing that the defendant's actions involved five separate elements:
(1) a false statement of a material fact,
(2) knowledge on the part of the defendant that the statement is untrue,
(3) intent on the part of the defendant to deceive the alleged victim,
(4) justifiable reliance by the alleged victim on the statement, and
(5) injury to the alleged victim as a result.
Hoaxes

A hoax is a falsehood deliberately fabricated to masquerade as the truth. It is distinguishable from errors in observation or judgment, rumors, urban legends, pseudosciences, and April Fools' Day events that are passed along in good faith by believers or as jokes.

To hoax is to trick into believing or accepting as genuine something false and often preposterous.
System Hacking

System hacking is a vast subject that consists of hacking the different software-based technological systems such as laptops, desktops, etc. System hacking is defined as the compromise of computer systems and software to access the target computer and steal or misuse their sensitive information. Here the malicious hacker exploits the weaknesses in a computer system or network to gain unauthorized access to its data or take illegal advantage.

When one enters the world of hacking, he is bombarded with seemingly similar or even synonymous terms: malicious users or malicious attackers, hackers, crackers and more. But what does each of them mean? In a more technical or meticulous context, chances are that you'll come across the term cracker as the more precise one when describing a hacker whose motivation is malice and wrongful gain. Therefore, cracking is illegal as well as unethical hacking. System hacking, on the other hand, usually has a more generic definition: it is the procedure of obtaining unauthorized access to a system and its resources. Some hacking types are perfectly legal, the most typical example being ethical hacking: system penetration testing conducted by information security specialists.
Phishing

Phishing is when a scammer uses fraudulent emails or texts, or copycat websites to get you to share valuable personal information – such as account numbers, social security numbers or your log-in IDs and password. Scammers lure their targets into a false sense of security by spoofing the familiar, trusted logos of established, legitimate companies.
Identity Theft

Identity theft is the crime of obtaining the personal or financial information of another person to use their identity to commit fraud, such as making unauthorized transactions or purchases. Identity theft is committed in many different ways and its victims are typically left with damage to their credit, finances, and reputation.

KEY TAKEAWAYS

Identity theft occurs when someone steals your personal information and credentials to commit fraud.
There are various forms of identity theft, but the most common is financial.
Identity theft protection is a growing industry that keeps track of people's credit reports, financial activity, and Social Security number use.


Disclosure

Disclosure of information is any release of information from one party to another. Usually it refers to release of management information relevant to collective bargaining and potentially useful to trade union negotiators.
Privacy Breach

A privacy breach occurs when an organization or individual either intentionally or accidentally:

Provides unauthorized or accidental access to someone's personal information.
Discloses, alters, loses or destroys someone's personal information.

A privacy breach also occurs when someone is unable to access their personal information due to, for example, their account being hacked.


What is Privacy?
Privacy

Privacy is a fundamental right, essential to autonomy and the protection of human dignity, serving as the foundation upon which many other human rights are built.

Privacy enables us to create barriers and manage boundaries to protect ourselves from unwarranted interference in our lives, which allows us to negotiate who we are and how we want to interact with the world around us. Privacy helps us establish boundaries to limit who has access to our bodies, places and things, as well as our communications and our information.

The rules that protect privacy give us the ability to assert our rights in the face of significant power imbalances.


Data Privacy and Protection Regulation
Scope and Application

The Data Privacy Act is broadly applicable to individuals and legal entities that process personal information, with some exceptions. The law has extraterritorial application, applying not only to businesses with offices in the Philippines, but also when equipment based in the Philippines is used for processing. The act further applies to the processing of the personal information of Philippine citizens regardless of where they reside.

One exception in the act provides that the law does not apply to the processing of personal information in the Philippines that was lawfully collected from residents of foreign jurisdictions — an exception helpful for Philippine companies that offer cloud services.
Approach

The Philippine law takes the approach that “The processing of personal data shall be allowed subject to adherence to the principles of transparency, legitimate purpose, and proportionality.”
Collection, Processing, and Consent

The act states that the collection of personal data “must be a declared, specified, and legitimate purpose” and further provides that consent is required prior to the collection of all personal data. It requires that when obtaining consent, the data subject be informed about the extent and purpose of processing, and it specifically mentions the “automated processing of his or her personal data for profiling, or processing for direct marketing, and data sharing.” Consent is further required for sharing information with affiliates or even mother companies.

Consent must be “freely given, specific, informed,” and the definition further requires that consent to collection and processing be evidenced by recorded means. However, processing does not always require consent.

Consent is not required for processing where the data subject is party to a contractual agreement, for purposes of fulfilling that contract. The exceptions of compliance with a legal obligation upon the data controller, protection of the vital interests of the data subject, and response to a national emergency are also available.

An exception to consent is allowed where processing is necessary to pursue the legitimate interests of the data controller, except where overridden by the fundamental rights and freedoms of the data subject.
Information Control

Information control is about allowing those who have appropriate authority access to and use of information based on the authority that they hold.
Intellectual Property (IP)
Intellectual Property (IP) refers to a few distinct types of intangible assets for which a set of exclusive rights
are recognized. IP includes musical, literary, and artistic works. However, IP is not just limited to these items.
It can also include words, phrases, symbols, and even designs.

Image 2.2 Popular logos

IP is any creation or product of the human mind and may be expressed in the form of original ideas, expressions, and
processes. Intellectual Property Rights (IPR) are the rights given to persons over their creations. They usually give the
creator an exclusive right over the use of his or her creation for a certain period of time.
Intellectual Property Code of the Philippines

Republic Act No. 8293 s. 1998

IPR consist of the following:

1. Copyright and related rights

2. Trademarks and service marks

3. Geographic indications

4. Industrial design

5. Patents

6. Layout designs (topographic) of Integrated Circuits (ICs)

7. Protection of undisclosed information


Copyright

Copyright is a set of exclusive rights granted by a state to the creator of an original work or their assignee for a limited
period of time in exchange for public disclosure of the work, and includes the right to copy, distribute, and adapt the
work. Copyright owners can license or permanently transfer or assign their exclusive rights to others.

Digital rights, on the other hand, is the permission granted to individuals to legitimately perform actions involving the
use of a computer, any electronic device, or a communications network. It is particularly related to the protection and
realization of existing rights in the context of new digital technologies, especially the internet.
The following are techniques designed to control access and reproduction of online information:

1. Encryption – is the process of converting data or information in such a way that only authorized parties can understand it. Its primary purpose is
to protect the confidentiality of digital data stored on computer systems or transmitted via the internet or other computer networks. Encryption
occurs every time someone uses an ATM or buys something online with a smartphone, makes a mobile phone call or presses a key fob to
unlock a car. This is done so that information being sent is kept safe and secure.

2. Serial Keys – also known as a product key or software key, it is a series of alphanumeric characters acting as a key to denote that the product
or software is original. In some cases product keys are used for product activation.

3. Scrambling – Data scrambling is done to hide sensitive information from unauthorized users. Scrambling is accomplished by the addition of
components to the original signal or the changing of some important component of the original signal in order to make the extraction of the
original signal difficult. It is often done with the aid of encryption.

4. Tag embedding – Similar to how pictures can include a watermark to denote information content. Watermarks are not complete DRM
mechanisms in their own right, but are used as part of a system for copyright enforcement, such as helping provide prosecution evidence for
legal purposes, rather than direct technological. In terms of data embedded into the actual content, the use of metadata is included to identify
the owner’s name, author, and date of purchase, among other pertinent information.
A Patent is a set of exclusive rights granted by the state to an inventor for a limited period of time in exchange for the
public disclosure of an invention. The exclusive right granted to a patentee in most countries is the right to prevent others
from making, using, selling, or distributing the patented invention without permission.

A Trademark is a distinctive sign used by an individual, business organization, or other legal entity to identify the
products or services to consumers. The mark comes from a unique source, and it distinguishes its product (trademark) or
services (service mark) from the others. Rights in a mark shall be acquired through registration made validly in accordance
with the provisions of the IP code.
