Difference between revisions of "Main Page/Teaching Resources/Glossary"

Privacy glossary

Most definitions taken from Wikipedia.

Ad exchange

An ad exchange is a technology platform that facilitates the buying and selling of media advertising inventory from multiple ad networks. Prices for the inventory are determined through real-time bidding. The approach is technology-driven as opposed to the historical approach of negotiating price on media inventory. This represents a field beyond ad networks as defined by the Interactive Advertising Bureau, and by advertising trade publications.

Ad network

An online advertising network or ad network is a company that connects advertisers to websites that want to host advertisements. The key function of an ad network is an aggregation of ad supply from publishers and matching it with advertiser's demand.

Algorithm

In mathematics and computer science, an algorithm is a finite sequence of well-defined, computer-implementable instructions, typically to solve a class of problems or to perform a computation. Algorithms are always unambiguous and are used as specifications for performing calculations, data processing, automated reasoning, and other tasks

Artificial intelligence

Artificial intelligence is intelligence demonstrated by machines, unlike the natural intelligence displayed by humans and animals, which involves consciousness and emotionality. The distinction between the former and the latter categories is often revealed by the acronym chosen.

Authentication

The process by which an entity (such as a person or computer system) determines whether another entity is who it claims to be.

Behavioral advertising

Behavioral targeting comprises a range of technologies and techniques used by online website brands, publishers and advertisers aimed at increasing the effectiveness of marketing and advertising using user web-browsing behavior information.

Big data

Big data is a field that treats ways to analyze, systematically extract information from, or otherwise deal with data sets that are too large or complex to be dealt with by traditional data-processing application software. Data with many fields offer greater statistical power, while data with higher complexity may lead to a higher false discovery rate.

biometrics

Data concerning the intrinsic physical or behavioral characteristics of an individual. Examples include DNA, fingerprints, retina and iris patterns, voice, face, handwriting, keystroke technique and gait. The General Data Protection Regulation, in Article 9, lists biometric data for the purpose of uniquely identifying a natural person as a special category of data for which processing is not allowed other than in specific circumstances.

CCTV

Originally an acronym for "closed circuit television," CCTV has come to be shorthand for any video surveillance system. Originally, such systems relied on coaxial cable and was truly only accessible on premise. Today, most surveillance systems are hosted via TCP/IP networks and can be accessed remotely, and the footage much more easily shared, eliciting new and different privacy concerns.

chat bot

Computerized intelligence that simulates human interactions and may be used to handle basic customer requests and interactions.

cloud computing

The provision of information technology services over the Internet. These services may be provided by a company for its internal users in a "private cloud" or by third-party suppliers. The services can include software, infrastructure (i.e., servers), hosting and platforms (i.e., operating systems). Cloud computing has numerous applications, from personal webmail to corporate data storage, and can be subdivided into different types of service models.

confidentiality

Data is "confidential" if it is protected against unauthorised or unlawful processing. The General Data Protection Regulation requires that an organization be able to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services as part of its requirements for appropriate security. In addition, the GDPR requires that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

consent

This privacy requirement is one of the fair information practices. Individuals must be able to prevent the collection of their personal data, unless the disclosure is required by law. If an individual has choice about the use or disclosure of his or her information, consent is the individual's way of giving permission for the use or disclosure. Consent may be affirmative; i.e., opt-in; or implied; i.e., the individual didn’t opt out. (1) Affirmative/Explicit Consent: A requirement that an individual "signifies" his or her agreement with a data controller by some active communication between the parties.

(2) Implicit Consent: Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.

consent decree

A judgment entered by consent of the parties. Typically, the defendant agrees to stop alleged illegal activity and pay a fine, without admitting guilt or wrongdoing. This legal document is approved by a judge and formalizes an agreement reached between a U.S. federal or state agency and an adverse party.

content delivery network

The servers that contain most or all of the visible elements of a web page and that are contacted to provide those elements. In the realm of advertising, a general ad server is contacted after a webpage is requested, that ad server looks up any known information on the user requesting to access the webpage.

cookie

A small text file stored on a client machine that may later be retrieved by a web server from the machine. Cookies allow web servers to keep track of the end user’s browser activities, and connect individual web requests into a session. Cookies can also be used to prevent users from having to be authorized for every password protected page they access during a session by recording that they have successfully supplied their username and password already. Cookies may be referred to as "first-party" (if they are placed by the website that is visited) or "third-party" (if they are placed by a party other than the visited website). Additionally, they may be referred to as "session cookies" if they are deleted when a session ends, or "persistent cookies" if they remain longer. Notably, the General Data Protection Regulation lists this latter category, so-called "cookie identifiers," as an example of personal information. The use of cookies is regulated both by the GDPR and the ePrivacy Directive (see Cookie Directive).

dark patterns

Recurring solutions that are used to manipulate individuals into giving up personal information.

data aggregation

Taking Individual data sets and combining them to statistically analyze data trends while protecting individual privacy by using groups of individuals with similar characteristics rather than isolating one individual at a time. To effectively aggregate data so that it cannot be re-identified (or at least make it difficult to do so) the data set should: (1) have a large population of individuals, (2) Categorized to create broad sets of individuals, and; (3) not include data that would be unique to a single individual in a data set.

data breach

The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector. Breaches do not include good faith acquisitions of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector—provided the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.

data brokers

Entities that collect, aggregate and sell individuals’ personal data, derivatives and inferences from disparate public or private sources.

data centers

Facilities that store, manage and disseminate data and house a network’s most critical systems. Data centers can serve either as a centralized facility for a single organization’s data management functions or as a third-party provider for organization’s data management needs.

data minimization principle

The idea that one should only collect and retain that personal data which is necessary.

data protection

The rules and safeguards applying under various laws and regulations to personal data about individuals that organizations collect, store, use and disclose. “Data protection” is the professional term used in the EU, whereas in the U.S. the concept is generally referred to as “information privacy.” Importantly, data protection is different from data security, since it extends beyond securing information to devising and implementing policies for its fair use.

de-identification

An action that one takes to remove identifying characteristics from data.

deep learning

A subset of artificial intelligence and machine learning. It learns by performing a tasks repeatedly and adding layers of data to improve the outcome.

digital rights management (DRM)

The management of access to and use of digital content and devices after sale. DRM is often associated with the set of access control (denial) technologies. These technologies are utilized under the premise of defending copyrights and intellectual property but are considered controversial because they may often restrict users from utilizing digital content or devices in a manner allowable by law.

do not track

A catch-all term for various technologies and browser settings designed to allow data subjects to indicate their objection to tracking by websites. Years of effort, by the W3C and other organizations, to create an official Do Not Track standard for HTTP headers has of yet led to naught.

encryption

The process of obscuring information, often through the use of a cryptographic scheme in order to make the information unreadable without special knowledge; i.e., the use of code keys. Encryption is mentioned in the General Data Protection Regulation as a potential way to mitigate risk, and certain breach notification requirements may be mitigated by the use of encryption as it reduces the risks to the rights and freedoms of data subjects should data be improperly disclosed.

encryption key

A cryptographic algorithm applied to unencrypted text to disguise its value or used to decrypt encrypted text.

end user license agreement (EULA)

A contract between the owner of the software application and the user. The user agrees to pay for the use of the software and promises to comply with certain restrictions on that use.

family educational rights and privacy act (FERPA)

FERPA establishes requirements regarding the privacy protection of student educational records. It applies to all academic institutions that receive funds under applicable U.S. Department of Education programs. FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are referred to as “eligible students.”

federal communiations commission (FCC)

The United States agency that regulates interstate communications through radio, wire, telecommunications, satellite and cable. The Federal Communications Commission has authority that overlaps with the Federal Trade Commission in some areas of privacy law including enforcement and further regulation under the Telephone Consumer Protection Act.

federal trade commission (FTC)

The United States' primary consumer protection agency, the FTC collects complaints about companies, business practices and identity theft under the FTC Act and other laws that they enforce or administer. Importantly, the FTC brings actions under Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices.

freedom of information act (FOIA)

A U.S. federal law that ensures citizen access to federal government agency records. FOIA only applies to federal executive branch documents. It does not apply to legislative or judicial records. FOIA requests will be fulfilled unless they are subject to nine specific exemptions. Most states have some state level equivalent of FOIA. The federal and most state FOIA statutes include a specific exemption for personal information so that sensitive data (such as Social Security numbers) are not disclosed.

general data protection regulation (GDPR) (EU)

The General Data Protection Regulation (GDPR) replaced the Data Protection Directive in 2018. The aim of the GDPR is to provide one set of data protection rules for all EU member states and the European Economic Area (EEA). The document comprises 173 recitals and 99 articles.

geofencing

Geofencing is the creation of virtual perimeters linked to the geographic position of a mobile device. In the BYOD context, geofencing may be used to restrict access to applications or sensitive information inside of or outside of specific locations. For example, a company may be able to restrict access to potentially risky applications on a personal device when the device is connected to the company’s network or, conversely, restrict access to company resources when the device is outside of the company’s network.

health insurance portability and accountability act (HIPAA)

A U.S. law passed to create national standards for electronic healthcare transactions, among other purposes. HIPAA required the U.S. Department of Health and Human Services to promulgate regulations to protect the privacy and security of personal health information. The basic rule is that patients have to opt in before their information can be shared with other organizations—although there are important exceptions such as for treatment, payment and healthcare operations.

identifiers

Codes or strings used to represent an individual, device or browser.

information security (infosec)

The protection of information for the purposes of preventing loss, unauthorized access and/or misuse. It is also the process of assessing threats and risks to information and the procedures and controls to preserve confidentiality, integrity and availability of information.

integrity

Integrity refers to the consistency, accuracy and trustworthiness of the data

internet of things

A term used to describe the many devices that are connected to the internet. Any device that is built with a network interface can be assigned an IP address to allow for automation and remote access.

internet protocol address (IP address)

A unique string of numbers that identifies a computer on the Internet or other TCP/IP network. The IP address is expressed in four groups of up to three numbers, separated by periods. For example: 123.123.23.2. An address may be "dynamic," meaning that it is assigned temporarily whenever a device logs on to a network or an Internet service provider and consequently may be different each time a device connects. Alternatively, an address may be "static," meaning that it is assigned to a particular device and does not change, but remains assigned to one computer or device.

internet service provider (ISP)

A company that provides Internet access to homes and businesses through modem dial-up, DSL, cable modem broadband, dedicated T1/T3 lines or wireless connections.

location data

Data indicating the geographical position of a device, including data relating to the latitude, longitude, or altitude of the device, the direction of travel of the user, or the time the location information was recorded.

machine learning

A subfield of, or building block for, artificial intelligence (see Artificial Intelligence), machine learning is a problem-solving technique that trains a computer to identify new patterns. It implements various algorithms in a problem-solving process that includes data cleansing, feature selection, training, testing, and validation. Companies and government agencies increasingly deploy machine learning algorithms for tasks such as fraud detection, speech recognition, image classification and other pattern-recognition applications.

metadata

Data that describes other data. “Meta” is a prefix meaning “an underlying description” in information technology usage.

multi-factor authentication

An authentication process that requires more than one verification method (see Authentication), such as a password and biometric identifier, or log-in credentials and a code sent to an email address or phone number supplied by a data subject.

national institute of standards and technology (NIST)

NIST is an agency within the Department of Commerce. NIST has the lead responsibility for the development and issuance of security standards and guidelines for the federal government, contractors, and the United States critical information infrastructure.

The NIST has published a series of publications in support of its risk management framework (RMF). The RMF is a multi-tiered and structured methodology for creating a unified information security framework for the federal government in order to meet the vast array of requirements set forth in FISMA.

national security letter (NSL)

A category of subpoena. The USA PATRIOT Act expanded the use of national security letters. Separate and sometimes differing statutory provisions now govern access, without a court order, to communication providers, financial institutions, consumer credit agencies and travel agencies.

natural language processing (NLP)

Utilizes machine reading comprehension through algorithms to identify and extract natural language that the computer can understand.

open source vs closed source

Easily viewed, shared and modified software is considered open-source. Closed-source software must by fixed and updated by the vendor.

opt-in

One of two central concepts of choice. It means an individual makes an active affirmative indication of choice; i.e., checking a box signaling a desire to share his or her information with third parties.

opt - out

One of two central concepts of choice. It means an individual’s lack of action implies that a choice has been made; i.e., unless an individual checks or unchecks a box, their information will be shared with third parties.

personally identifiable information (PII)

Any information about an individual, including any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and any other information that is linkable to an individual, such as medical, educational, financial, and employment information.

phishing

E-mails or other communications that are designed to trick a user into believing that he or she should provide a password, account number or other information. The user then typically provides that information to a website controlled by the attacker. “Spear phishing” is a phishing attack that is tailored to the individual user, such as when an e-mail appears to be from the user’s boss, instructing the user to provide information.

privacy

A nebulous philosophical, legal, social and technological concept which means different things to different observers. In an influential 1890 Harvard Law Review article, Samuel Warren and Louis Brandeis, who later became a Supreme Court Justice, famously defined privacy as “a right to be let alone.” Common areas of privacy that are of particular interest with regard to data protection and privacy laws include information privacy, bodily privacy, territorial privacy, and communications privacy.

privacy by design

Generally regarded as a synonym for Data Protection by Design (see Data Protection by Design). However, Privacy by Design as a specific term was first outlined in a framework in the mid-1990s by then-Information and Privacy Commissioner of Ontario, Canada, Ann Cavoukian, with seven foundational principles.

privacy policy

An internal statement that governs an organization or entity’s handling of personal information. It is directed at those members of the organization who might handle or make decisions regarding the personal information, instructing them on the collection, use, storage and destruction of the data, as well as any specific rights the data subjects may have. May also be referred to as a data protection policy.

pseudonymization

The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

public key infrastructure (PKI)

A system of digital certificates, authorities and other registration entities that verifies the authenticity of each party involved in an electronic transaction through the use of cryptography.

re-identification

The action of reattaching identifying characteristics to pseudonymized or de-identified data (see De-identification and Pseudonymization). Often invoked as a “risk of re-identification” or “re-identification risk,” which refers to nullifying the de-identification actions previously applied to data (see De-identification).

right to be forgotten

An individual’s right to have their personal data deleted by a business or other organization possessing or controlling that data.

social engineering

A general term for how attackers can try to persuade a user to provide information or create some other sort of security vulnerability.

subpoena

A written court order issued in an administrative, civil or criminal action that requires the person named in the subpoena to appear in court in order to testify under oath on a particular matter which is the subject of an investigation, proceeding or lawsuit. A subpoena may also require the production of a paper, document or other object relevant to an investigation, proceeding or lawsuit that discloses personal information.

terms of service

The set of rules which govern the use of a service and must be agreed to, either implicitly through the use of that service or explicitly, in order to make use of that service.

two-factor authentication

transport layer security (TLS)

A protocol that ensures privacy between client-server applications and Internet users of the applications. When a server and client communicate, TLS secures the connection to ensure that no third party can eavesdrop on or corrupt the message. TLS is a successor to SSL.

virtual private network (VPN)

A network that uses primarily public telecommunication infrastructure, such as the Internet, to provide remote offices or traveling users an access to a central organizational network. VPNs typically require remote users of the network to be authenticated and often secure data with encryption technologies to prevent disclosure of private information to unauthorized parties.

warrant

web beacon

Also known as a web bug, pixel tag or clear GIF, a web beacon is a clear graphic image (typically one pixel in size) that is delivered through a web browser or HTML e-mail. The web beacon operates as a tag that records an end user’s visit to a particular web page or viewing of a particular e-mail. It is also often used in conjunction with a web cookie and provided as part of a third-party tracking service. Web beacons provide an ability to produce specific profiles of user behavior in combination with web server logs. Common usage scenarios for web beacons include online ad impression counting, file download monitoring, and ad campaign performance management. Web beacons also can report to the sender about which e-mails are read by recipients. Privacy considerations for web beacons are similar to those for cookies. Some sort of notice is important because the clear pixel of a web beacon is quite literally invisible to the end user.