From 1e3ca9ff919d9705f47739247ed9c245e8e82d1a Mon Sep 17 00:00:00 2001 From: Leonard Kugis Date: Mon, 9 Mar 2020 16:27:10 +0100 Subject: IntroSec Added privacy chapter. --- .../introduction_to_information_security.md | 52 +++++++++++++++++++++- 1 file changed, 51 insertions(+), 1 deletion(-) diff --git a/en_GB/Introduction to Information Security/introduction_to_information_security.md b/en_GB/Introduction to Information Security/introduction_to_information_security.md index 60774c8..f8e5f93 100644 --- a/en_GB/Introduction to Information Security/introduction_to_information_security.md +++ b/en_GB/Introduction to Information Security/introduction_to_information_security.md @@ -353,7 +353,7 @@ In TLS, the Diffie-Hellman values coming from Server to Client are signed with t ### HTTP sessions -HTTP sessions per se do no end with TCP connections. +HTTP sessions per se do not end with TCP connections. To check for Man-In-The-Middle attacks, TCP session state is included in the HTTP digest. Then the server also checks against his session state. If they are not equal, there is a MitM. 
@@ -431,6 +431,56 @@ Privacy is based on the *Universal Declaration of Human Rights*. No one shall be - Ownership: What may others do with your data? - Nuisance: Right to be let alone +### EU Data Protection Directive + +Member states shall protect the rights guaranteed in the *Universal Declaration of Human Rights*. +But member states shall also not restrict the free flow of data between states. +Tese *directives* are not *laws*. It is up to the states to implements the *directives* how they like. + +#### Terminology + +- Personal Data: Any information relating to a *data subject*. +- Data Subject: Living person to whome personal data relates. +- Data Controller: The entity determining the purposes and means of the processing of data. Mostly some kind of authority. +- Data Processor: The entity processing the data on behalf of the controller. + +#### Summary + +- Processing personal data must have a legitimate purpose. +- If neccessary, it must be kept up to date. +- It might not be stored longer than neccessary. +- Processing is neccessary under several conditions (law obligation of the processor, protect vital interests, ensure performance of task). +- Processing only after consent of data subject. +- Data subjects have the right to access their data. +- No transfer of data to non EU countries. + +### EU General Data Protection Regulation (GDPR) + +- Penalties: 4% of annual global turnover. +- Request consent in a more accessible form (explainations to the DAU) +- Breach notification +- Right to be forgotten + +### Tracking + +People might get tracked through cookies. *Same Origin Policy* prohibits tracking from third parties, +but including resources such as images or ads on the primary website, the client fetches these resources +from the tracking party, which is the origin in that view. + +#### Cookie syncing + +Links cookies together to match information and collect rich profiles about users. 
+ +- *Demand Side Platform (DSP)*: Operates as an entity of the advertisers. +- *Data Management Platform (DMP)*: Servers DSPs with historical user data. + +1. User visits website containing ad. +2. Ad request is sent to the DSPs, unique user ID is created and stored in cookie. +3. DSP calls pixel URL on DMP. +4. DMP checks ID sent from DSP and if ID already exists in database. +5. DMP puts own ID in matching table, mapping DSP ID and DMP ID together. +6. In bidirectional sync, DMP also passes his ID to DSP for his map. + ## Crypto Analysis ### Side Channel Analysis -- cgit v1.2.1
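Review bot: The first hunk (@@ -353,7 +353,7 @@) carries a typo fix in the HTTP sessions paragraph ("do no end" to "do not end") that the subject "Added privacy chapter" does not mention; note it in the commit message or split it into its own commit. The unchanged context right after it could be cleaned up in the same pass: "the server also checks against his session state" should read "its", and "TCP session state is included in the HTTP digest" says neither which state values are meant nor what the digest is computed over.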
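Review bot: In the second hunk (@@ -431,6 +431,56 @@), several added bullets state the rules more absolutely than the law does, starting with "No transfer of data to non EU countries" in the Directive summary: the Directive permits transfers to third countries that ensure an adequate level of protection, so the bullet should say that transfers are restricted, not banned. In the same list, "Processing is neccessary under several conditions" followed by "Processing only after consent of data subject" reads as a contradiction; consent is one lawful ground alongside the ones listed in the parentheses, so merge the two into "Processing is permitted with consent, or when necessary for ...". "It might not be stored longer than neccessary" should be "must not". Under GDPR, "Penalties: 4% of annual global turnover" is the upper bound ("up to 4% of annual global turnover or EUR 20 million, whichever is higher"). In the Tracking paragraph, "*Same Origin Policy* prohibits tracking from third parties" overstates what the policy does: it restricts cross-origin reads, and the rest of the sentence ("but including resources such as ...") is missing a subject; suggest "but when the primary website embeds images or ads, the client fetches them from the tracking party, which then sets and receives its own cookies as the origin of that request". Spelling and wording to fix before merge: "Tese", "to implements", "whome", "neccessary" (three times), "explainations", "Servers DSPs" (should be "Serves"), "passes his ID to DSP for his map" (use "its"), and the abbreviation "DAU", which is never expanded. In Cookie syncing, add a lead-in sentence between the DSP/DMP definitions and the numbered steps so the steps are not read as a continuation of the definition list.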