Name:                USC ID:

INF 529 Final Exam
Spring 2019

IMPORTANT: FOR REMOTE PROCTORS
Please Scan Both Sides of all Pages. Students have been instructed to answer some questions on the back of the page.

Instructions:

Show all work. This exam is open book and open note. You may use electronic devices to consult materials stored on the devices, but you may not use them to access material through the net, or for communication in any manner. Electronic devices must be placed in “airplane mode” with wifi and other communications capabilities disabled. You have 120 minutes to complete the exam.

Please prepare your answers on separate sheets of paper. You may write your answers on the sheet of paper with the question (front and back). If you need more space, please attach a separate sheet of paper to the page with the particular question. Do NOT extend your answer on the back of the sheet for a different question, and do NOT use the same extra sheet of paper to answer more than one question. The exam will be split apart for grading by different people, and if part of your answer for one question appears on a page given to a different grader because the sheet contains parts of the answer to more than one question, then you will NOT receive credit for that part of the answer not seen by the grader. In particular, each numbered question must appear on separate pieces of paper so that the exam can be split for grading.

Be sure to include your name on each page.

There are 100 points in all and 3 questions.

        Q1    Q2    Q3    Total Score
Score

1. Privacy Destroying Technologies (35 points)

a) Facial Recognition (5 points)
In three or four sentences explain why facial recognition technology has such an impact on privacy when compared with the near ubiquitous deployment of security cameras that don’t support face recognition.

b) License Plate Readers (5 points)
In three or four sentences explain why automated license plate readers and the accumulation of the data from these readers in shared databases has a significant impact on privacy.

c) Session tracking (5 points)
List at least three substantially different techniques used to track sessions (match sessions to users or identifiers, match sessions to devices, or link sessions) and explain in three or four sentences how or for what purpose these linkages are used by business. (answer on back of page)

d) Data Mining, AI, and Machine Learning (5 points)
Explain in five or six sentences how data mining, AI, and machine learning are used in ways that affect our privacy.

e) Apps (5 points)
Explain in four to six sentences how the apps (or applications) we install on our personal devices affect the security of our data and how they affect our privacy.

f) Internet of Things (5 points)
In no more than 8 sentences, list the main reasons that many internet of things devices present both security risks and privacy risks.

g) Required encryption back-doors (5 points)
In no more than 3 sentences explain some of the dangers associated with requiring back-doors to security technologies that can be exercised by government agents. In no more than 2 sentences, explain why some argue such back-doors are necessary. (answer on back of page)

2. Privacy Preserving Technologies (30 points)

a. Anonymizers (5 points)
In no more than 4 sentences explain what an anonymizer is, what kind of monitoring it protects against, and what the main limitations of the technology are in terms of privacy.

b. Onion Routing (5 points)
In no more than 4 sentences explain how Onion routing addresses some of the limitations of anonymizers that you described in 2a.

c. End to end secure messaging (10 points)
What do we mean when we describe a messaging system as end-to-end secure, or as applying end-to-end encryption?
Why is this better than simply using SSL or TLS? Answer in no more than 5 sentences. (answer on back of page)

d. Differential Privacy (5 points)
In no more than 3 sentences explain why differential privacy is so effective at preventing misuse of our personally identifiable information.

e. Whole disk/Memory Encryption (5 points)
In no more than 4 sentences explain in which situations whole disk encryption (or whole memory encryption in devices like cell phones) prevents “adversaries” from obtaining our data and in what situations it is not effective.

3. Understanding the CCPA (35 Points)

On January 1st, 2020 the California Consumer Privacy Act will become enforceable (subject to amendments that may be passed before that date). The stated purposes of the act are to provide California Residents with the rights to:

• Know what personal data is being collected about them.
• Know whether their personal data is sold or disclosed and to whom.
• Say no to the sale of personal data.
• Access their personal data.
• Equal service and price, even if they exercise their privacy rights.

There have been various bills introduced that might scale back some of the protection in the CCPA. Despite this fact, there are already aspects of CCPA that are significantly weaker than Europe’s GDPR. In this question you are to discuss specific strengths and weaknesses of the CCPA as spelled out in the subparts of this question that follow:

A. Opt out Provisions.

1798.120
(a) A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt out.
…
(c) A business that has received direction from a consumer not to sell the consumer’s personal information … shall be prohibited, pursuant to paragraph (4) of subdivision (a) of Section 1798.135, from selling the consumer’s personal information after its receipt of the consumer’s direction, unless the consumer subsequently provides express authorization for the sale of the consumer’s personal information.

1798.115
(d) A third party shall not sell personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out pursuant to 1798.120.

Question: These provisions are significantly weaker than the protections provided by the GDPR. Explain the ways (there is more than one) that this provision is weaker than GDPR in terms of regulating the activities of third parties that have purchased information about a consumer or who have otherwise obtained information from another party about a consumer for a business purpose. (10 points – Continue answer on Back of Page)

[Hint for one of the ways: consider our discussion in class about one of the major differences of GDPR with respect to other privacy legislation.]

B. Non-Discrimination for exercising rights.

1798.125.
(a) (1) A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title, including, but not limited to, by:
(A) Denying goods or services to the consumer.
(B) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
(C) Providing a different level or quality of goods or services to the consumer, if the consumer exercises the consumer’s rights under this title.
(D) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
(2) Nothing in this subdivision prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data.
(b) (1) A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.
(2) A business that offers any financial incentives pursuant to subdivision (a), shall notify consumers of the financial incentives pursuant to Section 1798.135.
(3) A business may enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent pursuant to Section 1798.135 which clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time.

The section above is similar to certain interpretations of provisions of the GDPR, at least with respect to the actions covered.

Question: Discuss at least two common business practices/models that MIGHT be affected by this rule. At least one of the practices you describe should apply to offline retail (e.g., grocery stores). For each of the practices/models you discuss, explain aspects of the business model that might allow the company to argue they are not covered by this section or how they may adjust their model so that they are not (in considering this, focus on what customers are opting out of as discussed in question 1a). Also suggest problems with the wording in (b)(1), financial incentives, that might make it difficult to allow this exception with respect to the offline retail example.
(15 points – Answer on Back of Page)

C. Deletion of Data

1798.105.
(a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer….
(c) A business that receives a verifiable request from a consumer to delete the consumer’s personal information pursuant to subdivision (a) of this section shall delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.
(d) A business or a service provider shall not be required to comply with a consumer’s request to delete the consumer’s personal information if it is necessary for the business or service provider to maintain the consumer’s personal information in order to:
(1) Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
(2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
(4) Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
(5) Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
(7) To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
(8) Comply with a legal obligation.
(9) Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

Question: Discuss the major differences between the right to deletion of data in the section above as compared with similar provisions in GDPR. (10 points – Continue answer on Back of Page)