
Group 3 Proposal - Protecting User Resources and Privacy Using Software Security-2

This document summarizes a seminar on protecting user resources and privacy with software security. The seminar was conducted by a group of 5 students from Bouesti University, supervised by Dr. Adewumi. The seminar focused on concepts of privacy and security as they relate to internet-based information systems and explored software-based privacy invasions like spam, adware, and spyware through empirical studies. It also investigated how to achieve secure inter-organizational collaboration using a framework called Plug and Play Business to support virtual enterprises.


SEMINAR TITLE:

PROTECTING USER RESOURCES AND PRIVACY WITH SOFTWARE SECURITY.

GROUP 3 – STUDENTS WHO CONTRIBUTED:

ANISE KOLAWOLE LUCKY
[MATRIC NO: 0546]

AWOLUSI JOSHUA OLUWASEUN
[MATRIC NO: 0552]

AKINYISOLA AKINKUNMI A.
[MATRIC NO: 0538]

AKEJU FERANMI IFESEYI
[MATRIC NO: 0531]

AKAOLISA REVERENCE CHIKAODILI
[MATRIC NO: 0530]

SUPERVISOR: DR. (MRS) ADEWUMI M.G



Abstract
In today’s world, where new technologies and applications are rapidly
introduced into the homes and offices of users, the threat levels related to
internet usage are bound to increase. As a result, security experts are increasingly
being called upon to develop new ways to protect user resources and privacy
using software security.

The research presented in this thesis is based on two concepts, privacy and
security. In layman’s terms privacy can be described as “the right to be let
alone” (Warren and Brandeis, 1890) and security as “the protection from harm”.
The setting in which these concepts are studied is Internet-based information
systems, which are the global information systems that use the Internet as the
communication infrastructure, and which involve information, hardware,
software, and human actors. Since Internet-based information systems are
characterized by, e.g., openness, dynamicity, anonymity, connectivity, and
hostility, managing privacy and security is a cumbersome and challenging task. In
the study of privacy, a number of empirical studies are conducted, in which we
explore the nature and extent of software-based privacy invasions in Internet-
based information systems. Three examples of privacy-invasive activities that are
specifically examined are spam (unsolicited bulk e-mail), adware (software that
displays commercial content), and spyware (software that spies on users). The
main contributions are the analyses of such privacy-invasions and their
consequences, and the specification of a new category of software, which is
referred to as privacy-invasive software (software that ignores users’ right to be
let alone).
In the study of security, it has been investigated how inter-organizational and
interoperable business collaboration using Internet-based information systems
can be achieved in the context of virtual enterprises. Virtual enterprises are a
major trend in enterprise interoperability, making it possible to configure
cooperative settings in which different companies temporarily share their
resources toward a common goal. To realize this vision, we introduce Plug and
Play Business, which is an integrated framework of information and
communication technologies intended to support the secure formation
and operation of virtual enterprises. A formal analysis of Plug and Play Business
and the crucial tasks involved in the management of virtual enterprises is carried
out together with a discussion of how to improve security and promote trust. A
community of virtual enterprises, a gate-keeper facility and a set of security
measures including norms and norm-enhancing mechanisms are identified for
this purpose. To support the users of Plug and Play Business, intelligent software
agents are suggested as means to automate some of the tasks necessary for
operating a virtual enterprise. The study of security is concluded by an
assessment of the available technologies in support of realizing Plug and Play
Business software.

We hope this research will make a positive impact on the protection of user
resources and privacy – using software security.

(Retrieved from: Andreas Jacobsson (2008) “Privacy and security in Internet-based information
system”, Blekinge Institute of Technology Doctoral Dissertation Series No.2008.02 School of
Engineering)

Introduction
Computer Security

The meaning of the term computer security has evolved in recent years. Before
the problem of data security became widely publicized in the media, most
people’s idea of computer security focused on the physical machine.
Traditionally, computer facilities have been physically protected for three
reasons:

• To prevent theft of or damage to the hardware

• To prevent theft of or damage to the information

• To prevent disruption of service

Computer security is security applied to computing devices such as computers
and smartphones, as well as computer networks such as private and public
networks, including the whole Internet.

The field covers all the processes and mechanisms by which digital equipment,
information and services are protected from unintended or unauthorized access,
change or destruction, and is of growing importance in line with the increasing
reliance on computer systems of most societies worldwide. It includes physical
security to prevent theft of equipment, and information security to protect the
data on that equipment. It is sometimes referred to as "cyber security" or "IT
security", though these terms generally do not refer to physical security (locks
and such). Some important terms used in computer security are:

Vulnerability

Vulnerability is a weakness which allows an attacker to reduce a system's
information assurance. Vulnerability is the intersection of three elements: a
system susceptibility or flaw, attacker access to the flaw, and attacker capability
to exploit the flaw. To exploit a
vulnerability, an attacker must have at least one applicable tool or technique
that can connect to a system weakness. In this frame, vulnerability is also known
as the attack surface.

Vulnerability management is the cyclical practice of identifying, classifying,
remediating, and mitigating vulnerabilities. This practice generally refers to
software vulnerabilities in computing systems.

Backdoors

A backdoor in a computer system is a method of bypassing normal
authentication, securing remote access to a computer, obtaining access to
plaintext, and so on, while attempting to remain undetected.

The backdoor may take the form of an installed program (e.g., Back Orifice), or
could be a modification to an existing program or hardware device. It may also
fake information about disk and memory usage.

Denial-of-service attack

Unlike other exploits, denial-of-service attacks are not used to gain
unauthorized access or control of a system. They are instead designed to render
it unusable. Attackers can deny service to individual victims, such as by
deliberately entering a wrong password enough consecutive times to cause the
victim account to be locked, or they may overload the capabilities of a machine
or network and block all users at once. These types of attack are, in practice,
very hard to prevent, because the behaviour of whole networks needs to be
analysed, not only the behaviour of small pieces of code. Distributed denial of
service (DDoS) attacks are common, where a large number of compromised
hosts (commonly referred to as "zombie computers", used as part of a botnet
with, for example, a worm, trojan horse, or backdoor exploit to control them)
are used to flood a target system with network requests, thus attempting to
render it unusable through resource exhaustion.

Direct-access attacks

An unauthorized user gaining physical access to a
computer (or part thereof) can perform many functions and install different types of
devices to compromise security, including operating system modifications,
software worms, key loggers, and covert listening devices. The attacker can also
easily download large quantities of data onto backup media, for instance
CD-R/DVD-R, tape; or portable devices such as key drives, digital cameras or digital
audio players. Another common technique is to boot an operating system
contained on a CD-ROM or other bootable media and read the data from the
hard drive(s) this way. The only way to defeat this is to encrypt the storage
media and store the key separate from the system. Direct-access attacks are the
only type of threat to standalone computers (those never connected to the internet), in most
cases.

Eavesdropping

Eavesdropping is the act of surreptitiously listening to a private conversation,
typically between hosts on a network. For instance, programs such as Carnivore
and NarusInsight have been used by the FBI and NSA to eavesdrop on the
systems of internet service providers.

Spoofing

Spoofing of user identity describes a situation in which one person or program
successfully masquerades as another by falsifying data and thereby gaining an
illegitimate advantage.

Tampering

Tampering describes an intentional modification of products in a way that would
make them harmful to the consumer.

Repudiation

Repudiation describes a situation where the authenticity of a signature is being
challenged.

Information disclosure

Information Disclosure (Privacy breach or Data leak) describes a situation where
information, thought to be secure, is released in an untrusted environment.

Elevation of privilege

Elevation of Privilege describes a situation where a person or a program wants to
gain elevated privileges or access to resources that are normally restricted to
him/it.

Exploits

An exploit is a piece of software, a chunk of data, or sequence of commands that
takes advantage of a software "bug" or "glitch" in order to cause unintended or
unanticipated behaviour to occur on computer software, hardware, or
something electronic (usually computerized). This frequently includes such
things as gaining control of a computer system or allowing privilege escalation or
a denial of service attack. The term "exploit" generally refers to small programs
designed to take advantage of a software flaw that has been discovered, either
remote or local. The code from the exploit program is frequently reused in
Trojan horses and computer viruses.

Indirect attacks

An indirect attack is an attack launched by a third-party computer. By using
someone else's computer to launch an attack, it becomes far more difficult to
track down the actual attacker.

There have also been cases where attackers took advantage of public
anonymizing systems, such as the Tor onion router system.

Computer crime

Computer crime refers to any crime that involves a computer
and a network.

(Retrieved from: Asst.Prof. Sumitra Kisan, Asst.Prof. D. Chandrasekhar Rao.
“Information and Security Lecture Notes” Department of Computer Science and
Engineering & Information Technology. Veer Surendra Sai University of
Technology (Formerly UCE, Burla) Burla, Sambalpur, Odisha.)

Users' Resources/Personal Data/Information
A user's personal information or data is information or data that is linked or can
be linked to individual persons. Examples include explicitly stated characteristics
such as a person’s date of birth, sexual preference, whereabouts, religion, but
also the IP address of your computer or metadata pertaining to these kinds of
information. In addition, personal data can also be more implicit in the form of
behavioural data, for example from social media, that can be linked to
individuals. Personal data can be contrasted with data that is considered
sensitive, valuable or important for other reasons, such as secret recipes,
financial data, or military intelligence. Data used to secure other information,
such as passwords, are not considered here. Although such security measures
(passwords) may contribute to privacy, their protection is only instrumental to
the protection of other (more private) information, and the quality of such
security measures is therefore out of the scope of our considerations here.

A relevant distinction that has been made in philosophical semantics is that
between the referential and the attributive use of descriptive labels of persons
(van den Hoven 2008). Personal data is defined in the law as data that can be
linked with a natural person. There are two ways in which this link can be made;
a referential mode and a non-referential mode. The law is primarily concerned
with the ‘referential use’ of descriptions or attributes, the type of use that is
made on the basis of a (possible) acquaintance relationship of the speaker with
the object of his knowledge. “The murderer of Kennedy must be insane”, uttered
while pointing to him in court is an example of a referentially used description.
This can be contrasted with descriptions that are used attributively as in “the
murderer of Kennedy must be insane, whoever he is”. In this case, the user of
the description is not – and may never be – acquainted with the person he is
talking about or intends to refer to. If the legal definition of personal data is
interpreted referentially, much of the data that could at some point in time be
brought to bear on persons would be unprotected; that is, the processing of this
data would not be constrained on moral grounds related to privacy or personal
sphere of life, since it does not “refer” to persons in a straightforward way and
therefore does not constitute “personal data” in a strict sense.

(Retrieved from: Stanford Encyclopedia of Philosophy, Privacy and Information
Technology First Published Thu Nov 20, 2014; Substantive revision Wed Oct. 30,
2019)

Privacy

(According to Wikipedia) The word Privacy is derived from the Latin word
“Privatus”, which means to set apart from what is public, personal and belonging
to one’s self and not to the state.
Privacy is your personal information and how you allow it to be accessed and viewed.
In contrast, security is the protection of this data and information. When you download
a new app on your smartphone, you are often asked to agree to a privacy policy. This
policy will detail what information the app is going to collect and how it will be used. It
is up to you to decide if you agree to the terms or not. With security, the goal is to
safeguard your data and information, often through cybersecurity products and
measures. Cybersecurity deals with deflecting unauthorized access to your data
through leaks or breaches using security technologies and tools.
(Retrieved from: Okta @ https://www.okta.com/identity-101/privacy-vs-security/)

Today, discussions of privacy are in focus for many reasons.


• The tension between state affairs and citizen concerns in the wake
of global terrorism is being witnessed.
• Secondly, the importance of enforcing privacy as a critical aspect of ICT
proliferation is recognized. This is acknowledged in many different areas
throughout our society, for example, within health care, government
authorities, and international politics. In particular, privacy has a
prominent position in public debates about potential impacts of
contemporary ICT.
• Thirdly, we are also increasingly aware of the conflict between wanted
and unwanted effects of “profiling user or customer data” with the
purpose of customized marketing.

The study of privacy in a computerized setting is, however, not new.
For this particular environment, it has been a discussion for almost 40
years now (Grenier, 1969). Still, there is no judicial impediment, technical
solution, or economic model powerful enough to adequately protect the
privacy of individuals.
One reason is that privacy is in many ways a paradox; to protect some
information, other information must be disclosed.
Another reason is that privacy as a concept is neither clearly defined nor
easily explained (Tavani, 2007). Also, the availability and amount of information
makes it virtually impossible to stay in control of one’s personal information.
Consequently, it may be impossible to define a method that
fully ensures people’s right to privacy. A more pragmatic view is that it is
through increased awareness amongst users that privacy invasions can be
recognized, avoided, and managed.

(Retrieved from: Andreas Jacobsson (2008) “Privacy and security in Internet-based information
system”, Blekinge Institute of Technology Doctoral Dissertation Series No.2008.02 School of
Engineering)

Accounts Of The Value Of Privacy
The debates about privacy are almost always revolving around new technology,
ranging from genetics and the extensive study of bio-markers, brain imaging,
drones, wearable sensors and sensor networks, social media, smart phones,
closed circuit television, to government cybersecurity programs, direct
marketing, RFID tags, Big Data, head-mounted displays and search engines.
There are basically two reactions to the flood of new technology and its impact
on personal information and privacy: the first reaction, held by many people in the IT
industry and in R&D, is that we have zero privacy in the digital age and that there
is no way we can protect it, so we should get used to the new world and get over
it (Sprenger 1999). The other reaction is that our privacy is more important than
ever and that we can and we must attempt to protect it.
In the literature on privacy, there are many competing accounts of the nature
and value of privacy (Negley 1966, Rössler 2005).
On one end of the spectrum, reductionist accounts argue that privacy claims are
really about other values and other things that matter from a moral point of
view. According to these views the value of privacy is reducible to these other
values or sources of value (Thomson 1975). Proposals that have been defended
along these lines mention property rights, security, autonomy, intimacy or
friendship, democracy, liberty, dignity, or utility and economic value.
Reductionist accounts hold that the importance of privacy should be explained
and its meaning clarified in terms of those other values and sources of value
(Westin 1967). The opposing view holds that privacy is valuable in itself and its
value and importance are not derived from other considerations (see for a
discussion Rössler 2004). Views that construe privacy and the personal sphere of
life as a human right would be an example of this non-reductionist conception.
More recently a type of privacy account has been proposed in relation to new
information technology, which acknowledges that there is a cluster of related
moral claims underlying appeals to privacy, but maintains that there is no single
essential core of privacy concerns. This approach is referred to as cluster
accounts (DeCew 1997; Solove 2006; van den Hoven 1999; Allen 2011;
Nissenbaum 2004).
From a descriptive perspective, a recent further addition to the body of privacy
accounts are epistemic accounts, where the notion of privacy is analyzed
primarily in terms of knowledge or other epistemic states. Having privacy means
that others don’t know certain private propositions; lacking privacy means that
others do know certain private propositions (Blaauw 2013).

An important aspect of this conception of having privacy is that it is seen as a
relation (Rubel 2011; Matheson 2007; Blaauw 2013) with three argument places:
a subject (S), a set of propositions (P) and a set of individuals (I). Here S is the
subject who has (a certain degree of) privacy. P is composed of those
propositions the subject wants to keep private (call the propositions in this set
‘personal propositions’), and I is composed of those individuals with respect to
whom S wants to keep the personal propositions private.
Another distinction that is useful to make is the one between a European and a
US American approach. A bibliometric study suggests that the two approaches
are separate in the literature. The first conceptualizes issues of informational
privacy in terms of ‘data protection’, the second in terms of ‘privacy’ (Heersmink
et al. 2011). In discussing the relationship of privacy matters with technology,
the notion of data protection is most helpful, since it leads to a relatively clear
picture of what the object of protection is and by which technical means the
data can be protected. At the same time it invites answers to the question why
the data ought to be protected, pointing to a number of distinctive moral
grounds on the basis of which technical, legal and institutional protection of
personal data can be justified. Informational privacy is thus recast in terms of the
protection of personal data (van den Hoven 2008). This account shows how
Privacy, Technology and Data Protection are related, without conflating Privacy
and Data Protection.

(Retrieved from: Stanford Encyclopedia of Philosophy, Privacy and Information
Technology First Published Thu Nov 20, 2014; Substantive revision Wed Oct. 30,
2019)

Data Security
Data security is a set of processes and practices designed to protect your critical
information technology (IT) ecosystem. This includes files, databases, accounts, and
networks. Effective data security adopts a set of controls, applications, and techniques
that identify the importance of various datasets and apply the most appropriate
security controls.

Effective data security takes into account the sensitivity of various datasets and
corresponding regulatory compliance requirements. Like other cybersecurity postures
— perimeter and file security to name a few — data security isn’t the end-all-be-all for
keeping hackers at bay. Rather, data security is one of many critical methods for
evaluating threats and reducing the risk associated with data storage and handling.

Types of Data Security

• Access Controls
This type of data security measure includes limiting both physical and
digital access to critical systems and data. This includes making sure all
computers and devices are protected with mandatory login entry, and
that physical spaces can only be entered by authorized personnel.

• Authentication
Similar to access controls, authentication refers specifically to accurately
identifying users before they have access to data. This usually includes
things like passwords, PIN numbers, security tokens, swipe cards, or
biometrics.

• Backups & Recovery
Good data security means you have a plan to securely access data in the
event of system failure, disaster, data corruption, or breach. You’ll need
a backup data copy, stored on a separate format such as a physical disk,
local network, or cloud to recover if needed.

• Data Erasure
You’ll want to dispose of data properly and on a regular basis. Data
erasure employs software to completely overwrite data on any storage
device and is more secure than standard data wiping. Data erasure
verifies that the data is unrecoverable and therefore won’t fall into the
wrong hands.

• Data Masking
By using data masking software, information is hidden by obscuring
letters and numbers with proxy characters. This effectively masks key
information even if an unauthorized party gains access to it. The data
changes back to its original form only when an authorized user receives
it.

• Data Resiliency
Comprehensive data security means that your systems can endure or
recover from failures. Building resiliency into your hardware and
software means that events like power outages or natural disasters
won’t compromise security.

• Encryption
A computer algorithm transforms text characters into an unreadable
format via encryption keys. Only authorized users with the proper
corresponding keys can unlock and access the information. Everything
from files and a database to email communications can — and should —
be encrypted to some extent.
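
The Data Masking item in the list above, as an added example that is not part of the original seminar text: sensitive fields are obscured with proxy characters for every reader except an authorized role, which receives the original values. The role name, field names and sample record are hypothetical and constructed for illustration.

```python
AUTHORIZED_ROLES = {"billing-admin"}                          # hypothetical role allowed to see clear text
SENSITIVE_FIELDS = {"card_number", "email", "national_id"}    # hypothetical schema


def mask_card(number, keep=4, proxy="X"):
    """Mask every digit except the last `keep`, leaving spaces and dashes in place."""
    total = sum(ch.isdigit() for ch in number)
    # Edge case: a value with `keep` digits or fewer would otherwise be shown whole.
    to_mask = total if total <= keep else total - keep
    out = []
    for ch in number:
        if ch.isdigit() and to_mask > 0:
            out.append(proxy)
            to_mask -= 1
        else:
            out.append(ch)
    return "".join(out)


def mask_email(address, proxy="*"):
    """Keep the first character and the domain; mask the rest of the local part."""
    local, at, domain = address.rpartition("@")
    if not at or not local:
        return proxy * len(address)          # not a well-formed address: hide all of it
    return local[0] + proxy * (len(local) - 1) + "@" + domain


def mask_all(value, proxy="*"):
    """Fallback for sensitive fields that have no format-aware masker."""
    return proxy * len(str(value))


MASKERS = {"card_number": mask_card, "email": mask_email}


def view_record(record, role):
    """Return the record as `role` is allowed to see it.

    Authorized roles get the original values; everyone else gets a masked copy.
    Sensitive fields without a dedicated masker are hidden completely, so a
    newly added field fails closed instead of leaking.
    """
    if role in AUTHORIZED_ROLES:
        return dict(record)
    view = {}
    for field, value in record.items():
        if field in SENSITIVE_FIELDS:
            view[field] = MASKERS.get(field, mask_all)(value)
        else:
            view[field] = value
    return view


# Constructed sample record (not real data).
SAMPLE = {
    "name": "Ada Example",
    "email": "ada@example.com",
    "card_number": "4111 1111 1111 1111",
    "national_id": "AB123456",
}

if __name__ == "__main__":
    print(view_record(SAMPLE, "support"))
    print(view_record(SAMPLE, "billing-admin"))
```
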

Data Security Regulations
Data security is a critical element to regulatory compliance, no matter
what industry or sector your organization operates in. Most — if not all
— regulatory frameworks make data security a key aspect of
compliance. Therefore, you’ll need to take data security seriously and
work with an experienced compliance partner to ensure you’re
employing all the right measures.
Some of the major compliance frameworks that put data security at the
forefront are:

• General Data Protection Regulation (GDPR)

• California Consumer Protection Act (CCPA)

• Health Insurance Portability and Accountability Act (HIPAA)

• Sarbanes-Oxley (SOX)

• Payment Card Industry Data Security Standard (PCI DSS)

• International Standards Organization (ISO) 27001

Data Security Technologies

Using the right data security technologies can help your organization
prevent breaches, reduce risk, and sustain protective security measures.

Data Auditing
Security breaches are often inevitable, so you’ll need to have a process
in place that gets to the root cause. Data auditing software solutions
capture and report on things like control changes to data, records of
who accessed sensitive information, and the file path utilized. These
audit procedures are all vital to the breach investigation process. Proper
data auditing solutions also provide IT administrators with visibility in
preventing unauthorized changes and potential breaches.

Data Real-Time Alerts


Typically, it takes companies several months before they discover that a
data breach has actually taken place. All too often, companies discover
breaches via their customers or third-party vendors and contractors
rather than their own IT departments. By using real-time systems and
data monitoring technology, you’ll be able to discover breaches more
quickly. This helps you mitigate data destruction, loss, alteration, or
unauthorized access to personal data.

Data Risk Assessment


A data risk assessment will help your organization identify its most
overexposed, sensitive data. A complete risk assessment will also offer
reliable and repeatable steps towards prioritizing and remediating
serious security risks. The process begins by identifying sensitive data
that’s accessed via global groups, data that’s become stale, or data with
inconsistent permissions. An accurate risk assessment will summarize
important findings, expose vulnerabilities, and include prioritized
remediation recommendations.

Data Minimization
Traditionally, organizations viewed having as much data as possible as a
benefit. There was always the potential that it might come in handy in
the future. Today, large amounts of data are seen as a liability from a
security standpoint. The more data you have, the greater the number of
targets for hackers. That’s why data minimization is now a key security
tactic. Never hold more data than necessary and follow all data
minimization best practices.

Purge Stale Data


If data doesn’t exist within your network, it can’t be compromised.
That’s why you’ll want to purge old or unnecessary data. Use systems
that can track file access and automatically archive unused files. In the
modern age of yearly acquisitions, reorganizations, and “synergistic
relocations,” it’s quite likely that networks of any significant size have
multiple forgotten servers that are kept around for no good reason.
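
The checks described under Data Risk Assessment and Purge Stale Data, as an added example that is not part of the original seminar text. It assumes a POSIX file share, where permission bits for "other" stand in for access via global groups, a 365-day threshold defines stale, and a file that grants group or other access its parent folder withholds counts as inconsistent; the sample tree is constructed.

```python
import os
import shutil
import stat
import tempfile
import time

DAY = 86400


def assess_tree(root, stale_days=365, now=None):
    """Return {relative_path: [issues]} for regular files under root."""
    now = time.time() if now is None else now
    cutoff = now - stale_days * DAY
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        dir_mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                  # lstat: do not follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            issues = []
            if mode & stat.S_IRWXO:              # any access for "other" (assumed global-group analogue)
                issues.append("open-to-everyone")
            if max(st.st_atime, st.st_mtime) < cutoff:
                issues.append("stale")           # neither read nor modified since the cutoff
            # Read/write bits for group and other that the parent folder does not grant.
            if (mode & 0o066) & ~dir_mode:
                issues.append("inconsistent")
            if issues:
                report[os.path.relpath(path, root)] = issues
    return report


def prioritise(report):
    """Order findings so files with the most issues are remediated first."""
    return sorted(report.items(), key=lambda item: (-len(item[1]), item[0]))


def archive_stale(root, report, archive_root):
    """Move every file flagged stale into archive_root, keeping its relative path."""
    moved = []
    for rel, issues in sorted(report.items()):
        if "stale" not in issues:
            continue
        dest = os.path.join(archive_root, rel)
        os.makedirs(os.path.dirname(dest), mode=0o700, exist_ok=True)
        shutil.move(os.path.join(root, rel), dest)
        os.chmod(dest, 0o600)                    # archived copy is owner-only
        moved.append(rel)
    return moved


def build_sample_tree():
    """Constructed sample data: a small share with three files."""
    root = tempfile.mkdtemp(prefix="share-")
    os.chmod(root, 0o750)
    hr = os.path.join(root, "hr")
    os.mkdir(hr)
    os.chmod(hr, 0o700)
    now = time.time()
    samples = [
        ("readme.txt", 0o640, 1),                # recent, matches the share: clean
        ("hr/payroll.csv", 0o644, 5),            # readable by everyone inside an owner-only folder
        ("hr/2015-offers.xls", 0o600, 900),      # untouched for years
    ]
    for rel, mode, age_days in samples:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
        stamp = now - age_days * DAY
        os.utime(path, (stamp, stamp))           # set access and modification times
    return root


if __name__ == "__main__":
    share = build_sample_tree()
    findings = assess_tree(share)
    for rel, issues in prioritise(findings):
        print(rel, issues)
    print("archived:", archive_stale(share, findings, tempfile.mkdtemp(prefix="archive-")))
```

Access times are unreliable on volumes mounted with `noatime`; on such systems the stale check effectively falls back to the modification time.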

Best Practices for Ensuring Data Security


There is no silver bullet that will guarantee 100 percent security of your
data. However, there are several steps, tactics, and best practices that
can help minimize the chances of a data breach, loss, and exposure.

Quarantine Sensitive Files


One common data management mistake is placing sensitive files on a
shared or open drive accessible to the entire company. You’ll want to
eliminate this practice, placing sensitive data into safely quarantined
areas. Gain control of your data by using data security software that
continually classifies sensitive data and moves it to a secure location.

Behaviour-Based Permissions
Overly permissive behaviour is another common misstep, where more
people have access to data than is necessary. A convoluted web of
temporary access and permissions quickly arises, with individuals having
access to data that they shouldn’t. Limit over-permissioning by using
software that profiles user behaviour and automatically places
appropriate behaviour-based permissions via an entitlement review.

Prepare for Cyber Threats


Good data security is all about thinking ahead. You’ll want to have a
solid cybersecurity policy that encompasses current and potential future
threats to your data. This includes both external hackers and insider
threats. Aside from your policy, employ software that provides real-time
monitoring and alerts of suspicious activities.

Delete Unused Data


Storing stale data for longer than necessary presents a significant
liability in terms of data security. You’ll want to have processes and
technologies in place to eliminate sensitive data that’s no longer
necessary for ongoing business activities. The last thing you want is a
mountain of data that you’re unaware of as a sitting duck for hackers.

Capabilities and Solutions

Aside from the right technologies and cyber hygiene best practices, your
company should also have the following business process capabilities
and solutions to ensure ongoing data security:

Knowing Where Data Lives


It’s critical to know where all of your data resides at any given time. This
includes data you’re currently using as well as data that should be
deleted or retired. Make sure you have both technologies and processes
in place that will give you visibility into your data at all times.

Tracking User Access


One of the biggest dangers to data security is internal personnel gaining
access to data that they shouldn’t. Therefore, you’ll need to track user
access to ensure only the right people are accessing the most sensitive
data.

Blocking High-Risk Activities

Not all data handling actions are created equal. Individuals can engage
in high-risk activities and data movements, such as sending sensitive
information in a non-encrypted format via email. You want to have
systems and software in place that block all high-risk activities.

(Retrieved from: David Harrington. Data Security. Published July 6, 2021
https://www.varonis.com/blog/data-security)

Aims and Objectives/Main Elements Of Data Security
There are three core elements to data security that all organizations should
adhere to: Confidentiality, Integrity, and Availability. These concepts are also
referred to as the CIA Triad, functioning as a security model and framework for
top-notch data security. Here’s what each core element means in terms of
keeping your sensitive data protected from unauthorized access and data
exfiltration.

• Confidentiality. Ensures that data is accessed only by authorized users
with the proper credentials.

• Integrity. Ensures that all data stored is reliable, accurate, and not
subject to unwarranted changes.

• Availability. Ensures that data is readily — and safely — accessible and
available for ongoing business needs.

(Retrieved from: David Harrington. Data Security. Published July 6, 2021.
https://www.varonis.com/blog/data-security)

Methodologies –

1.1. How Do We Protect Users’ Resources And Privacy With Software Security?
The principle of data protection is to deploy methodologies and technologies to
protect and make data available under all circumstances.

• Use of Data encryptions, passwords, and biometrics.

• Use of Additional software tools (e.g. cloning, mirroring, replication,
snapshots, changed block tracking, etc.) – This provides another layer of
data protection in addition to traditional backup. Technology advancements
mean that it is now common practice to provide continuous data protection,
which backs up the data whenever a change is made so that recovery can be
near-instantaneous.

• Use of Cloud backup - This is becoming more prevalent as organizations
frequently move their backup data to public clouds or clouds maintained
by third-party service vendors. These backups can replace on-site disk and
tape libraries, or they can serve as additional protected copies of data to
provide a disaster recovery facility.

• Use of Anonymizing software or anonymous proxies (cf. the web
application Anonymizer) - These are tools that allow people to browse the
Internet using an intermediary to prevent unauthorized parties from
gathering personal information in terms of Internet surf records. The
anonymizing software accesses the Internet on the user’s behalf,
protecting personal information by primarily hiding the source computer’s
identification information. There are, however, risks associated with
anonymizing software, e.g., the personal data that is routed through the
anonymous proxy is often not encrypted, so it can be easy to capture and
obfuscate.
• Use of Antispyware applications to detect programs that are engaged in
unsanctioned monitoring activity on computers. Antispyware applications
are usually designed to protect against spyware-related components, such
as key loggers, activity monitoring software, website loggers, tracking
cookies, and many other privacy-invasive items that are frequently
encountered on websites. Antivirus applications are also increasingly
used to detect and immunize spyware programs. We will discuss antivirus
software in more detail in Section 2.3.3.
• Use of Cryptographic privacy and authentication tools to protect the
content of information, e.g., in e-mail messages, by providing encryption
and decryption of data. One prominent example of this is Pretty Good
Privacy, or PGP, which is a computer program that provides privacy
protection for computer files, network connections, and email messages.
It is mainly composed of digital signatures, public key cryptography,
and certificates to ensure end-to-end security for messages and files.
• Use of Email filtering - the processing of e-mail messages to organize
them according to specified criteria. Often this is an automatic sorting of
incoming messages, but the term can also be applied to outgoing email
messages. Incoming email filtering software, which is the most common
form, is usually deployed for the detection and removal of spam
messages and virulent programs.
• Use of a personal firewall - an application which deals with border control.
More specifically, it controls network traffic to and from a computer,
permitting or denying communications based on a predefined security
policy. Just as companies can use firewalls to protect their corporate
networks, home users can install personal firewalls to prevent various
forms of privacy-invasive software from entering their systems. It can also
be used to prevent an installed spyware program from communicating with
its corresponding servers on the Internet. The main difference from a
conventional firewall is in terms of scale. As personal firewalls are
designed to be used solely by end users, they usually protect only the
computer on which they are installed.
• Use of Privacy management technology – This is a broad class of software
that helps corporate organizations to collect, store, access, and use
information in ways that are compliant with regulations, policies, and the
personal preferences of users. One example is the IBM Tivoli System, in
which the idea is to take an organization’s privacy policy and integrate it
with all relevant business processes and applications in order to manage
privacy.

(Retrieved from: Andreas Jacobsson (2008) “Privacy and security in Internet-based information
system”, Blekinge Institute of Technology Doctoral Dissertation Series No.2008.02, School of
Engineering)

1.2 How To Protect Your Digital Privacy

You can maintain security against outside parties’ unwanted attempts to
access your data as well as protect your privacy from those you don’t consent
to sharing your information with by making a few simple changes to your
devices and accounts.

Here’s a guide to the few simple changes you can make to protect yourself
and your information online.

• Secure your accounts


Why: In the past decade, data breaches and password leaks have struck
companies such as Equifax, Facebook, Home Depot, Marriott, Target, Yahoo,
and countless others. If you have online accounts, hackers have likely leaked
data from at least one of them. Want to know which of your accounts have
been compromised? Search for your email address on Have I Been Pwned? to
cross-reference your email address with hundreds of data breaches.

How: Everyone should use a password manager to generate and remember
different, complex passwords for every account — this is the most important
thing people can do to protect their privacy and security today. Wirecutter’s
favorite password managers are LastPass and 1Password. Both can generate
passwords, monitor accounts for security breaches, suggest changing weak
passwords, and sync your passwords between your computer and phone.
Password managers seem intimidating to set up, but once you’ve installed one
you just need to browse the Internet as usual. As you log in to accounts, the
password manager saves your passwords and suggests changing weak or
duplicate passwords. Over the course of a couple of weeks, you end up with
new passwords for most of your accounts. Take this time to also change the
default passwords for any devices in your house — if your home router, smart
light bulbs, or security cameras are still using “password” or “1234” as the
password, change them.

Everyone should also use two-step authentication whenever possible for their
online accounts. Most banks and major social networks provide this option. As
the name suggests, two-step authentication requires two steps: entering your
password and entering a number only you can access. For example, step one is
logging in to Facebook with your username and password. In step two,
Facebook sends a temporary code to you in a text message or, even better,
through an app like Google Authenticator, and you enter that code to log in.
• Protect your Web browsing
Why: Companies and websites track everything you do online. Every ad, social
network button, and website collects information about your location,
browsing habits, and more. The data collected reveals more about you than
you might expect. You might think yourself clever for never tweeting your
medical problems or sharing all your religious beliefs on Facebook, for instance,
but chances are good that the websites you visit regularly provide all the data
advertisers need to pinpoint the type of person you are. This is part of how
targeted ads remain one of the Internet’s most unsettling innovations.

How: A browser extension like uBlock Origin blocks ads and the data they
collect. The uBlock Origin extension also prevents malware from running in
your browser and gives you an easy way to turn the ad blocking off when you
want to support sites you know are secure. Combine uBlock with Privacy
Badger, which blocks trackers, and ads won’t follow you around as much. To
slow down stalker ads even more, disable interest-based ads
from Apple, Facebook, Google, and Twitter. A lot of websites offer means to
opt out of data collection, but you need to do so manually. Simple Opt Out has
direct links to opt-out instructions for major sites like Netflix, Reddit, and more.
Doing this won’t eliminate the problem completely, but it will significantly cut
down the amount of data collected.

You should also install the HTTPS Everywhere extension. HTTPS Everywhere
automatically directs you to the secure version of a site when the site supports
that, making it difficult for an attacker — especially if you’re on public Wi-Fi at
a coffee shop, airport, or hotel — to digitally eavesdrop on what you’re doing.

Some people may want to use a virtual private network (VPN), but it’s not
necessary for everyone. If you frequently connect to public Wi-Fi, a VPN is
useful because it adds a layer of security to your browsing when HTTPS isn’t
available. It can also provide some privacy from your Internet service provider
and help minimize tracking based on your IP address. But all your Internet
activity still flows through the VPN provider’s servers, so in using a VPN you’re
choosing to trust that company over your ISP not to store or sell your data.
Make sure you understand the pros and cons first, but if you want a
VPN, Wirecutter recommends IVPN.

• Use antivirus software on your computer
Why: Viruses might not seem as common as they were a decade ago, but they
still exist. Malicious software on your computer can wreak all kinds of havoc,
from annoying pop-ups to covert bitcoin mining to scanning for personal
information. If you’re at risk for clicking perilous links, or if you share a
computer with multiple people in a household, it’s worthwhile to set up
antivirus software, especially on Windows computers.

How: If your computer runs Windows 10, you should use Microsoft’s built-in
software, Windows Defender. Windows Defender offers plenty of security for
most people, and it’s the main antivirus option that Wirecutter recommends;
we reached that conclusion after speaking with several experts. If you run an
older version of Windows (even though we recommend updating to Windows
10) or you use a shared computer, a second layer of protection might be
necessary. For this purpose, Malwarebytes Premium is your best bet.
Malwarebytes is unintrusive, it works well with Windows Defender, and it
doesn’t push out dozens of annoying notifications like most antivirus utilities
tend to do.

Mac users are typically okay with the protections included in macOS, especially
if you download software only from Apple’s App Store and stick to well-known
browser extensions. If you do want a second layer of security, Malwarebytes
Premium is also available for Mac. You should avoid antivirus applications on
your phone altogether and stick to downloading trusted apps from official
stores.

(Retrieved from: Thorin Klosowski, illustrations by Jon Han,
https://www.nytimes.com/guides/privacy-project/how-to-protect-your-digital-privacy)

Limitations / Challenges Of The Digital Age Of Privacy And
Personal Data Protection.

The digital age can be described as a collection of different technological
solutions, such as virtual environments, digital services, intelligent
applications, machine learning, knowledge-based systems, etc., that determine
the specific characteristics of the contemporary world: globalization,
e-communications, information sharing, virtualization, etc.

1. Social computing (SoC) challenges

This technology makes it possible to organize a dialog between individual
computer users through the Internet by using different environments united
under the term Social Networking Sites – SNS (Social Media, Social Networks,
Social Bookmarking, Social Aggregators, Blogs & Microblogs, Wikis,
Multiplayer games, etc.). In practice, SoC is a useful instrument for
connecting users and sharing information, but there is a possible risk to
personal data protection because the information might be shared with an
unauthorized person. In some cases this can cause negative financial and
psychological consequences for the owner of these data. A brief summary of
the SoC negatives for users’ privacy is presented below.

1. In many cases, web sites play the role of an “open door” – during the
preliminary registration or at the first visit with just one “click” users can
accept the Privacy Policy without reading the text. The result is full
acceptance of all conditions without the user being really aware of them. In
this case she/he is not aware of exactly what will happen to her/his personal
data in the created user’s profile.

2. In other cases, the user’s personal data are stored after one visit only and
automatically transferred to the center without the owner's knowledge and
consent. Indicative is the fact that only 54% of social network users think that
they are informed about the conditions for collecting personal data and their
next use when they join a social networking site or register for an online
service.

3. In some cases, a media site may not provide information about the Privacy
Policy, or may require too much personal information when the user
registers, exceeding the defined goal of the site (the GDPR principle
of limited personal data is violated).

4. Another problem is the location of stored personal data somewhere in the
global network. It may be possible to maintain multiple copies when looking
for an acceptable position. This is contrary to the GDPR principle of
minimizing stored and processed personal data. An example of this is the
finding of the National Consumer Agency in Germany that Facebook violated
data protection legislation by disseminating the information that the
advertisements are fully free of charge. The stated reason is that the
social network receives significant amounts by collecting personal data
and storing them in various locations in the global network.

5. The above problem creates a further difficulty in meeting the GDPR
requirement of the “right to be forgotten / erased” in case of refusal of
further use. The user cannot be sure that all copies of personal data are
indeed deleted in the different nodes of the network. There is an example of
a law student from Austria who requested all the information that a social
networking site (SNS) had stored about him in his user profile. He received
in response 1224 pages of information including his photos, messages and
publications from years ago, some of which he considered erased. Apparently,
the site had collected much more personal information than the user had
imagined, and was storing unnecessary information as well as information
that had been deleted.

2. Cloud computing (CC) challenges

CC is a distributed environment based on connected virtual computers with
dynamic communications between them, which provides cloud services to
the clients (users). The basic cloud services, defined by NIST (National
Institute of Standards and Technology), are Infrastructure as a Service
(IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). These
services could be provided by different types of cloud – public, community,
private, and hybrid, including using the technology of Mobile Cloud
Computing (MCC) – uniting the 3 parts: mobile device, mobile internet and
cloud computing. The Thales report for 2020 determines that 83% of the
organizations use 11 or more SaaS providers and 48% of the corporate data
in the cloud are sensitive but only 57% of them are protected by encryption.
For comparison, the assessed use of data encryption in the digital space
for 2019 is 36%. Cloud computing does not violate principles of data
protection, but can be a risk for cross-border data transfers. In practice,
there are no specific regional legislations for personal data protection
when using cloud services; however, to support GDPR e-privacy requirements,
a document with guidelines for the correct use of cloud computing services
was developed and published. CISCO determines that 59% of companies
confirm their readiness for the GDPR and another 29% will be ready in early
2020. The opportunities and benefits of the cloud prompt the identification
of possible negatives that could be a risk to users’ privacy and personal
data protection, summarized below:

Multi-tenancy

A group of users share services and use the components of the cloud
infrastructure, which could be a risk for the CIA triad:

• Confidentiality, because a large number of users can access the stored data
by mobile devices and applications;

• Integrity, because some of the cloud users may attempt to modify data
without permission;

• Availability, because providing access to services, data and tools
anywhere, anytime could be a problem for resources.

Data Location

The customer does not know where the data are stored.

Regulatory Compliance

It is not clear whether the cloud computing provider is determined as a “data
controller” or “data processor” and whether it is subject to external audits
and security certification.

Privacy Right To Be Forgotten

There is no information about what system restoration capacity is provided.
The data usually migrate among different nodes in the cloud and it is
difficult to prove that the data are erased in all the places where they
have been stored.

3. Internet of things (IoT) challenges

The term is used to describe a set of objects and devices that are connected
to the Internet in order to send and receive data obtained by using sensors
for monitoring selected parameters, and to capture and analyze the values
obtained in order to control processes in different spaces such as home,
city, health, etc. It is possible that connected devices may disturb privacy
and security and could undermine consumer confidence. In this connection, two
main aspects of IoT for privacy and data protection could be defined:

a) Confidentiality – it could be disturbed because each physical or logical
object or thing could receive a unique identification code and could freely
communicate through the Internet or via other networks. Not all data sent
from the end points require strong confidentiality, but the analysis of
these data, which are usually received from many points, could reveal
sensitive information about a person. On the other hand, the increase
in the number of sensors leads to the accumulation of data, which increases
the risks to security and privacy. For example, when smart sensors are
hacked, access to the collected data can lead to learning about certain
habits, health and religion data, and more.

b) Security of IoT – a set of different computers and internet devices are
configured by using traditional passwords that are not protected, and the
things could be the object of different attacks. The attacks target
components with a low level of “cyber-hygiene” and look for their
vulnerability to hacking and tampering. Another problem with IoT security is
identity verification - usually a traditional approach is used which hardly
provides the necessary level of access control. It is also possible to use
devices that have factory default passwords that cannot be changed.

4. Big data (BD) and Big data analytics (BDA) challenges

The term “big data” relates to a set of collected and stored information in
very large volume, received from different sources in different places for
further processing for any purpose. This information could exist in different
forms. The main idea is “the more data will be better”, but it creates
negatives for privacy and is against the GDPR principle of minimizing
personal data in processing. BD are collected from various sources for further
analysis (BDA) to form conclusions, select solutions, or investigate trends in
object behaviour, including that of persons. In this sense, BD itself are not
a problem for privacy, but BDA can lead to negative situations for
individuals – incorrect conclusions about the private life or behaviour of
certain people, inaccurate trends, etc. The existence of possible negative
problems for privacy in BD is discussed in [24], stating that “big data
storage, processing, sharing and management crucial procedures” which are
subject to serious attacks and lead to the violation of privacy. Certain
features of BD/BDA can lead to unwanted negative consequences for privacy and
can be defined as follows:

- The processed BD could be collected for different purposes, and this
violates the important principle of data correctness “Defining the goal”.
What is the guarantee that the collected data are correct, precise and full
(GDPR requirement)?

- The very large scale of the collected data violates another GDPR principle of
data correctness – “data minimization”;

- Incorrect interpretation of the collected “big data” about a person is
possible, which can cause trouble for the person’s relationships in the
organization and in his/her family. The incorrect conclusions can cause some
ethical deviations or discrimination (incorrect conclusions about race,
status, sexual orientation, etc.);

- Using BDA in business marketing research can lead to incorrect conclusions
and may compromise the reputation of individuals, for example when recruiting
employees;

- The GDPR requirements for anonymization and pseudonymization of
personal data cannot be realized by BDA;

- The accuracy of the BDA cannot be fully guaranteed, because it is not clear
what methods and tools (algorithms, software, applications, etc.) are used
for the analysis, and this will violate the GDPR requirement for data
processing transparency.

(Retrieved from: “Challenges of the digital age for privacy and personal data
protection”, August 2020. Mathematical Biosciences and Engineering: MBE
17(5):5288-5303. DOI:10.3934/mbe.2020286.
Author: Radi Petrov Romansky, Technical University of Sofia | TU · Department
of Informatics (Faculty of Appl. Mathematics and Informatics) & Department of
Electronics and Electroenergy (Technical College of Sofia), Doctor of Science
(D.Sc.) in Informatics and Computer Science.
Author: Irina Noninska, Technical University of Sofia | TU · Department of
Computer Systems.)

Research Observations – The Problems Of
Information Privacy Law.
It was observed that the existing common law failed to afford a remedy for
privacy invasion, but it contained the seeds to develop the protection of
privacy. Warren and Brandeis, the authors of “The right to Privacy” (1890),
looked to existing legal rights and concluded that they were manifestations
of a deeper principle lodged in the common law – “the more general rights
of the individual to be let alone”. From this principle, new remedies to
protect privacy could be derived. Warren and Brandeis suggested that the
primary way to safeguard privacy was through tort actions to allow people to
sue others for privacy invasions.

What Warren and Brandeis achieved was nothing short of magnificent. By
pulling together various isolated strands of the common law, the authors
demonstrated that creating remedies for privacy invasions wouldn’t radically
change the law but would merely be an expansion of what was already
germinating.

As early as 1903, courts and legislatures responded to the Warren and
Brandeis article by creating a number of privacy torts to redress the harms
that Warren and Brandeis had noted. These torts permit people to sue
others for privacy violations. In 1960, William Prosser, one of the most
renowned experts on tort law, surveyed over 300 privacy cases in the
70 years since the publication of the Warren and Brandeis article. He
concluded that the cases could be classified as involving four distinct torts.

These torts are;

1. Intrusion upon seclusion
2. Public disclosure of private fact
3. False light, and
4. Appropriation

Today, most states recognize some or all of the privacy torts, whether by
Statute or Common Law.

The Privacy torts emerged in response to the privacy problems raised by
Warren and Brandeis – namely, the incursions into privacy by burgeoning
print media. Today we’re experiencing the rapid rise of a new form of media
– the internet.

Some Privacy Acts Include:

• Congress’s most significant piece of privacy legislation in the 1970s –
the Privacy Act of 1972 - regulates the collection and use of records by
Federal Agencies, giving individuals the right to access and correct
information in these records.
• The Family Education Rights and Privacy Act of 1974 [FERPA], also
known as the Buckley Amendments, regulates the accessibility of
student records.
• The Cable Communications Policy Act [CCPA] of 1984 requires cable
operators to inform subscribers about the nature and uses of personal
information collected.
• Electronic Communication Privacy Act [ECPA] of 1986 – Congress
modernized electronic surveillance laws when it passed the ECPA in
1986.

(Retrieved from: Solove, Daniel J. (2010). Understanding Privacy. Harvard
University Press. ISBN 978-0674035072.)

CONCLUSION
By prioritizing software security and safeguarding user resources and privacy,
we can position ourselves as a trusted entity in an increasingly competitive
market.

Protecting user data ensures compliance with applicable laws and
regulations, prevents reputational damage, and strengthens customer
loyalty. Through the proposed measures, we aim to provide users with a
secure and private experience while utilizing our software applications.

We kindly request your support and approval to proceed with the outlined
software security initiatives. We are confident that with the implementation
of these measures, we can enhance our overall security posture and ensure
the protection of user resources and privacy.

Thank you for your time and consideration. We look forward to discussing
this proposal further and working together to safeguard our users' valuable
assets.

REFERENCES AND CITATIONS
• Samuel D. Warren II and Louis Brandeis (1890) “The right to Privacy –
right to be let alone”

• Andreas Jacobsson (2008) “Privacy and security in Internet-based
information system”, Blekinge Institute of Technology Doctoral
Dissertation Series No.2008.02, School of Engineering

• Asst.Prof. Sumitra Kisan, Asst.Prof. D. Chandrasekhar Rao. “Information
and Security Lecture Notes”, Department of Computer Science and
Engineering & Information Technology, Veer Surendra Sai University of
Technology (Formerly UCE, Burla), Burla, Sambalpur, Odisha

• Stanford Encyclopedia of Philosophy, Privacy and Information
Technology. First published Thu Nov 20, 2014; substantive revision Wed
Oct. 30, 2019

• Okta, https://www.okta.com/identity-101/privacy-vs-security/

• David Harrington. Data Security. Published July 6, 2021.
https://www.varonis.com/blog/data-security

• Thorin Klosowski, illustrations by Jon Han,
https://www.nytimes.com/guides/privacy-project/how-to-protect-your-digital-privacy

• Challenges of the digital age for privacy and personal data protection,
August 2020. Mathematical Biosciences and Engineering: MBE
17(5):5288-5303. DOI:10.3934/mbe.2020286.
Author: Radi Petrov Romansky, Technical University of Sofia | TU · Department
of Informatics (Faculty of Appl. Mathematics and Informatics) & Department of
Electronics and Electroenergy (Technical College of Sofia), Doctor of Science
(D.Sc.) in Informatics and Computer Science.
Author: Irina Noninska, Technical University of Sofia | TU · Department of
Computer Systems.

• Solove, Daniel J. (2010). Understanding Privacy. Harvard
University Press. ISBN 978-0674035072.
