Cybersecurity - Lesson 3: Data Policies and Privacy

Overview

Students learn that the apps, websites, and other computing innovations they use every day require a lot of data to run, much of which they might consider to be private or personal. In the warm up students discuss which of a list of possible information types they consider private. Then students read the data policies from a website or service they use or know about. This investigation focuses on the kinds of data that are being collected, the way it's being used, and any potential privacy concerns that arise. A brief second activity reveals that even data that may not seem private, like a birthdate or zipcode, can be combined to uniquely identify them. To conclude the lesson students prepare for a discussion in the following class about the pros and cons of sharing all this data by journaling about their current thoughts on whether the harms of giving up this privacy are outweighed by the benefits of the technology they power.

Purpose

This lesson is closely tied with the one that follows. In today's lesson students focus primarily on understanding the kinds of data that are collected by modern apps, websites, and computing innovations, and the ways that this may sometimes lead to sharing private information. In the following lesson students will specifically discuss the pros and cons of sharing that information.

Goals

Students will be able to:

  • Describe the different types of data that are used and collected by modern computing innovations
  • Define Personally Identifiable Information as information about an individual that identifies, links, relates, or describes them.
  • Explain how disparate pieces of personal information can be combined to identify individuals or deduce other private information.

Preparation

  • Check a few popular websites with students in your school to make sure they'll be able to access those sites' data policies over your school network.

Resoucres

For the Students

Supplemental Code.org material

Getting Started (5 minutes)

What Information is Private?

Prompt: Which of the following pieces of information would you consider to be "personal", as in you wouldn't want it shared with just anyone.

  1. Your full name.
  2. Your social security number.
  3. Your favorite musician / band.
  4. A picture of your face.
  5. Your fingerprint.
  6. Your birthdate.
  7. Your address.
  8. Where you go after school.
  9. Your phone number.
  10. Your medical information.
  11. Who your best friends are.
  12. Your racial/ethnic identity.
  13. A list of everything your've bought this month.
  14. A list of recordings of your voice.
  15. Your IP address.
  16. A video of you singing.
  17. Your academic history / report card.
  18. The town or city you live in.

Discuss: Have students brainstorm silently at their tables, then have them share with neighbors, and finally have them share out with the room.

Discussion Goal

Goal: This prompt sets up the rest of the lesson where students will be exploring instances where many of the pieces of information on this list are used by the services they use every day. Aim to push students to think about what it means to say that something is "personal" or "private". This is a lens they should take into the lesson.

Also, point out to students the items on this list that are biometric data: a picture of your face, your fingerprint, and voice/video recordings. Are these considered any more private or personal than the other items? Why or why not?

Remarks

We know that computing innovations need data to run, but we don't always think about just how personal or private that information may be. We're about to kick off a two-part lesson. In today's lesson we're going to look at just how much personal data we share online. Tomorrow we'll debate the pros and cons of sharing all that data.

Activity (35 mins)

Remarks

Most good websites and apps will have a privacy policy that explains the data that they collect and the way that it's used. We may have seen them before, but we've probably not read them.

Display: Show the video about how to read a data privacy policy. Take note of the teaching tip about the date and content of the video to the right.
Teaching Tip

Profanity in VideoNote this video briefly includes the written phrase "How to read an f*$%ing privacy policy" roughly 15 seconds in. Review the video and ensure you're comfortable sharing it in your class. If you need you can start the video later.

Dated VideoThis video is from 2018 but makes the point that students should check that privacy policies are recent. Be prepared to let students know that even though this video was shot in 2018, the same principles are important and apply.

Data Policy Exploration - 25 mins

Today we're going to practice reading data policies to get a sense for what kinds of information is actually being collected by modern computing innovations like websites and apps. We're going to spend today filling out the front part of the activity guide. In the next lesson we'll think more deeply about whether we think the tradeoffs of privacy are worth it, but you don't need to worry about that side of the activity guide today.

Distribute: Give each student a copy of Privacy, Security, and Innovation - Activity Guide

Choose a Website and Find the Data Privacy Policy Have students pick a company / app to use. If students are having a hard time picking a specific website, many big technology companies have fairly robust data policy pages, like Facebook, Google, Twitter, Instagram, and so on.

Some apps / services to consider:

  • Education: Code.org, Khan Academy, Codecademy.com
  • Social media: Facebook, Twitter, Instagram, Snapchat, Tik Tok
  • Online store: Amazon, Target, Walmart
  • Search: Google, Bing
  • Maps: MapQuest, Yahoo Maps, Google Maps
  • Productivity: MS Office Online, Google Docs
  • Mail & communication: Gmail, Hotmail, Yahoo Mail, Skype, Google Hangouts
  • Streaming sites: Netflix, Spotify, Pandora
  • Gaming sites: Steam, Xbox Live
  • Banks and financial institutions: Chase, Citibank

What is Their Data Policy? Students should spend 10-15 minutes reviewing the data policies and answering the questions there. The easiest way to find a data policy, if it exists, is to search for the company name followed by the terms data policy or privacy policy.

Share Findings: Have groups meet with another group to share what they discovered.

Respond to the following questions.

  • Question 1: What kinds of data is collected?
  • Question 2: How is the data you listed above being used? What features are enabled by the data?
  • Question 3: Does the company share the data with anyone else? Who?
  • Question 4: Can you get access to your own data? Can you modify what is collected, or delete your data if you wish?

Privacy vs. Security Tradeoffs

  • Question 5: Do you believe the benefits of the innovation you researched outweigh the privacy concerns? Explain why or why not making explicit connections to responses 1-4 above.
  • Question 6: Which of the following categories best describes your overall comfort with using data to drive innovations or ensure security? Write a paragraph below explaining your response and tying it to either the information in this activity guide or discussions shared in class.
    • 1 - Totally Comfortable: Have my data! It makes the technology I love work and keeps me safe!
    • 2 - Mostly Comfortable:I want tech innovations and stronger security. Let's make sure we take care of the most damaging privacy concerns.
    • 3 - Mixed: There's a lot of this that makes me uncomfortable, but I'm still going to use technology.
    • 4 - Mostly Uncomfortable: Privacy is more important than empowering innovations or ensuring security. I would give up on some tech innovations to ensure my privacy
    • 5 - Totally Uncomfortable: I'd give up most technology and would like to see much stronger limits on what kind of data can be collected and stored, even if it limits the introduction of new technology

Wrap up (5 Minutes)

Review: Review the key takeaways from the lesson and have students record the definition of Personally Identifiable Information in their journal.

Key Takeaways

  • Technology enables the collection, use, and exploitation of information about, by and for individuals, groups, and institutions. Geolocation, cookies, and browsing history can all be used to create knowledge about an individual. Most digital technology needs some kind of Personally Identifiable Information (PII) to work (for example street navigation needs to know your location or PII stored online to simplify making online purchases).
  • Other times websites collect more data to improve their services.
  • Many services and websites collect information (like your browser history) that can be used to advertise to you by creating detailed profiles of who you are and what you like. Search engines also can record and maintain a history of searches made by users. This information can be used to suggest websites or for for targeted marketing.
  • Once data is made digital, and especially once it's shared online, it's much harder to control.
  • PII can be used to steal the identity of a person, or stalk them online. Information that is often posted on social media can be combined to create a profile on you.

Journal

Students add the following vocaublary word: Personally Identifiable Information(PII).

  • Personally Identifiable Information: information about an individual that identifies, links, relates, or describes them.

Remarks

Users can control the permission that programs have for collecting their information. As a thoughtful user of technology, don't forget to review the privacy policies of the various apps and programs you use to protect your privacy!

Which of the following is NOT a reason that a company would typically collect personally identifiable information (PII)?

  1. a. Many computing innovations rely on some PII in order to work.
  2. b. PII collected by a computing innovation can be used to personalize the way a service works or the advertising that users see.
  3. c. PII can be sold to third parties intereseted in learning more about individuals.
  4. d. Making PII digital improves a user's ability to control who has access to it or delete it.

Activity Guide: Have students submit their activity guides from today's lesson but be prepared to hand them back out for the following lesson.

Assessment: Check for Understanding

For Teachers

Check For Understanding Question(s) and solutions can be found in each lesson on Code Studio. These questions can be used for an exit ticket.

For Students

Open a word doc or google doc and copy/paste the following question.

Question

Standards Alignment

  • CSTA K-12 Computer Science Standards (2017): 2-IC-23, 3A-IC-29, 3A-IC-30
  • CSP2021: IOC-2.A

Next Tutorial

In the next tutorial, we will discuss Code.Org Unit 10 Lesson 4, which describes Understanding privacy risks with computer innovation.

Go BackNext Tutorial