CSPIQ · AP Computer Science Principles · Lesson 23 of 25
CSPIQ · AP Computer Science Principles

Lesson 23: Safe Computing: PII, Phishing, Encryption & Authentication

Big Idea 5 (IOC) · Phase 5

Objectives

Warm-Up

Three "harmless" facts: a runner posts her usual route (fitness app), her work badge photo (new-job post), and her birthday brunch (tagged location, date visible).

From those three posts a stranger can assemble: where she'll be at 6:30 tomorrow (route), where she works and her full name (badge), and her birth date (brunch) — enough for stalking, convincing impersonation ("Hi, this is HR, verifying your details — born March 12th, right?"), and password-reset guessing.

No hack occurred. No password leaked. Each post was individually innocent; the combination is the exposure — Lesson 6's "combining data reveals more than either source" wearing its darkest outfit. Safe computing starts from that math: your data aggregates whether you think about it or not. Attackers think about it.


Core Concept

PII: personally identifiable information

PII is information that can identify you — alone or combined: name, address, birth date, ID/Social Security numbers, biometric records, and in context: location history, medical/financial records, even search history.

CED claims to answer with:

  1. PII has value — to legitimate businesses (targeted services and ads) and to criminals (impersonation, account takeover, stalking). Search history, browsing patterns, location, and purchases are all collected, often to personalize what you see.
  2. Aggregation is the multiplier — separately harmless data points combine into an identifying, exploitable profile (the warm-up). Exam answers acknowledging combination beat answers treating each datum in isolation.
  3. Once shared, control is gone — information posted online can be copied, cached, and redistributed; deletion removes your copy, not the Internet's. Assume permanence.
  4. Tracking is ambient: cookies and similar mechanisms let sites remember you and let third parties follow your browsing across sites; devices broadcast identifying signals. Convenience and surveillance ride the same rails — dual effects, as always (Lesson 20).

The attack zoo — sorted by mechanism

Attack How it works The tell
Phishing A fraudulent message (email/text/site) impersonates a trusted party to trick you into revealing credentials or installing malware Urgency + credential request + slightly-off sender/URL ("your account will be locked — verify now")
Keylogging Software/hardware records your keystrokes — capturing passwords as you type them Often installed by malware or a malicious device
Malware / viruses Software intended to damage or take control; a virus attaches to legitimate programs/files and spreads when they're shared or run Unexpected attachments, untrusted downloads
Rogue access point A wireless network set up (or compromised) to intercept traffic from devices that join it — e.g., fake "Free_Airport_WiFi" Unsecured public Wi-Fi; data sent unencrypted through it can be read in transit

Classification is the tested skill: deception to extract info = phishing; recording keystrokes = keylogging; self-spreading hostile software = virus/malware; hostile network intercepting traffic = rogue access point. Each question describes one mechanism in scenario clothes.

Defenses ladder (CED-level): skepticism toward unexpected requests (phishing); software from trusted sources + security updates (malware); avoiding sensitive business on untrusted networks — or encrypting traffic so interception yields gibberish (rogue APs). Which brings us to—

Encryption: scrambling with keys

Encryption transforms data so only intended parties can read it; decryption reverses it with the proper key. Two architectures, one exam distinction:

Mailbox analogy: your public key is a mail slot anyone can drop letters through; your private key is the only key to the box. Publishing the slot's location risks nothing.

Certificate authorities (CAs) answer the remaining question — "is this public key really my bank's?" A CA is a trusted organization that verifies a site's identity and issues a digital certificate binding that identity to its public key. Your browser trusts the CA, the CA vouches for the site, the padlock appears. (An impostor site can offer a public key; it can't easily get a trusted CA to certify it as yourbank.com.)

Authentication: proving you're you

Passwords are one factor — something you know. Multifactor authentication (MFA) requires evidence from multiple independent categories:

The independence is the strength: a phished password alone no longer opens the account, because the thief lacks your phone. Note the categories rule — password + security question is two things you know: one factor, twice, not MFA. The exam tests exactly that nuance.

Password hygiene still matters (long, unique per site — reuse means one breach unlocks many doors), but the CED's headline is MFA: layered categories, each layer an independent failure the attacker must cause.


Worked Examples

Example 1 (easy): Classify the attack

Problem: An email styled like your bank's, from "security@yourbank-verify.com," warns of suspicious activity and links to a login page that harvests your credentials. Classify the attack.

Solution: Phishing — impersonation of a trusted party to trick you into surrendering credentials. The tells: urgency, credential request, off-domain sender.

Interpretation: No software was hacked; you were. Phishing attacks the human, which is why the defense is skepticism (verify via the bank's real site/app, never the message's link), not antivirus.

Example 2 (medium): Why public-key changed everything

Problem: Two strangers — a shopper and an online store — have never communicated. With symmetric encryption alone, what's the fatal problem, and how does public-key encryption solve it?

Solution: Symmetric needs both sides to hold the same secret key before secure communication starts — but delivering that key to a stranger over the open Internet exposes it to interception (encrypting the delivery would need... another shared key; the problem recurses). Public-key breaks the loop: the store publishes its public key freely; the shopper encrypts with it; only the store's private key decrypts. No secret ever travels.

Interpretation: The exam asks this as "the main advantage of public-key cryptography" — credited answer: secure communication without prior secret/key exchange. Not "it's stronger" or "faster" (it's actually slower — real systems use it to establish a symmetric session key, a detail beyond the CED).

Example 3 (medium): Is it MFA?

Problem: Which login setups are genuinely multifactor? (i) Password + code texted to your phone. (ii) Password + mother's maiden name. (iii) Fingerprint + PIN.

Solution: (i) Yes — know (password) + have (phone). (ii) No — two knows: one factor, doubled. (iii) Yes — are (fingerprint) + know (PIN).

Interpretation: Count categories, not prompts. The security-question distractor appears on real forms; it feels like a second factor and isn't.

Example 4 (AP-style): The coffee-shop Wi-Fi

Problem: A traveler joins an open Wi-Fi network named "CoffeeShop_Free" and logs into email via an HTTPS (encrypted) connection. Later she learns the network was a rogue access point run from a laptop in the corner. What could its operator most plausibly have captured?

(A) Her email password, since rogue access points break encryption (B) The encrypted traffic — readable only as scrambled data, though metadata like which sites she visited may leak (C) Nothing whatsoever, since HTTPS makes networks irrelevant (D) Her fingerprint

Solution: (B). The rogue AP sits in the traffic path and captures what passes — but HTTPS encryption means captured content is ciphertext without the keys. Interception ≠ decryption. Some routing metadata still leaks, and any unencrypted connection she used would be fully readable. (A) overpowers the attacker; (C) overtrusts — an attacker in the path can still attempt trickery (fake login pages), so caution on untrusted networks stands.

Interpretation: Layered reasoning is the graded skill: the rogue AP compromises the path; encryption protects the content; neither statement cancels the other. Answers acknowledging both layers win.


Common Mistakes

  1. Phishing = virus. Phishing is deception aimed at you; no software need be infected. Classify by mechanism, not by "bad computer thing."
  2. Public key must be kept secret. Backwards — the public key is meant to be shared; only the private key is secret. If an answer has you hiding public keys, it's wrong.
  3. Password + security question = MFA. Two of the same category (know) = one factor. MFA requires different categories.
  4. "Deleting the post removes the data." Copies, caches, screenshots, archives. The CED's stance: once shared, assume permanent and beyond your control.
  5. Each data point judged alone. The exam's privacy scenarios hinge on aggregation — innocuous pieces combining into identification. If choices differ on this, the aggregation-aware one is credited.

Practice Problems

Question 1
Which is the best example of PII?
Question 2
A pop-up claims "Your device is infected! Enter your password to clean it now." This is most likely:
Question 3
A keylogger's defining behavior is:
Question 4
A computer virus is distinguished by:
Question 5
In public-key encryption, a message encrypted with your PUBLIC key can be decrypted by:
Question 6
The key-distribution problem of symmetric encryption is that:
Question 7
A certificate authority's role is to:
Question 8
Which login system is genuinely multifactor?
Question 9
(Select two answers.) Which statements about personal data online are accurate?
Question 10
The safest practice for sensitive tasks (banking) on public Wi-Fi is:
Question 11
Cookies are used to:

12 (short response, passage-style). A fitness app stores users' names, birth dates, GPS running routes, and heart-rate data, and shares "anonymized" route heat-maps publicly. Identify (i) the PII involved, (ii) one specific risk created by the public heat-maps despite anonymization, and (iii) one authentication improvement the app should offer.


Create PT Connection

If your PT handles anything user-entered, one design sentence pays dividends: collect only what the program needs. A study-tracker that stores subject and minutes — not name, school, and birthday — has nothing to leak. Data minimization is professional-grade privacy thinking, and Written Response 1 credits purpose-driven design choices ("my program stores only the quiz scores because that's all the average requires").

And as you finish the course's content lessons: apply this one to yourself. You're about to spend weeks in exam-prep mode — enable MFA on the accounts that matter, and treat any "urgent: verify your College Board login" email with the skepticism this lesson just installed. Attackers know exam season too.


Show answer key & explanations

(g) Answer Key

1. (B). Birth date + address — identifying, and note it's the combination that sharpens the identification. (A)/(C)/(D) identify no one.

2. (C). Manufactured urgency + credential request = phishing's fingerprint, pop-up edition.

3. (A). Keystroke recording, by definition — capturing secrets as typed, upstream of any encryption.

4. (B). Attach + spread via legitimate files — the virus's defining reproduction mechanism.

5. (C). The pairing rule: public encrypts → private (its twin) decrypts. (A) would make encryption pointless — this distractor tests whether you understand the asymmetry.

6. (B). The bootstrap problem: securing the key's delivery needs the security you don't have yet. Public-key crypto exists to break exactly this loop (Example 2).

7. (C). Identity verification + certificate issuance = trust anchoring. (D) is a security disaster, not a service — private keys never leave their owners.

8. (B). Know (password) + have (phone/app). (A)/(C)/(D) stack the same category — one factor in a trench coat.

9. (A) and (C). Aggregation risk + routine collection/personalization: both core CED claims. (B) denies permanence; (D) denies the data economy.

10. (B). Rogue-AP awareness + the two real mitigations (avoid, or encrypt). (A) is exactly how rogue APs are named; (C) confuses venue passwords with security.

11. (C). Remember-and-track — cookies' dual convenience/surveillance nature in one sentence (dual effects, one last time).

12. (Model answer.) (i) PII: names and birth dates directly; GPS routes and heart-rate data in context (routes reveal home address and schedule; health data is sensitive). (ii) Heat-map risk: aggregated routes can expose individuals' start/end points (homes) or reveal patterns at sensitive locations — "anonymized" location data re-identifies people whose routes are distinctive (the warm-up's aggregation logic; the military-base incident of Lesson 20 is the famous case). (iii) Authentication: offer multifactor authentication — e.g., password plus a code to the user's phone — so a leaked or phished password alone can't open an account containing location history. (Credit any answer hitting identification-by-combination in (ii) and a genuine second category in (iii).)

Answer letter distribution check: B, C, A, B, C, B, C, B, A+C, B, C — singles: A×1, B×5, C×4, D×0 + multi (A,C). Cumulative through L23 ≈ A 22%, B 32%, C 27%, D 19% — D-share persistently light across IOC lessons (definitional gravity); the mocks' engineered keys will restore global balance. Flagged for the final sweep.


Exam tip: Build the two tables on scratch paper if security questions rattle you: the attack zoo (phishing/keylogger/virus/rogue-AP × how-it-works) and the key rules (public = share & encrypt; private = secret & decrypt; CA = vouches; MFA = different categories). Every security item on the exam is one cell of those tables wearing a story.

← All lessons
Lesson 24 ›
Score: 0/0 correct