
Personal data protection on the internet

The rapid development of information and communication technologies increases the potential for abuse of personal data. One of the main strategies for combating such abuse is to teach people to recognize it; with the descriptions of some of the dangers and the recommendations for safer use below, we wish to contribute to better protection of individuals' personal data.

 

  1. “Phishing”
  2. “Pharming” attacks
  3. Unsolicited e-mails (spam) and Slovenian legislation
  4. Child pornography and hate speech report hotline
  5. How do I remove caches in the listings of search engine results if the original website no longer exists on the internet?

 

 

“PHISHING”

The term phishing is a blend of the words password and fishing. It is a criminally fraudulent attempt to acquire sensitive information such as usernames and passwords, credit card details, digital certificates and other personal data by masquerading as a trustworthy website or e-mail. Phishing is an example of the so-called social engineering techniques used to trick users into supplying personal data. It is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one (an example of a deceptive message).

 

The damage caused by phishing ranges from relatively minor consequences (loss of access to a free e-mail account) to substantial losses (e.g. theft of large sums of money from bank accounts). The number of phishing sites worldwide is growing: between 100 and 200 new phishing sites emerge every day. In one recent notorious case, in January 2007, 250 clients of a Swedish bank lost a total of 850,000 EUR.

 

Considering the high proportion of young internet users in Slovenia (already more than 90%), it is very important to inform young users about the potentially dangerous consequences of new technologies. Many recommendations on the safe use of the internet can be found on the SAFE-SI project's website; below you will find some basic recommendations on how to protect yourself against phishing.


We advise website visitors to be careful and to regularly check the identity of websites and content owners. We also recommend verifying the identity of the owners of internet applications that require the user to supply personal data. We strongly advise users to transfer personal data over the internet only when the connection is appropriately protected.

 

Recommendations for protection against data phishing

 

1. Learn to recognize e-mails used for phishing.

The characteristics of such e-mails are:

- use of names and graphic designs of genuine existing organizations (banks, companies)

- use of names that seem to refer to genuine people and departments within organizations

- use of domain names that resemble trusted domains

- a threat that data will be lost, the account disabled, or some other harmful action taken if the user does not supply the requested information (e.g. "...if you do not provide your user name within X days, your account will be considered inactive and we will be forced to close it...").

 

Keep in mind that the above applies both to less harmful actions, such as acquiring credentials for free e-mail accounts, and to potentially severe ones, such as acquiring credentials for unauthorised access to bank accounts.

 

2. Check the source of incoming messages.

Banks are very unlikely to communicate with you by ordinary, unprotected e-mail, and they will not use it to request personal data such as user names and passwords or to ask you to export your digital certificate. If you doubt the authenticity of an incoming message, you can always telephone or otherwise contact the bank to verify it; use a phone number from your bank card or contract, not one given in the message itself.

 

3. Don't click on links in e-mails that appear to lead to your bank.
Instead, use the bookmarks or favourites you have saved in your browser, or type the address yourself. Read also the section on so-called "pharming".

 

4. Check if you're visiting the genuine website.

Above all, check whether the connection to the website is protected by HTTPS: in that case the address starts with https:// and a padlock is shown in the browser (in the address bar or status bar). Be clear about what the padlock does and does not tell you: it means that the connection to the domain shown in the address bar is encrypted and that this domain holds a certificate, not that the domain belongs to your bank, so read the domain name itself carefully. The difference between the genuine and the bogus address can be a single character, and because some organizations themselves register dozens of variants of their domain (e.g. onlinebanking.com, online-banking.com, login-onlinebanking.com), you cannot tell from the name alone which variants are legitimate; when in doubt, use the address printed in your bank's own documents. Checking the protocol and the padlock is also no protection against malicious software already on your computer: some Trojan horses silently replace the genuine browser window or login form with a malicious one. Regular updates of anti-virus software and installation of security updates are therefore of great importance.

 

5. Check your bank statements regularly.

Look for transactions shown in your statements that you did not make, and for online transactions you did make that are not shown.


6. Consider the safety of your computer system.

Above all, regularly install operating system security updates, and use and regularly update anti-virus software. Avoid installing programs from suspicious websites and opening e-mails from unknown senders, especially those with attached programs (such as .exe or .bat files).


7. Phishing is no longer confined to the English-speaking world.

Slovenian organizations, too, have experienced cases of phishing for users' personal data. In these cases the messages are written in Slovene and look very authentic at first sight.


8. Use the latest versions of internet browsers with the latest security updates.

The most popular browsers, such as Internet Explorer 7, Mozilla Firefox 2 and Opera 9.1, contain built-in phishing filters that warn you when you visit a site known to be fraudulent.
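As an added example (not part of the original page), the following Python script applies recommendations 1 and 4 mechanically: it extracts the links from an e-mail body and flags those whose target is not HTTPS, whose visible text names the bank while the real address points elsewhere, or whose domain merely resembles the trusted one. The trusted domain onlinebanking.com and the variants online-banking.com and login-onlinebanking.com are taken from the text above; the e-mail body, the typo-squatted name onlinebanklng.com and the address verify-account.example are constructed for the demonstration.

```python
"""Flag suspicious links in an e-mail body (added example, not from the page).

Assumptions: TRUSTED_DOMAINS lists the domains the user really banks with;
SAMPLE_EMAIL is a constructed phishing message, not a real one.
"""
import difflib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: the only domain under which the user's bank really operates.
TRUSTED_DOMAINS = {"onlinebanking.com"}

# Constructed sample message: a threat (recommendation 1) plus three links.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be closed in 3 days unless you
confirm your user name and password.</p>
<a href="http://login-onlinebanking.com/confirm">https://www.onlinebanking.com/login</a>
<a href="https://onlinebanking.com.verify-account.example/">Secure login</a>
<a href="https://www.onlinebanking.com/terms">Terms and conditions</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def is_trusted(host):
    """True only for a trusted domain itself or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def resembles_trusted(host):
    """Near-miss names: hyphen/prefix variants, the trusted name used as a
    subdomain of some other domain, and one-character typo-squats."""
    for d in TRUSTED_DOMAINS:
        label = d.split(".")[0]                       # "onlinebanking"
        if label in host.replace("-", ""):            # online-banking.com, login-onlinebanking.com,
            return True                               # onlinebanking.com.verify-account.example
        registrable = ".".join(host.split(".")[-2:])  # last two labels, e.g. onlinebanklng.com
        if difflib.SequenceMatcher(None, registrable, d).ratio() >= 0.8:
            return True
    return False


def classify_link(href, text):
    """Return the reasons a link is suspicious; an empty list means it passes."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()   # hostname drops user:pass@ and :port
    if parts.scheme != "https":
        reasons.append("not-https")         # recommendation 4: no https://, no padlock
    if is_trusted(host):
        return reasons
    if any(d in text.lower() for d in TRUSTED_DOMAINS):
        reasons.append("text-mismatch")     # shows the bank's address, goes elsewhere
    reasons.append("lookalike" if resembles_trusted(host) else "unknown-domain")
    return reasons


def audit_email(html):
    """Return [(href, reasons)] for every link in the message, in document order."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, classify_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, reasons in audit_email(SAMPLE_EMAIL):
        print("SUSPICIOUS" if reasons else "ok        ", href, ", ".join(reasons))
```

The check deliberately treats a link as trusted only when its host is the trusted domain or a subdomain of it; onlinebanking.com appearing as a prefix of some other domain (onlinebanking.com.verify-account.example) is the classic trick and is reported as a lookalike, not as trusted.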


Useful links:

Wikipedia - http://en.wikipedia.org/wiki/Phishing

SAFE-SI - http://www.safe.si/index.php?fl=2&p1=670&p2=717&id=755&lact=1&bid=82&parent=5

SI-CERT - http://www.arnes.si/si-cert/obvestila/2004-06.html


 

 

"PHARMING" ATTACKS


Pharming is an attack that redirects traffic intended for a website to another, bogus website. The term is a play on farming and pharmacy borrowed from genetic engineering (the production of pharmaceuticals in genetically modified organisms); on the internet it refers to manipulating the way domain names are resolved to addresses. Pharming attacks are considered more dangerous for users because they are not easy to recognize: the address typed or bookmarked is the correct one, yet it leads somewhere else. The main difference between pharming and phishing is that pharming attacks are technical, whereas phishing attacks are based on social engineering. Pharming can be carried out either by changing the hosts file on the victim's computer or by exploiting a vulnerability in DNS server software (poisoning the server's cache with false records). For instance, an operating system consults its hosts file before asking DNS, so a fraudulent entry in that file, mapping a bank's name to the attacker's address, means that a perfectly legitimate request for a sensitive website leads to a fraudulent copy of it. The user is sure he or she is on the right website, and this misplaced trust makes him or her confident enough to provide the personal data the site requests.
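The hosts-file vector described above can be checked for mechanically. The following Python script is an added example, not code from the original page: it parses a hosts file the way the resolver does (one address followed by one or more names, comments after #) and reports every entry that pins a name from a watchlist of sensitive domains, distinguishing entries that redirect the name to a foreign address (the pharming case) from entries that merely block it by pointing it at the local machine. The watchlist, the file contents and the address 203.0.113.45 are constructed for the demonstration.

```python
"""Audit a hosts file for pharming entries (added example, not from the page).

Assumptions: WATCHLIST names the domains the user logs in to; SAMPLE_HOSTS is
a constructed file with one malicious entry, not a capture from a real machine.
On Windows the file lives at %SystemRoot%\\System32\\drivers\\etc\\hosts, on
Unix-like systems at /etc/hosts; both are consulted before DNS is asked.
"""
import ipaddress
import sys

# Assumed: names whose credentials an attacker would want.
WATCHLIST = {"onlinebanking.com", "webmail.example"}

# Constructed sample: an ordinary hosts file with a pharming entry spliced in.
SAMPLE_HOSTS = """\
# localhost entries are normal and expected
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.10    printer.lan                 # local device, harmless
0.0.0.0         ads.tracker.example         # ad blocking, harmless
203.0.113.45    www.onlinebanking.com onlinebanking.com   # <- injected by malware
"""


def parse_hosts(text):
    """Yield (address, [names]) for each active line, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        address, *names = line.split()          # separated by spaces or tabs
        yield address, [n.lower().rstrip(".") for n in names]


def watched(name):
    """True if the name is a watched domain or one of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def audit_hosts(text):
    """Return [(address, name, kind)] for every watched name pinned in the file.

    kind is "blocked" when the name points at the local machine or the
    unspecified address (a blocking entry), otherwise "redirected": the
    correct name now resolves to someone else's server, which is pharming.
    """
    findings = []
    for address, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            continue                            # malformed line; the resolver ignores it too
        for name in names:
            if watched(name):
                kind = "blocked" if addr.is_loopback or addr.is_unspecified else "redirected"
                findings.append((address, name, kind))
    return findings


if __name__ == "__main__":
    # Pass a real hosts file path to audit it; with no argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    findings = audit_hosts(text)
    for address, name, kind in findings:
        print(f"{kind.upper():10s} {name} -> {address}")
    if not findings:
        print("no watched names pinned in hosts file")
```

A clean hosts file contains no bank or webmail names at all, so any hit is worth investigating; a "redirected" hit for a name you log in to is exactly the symptom of the attack described above and should be treated as a compromised machine, not just a line to delete.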

 

More about how DNS server software works and an example of a pharming attack are available here (.pdf, 2.07 MB).



Useful links:

Wikipedia - http://en.wikipedia.org/wiki/Pharming


 

 

UNSOLICITED E-MAILS (SPAM) AND SLOVENIAN LEGISLATION

 


The area of direct marketing by electronic communications (and consequently of unwanted e-mails and unsolicited advertising mails) is regulated by four acts in Slovenia. The Electronic Communications Act, the Consumer Protection Act and the Electronic Commerce Market Act are the special acts, whereas the Personal Data Protection Act is the general (systemic) act:

 

  • Electronic Communications Act (ZEKom-UPB1)
  • Consumer Protection Act (ZVPot-UPB2)
  • Electronic Commerce Market Act (ZEPT)
  • Personal Data Protection Act (ZVOP-1)

 

The main principles regarding direct marketing arising from the above acts may be summarised as follows:

  • The sender shall acquire prior consent from each recipient.
  • The recipient has the right to refuse further use of his/her e-mail for marketing purposes.
  • The sender shall act according to the Personal Data Protection Act when processing personal data.

 

Further explanation available in Slovenian language at: SI-CERT website.

 

The text is a product of cooperation between SI-CERT, Post and Electronic Communications Agency and Market Inspectorate RS.

 


 

 

CHILD PORNOGRAPHY AND HATE SPEECH REPORT HOTLINE

 

SPLETNO-OKO.SI is a Slovenian hotline where users can anonymously report child pornography and hate speech on the internet. SPLETNO-OKO.SI operates within the European Community's Safer Internet plus programme and the INHOPE organization. The project's advisory body also includes the Office of the State Prosecutor of the Republic of Slovenia, the Police, media representatives and representatives of other organizations active in the field of child rights protection.

 

Cooperation between similar hotlines at the European level has proved effective in the battle against illegal content on the internet. Slovenian internet users can themselves contribute to a safer internet environment by anonymously reporting potentially illegal and/or harmful websites.

In the light of the Information Commissioner's efforts for protection of personal data on the internet and for safer internet in general, the Commissioner welcomes the introduction of internet hotline SPLETNO-OKO.SI.

Because of the nature of the project the hotline Spletno oko is publicly available only on the internet at www.spletno-oko.si.



For additional information contact:  info(at)spletno-oko.si.


 

 

HOW DO I REMOVE CACHES IN THE LISTINGS OF SEARCH ENGINE RESULTS IF THE ORIGINAL WEBSITE NO LONGER EXISTS ON THE INTERNET?

Some search engines, such as Google, Yahoo! or the Slovenian search engine Najdi.si, offer a cached copy of each indexed page, which lets the user see what a website looked like at a given moment in time. Sometimes the cache still shows a page's content even though the page is no longer at its original location. This happens because search engines work with robots (crawlers) that constantly crawl the internet and index websites; every page the crawlers have indexed is included in the search engine's index until the index is refreshed.

 

Cache example (image not reproduced).

The cached copy and its link remain in the results even after the original site no longer exists, until the crawler revisits the address and sees that it is gone. Sometimes this happens quickly, but it can also take several weeks. The cache is very useful on the one hand, but on the other hand it can be quite unpleasant, especially when a website that no longer exists remains available as a cache showing illegal, disturbing or false information.

 

Website caches are covered by the Electronic Commerce Market Act (ZEPT), which specifically defines the responsibilities of caching providers, i.e. the search engines. ZEPT transposes the caching provision of the EU Electronic Commerce Directive (Article 13 of Directive 2000/31/EC) and provides that the service provider is not liable for damages, for any other pecuniary remedy or for any criminal sanction as a result of the transmission, provided that the service provider: does not modify the information; complies with conditions on access to the information; complies with any rules regarding the updating of the information; does not interfere with the lawful use of technology, widely recognised and used by industry, to obtain data on the use of the information; and acts expeditiously to remove or disable access to the information it has stored upon obtaining actual knowledge that the information at the initial source of the transmission has been removed from the network, that access to it has been disabled, or that a court or an administrative authority has ordered such removal or disablement.

 

This means that search engines are not liable for the caches they provide as long as they meet the above conditions. A search engine's liability begins when it obtains actual knowledge that the information at the initial source has been removed from the network, that access to it has been disabled, or that a court or an administrative authority has ordered such removal or disablement. From that point it must act expeditiously to remove or disable access to the information it has stored, i.e. update its index so that the page no longer appears among the search results.

 

Search engines are obliged to provide tools that users can use to request cache removal. Our experience shows that search engines update their index quite quickly when requested to by users, after which the non-existent pages no longer appear among the results. To remove the link to a cached copy, the user can also contact the webmaster of the original website and ask him or her to request that the search engine re-index the site and thus correct its index.

 

In any case, responsibility for acting on caches lies primarily with users themselves, which is why we describe some of the ways to request cache removal from some of the most popular search engines. Some search engines provide special web pages for this, while others accept reports via e-mail:

 

