TLDR
Safe computing in AP Computer Science Principles is about understanding how personal data gets collected and stored, the privacy risks that come with it, and the tools that protect computing resources. You need to know what counts as personally identifiable information (PII), how attackers gain unauthorized access through tricks like phishing and keylogging, and how defenses like strong passwords, multifactor authentication, and encryption work.
Why This Matters for the AP Computer Science Principles Exam
This topic shows up on the multiple-choice section, where you may read a passage about a computing innovation and answer questions about the data it collects and the privacy or security concerns that come with it. You will also use these ideas when you describe the impact of gathering data and evaluate computing based on legal and ethical factors. The big skill here is connecting a specific data-collection or security situation to its real consequences for people, then naming the right protection.
Key Takeaways
- PII is any information that identifies, links, relates to, or describes a person, including Social Security number, age, race, phone numbers, medical and financial information, and biometric data.
- Disparate data like geolocation, cookies, and browsing history can be aggregated to build a detailed picture of someone, even from pieces that seem harmless alone.
- Information placed online is hard to delete and can be used in unintended ways, so think before you post.
- Authentication (strong passwords and multifactor authentication) and encryption (symmetric and public key) protect data from unauthorized access.
- Unauthorized access is often gained through phishing, keylogging, malicious links, unsolicited emails, rogue access points, and untrustworthy downloads.
- Regular software updates, malware scanning, and reviewing app permissions are practical ways to protect a computing system.
How Personal Data Gets Collected
Computers and computer systems often store the personal data of their users. Beyond the data you type in directly, things like your location, cookies, and browsing history can also be combined to identify you.
- Search engines can record and keep a history of your searches. They use that history to suggest websites and to show you ads, part of a process known as targeted marketing.
- Devices, websites, and networks can collect information about a user's location.
- Some programs go further and record everywhere you have been, how you got there, and how long you stayed.
- Websites can record and keep a history of who has viewed their pages.
A key part of safe computing is protecting your personally identifiable information, or PII.
What Is Personally Identifiable Information?
PII is information about an individual that identifies, links, relates to, or describes them. Examples include:
- Social Security number
- Age
- Race
- Phone number(s)
- Medical information
- Financial information
- Biometric data (such as fingerprints or facial recognition)
Aggregation: The Hidden Risk
One piece of data might seem harmless, but disparate personal data can be aggregated to create knowledge about you. Geolocation, cookies, and browsing history can be combined to reveal patterns and details you never directly shared. Both commercial companies and governments curate this kind of information, and that curation can be exploited if privacy protections are ignored.
Benefits and Harms of Information Collection
A single effect of data collection can be both helpful and harmful, which is exactly the kind of trade-off you should be ready to explain.
Benefits
- PII and other information placed online can be used to enhance your online experience, like connecting with friends or finding products faster.
- PII stored online can simplify making online purchases by saving your payment and shipping details.
Harms
Without strong protections, the collection of information can be exploited.
- Location data and travel routes can be used to stalk a person.
- PII, especially a Social Security number, can be used to steal someone's identity or help plan other criminal acts.
- Commercial and governmental data can be misused when privacy protections are ignored.
Think Before You Post
The information you put online yourself can also be used against you. People can deduce a lot about you by combining information posted across different social media accounts and other sources. You might reveal private details by accident.
Information placed online can be used in ways you did not intend. An email can be forwarded, a post can be retweeted, and social media content can be viewed by potential employers or college admissions officers. Once information is online, it is difficult to delete. When in doubt, think carefully before posting.
How Unauthorized Access Is Gained
Attackers use several methods to get into accounts and systems. Knowing the vocabulary helps you match a scenario to the right threat on the exam.
- Phishing tricks a user into providing personal information by posing as a trustworthy source, like a fake email from your bank asking for your password.
- Keylogging uses a program to record every keystroke, capturing passwords and other confidential information.
- Malicious links can be disguised on a web page or inside an email message.
- Unsolicited emails, attachments, links, and forms can compromise a system. These can come from unknown senders or from known senders whose accounts have been compromised.
- A rogue access point is a wireless access point that gives unauthorized access to a secure network. Data sent over public networks (like coffee shop Wi-Fi) can be intercepted, analyzed, and modified this way.
- Untrustworthy downloads from freeware or shareware sites can contain malware.
Malware and Viruses
- Malware is software intended to damage a computing system or take partial control over its operation.
- A computer virus is a malicious program that can copy itself and gain unauthorized access to a computer. Viruses often attach themselves to legitimate programs and then run independently.
A key safe-computing habit is to be cautious. Do not open or click links in emails when you do not recognize the sender, and be careful even with messages from friends, since accounts can be compromised. Only download from websites you trust.
Protecting Computing Resources
These concerns have not gone unnoticed, and there are several established ways to protect data and devices.
Authentication
Authentication measures keep people from gaining unauthorized access to your accounts. Two common ones are strong passwords and multifactor authentication.
A strong password is something that is easy for you to remember but difficult for someone else to guess based on what they know about you. Avoid generic phrases (like "password" or "12345") and easily guessed details (like your name or a family member's name). Strong passwords mix character types, such as uppercase letters, numbers, and symbols.
Multifactor authentication grants access only after you present several separate pieces of evidence, usually from at least two of these categories:
- Knowledge: something you know, like a password or PIN.
- Possession: something you have, like a phone that receives a one-time code or an access badge.
- Inherence: something you are, like a fingerprint or facial scan.
Each step adds a new layer that an attacker has to break, so multifactor authentication is more secure than a password alone.
Encryption
Encryption is the process of encoding data to prevent unauthorized access. Decryption is the process of decoding it. Two common approaches are:
- Symmetric key encryption uses one key for both encrypting and decrypting.
- Public key encryption pairs a public key for encrypting with a private key for decrypting. The sender does not need the receiver's private key to encrypt a message, but the receiver's private key is required to decrypt it.
You do not need to know the specific math behind encryption for this course or the AP exam.
Public key encryption relies on digital certificates issued by certificate authorities. These certificates validate the ownership of encryption keys used in secure communications and are based on a trust model. Think of a certificate as a way for one computer to confirm that a website really is who it claims to be.
Other Protections
- Regular software updates patch errors and design flaws that could otherwise be exploited. Every real-world system has flaws that attackers may try to use.
- Computer virus and malware scanning software helps protect a system against infection.
- Reviewing app permissions lets you control what information programs can collect. Users should check these settings to protect their privacy.
How to Use This on the AP Computer Science Principles Exam
MCQ
You will often get a short passage about a computing innovation followed by questions about its data and effects. Read for two things: what data the innovation collects, and how that data could help or harm people. Watch for answer choices that name a specific risk (identity theft, stalking, aggregation) or a specific protection (multifactor authentication, encryption, updates).
Describing Data Impact
When a question asks about the impact of gathering data, connect the data type to a concrete consequence. For example, location history can enable stalking, and aggregated browsing data can reveal private details a person never shared directly. Vague answers like "it is bad for privacy" usually do not earn credit; name the data and the effect.
Evaluating Legal and Ethical Factors
When you evaluate a computing use, weigh both sides. Data collection can enhance an experience and also expose someone to harm. Strong responses acknowledge the trade-off and then justify a position instead of only listing one side.
Common Trap
Match the threat to the right defense. Encryption protects data in transit and storage but does not stop you from being tricked by a phishing email. Multifactor authentication protects logins but does not delete data already posted online. Pick the protection that actually addresses the scenario described.
Common Misconceptions
- PII is only your Social Security number. PII is any information that identifies, links, relates to, or describes you, including age, race, phone numbers, and biometric data.
- Harmless data stays harmless. Separate pieces like cookies, geolocation, and browsing history can be aggregated to reveal private information about you.
- You can always delete what you post. Once information is online it is difficult to delete, and it can be forwarded, screenshotted, or reshared beyond your control.
- A virus and malware are different categories. A computer virus is a type of malware, not a separate thing. Malware is the broad term for software meant to damage or take control of a system.
- Multifactor authentication just means a longer password. It requires evidence from at least two different categories (knowledge, possession, inherence), so adding more characters to one password is not multifactor.
- Encryption hides who you are. Encryption encodes data so unauthorized people cannot read it. It does not make you anonymous or protect you from tricks like phishing.
- A strong password has to be a random mess you cannot remember. A strong password is easy for you to remember but hard for others to guess, often by mixing character types in a phrase that means something only to you.
Related AP Computer Science Principles Guides
Vocabulary
The following words are mentioned explicitly in the College Board Course and Exam Description for this topic.Term | Definition |
|---|---|
authentication measures | Security methods used to verify the identity of a user and protect devices and information from unauthorized access. |
biometric data | Personal information based on physical or behavioral characteristics, such as fingerprints or facial recognition, that can be used to identify an individual. |
browsing history | A record of websites and pages an individual has viewed that can be collected and maintained by websites and networks. |
certificate authority | An organization that issues digital certificates to validate the ownership of encryption keys based on a trust model. |
computer virus | A malicious program that can copy itself and gain unauthorized access to a computer, often by attaching itself to legitimate programs. |
cookies | Data files stored on a user's device that track browsing behavior and can be aggregated with other personal data. |
data aggregation | The process of combining disparate personal data from multiple sources to create comprehensive knowledge about an individual. |
decryption | The process of decoding encrypted data to make it readable. |
digital certificate | A credential issued by a certificate authority that validates the ownership of encryption keys used in secure communications. |
encryption | The process of encoding data to prevent unauthorized access. |
freeware | Free software that can potentially contain malware if downloaded from untrustworthy sources. |
geolocation | Information about a user's physical location that can be collected by devices, websites, and networks. |
identity theft | The unauthorized use of a person's PII to impersonate them or commit fraud. |
keylogging | The use of a program to record every keystroke made by a computer user in order to gain fraudulent access to passwords and confidential information. |
malicious link | A link that can be disguised on a web page or in an email message to compromise computing security. |
malware | Software intended to damage a computing system or to take partial control over its operation. |
malware scanning software | Software designed to detect and protect a computing system against infection from viruses and malware. |
multifactor authentication | A method of computer access control requiring a user to present at least two separate pieces of evidence from the categories of knowledge (something they know), possession (something they have), and inherence (something they are). |
permissions | Settings that control what information programs are allowed to collect from users and how they can access user data. |
personally identifiable information | Information about an individual that identifies, links, relates, or describes them, such as Social Security numbers, age, race, phone numbers, medical information, financial information, or biometric data. |
phishing | A technique that attempts to trick a user into providing personal information that can be used to access sensitive online resources. |
public key encryption | An encryption approach that uses a public key for encryption and a private key for decryption, allowing secure communication without sharing the private key. |
rogue access point | A wireless access point that gives unauthorized access to secure networks. |
search history | A record of searches made by users on search engines that can be collected, maintained, and used for targeted marketing or other purposes. |
shareware | Software available for free or low cost that can potentially contain malware if downloaded from untrustworthy sources. |
social media | Online platforms where individuals post information that can be viewed, shared, and used by others in ways not originally intended. |
software updates | Regular patches and improvements to software that fix errors and design flaws that could compromise a computing system. |
strong password | A password that is easy for the user to remember but difficult for others to guess based on knowledge of that user. |
symmetric key encryption | An encryption approach that uses one key for both encrypting and decrypting data. |
targeted advertising | A marketing technique that uses computing innovations to deliver specific advertisements to individuals or groups based on their data and behavior. |
unauthorized access | Gaining access to computing resources without permission, often through techniques like phishing, keylogging, or rogue access points. |
Frequently Asked Questions
What is safe computing in AP CSP?
Safe computing is the AP CSP topic about protecting personal data, computing resources, and privacy. It includes PII, data aggregation, encryption, authentication, malware, and phishing.
What is personally identifiable information?
Personally identifiable information, or PII, is information that identifies, links to, relates to, or describes a person, such as a Social Security number, phone number, medical data, financial data, or biometric data.
Why is data aggregation a privacy risk?
Data aggregation combines separate pieces of information, such as location, cookies, searches, and browsing history. Together, those pieces can reveal private patterns that one data point alone might not show.
What is phishing?
Phishing is an attempt to trick a user into giving away personal information or credentials by pretending to be a trusted source, often through email, texts, links, or forms.
What is the difference between symmetric and public key encryption?
Symmetric encryption uses the same key to encrypt and decrypt data. Public key encryption uses a public key to encrypt and a private key to decrypt.
How is safe computing tested on AP CSP?
AP CSP questions may ask you to identify privacy risks, match threats to defenses, explain how data can help or harm people, or distinguish encryption, authentication, phishing, and malware.