1. Students can describe how intermediary devices, and the services that provide them, are involved in transmitting information from point A to point B on the Internet.
2. Students can explain how the interconnected, many-layered structure of the Internet affects the security and privacy of online communication.
3. Students can identify the difference between a private network and a shared network and can describe some of the potential risks of using a shared network.
4. Students can describe how encryption decreases the chances of outside parties infiltrating private communications and accessing private information.
5. Students can explain why their security depends (in part) on their own decisions and behavior.
6. Students can give some examples of common encryption protocols, identify what layer of an electronic communication each of those protocols protect, and describe how they would verify that those protocols were being used.

Lesson elements in this module can be used to address the following computer-science curricular standards.

AP Computer Science Principles Curriculum Framework

Elements substantially address the following Essential Knowledge under Big Idea 3, Data and Information:

• 3.3.1F. Security and privacy concerns arise with data containing personal information.

Elements substantially address the following Essential Knowledge under Big Idea 6, The Internet:

• 6.3.1H. Cryptography is essential to many models of cybersecurity.

Elements substantially address the following Essential Knowledge under Big Idea 7, Global Impact:

• 7.3.1G. Privacy and security concerns arise in the development and use of computational systems and artifacts.

The following Essential Knowledge is also touched on:

• Under Big Idea 3: Data and Information: 3.3.1A, 3.31B.
• Under Big Idea 6: The Internet: 6.1.1A, 6.1.1C, 6.2.2B, 6.2.2H, 6.3.1A, 6.3.1C, 6.3.1F, 6.3.1G, 6.3.1M.

CSTA K–12 Computer Science Standards (Level 3 — High School)

Elements substantially address the following learning objective under Level 3, Course 3A: Computer Science in the Modern World:

• CI.10. Describe security and privacy issues that relate to computer networks.

The following learning objectives are also touched on:

• Under Level 3, Course 3A: Computer Science in the Modern World: CPP.9, CD.8.

ACM Computer Science Curricula 2013 (CS2013) Guidelines (Undergraduate)

The following Learning Outcomes are touched on:

• Under Information Assurance and Security: Cryptography 1; Web Security 2.
• Under Networking and Communciation: Introduction 1.
• Under Social Issues and Professional Practice: Security Policies, Laws and Computer Crimes 6.

Estimated Time: 10-12 minutes.
What You’ll Need: Computer and projector.

Quick Knowledge Check

What kind of path does information take to get from your computer or smartphone to get to a destination website? Is it as short and direct as possible?

High-Level Answer: There are many different computers that serve as intermediaries between you and the website you are trying to reach. These intermediaries may be geographically far out of the way with respect to the shortest path between you and a website’s servers.

Details/Background for Teachers: The information travels an often long, seemingly random path — because allowing data to travel along many different paths decreases the chances of information getting lost along the way. For example, when a connection through New York is heavily loaded or breaks down, the information can simply take a route through Massachussetts. In addition, as it leaves your computer, the information is broken up into packets that may each take a different route; they are reassembled by the destination computer.

Introduction to Traceroute

Summary of Traceroute Demonstration: The teacher uses a traceroute website to give a visual representation of how many different intermediaries data from their computer passes through before reaching its destination. Students may be surprised to know just how widely distributed their information can be — which emphasizes the importance of using a secure network in case someone may be listening in.

To demonstrate how many nodes data goes through for a typical website visit, go to the following website: yougetsignal.com/tools/visual-tracert

• Explain to the class that you will demonstrate the path information from your laptop takes to arrive at a chosen destination.
• Type in a destination URL and click “Proxy Trace”. The trace will take about 30–60 seconds.
• While the route is being traced, ask the students:
• • Do you think the connection between my computer and the [website] server has any intermediary stops?
  • How many stops or “nodes” do you think the information from my computer is passing through?
  • How widely do you think those nodes are spread, geographically? Will the information go in a straight line?

Notes and FAQs:

• The intermediary nodes in the traced route are listed along the right side of the screen. Many may not appear on the map, if YouGetSignal cannot get data about where the actual servers are located. However, you can draw students’ attention to how long the list is!
• The number of stops may vary each time the URL is typed in.
• Colorado is a common stop across all websites visited because it is the location of the host website, yougetsignal.com, and it traces routes to all websites through its server.

The Quick Hook

Estimated Time: 2-3 minutes per story.
What You’ll Need: Computer and projector (optional).

These news items can be used to illustrate the real-life consequences of privacy breaches. If you have a computer and projector, you can show the stories on a screen as you talk about them. If not, you can simply summarize them verbally.

Petraeus and Broadwell Used Common E-mail Trick

• Summary: An affair between David Petraeus, former CIA chief, and Paula Broadwell, his biographer and a former military officer, is uncovered when the FBI finds their hidden emails.
• Content Advisory: The article refers to Petraeus and Broadwell’s extramarital affair, and there is a reference at the end to “arousal”.

Companies Spying on Students Online for Common Core Leaks

• Summary: Standardized testing companies hire investigators to find students who share exam material online — among other things.

Optional Extension

Estimated Additional Time: 5-7 minutes per story.

For each news item, ask the students:

• What form of communication was listened in on?
• What information did the eavesdropper gain access to?
• What did the eavesdropper use this information for?
• Could the people in the story have used a more secure means of communication to prevent eavesdropping?

Estimated Time: 20-30 minutes.
What You’ll Need: Paper and pens/pencils.

This activity demonstrates the problems with sharing information over an unsecure network, and how using encryption can aid with online security. Students first send an unencrypted message through an intermediary, who obviously is able to read it. They then try sending an encrypted message, which the intermediary tries to decipher.

1. (2 minutes) Have students create groups of 6. For each group, divide students into three pairs and name each pair A, B, and C.
   1. Pair A will be the sender, Pair B will be the “Network”, and Pair C will be the recipient.
   2. Have each pair in each group stand an equal distance away from one another, with Pair B in between Pairs A and C.
2. (4 minutes) In the first round, have all Pairs A send a note to Pairs C by passing it through Pairs B. Afterwards, have Pairs C pass notes to Pairs A via Pairs B.
   1. Before Pairs B pass the note along, ask them to read and decide if they could understand what the note says (to which they will presumably say they can).
   2. Explain to the class that this is the same way unsecured networks work: people running the networks (Pairs B) on these unsecured lines are able to decipher two-way conversations easily, exposing Pairs A and C’s private (or non-private) information.
3. (10 minutes) Have each group break up for 10 minutes. All Pairs A and C will meet up together and come up with their own encryption code on a sheet of paper.
   1. You can help them get started by doing an example. To write an encryption code, the students can assign a different letter or other symbol to each letter in the alphabet. For example: whenever there is an “a” in the message, they could use “m” or “%” for their encrypted message. Encourage students to get creative with their keys!
   2. Have Pairs A and C stand stand together, while Paris B stand several feet away (depending on classroom size).
   3. Although Pairs B should not physically look at the code Pairs A and C are developing, they may be allowed to eavesdrop and try to strategize about how to break the code.
   4. Make sure Pairs A and C each have a copy of their encryption code, then they can return back to their positions.
4. (4 minutes) In the second round, have Pairs A and C each send a note to one another by handing it to Pairs B, with a message written in the encryption code Pairs A and C previously agreed on. (Suggest students make the message content interesting, so that Pair B is motivated to break the code.)
   1. Before passing along the note each time, have Pairs B get a copy of it (photograph the note with a smartphone or manually copy it down).
   2. Ask Pairs B if they are able to decipher what the encrypted message says.
5. (1 minute) Explain to students that this (although simplified) is how you can ensure information you communicate online is secure: by using encryption!

Estimated Time: 12-15 minutes.
What You’ll Need: Copies of worksheet; computers for students.

This activity demonstrates how, in order for your information to get from Point A to Point B, it goes through numerous intermediaries. Students answer questions based on their own experiences tracerouting several websites. This activity can be done by individual students or in pairs/groups, in class or as homework.

Download Worksheet: “Traceroute: Where Is Your Information Going?”

Wrap-Up Explanation: This activity has shown how many intermediaries, called “nodes”, your information travels through just to get to a website (and back). If any of the intermediary nodes are not secure, your data could be captured and, if unencrypted, it could be read.

Estimated Time: 5-10 minutes.
What You’ll Need: Computer and projector; copies of graphic organizer (optional).

These slides can be used for an overview lecture on the basic concepts underlying the principle “Communication over a network, unless strongly encrypted, is never just between two parties”. The slides are accompanied by Notes with details and examples to guide your lecture.

Access Slide Deck: “Someone Could Listen”

Use the custom Graphic Organizer to help students follow along and take notes.

Access Worksheet: Graphic Organizer for “Someone Could Listen” Presentation

The Blown to Bits textbook covers a wide spectrum of ideas related to Internet privacy, with a particular focus on the new, unique, ever-changing nature of the Internet.

Online Version: Blown to Bits: Your Life, Liberty, and Happiness After the Digital Explosion, by Hal Abelson, Ken Ledeen, and Harry Lewis

You can assign students all or parts of the following chapters for an in-depth but engaging exploration of the ideas covered in Module 5.

• Chapter 5: Secret Bits: How Codes Became Unbreakable — Excerpt

• Content Advisory: Blown to Bits refers to STI outbreaks and discusses the dangers of sending sexually explicit content online.

Estimated Time: 25-30 minutes.
What You’ll Need: Computer and projector.

These slides can be used for an in-depth lecture and discussion about the different types of security warnings students might see when browsing the web, and what they should do when they see one. The slides are accompanied by Notes with details to guide your lecture.

Download Slide Deck: “Understanding Browser Warnings”

Whole-Class Follow-Up Discussion

Use one or more sets of questions to encourage students to reflect on the technical information presented.

What do you normally do when you see a web browser warning?

• If you ignore them, why?
• Will seeing this presentation change the way you react to these warnings? Why or why not?

What are the risks of ignoring these warnings?

• Which risks are you most concerned about? Why?
  

  Possible Answers: The risks of ignoring website warnings include the increased probability of being hacked or attacked by a virus, and in result, the loss and/or theft of the user’s personal data. (Viruses/malware can have a variety of other consequences; see the OnGuardOnline article.) Stolen information can be anything: SSN/passport/driver’s license number, financial information, employment information, location, login information, etc.

  Note for Teachers: Different people may be most concerned about different types of information. For example, many credit card and bank accounts come with fraud protection, so — if they have protection — theft of account numbers may not be the end of the world. More of a concern may be identity thieves using your SSN (etc.) to open new credit lines they don’t pay off, giving you bad credit. If someone has had sensitive or potentially embarrassing communications by email, SMS, or personal messaging on social media, that may be their biggest concern.

Have you heard about any incidents where someone was hacked or attacked by a virus?

• What did the hacker or virus do?
• How did the hacker or virus get into the person’s accounts or devices?
• Were there any warning signs that were given beforehand? Did the user recognize them at all?
• Was the person able to recover their account or fix their device? If so, how?
• How could the incident been prevented?

Did you recognize any of these visual warnings?

• Which ones?
• Which aspects were especially noticeable or recognizable?
• Which aspects are similar between browsers? Which aspects are different?
• Can these warnings change over time?
  

  Target Answer: Yes; they change to convey new information or to match the changing look of the browser.

• Is there any way you would suggest changing these warnings to make them better?

Estimated Time: 10-15 minutes.
What You’ll Need: Copies of review sheet.

This learning assessment can be used as an in-class quiz or as homework.

Download Assessment: “Someone Could Listen: Review Questions”

Teachers: Find out how to access the answer key for the Module 4 review questions.

Estimated Time: 3-5 minutes.
What You’ll Need: Computer and projector.

These slides present three short scenarios involving browser warnings and phishing emails, and ask students what they should do in each situation.

Access Slide Deck: What Would You Do? (Module 4)

Suggested answers are included in the notes on each slide.