Define PII and identify examples of personally identifiable information
Explain how disparate data sources can be aggregated to reveal private information
Describe authentication methods including strong passwords and multifactor authentication
Explain how symmetric and public key encryption protect data
Identify common attack methods: phishing, keylogging, rogue access points, and malware
📈 Exam Weight: 21-26% (BI5 combined)
📝 CED Standards: IOC-2.A, IOC-2.B, IOC-2.C
✅ 5 MCQs • 5 FAQs
Exam Impact: Safe Computing is the most fact-dense BI5 topic with 3-5 MCQ questions per exam. The vocabulary is heavy: PII, multifactor authentication, symmetric encryption, public key encryption, phishing, keylogging, rogue access point. Every term is directly tested.
Why This Matters
Your name alone reveals little. Your employer alone reveals little. Your neighborhood alone reveals little. But your name + employer + neighborhood + browsing history + location data + purchase history together create a detailed profile that can be used to stalk you, steal your identity, manipulate your decisions, or deny you services. The AP exam tests whether you understand how individually harmless data becomes dangerous when aggregated.
Personally Identifiable Information (PII)
PII is information about an individual that identifies, links, relates, or describes them. The AP exam expects you to recognize PII from examples:
Social Security number
Age, race, biometric data
Phone numbers
Medical and financial information
Location data
PII can be used to enhance user experiences (personalized recommendations, simplified purchases) and also to harm users (identity theft, stalking, discrimination).
Data aggregation trap: The AP exam frequently tests this: disparate data that is NOT individually PII can be combined to create PII. Your favorite coffee shop location alone is harmless. Your home neighborhood alone is harmless. Your gym schedule alone is harmless. Combined: anyone can predict exactly where you are at specific times. The CED specifically cites geolocation, cookies, and browsing history as examples of aggregatable data.
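The aggregation effect described above can be measured before a dataset is released. This added example is not part of the original study guide; the two sources, every name, employer, ZIP code and gym slot, and the function names are constructed for illustration.

```python
# Constructed sample data; the people, employers and ZIP codes are invented.
DIRECTORY = [  # source A: a public staff listing (has names)
    {"name": "Ana Ruiz", "employer": "Acme", "zip": "30301"},
    {"name": "Ben Cho",  "employer": "Acme", "zip": "30302"},
    {"name": "Cal Diaz", "employer": "Bolt", "zip": "30301"},
    {"name": "Dee Park", "employer": "Bolt", "zip": "30302"},
]
APP_EXPORT = [  # source B: a "de-identified" fitness export (no names)
    {"employer": "Acme", "zip": "30301", "gym_slot": "Mon 06:00"},
    {"employer": "Bolt", "zip": "30302", "gym_slot": "Wed 19:00"},
]

def candidates(record, directory, fields):
    """Names in the directory that match `record` on every listed field."""
    return [p["name"] for p in directory
            if all(p[f] == record[f] for f in fields)]

def reidentified(export, directory, fields):
    """Map name -> gym_slot for export rows that match exactly one person."""
    linked = {}
    for row in export:
        names = candidates(row, directory, fields)
        if len(names) == 1:  # only one person fits, so the row is no longer anonymous
            linked[names[0]] = row["gym_slot"]
    return linked

def risk_report(export, directory):
    """Count re-identified rows for each set of fields a publisher might release."""
    field_sets = (["employer"], ["zip"], ["employer", "zip"])
    return {"+".join(fs): len(reidentified(export, directory, fs))
            for fs in field_sets}

if __name__ == "__main__":
    # Each field alone matches two people; the pair of fields matches one.
    print(risk_report(APP_EXPORT, DIRECTORY))
    print(reidentified(APP_EXPORT, DIRECTORY, ["employer", "zip"]))
```

Employer alone or ZIP code alone leaves every export row hidden among two people, but the combination ties each "anonymous" gym schedule to a single name.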
Privacy Risks of Data Collection
The Internet is built on data collection. Every interaction leaves traces:
Search engines record and maintain search history; use it for targeted advertising
Websites record which pages you visit and when
Devices and apps collect location data -- where you've been, how you got there, how long you stayed
Social media posts can be viewed by employers, law enforcement, and others you didn't intend
Online purchases create records that can be used to infer health, relationships, and finances
Critical point: “Once information is placed online, it is difficult to delete.” Even deleted posts can persist in screenshots, archive sites, and backups.
Authentication: Protecting Access
Authentication measures protect devices and information from unauthorized access.
Strong passwords:
Easy for the user to remember
Difficult for others to guess based on knowledge of the user
The AP exam won't test specific password rules, but the CED definition emphasizes the difficulty-for-others criterion
Multifactor authentication (MFA) requires at least two separate forms of evidence from different categories:
Knowledge -- something you know (password, PIN)
Possession -- something you have (phone, hardware token, smart card)
Inherence -- something you are (fingerprint, face, retina scan)
Key AP exam point: MFA requires at least TWO steps from at least TWO different categories. Two passwords would be two knowledge factors -- that is NOT multifactor authentication in the CED definition. You need two different categories.
Encryption
Encryption encodes data to prevent unauthorized access. Decryption decodes it back. The AP exam tests two types:
| Type | How It Works | Key Property |
| --- | --- | --- |
| Symmetric key | Same key encrypts AND decrypts | Both parties need the same secret key -- key distribution is the challenge |
| Public key (asymmetric) | Public key encrypts; private key decrypts | Sender uses recipient's PUBLIC key; only recipient's PRIVATE key decrypts it |
Public key encryption insight: Anyone can encrypt a message to you using your public key (it's public -- share it widely). Only YOU can decrypt it because only you have your private key. The sender never needs your private key. This is how HTTPS works.
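The difference between the two key models, as an added example that is not part of the original study guide. It uses a toy XOR cipher and textbook RSA with tiny constructed primes purely to show which key does what; neither is secure, and real systems use vetted cryptographic libraries. The function names and the sample message are assumptions.

```python
import secrets

def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a repeating key. The same call
    with the same key both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def make_keypair(p: int = 61, q: int = 53, e: int = 17):
    """Textbook RSA key pair from tiny constructed primes (not secure)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: e*d = 1 (mod phi)
    return (e, n), (d, n)        # (public key, private key)

def apply_key(key, values):
    """Raise each integer to the key's exponent modulo n."""
    exp, n = key
    return [pow(v, exp, n) for v in values]

def demo():
    msg = b"meet at noon"        # constructed sample message
    # Symmetric: Alice and Bob must both already hold `shared`.
    shared = secrets.token_bytes(8)
    sym_ct = xor_cipher(msg, shared)
    # Public key: Alice needs only Bob's PUBLIC key to encrypt.
    bob_public, bob_private = make_keypair()
    ct = apply_key(bob_public, list(msg))
    return {
        "symmetric_same_key_decrypts": xor_cipher(sym_ct, shared) == msg,
        "private_key_decrypts": apply_key(bob_private, ct) == list(msg),
        "public_key_cannot_decrypt": apply_key(bob_public, ct) != list(msg),
    }

if __name__ == "__main__":
    print(make_keypair())
    print(demo())
```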
Certificate authorities issue digital certificates that validate ownership of public encryption keys -- they're the trusted third party that confirms a website's public key actually belongs to that website.
Attack Methods: How Unauthorized Access Is Gained
The AP exam directly tests these attack vectors by name:
| Attack | Method | Defense |
| --- | --- | --- |
| Phishing | Tricks users into providing personal information via fake emails, websites, or messages | |
| | Malicious program that copies itself and attaches to legitimate programs | Anti-virus software; regular updates |
AP exam vocabulary check: Know these terms cold. A rogue access point is specifically about unauthorized Wi-Fi -- not about a compromised router on a home network. Keylogging is specifically about recording keystrokes -- not about reading stored files.
Practice MCQs
Predict your answer before clicking. These questions match AP exam difficulty and phrasing.
🔎 MCQ 1 of 5
A user's name, employer, and zip code are each publicly available individually. When combined, this data can be used to uniquely identify most individuals. This scenario BEST illustrates:
🔎 MCQ 2 of 5
A website login requires a password (something the user knows) and a code sent to the user's phone (something the user has). This is an example of:
🔎 MCQ 3 of 5
Alice wants to send Bob an encrypted message using public key encryption. Alice should encrypt the message using:
🔎 MCQ 4 of 5
A student receives an email appearing to be from their school's IT department asking them to click a link and enter their username and password to 'verify their account.' This is MOST likely an example of:
🔎 MCQ 5 of 5
Which of the following would NOT be considered PII according to the CED?
I. A person's Social Security number
II. A person's favorite color
III. A person's medical history
Frequently Asked Questions
Data aggregation is combining multiple sources of data about a person to create a more complete profile. Individually harmless data (your morning jogging route, your workplace location, your frequent coffee shop) becomes identifying and potentially dangerous when combined. The CED cites geolocation, cookies, and browsing history as examples. A stalker, employer, or government can use aggregated data to know your habits, relationships, and vulnerabilities.
Symmetric encryption uses the SAME key to encrypt and decrypt -- both sender and receiver must have the same secret key. The challenge is securely sharing that key. Public key (asymmetric) encryption uses a key PAIR: a public key (share it with everyone) encrypts; a private key (keep it secret) decrypts. The sender never needs the receiver's private key. HTTPS uses public key encryption to establish secure connections.
A password alone is 'something you know.' Even a strong password can be stolen through phishing, keylogging, or data breaches. MFA adds a second factor from a different category: something you have (phone) or something you are (fingerprint). An attacker who steals your password still can't log in without also stealing your phone or biometric. Both factors would need to be compromised simultaneously.
A rogue access point is a fake Wi-Fi hotspot that intercepts network traffic. When you connect to what appears to be a legitimate public Wi-Fi network, you may actually be connecting to an attacker's device. The attacker can see all unencrypted data you send, including usernames, passwords, and personal information. Rogue access points are most common in airports, coffee shops, and hotels where people expect free Wi-Fi.
The CED states: 'Once information is placed online, it is difficult to delete.' Screenshots can capture content before deletion. Archive services like the Wayback Machine cache websites. Recipients can forward messages. Search engine caches may retain deleted content. For practical purposes on the AP exam: treat online information as permanent. This is especially relevant for social media posts that can be viewed by future employers.