AP CSP Big Idea 5 (Impact of Computing): Security and Ethics Study Notes

Crowdsourcing

Crowdsourcing is the practice of obtaining ideas, work, data, or solutions from a large group of people—often through the internet—rather than from a single expert or a small team. The “crowd” might be volunteers, paid contributors, or users who participate because they care about the outcome.

What it is (and what it isn’t)

Crowdsourcing is about distributing a task across many people. Sometimes those people are doing creative work (designing a logo), sometimes they are doing microtasks (labeling images), and sometimes they are providing resources (donating computing power). What makes it crowdsourcing is not that it’s online, but that it relies on many independent contributions.

A common confusion is mixing up crowdsourcing with “open source.” Open-source software can be crowdsourced (many people contribute code), but “open source” is specifically about licensing and access to source code. Crowdsourcing is a method of getting contributions; open source is a legal/organizational approach to sharing software.

Why it matters

Crowdsourcing matters in the impact of computing because it changes:

  • Who can contribute: You don’t need to be hired by an organization to help build knowledge or solve a problem.
  • How quickly work can scale: Many people doing small parts can accomplish a large goal faster than a small team.
  • What kinds of problems become solvable: Some problems are too large, too distributed, or too local to be solved centrally.

It also introduces new ethical and security concerns—like how to ensure quality, protect contributor privacy, and prevent manipulation.

How it works (step by step)

Most crowdsourcing systems follow a pattern:

  1. Break a big goal into pieces. For example, “map the world” becomes “add roads for this neighborhood.”
  2. Provide a platform where people can contribute. This could be a website, app, or marketplace.
  3. Motivate participation. Motivation might be:
    • Intrinsic (helping science, community pride)
    • Social (status, recognition)
    • Extrinsic (payment, prizes)
  4. Aggregate contributions into a final result. The platform merges inputs and resolves conflicts.
  5. Validate quality. This is crucial: the crowd can be wrong, malicious, or biased.

Types of crowdsourcing (with examples)

Crowdsourcing can look different depending on what the crowd provides:

Human knowledge and content

Platforms collect many small contributions of information.

  • Example: A community-edited encyclopedia where many editors improve articles over time.
  • Why it works: Many eyes can catch errors and add detail.
  • What can go wrong: Edit wars, misinformation, and biased coverage.
Microtasking / human computation

People do tasks that computers struggle with (or that are expensive to automate).

  • Example: Labeling images (“cat” vs. “not cat”) to create training data for machine learning.
  • Why it works: Humans are still very good at perception and context.
  • What can go wrong: Workers may be underpaid; labels may be inconsistent.
Citizen science

Volunteers contribute observations or analysis.

  • Example: People classify galaxies, transcribe historical documents, or report local environmental data.
  • Why it works: Massive data sets become manageable.
  • What can go wrong: Data quality varies; participation may be unrepresentative of the broader population.
Crowdfunding

The crowd contributes money to fund a project.

  • Example: Raising funds for a new product or a community project.
  • What can go wrong: Fraud, misleading claims, and lack of accountability.
Distributed computing (volunteer computing)

The crowd contributes computing resources.

  • Example: Donating spare CPU/GPU time to scientific research.
  • What can go wrong: Security risks if software is not trustworthy; participants may not understand what is being run.

Showing it in action: two concrete scenarios

Scenario 1: Building a map after a natural disaster

After a hurricane, official maps may be outdated. A platform asks volunteers to trace roads and damaged areas from satellite images.

  • How crowdsourcing helps: Many volunteers can update many regions quickly.
  • Quality control approach: Multiple volunteers map the same area; disagreements are flagged for review.
  • Ethical concern: If mapping includes sensitive locations (shelters, medical sites), sharing might put people at risk.
Scenario 2: Training an image classifier

A company wants to detect damaged roofs from drone photos. They crowdsource labels for thousands of images.

  • How crowdsourcing helps: You can generate labeled data fast.
  • What can go wrong: If labelers misunderstand what “damage” means, the model learns the wrong patterns.
  • Ethical concern: If labelers are paid per task, incentives may encourage speed over accuracy.

What goes wrong (pitfalls and misconceptions)

Crowdsourcing is powerful, but it isn’t magic.

  • “The crowd is always right.” Not necessarily. Large groups can still be biased, misinformed, or manipulated.
  • Sampling bias: The people who participate may not represent everyone affected by the outcome.
  • Malicious contributions: Spammers, trolls, or coordinated groups can inject false data.
  • Privacy leakage: Contributors may unintentionally reveal personal or location data.

A useful way to think about it: crowdsourcing is a tradeoff between scale and control. You gain speed and breadth, but you must invest in validation and governance.

Exam Focus
  • Typical question patterns:
    • Describe a computing innovation that uses crowdsourcing and explain a benefit and a drawback.
    • Compare crowdsourcing to a traditional approach (expert-only, centralized) in terms of scale, cost, or reliability.
    • Identify potential biases or risks in crowdsourced data and propose a mitigation.
  • Common mistakes:
    • Treating crowdsourcing as automatically accurate without discussing validation.
    • Giving a “benefit” and “harm” that are not clearly linked to the crowdsourcing aspect (they must result from using a crowd).
    • Confusing crowdsourcing with open source, social media, or “anything online.”

Legal and Ethical Concerns

Computing doesn’t just enable new capabilities; it changes what people can do to each other. Legal concerns are about what rules you must follow, while ethical concerns are about what you should do—even when the law is unclear or lagging behind technology.

What “legal” vs. “ethical” means

Legal: governed by laws and regulations. Violations can lead to penalties.

Ethical: guided by values such as fairness, respect, minimizing harm, and honesty. You can act unethically even if you technically follow the law.

A key idea in AP CSP is that laws and ethics often interact but don’t always align:

  • Something can be legal but unethical (for example, collecting excessive user data with confusing consent screens).
  • Something can be illegal but arguably ethical (for example, certain whistleblowing situations—though these are complex and context-dependent).

Why it matters

Legal and ethical issues show up whenever computing handles:

  • Data about people (privacy)
  • Creative work (intellectual property)
  • Access to systems (security and cybercrime)
  • Automated decisions (bias and fairness)

If you build or use computing innovations without considering these issues, you can cause real harm—financial loss, discrimination, loss of freedom, safety risks—even if your program “works.”

Intellectual property (IP): ownership of creative work

Intellectual property refers to creations of the mind—writing, music, art, software, inventions. Computing makes copying and sharing extremely easy, which is great for collaboration but also increases the risk of misuse.

Important categories you should recognize:

  • Copyright: protects original creative expression (like code, text, music). It generally gives the creator rights to control copying and distribution.
  • Patents: protect inventions and certain novel technical ideas.
  • Trademarks: protect brand identifiers (names, logos) that distinguish goods/services.

You do not need to memorize legal details, but you should understand the core ethical tension: creators want credit and control; society benefits from sharing and building on ideas.

Example: Using images in an app

If you pull images from the internet for your app’s interface, you may be violating copyright unless you have permission or the license allows it. Ethically, even if you think you won’t get caught, using someone’s work without credit or permission undermines the creator.

Privacy: what data is collected, how it’s used, and who controls it

Privacy is the ability of individuals to control information about themselves—what is collected, how it is used, and how widely it is shared.

Computing complicates privacy because:

  • Data can be collected automatically (location, clicks, device identifiers).
  • Data can be stored indefinitely and copied perfectly.
  • Separate data sets can be combined to reveal more than each one shows alone.

A common misconception is: “If data is not directly identifying (like no name), it’s anonymous.” In reality, re-identification is possible when seemingly harmless data points are combined (for example, a few location/time points can uniquely match a person). On the exam, you may be asked to reason about this risk conceptually rather than prove it with math.

Example: Fitness app data

A fitness app collects running routes. Even if names are removed, frequent start/stop locations might reveal where a person lives or works. Ethically, the app should minimize unnecessary collection, secure the data, and be transparent about sharing.

Data bias and fairness: when computing reinforces inequality

Bias in data or algorithms means systematic unfairness—certain groups are treated differently or harmed disproportionately.

Bias can enter systems through:

  • Biased data: historical data may reflect unequal treatment (for example, unequal policing or hiring).
  • Non-representative samples: the data might overrepresent some populations and underrepresent others.
  • Design choices: what you measure, what you optimize, and what outcomes you label as “success.”

Even if an algorithm is “accurate overall,” it can still be harmful if errors concentrate on a specific group. Ethically, designers should test for disparate impact, seek diverse input, and be cautious about deploying automated decisions in high-stakes settings.

Example: Facial recognition

If training data contains fewer faces from certain skin tones, the system may have higher error rates for those groups. This can lead to greater harm if used for law enforcement or identity verification.

Digital divide and access

The digital divide is the gap between people who have effective access to computing devices, the internet, and digital skills and those who do not. Impact isn’t just about owning a device—reliable broadband, accessible design, and education matter.

Ethically, innovations can unintentionally exclude:

  • People with disabilities if accessibility is ignored
  • Rural areas with limited internet infrastructure
  • Low-income communities where cost is a barrier

Questions in this unit often ask you to connect an innovation to both positive outcomes and unequal access.

Computing misuse: unauthorized access and harm

Ethical concerns also include how tools can be misused:

  • Breaking into accounts (unauthorized access)
  • Spreading malware
  • Harassment and doxxing
  • Creating deepfakes or misinformation

A key ethical principle is intent plus impact: even “testing security” can be unethical or illegal if you do it without permission because it risks harm.

Showing it in action: balancing tradeoffs

Scenario 1: A free app funded by targeted advertising
  • Benefit: People can use the app without paying.
  • Tradeoff: The company collects user data to target ads.
  • Legal/ethical questions:
    • Did users give meaningful consent, or was it hidden in confusing terms?
    • Is the app collecting more data than needed?
    • Could the data be sold or breached?
Scenario 2: Sharing a dataset for research
  • Benefit: Open datasets help researchers find patterns and improve services.
  • Risk: Individuals may be re-identified; sensitive attributes could be exposed.
  • Ethical response: De-identify data, limit what is shared, require agreements, and consider whether sharing is necessary at all.

What goes wrong (pitfalls and misconceptions)

  • “If it’s online, it’s public.” People may share something to a small audience without expecting broad redistribution.
  • “I agreed to the terms, so it’s ethical.” Consent can be manipulated; ethics asks whether consent was informed and freely given.
  • Equating ethics with opinion. Ethics involves reasoned arguments using principles (harm reduction, rights, fairness), not just “I feel like it’s fine.”
Exam Focus
  • Typical question patterns:
    • Explain a beneficial and harmful effect of a computing innovation, focusing on privacy, intellectual property, bias, or access.
    • Given a scenario, identify whether an action is legal/illegal or ethical/unethical and justify with reasoning (not just a label).
    • Propose a response (policy, design change, user education) that mitigates a harm while preserving benefits.
  • Common mistakes:
    • Listing a generic harm (“privacy issues”) without explaining the mechanism (what data, how collected, who can misuse it).
    • Treating “legal” and “ethical” as the same category; the exam often wants both lenses.
    • Ignoring stakeholders—answers should mention who benefits, who is harmed, and why.

Safe Computing (Encryption, Authentication, Phishing)

Safe computing is about protecting confidentiality (keeping data secret), integrity (preventing improper changes), and availability (keeping systems usable). You’ll often see these as the “CIA triad” in cybersecurity discussions, and they map nicely to real-world problems:

  • Confidentiality: keeping a message private
  • Integrity: ensuring it wasn’t altered
  • Availability: ensuring a service isn’t knocked offline

This section focuses on three core ideas you need for AP CSP: encryption, authentication, and phishing.

Encryption

Encryption is the process of transforming readable data (plaintext) into unreadable data (ciphertext) so that only authorized parties can read it. The core idea is that even if someone intercepts the data, they can’t understand it without the key.

Why it matters

The internet is built from many networks and devices you don’t control. Data may pass through routers, servers, Wi-Fi access points, and other infrastructure. Without encryption:

  • Passwords could be stolen in transit.
  • Private messages could be read by eavesdroppers.
  • Sensitive records (medical, financial) could leak.

Encryption supports confidentiality, but it also enables trust: you can safely shop online, communicate privately, and protect stored data on devices.

How it works (conceptually)

Encryption requires an algorithm and a key.

  • The algorithm is the general method (publicly known in modern cryptography).
  • The key is the secret value that makes your encryption unique.

At a high level:

  • You encrypt plaintext with a key to produce ciphertext.
  • The receiver decrypts ciphertext with the appropriate key to recover plaintext.

A crucial concept: modern encryption assumes attackers may know the algorithm, but not the key. The security comes from key secrecy and key strength.

Symmetric vs. asymmetric encryption

There are two main models:

  • Symmetric encryption: the same secret key is used to encrypt and decrypt.

    • Strength: fast and efficient for large data.
    • Challenge: key sharing—how do both parties get the key securely?

  • Asymmetric encryption (public-key encryption): uses a pair of keys.

    • A public key can be shared widely.
    • A private key is kept secret by the owner.
    • What it enables: you can encrypt a message using someone’s public key, and only their private key can decrypt it.

On the AP CSP exam, you’re typically expected to understand the roles these play (especially that public/private keys exist and enable secure communication without pre-sharing a secret), not to compute encryption by hand.

Showing it in action

Example 1: Messaging app

  • Your phone encrypts a message before sending.
  • Anyone who intercepts the data sees ciphertext.
  • The recipient’s device decrypts it back into readable text.

Example 2: Device storage

  • A laptop encrypts its drive.
  • If the laptop is stolen, the thief may still have the file data—but without the key, it should be unreadable.
What goes wrong (common misconceptions)
  • “Encryption hides everything.” Encryption can protect content, but other information (like who you contacted and when) may still be visible depending on the system. This is often called metadata.
  • “If it’s encrypted, it’s unbreakable.” Security depends on strong algorithms, strong keys, and correct implementation. Weak keys, poor randomness, or flawed software can break security.
  • Key management is often the real problem. If someone steals your key (or your password that unlocks the key), encryption won’t save you.

Authentication

Authentication is the process of verifying that a user (or device) is who they claim to be. This is different from authorization:

  • Authentication: “Who are you?”
  • Authorization: “What are you allowed to do?”
Why it matters

Without authentication, systems can’t reliably restrict access. Many harms—identity theft, account takeover, data breaches—start with attackers bypassing authentication.

Authentication is also the bridge between humans and cryptography: encryption keys and permissions often depend on proving identity.

How it works: common factors

Authentication usually uses one or more of these factors:

  • Something you know: password, PIN
  • Something you have: phone, security key, smart card
  • Something you are: fingerprint, face, iris (biometrics)

Multi-factor authentication (MFA) means using more than one factor (for example, password + phone prompt). The security benefit is that stealing one factor (like a password) is no longer enough.

Showing it in action

Example 1: Password-only login

  • You enter a username and password.
  • The system checks whether the password matches what it expects.
  • Risk: If your password is reused across sites and one site is breached, attackers can try it elsewhere.

Example 2: MFA login

  • Step 1: You enter your password.
  • Step 2: You confirm a login prompt on your phone (something you have).
  • Benefit: Even if an attacker knows your password, they still need access to your phone.
What goes wrong (common misconceptions)
  • “Biometrics are perfect.” Biometrics can have false positives/negatives and raise privacy issues (you can’t change your fingerprint like a password).
  • “Security questions are MFA.” Many security questions are guessable or discoverable (social media), so they may not add much real security.
  • MFA can still be bypassed via social engineering (tricking you into approving a prompt) or phishing (capturing codes). Authentication is a system, not a single magic step.

Phishing

Phishing is a social engineering attack where an attacker tries to trick you into revealing sensitive information (passwords, credit card numbers) or installing malware by pretending to be a trustworthy entity.

Why it matters

Phishing targets the human part of security. Even strong encryption and authentication can fail if a user is convinced to hand over credentials or approve a malicious login.

Phishing is common because it’s scalable: attackers can send millions of messages, and only a small fraction of victims need to fall for it.

How it works (step by step)

A typical phishing attempt includes:

  1. A believable pretext: “Your account will be locked,” “A package delivery failed,” “Your teacher shared a file.”
  2. A call to action: click a link, open an attachment, or log in.
  3. A spoofed destination:
    • A fake login page that looks real
    • A malicious attachment
    • A site with a similar-looking URL
  4. Credential theft or malware installation: once you enter info or run the attachment, the attacker gains access.

Phishing can also be targeted:

  • Spear phishing: aimed at a specific person or organization, often using personal details to look convincing.
Showing it in action

Example 1: Fake password reset
You receive an email: “Unusual activity detected. Reset your password now.” The link goes to a fake site that records your username and password.

Example 2: “Shared document” scam
A message claims someone shared a document with you. You click and are asked to log in. The page is a replica of a real login screen.

How to recognize and defend

Good defenses combine tools and habits:

  • Verify the sender and the URL (watch for subtle misspellings).
  • Don’t enter credentials from email links; navigate directly to the site.
  • Use MFA so stolen passwords are less useful.
  • Keep software updated to reduce damage from malicious attachments.
What goes wrong (common misconceptions)
  • “Only careless people fall for phishing.” Modern phishing can be highly realistic and timed around real events. The goal is to exploit attention and urgency.
  • “MFA stops all phishing.” MFA helps a lot, but attackers can still trick users into approving prompts or can capture one-time codes in real time.
  • “If the website has a lock icon, it’s safe.” HTTPS helps protect data in transit, but a phishing site can also use HTTPS. The lock icon doesn’t guarantee the site is legitimate.

Connecting the three: how safe computing fits together

In real systems, these concepts reinforce each other:

  • Encryption protects data from eavesdropping and theft.
  • Authentication controls who can access accounts and data.
  • Phishing attacks authentication by tricking the user, often bypassing technical protections.

A strong security posture uses multiple layers: even if one layer fails (a password is stolen), others (MFA, monitoring, encryption) reduce harm.

Exam Focus
  • Typical question patterns:
    • Explain how encryption increases security for data in transit or at rest.
    • Distinguish authentication from authorization and describe how MFA improves security.
    • Given a scenario, identify phishing indicators and propose safe user actions.
  • Common mistakes:
    • Saying encryption “prevents hacking” in general; you need to specify what it protects (confidentiality of data) and under what conditions.
    • Mixing up authentication and authorization (identity vs. permissions).
    • Assuming HTTPS or a familiar logo guarantees legitimacy; phishing can imitate trusted brands.