AP COMPUTER SCIENCE PRINCIPLES Test Booklet

5.6: Safe Computing

1. Directions: The question or incomplete statement below is followed by four suggested answers or
completions. Select the one that is best in each case.

A bank customer receives an e-mail from a sender claiming to be a bank employee. The e-mail asks the customer to
provide personal information and to call a phone number if he or she has any questions. The customer suspects the
e-mail might be a phishing attempt. Which of the following responses is most likely to be a privacy risk for the bank
customer?
(A) Calling the bank at its official phone number to ask whether the request for personal information is legitimate
(B) Calling the phone number given in the e-mail and providing the personal information over the phone
(C) Checking that the domain name of the sender’s e-mail address is associated with the bank
(D) Conducting aWeb search to see if other people have received similar requests for personal information

2. Many Web browsers allow users to open anonymous windows. During a browsing session in an anonymous
window, the browser does not record a browsing history or a list of downloaded files. When the anonymous
window is exited, cookies created during the session are deleted. Which of the following statements about browsing
sessions in an anonymous window is true?
The activities of a user browsing in an anonymous window will not be visible to people who monitor the
(A)
user’s network, such as the system administrator.
Items placed in a Web store’s shopping cart for future purchase during the anonymous browsing session will
(B)
not be saved on the user’s computer.
(C) A user will not be able to log in to e-mail or social media accounts during the anonymous browsing session.
A user browsing in an anonymous window will be protected from viruses launched from any Web sites
(D)
visited or files downloaded.

3. Which of the following has the greatest potential for compromising a user’s personal privacy?
(A) A group of cookies stored by the user’s Web browser
(B) The Internet Protocol (IP) address of the user’s computer
(C) The user’s e-mail address
(D) The user’s public key used for encryption

AP Computer Science Principles Page 1 of 10

 Test Booklet

5.6: Safe Computing

StreamPal is an audio-streaming application for mobile devices that allows users to listen to streaming music and connect
with other users who have similar taste in music. After downloading the application, each user creates a username,
personal profile, and contact list of friends who also use the application.

The application uses the device’s GPS unit to track a user’s location. Each time a user listens to a song, the user can give
it a rating from 0 to 5 stars. The user can access the following features for each song that the user has rated.

A list of users on the contact list who have given the song the same rating, with links to those users’ profiles
A map showing all other users in the area who have given the song the same rating, with links to those users’ profiles

A basic StreamPal account is free, but it displays advertisements that are based on data collected by the application. For
example, if a user listens to a particular artist, the application may display an advertisement for concert tickets the next
time the artist comes to the user’s city. Users have the ability to pay a monthly fee for a premium account, which removes
advertisements from the application.

4. Which of the following is most likely to be a data privacy concern for StreamPal users?
(A) Users of the application are required to rate songs in order to enable all of the application’s features.
Users of the application may have the ability to determine information about the locations of users that are
(B)
not on their contact list.
Users of the application may not be able to use the application if they are located in an area with a poor
(C)
Internet connection.
(D) Users of the application may not have similar music taste to any other users on their contact list.

5. Which of the following statements is most likely true about the differences between the basic version and the
premium version of StreamPal?
Users of the basic version of StreamPal are more likely to give songs higher ratings than are users of the
(A)
premium version of StreamPal.
Users of the basic version of StreamPal indirectly support StreamPal by allowing themselves to receive
(B)
advertisements.
Users of the basic version of StreamPal spend more on monthly fees than do users of the premium version of
(C)
StreamPal.
Users of the basic version of StreamPal use less data storage space on their devices than do users of the
(D)
premium version of StreamPal.

Page 2 of 10 AP Computer Science Principles

 Test Booklet

5.6: Safe Computing

A chain of retail stores uses software to manage telephone calls from customers. The system was recently upgraded.
Customers interacted with the original system using their phone keypad. Customers interact with the upgraded system
using their voice.

The upgraded system (but not the original system) stores all information from the calling session in a database for future
reference. This includes the customer’s telephone number and any information provided by the customer (name, address,
order number, credit card number, etc.).

The original system and the upgraded system are described in the following flowcharts. Each flowchart uses the following
blocks.

Block Explanation
Oval The start of the algorithm
Parallelogram An input or output step
A conditional or decision step, where execution proceeds to the side labeled “Yes” if the
Diamond
answer to the question is yes and to the side labeled “No” if the answer to the question is no
Rectangle The result of the algorithm

AP Computer Science Principles Page 3 of 10

 Test Booklet

5.6: Safe Computing

6. Which of the following is the most likely data privacy concern of the upgraded system?
Customers’ personal information could be compromised if an unauthorized individual gains access to the call
(A)
session database.
Storing information in the call session database makes it easy for individuals to trick the system using
(B)
malicious links.
The system design increases the chance that customers will unknowingly install malware on their devices
(C)
that will share their data with unauthorized individuals.
(D) The system design makes it easy for unauthorized individuals to acquire customers’ private encryption keys.

7. Which of the following are true statements about digital certificates in Web browsers?

I. Digital certificates are used to verify the ownership of encrypted keys used in secured communication.

II. Digital certificates are used to verify that the connection to a Web site is fault tolerant.
(A) I only
(B) II only
(C) I and II
(D) Neither I nor II

Page 4 of 10 AP Computer Science Principles

 Test Booklet

5.6: Safe Computing

8. Directions: The question or incomplete statement below is followed by four suggested answers or
completions. Select the one that is best in each case.

In public key cryptography, the sender uses the recipient’s public key to encrypt a message. Which of the following
is needed to decrypt the message?
(A) The sender’s public key
(B) The sender’s private key
(C) The recipient’s public key
(D) The recipient’s private key

9. A Web site uses several strategies to prevent unauthorized individuals from accessing user accounts. Which of the
following is NOT an example of multifactor authentication?
Each employee for a company is issued a USB device that contains a unique token code. To log into a
(A) company computer, an employee must insert the USB device into the computer and provide a correct
password.
After logging into an account from a new device, a user must enter a code that is sent via e-mail to the e-mail
(B)
address on file with the account.
In order to log into an account, a user must provide both a password and a fingerprint that is captured using
(C)
the user’s device.
When a user enters an incorrect password more than two times in a row, the user is locked out of the account
(D)
for 24 hours.

10. Directions: The question or incomplete statement below is followed by four suggested answers or
completions. Select the one that is best in each case.

Which of the following is an example of symmetric encryption?

Evy buys a locked box that operates using two different codes. When the first code is entered, a slot opens
that allows a message to be put in the box. When the second code is entered, the door to the box opens. Evy
(A)
gives the first code to her friends so they can leave messages for her and keeps the second code to herself so
that she is the only one who can retrieve the messages.
Finn and Gwen develop a system that maps each letter of the alphabet to a unique symbol using a secret key.
(B) Finn uses the key to write a message to Gwen where each letter is replaced with the corresponding symbol.
Gwen uses the key to map each symbol back to the original letter.
Hannah writes a message to send to Isabel and hides the message under a rock behind the soccer field.
(C)
Hannah gives Isabel the exact location of the rock so that only Isabel can find the message.
Juan writes a message to send to Kelly and slides the message through a slot in the front of Kelly’s locker.
(D) Juan knows that Kelly has not shared her locker combination with anyone, so no one other than Kelly will be
able to read the message.

11. A user unintentionally installs keylogging software on a computer. Which of the following is an example of how the
keylogging software can be used by an unauthorized individual to gain access to computing resources?

AP Computer Science Principles Page 5 of 10

 Test Booklet

5.6: Safe Computing

The software gives an unauthorized individual remote access to the computer, allowing the individual to
(A)
search the computer for personal information.
The software installs a virus on the computer and prompts the user to make a payment to the unauthorized
(B)
individual to remove the virus.
The software prompts the user to enter personal information to verify the user’s identity. This personal
(C)
information is recorded and transmitted to an unauthorized individual.
The software records all user input on the computer. The recorded information is transmitted to an
(D)
unauthorized individual, who analyzes it to determine the user’s login passwords.

12. An individual receives an e-mail that appears to be from an insurance company. The message offers a low insurance
rate, and prompts the recipient to click a link to learn more. Which of the following is most indicative that the e-
mail is part of a phishing attempt?
(A) After clicking the link, a browser cookie is downloaded to the recipient’s computer.
(B) After clicking the link, a Web page opens that prompts the recipient for personal information.
(C) After clicking the link, the recipient’s private network becomes publicly visible via a rogue access point.
After clicking the link, software is installed on the recipient’s computer that records every keystroke made on
(D)
the computer.

13. Which of the following best exemplifies the use of keylogging to gain unauthorized access to a computer system?
A user unintentionally installs a program on their computer that records all user input and forwards it to
(A) another computer. A few weeks later, someone else is able to access the user’s computer using the recorded
data.
A user has a very common password for an online banking account. Someone else guesses the password after
(B)
a few attempts and gains access to the user’s account.
A user logs into an unsecure Web site. Someone else is able to view unencrypted log-in information as it is
(C) transmitted over the Internet. The user has the same username and password for multiple accounts, so the
user’s log-in information for multiple systems may be compromised.
A user receives an e-mail that claims to be from the user’s bank. The e-mail instructs the user to click on a
(D) link to a Web site and enter a username and password to verify an account. Shortly after following the steps,
the user discovers that the Web site is fraudulent and that the user’s username and password were stolen.

RunRoutr is a fitness tracking application for smartphones that creates suggested running routes so that users can run with
each other. Upon downloading the application, each user creates a username, a personal profile, and a contact list of
friends who also use the application. The application uses the smartphone’s GPS unit to track a user’s location, running
speed, and distance traveled. Users can use the application to review information and statistics about their previous runs.

At the beginning of a run, users indicate the distance they want to run from their current location, and the application
suggests a running route. Once a user accepts a suggested route, the application shares the suggested route with other
compatible users in the area so that they can run together. Users are considered compatible if they are on each other’s
contact lists or if they typically run at similar speeds.

A basic RunRoutr account is free, but it displays advertisements that are targeted to individual users based on data
collected by the application. For example, if a user’s running route begins or ends near a particular store, the application
may display an advertisement for that store. Users have the ability to pay a monthly fee for a premium account, which
removes advertisements from the application.

Page 6 of 10 AP Computer Science Principles

 Test Booklet

5.6: Safe Computing

14. Which of the following is most likely to be a data privacy concern for RunRoutr users?
Users of the application are required to carry their smartphones with them while running in order to enable
(A)
all of the application’s features.
Users of the application may have the ability to determine information about the locations of users that are
(B)
not on their contact lists.
Users of the application may not be able to accurately track their running history if they share their
(C)
smartphone with another family member.
(D) Users of the application may not be compatible with any other users in their area.

15. Which of the following best exemplifies the use of multifactor authentication to protect an online banking system?
When a user resets a password for an online bank account, the user is required to enter the new password
(A)
twice.
When multiple people have a shared online bank account, they are each required to have their own unique
(B)
username and password.
After entering a password for an online bank account, a user must also enter a code that is sent to the user’s
(C)
phone via text message.
An online bank requires users to change their account passwords multiple times per year without using the
(D)
same password twice.

16. Which of the following activities poses the greatest personal cybersecurity risk?
(A) Making a purchase at an online store that uses public key encryption to transmit credit card information
(B) Paying a bill using a secure electronic payment system
(C) Reserving a hotel room by e-mailing a credit card number to a hotel
(D) Withdrawing money from a bank account using an automated teller machine (ATM)

17. A user purchased a new smart home device with embedded software and connected the device to a home network.
The user then registered the device with the manufacturer, setting up an account using a personal e-mail and
password. Which of the following explains how a phishing attack could occur against the user of the smart home
device?
A vulnerability in the device’s software is exploited to gain unauthorized access to other devices on the
(A)
user’s home network.
A vulnerability in the device’s software is exploited to install software that reveals the user’s password to an
(B)
unauthorized individual.
The user is sent an e-mail appearing to be from the manufacturer, asking the user to confirm the account
(C)
password by clicking on a link in the e-mail and entering the password on the resulting page.
The user’s account is sent an overwhelming number of messages in an attempt to disrupt service on the
(D)
user’s home network.

18. Which of the following is LEAST likely to indicate a phishing attack?

AP Computer Science Principles Page 7 of 10

 Test Booklet

5.6: Safe Computing

(A) An e-mail from your bank asks you to call the number on your card to verify a transaction
(B) An e-mail from a merchant asks that you click on a link to reset your password
An e-mail from a utility company asks you to enter your date of birth and social security number for
(C)
verification purposes
An e-mail indicates that you have won a large sum of money and asks you to enter your bank account
(D)
number so that the money can be transferred to you

19. Which of the following is an example of a phishing attack?

(A) Loading malicious software onto a user’s computer in order to secretly gain access to sensitive information
(B) Flooding a user’s computer with e-mail requests in order to cause the computer to crash
(C) Gaining remote access to a user’s computer in order to steal user IDs and passwords
(D) Using fraudulent e-mails in order to trick a user into voluntarily providing sensitive information

20. Which of the following scenarios best exemplifies a phishing attack?

A user connects to a public wireless network. An unauthorized individual intercepts data transmitted on the
(A)
network, looking for private information that can be used to gain access to the user’s accounts.
A user’s e-mail account is overwhelmed with messages containing large attachments, which causes the
(B) account to exceed the maximum amount of data allowed and temporarily prevents the user from sending and
receiving new messages.
A user receives an e-mail from a sender offering technical help with the user’s computer. The e-mail prompts
(C) the user to start a help session by clicking a provided link and entering the username and password associated
with the user’s computer.
A user chooses a weak password for an online account. An unauthorized individual successfully guesses the
(D)
user’s password from a list of common passwords.

21. A city’s police department has installed cameras throughout city streets. The cameras capture and store license plate
data from cars driven and parked throughout the city. The authorities use recorded license plate data to identify
stolen cars and to enforce parking regulations.

Which of the following best describes a privacy risk that could occur if this method of data collection is misused?
(A) The cameras may not be able to read license plates in poor weather conditions.
(B) Local business owners could lose customers who are unwilling to park in the city.
(C) Traffic personnel who work for the city could lose their jobs if their services are no longer needed.
(D) The vehicle location data could be used to monitor the movements of city residents.

22. Which of the following best explains how a certificate authority is used in protecting data?
A certificate authority certifies the safety of a particular Web site so that users know that it does not contain
(A)
any viruses.
(B) A certificate authority issues passwords that grant access to secure databases.
A certificate authority maintains a secure database that maps all Web domain names to the IP addresses of
(C)
the servers where the sites are hosted.
(D) A certificate authority verifies the authenticity of encryption keys used in secured communications.

Page 8 of 10 AP Computer Science Principles

 Test Booklet

5.6: Safe Computing

23. Which of the following is a true statement about the use of public key encryption in transmitting messages?
Public key encryption enables parties to initiate secure communications through an open medium, such as the
(A)
Internet, in which there might be eavesdroppers.
Public key encryption is not considered a secure method of communication because a public key can be
(B)
intercepted.
Public key encryption only allows the encryption of documents containing text; documents containing audio
(C)
and video must use a different encryption method.
Public key encryption uses a single key that should be kept secure because it is used for both encryption and
(D)
decryption.

24. An Internet user has a need to send private data to another user. Which of the following provides the most security
when transmitting private data?
(A) Certifying the data with a Creative Commons license before sending it
(B) Sending the data using a high-bandwidth connection
(C) Sending the data using public-key encryption
(D) Sending the data using redundant routing

25. Which of the following is an example of an attack using a rogue access point?
An unauthorized individual gains the ability to view network traffic by connecting to a network router that
(A)
uses weak or no security measures.
An unauthorized individual physically disconnects an exposed network router, making the network
(B)
unavailable to some users.
An unauthorized individual poses as a network administrator and attempts to trick a user into providing
(C)
personal information.
A group of unauthorized individuals overwhelms a network router with traffic, making it unavailable to some
(D)
users.

26. Which of the following best exemplifies the use of multifactor authentication?
A computing device enables users to input information using multiple interfaces, including a keyboard, a
(A)
mouse, and a touch pad.
A user employs a public key encryption method that uses one key to encrypt information and a different key
(B)
to decrypt information.
A Web site requires a user to enter a password as well as a numeric code received via text message before the
(C)
user can log in to an account.
Multiple users share an account to a Web-based software program, and each user has an individual username
(D)
and password.

27. Which of the following best explains how symmetric encryption algorithms are typically used?

AP Computer Science Principles Page 9 of 10

 Test Booklet

5.6: Safe Computing

Symmetric encryption uses a single key that should be kept secret. The same key is used for both encryption
(A)
and decryption of data.
Symmetric encryption uses a single key that should be made public. The same key is used for both
(B)
encryption and decryption of data.
Symmetric encryption uses two keys that should both be kept secret. One key is used for encryption, and the
(C)
other is used for decryption.
Symmetric encryption uses two keys. The key used for encryption should be made public, but the key used
(D)
for decryption should be kept secret.

28. Which of the following best explains how devices and information can be susceptible to unauthorized access if
weak passwords are used?
Unauthorized individuals can deny service to a computing system by overwhelming the system with login
(A)
attempts.
Unauthorized individuals can exploit vulnerabilities in compression algorithms to determine a user’s
(B)
password from their decompressed data.
Unauthorized individuals can exploit vulnerabilities in encryption algorithms to determine a user’s password
(C)
from their encryption key.
(D) Unauthorized individuals can use data mining and other techniques to guess a user’s password.

29. Individuals sometimes attempt to remove personal information from the Internet. Which of the following is the
LEAST likely reason the personal information is hard to remove?
Internet users with a copy of the information might redistribute the personal information without first seeking
(A)
permission.
(B) There are potentially an extremely large number of devices on the Internet that may contain the information.
(C) Automated technologies collect information about Internet users without their knowledge.
All personal information is stored online using authentication measures, making the information hard to
(D)
access.

Page 10 of 10 AP Computer Science Principles