TRANSCRIPT
IAPP Privacy Certification
Web Privacy & Security
Ruth Nelson
Director and Co-leader, Privacy Practice
Certified Information Privacy Professional
agenda
• data collection
• Web technologies
• notice mechanisms
• Web user tracking
• children’s privacy
• email marketing
• Web security
• advertising, phishing and spyware
• online verification and certification
Web technologies: Internet vs. the Web
• Internet
  – a global network connecting millions of computers
• World Wide Web (the Web)
  – an information sharing model that is built on top of the Internet
  – utilizes the HTTP protocol and browsers (such as Internet Explorer) to access Web pages formatted in HTML that are linked via hyperlinks
  – the Web is only a subset of the Internet (other uses of the Internet include email (via SMTP), Usenet, instant messaging and file transfer (via FTP))
Web technologies: protocols & languages
• IP (Internet Protocol)
  – specifies the format of data packets and the addressing protocol
• IP address
  – a unique number assigned to each connected device
  – often assigned dynamically to users by an ISP on a session-by-session basis (dynamic IP address)
  – increasingly becoming dedicated, particularly with always-on broadband connections (static IP address)
Web technologies: protocols & languages
• TCP (Transmission Control Protocol)
  – enables two devices to establish a connection and exchange data
• TCP/IP
  – used to send data over the Internet
• packet
  – a portion of a message sent over a TCP/IP network
  – contains content and destination
Web technologies: protocols & languages
• HTTP (HyperText Transfer Protocol)
  – underlying protocol of the World Wide Web
  – defines how messages are formatted and transmitted over a TCP/IP network for Web sites
  – defines what actions Web servers and Web browsers take in response to various commands
  – example: when you enter a URL in your browser, an HTTP command is sent to the Web server telling it to fetch and transmit the requested Web page
Web technologies: protocols & languages
• SSL (Secure Sockets Layer)
  – protocol for establishing a secure connection for transmission
  – uses the HTTPS convention
• JavaScript
  – a scripting language to produce more interactive and dynamic Web sites
• Flash
  – a bandwidth-friendly animation technology increasingly used to liven up Web pages and advertisements
Web technologies: protocols & languages
• HTML (HyperText Markup Language)
  – the authoring language used to create documents on the World Wide Web
  – hundreds of tags can be used to format and lay out a Web page’s content and to hyperlink to other Web content
• URL (Uniform Resource Locator)
  – the address of documents and other content on the Web
• hyperlink
  – used to connect a user to other parts of a Web site and to other Web sites and Web-enabled services
Web technologies: Web clients & servers
• Web server
  – a computer that is connected to the Internet, hosts Web content and is configured to share that content
• Web client
  – most commonly in the form of Web browser software such as Internet Explorer or Netscape
  – used to navigate the Web and retrieve Web content from Web servers for viewing
Web technologies: Web clients & servers
• proxy server
  – an intermediary server that provides a gateway to the Web (e.g., employee access to the Web most often goes through a proxy)
  – improves performance through caching and filters the Web
  – the proxy server will also log each user interaction
• caching
  – Web browsers and proxy servers save a local copy of the downloaded content
  – pages that display personal information should be set to prohibit caching
data collection: active vs. passive collection
• active collection
  – where a user actively provides information, usually through Web forms
• passive collection
  – where information is gathered automatically as the user navigates from page to page on a Web site
data collection: Web forms
• Web form: a portion of a Web page containing blank fields that users can fill in with data (including personal info)
• when the user submits the form, it is sent to a Web server that processes the information, where it can be stored in a database
data collection: Web forms
• one-line text boxes are used to capture specific pieces of information such as name, city, credit card number or search terms
• scrolling text boxes are used to capture a sentence or more of text (e.g., a request for support)
• checkboxes and radio buttons are used to collect answers to structured questions (a common approach to providing privacy choice)
data collection: Web forms
• privacy considerations for Web forms:
  – should be designed to require only what is really needed (and make it clear what, if anything, is optional)
  – should be accompanied by a functioning link to the privacy statement (“notice at the point of collection”)
  – should use the POST method of form submission (the alternative GET method places the submitted values in the URL, which can inadvertently spill information to third parties via the referrer URL)
data collection: Web forms
• privacy considerations for Web forms (continued):
  – should place limitations on one-line text boxes to help ensure they are only used as intended (e.g., a maximum of 14 characters for first name)
  – should be cautious in using scrolling text boxes: you have no control over what information the user submits!
  – should use secure transmission (e.g., SSL) for the collection of sensitive personal information (a requirement in some instances)
  – AutoComplete should be turned off for sensitive personal information, as it could be exposed on shared computers
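The two slides of Web-form considerations above can be checked mechanically. The following is an added example, not code from the IAPP deck: a small auditor that parses a page's HTML and reports each consideration a form violates. The sample form, the list of field names treated as sensitive and the wording of the findings are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: one form that breaks several of the considerations.
SAMPLE_FORM = """
<form action="http://www.example.com/signup" method="get">
  <input type="text" name="first_name">
  <input type="text" name="card_number" autocomplete="on">
  <input type="text" name="password">
  <textarea name="comments"></textarea>
</form>
"""

# Assumed list of field names that carry sensitive personal information.
SENSITIVE = {"card_number", "password", "ssn"}

class FormAuditor(HTMLParser):
    """Collects one finding per violated consideration while parsing the HTML."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                       # attribute names arrive lowercased
        name = a.get("name", "?")
        if tag == "form":
            if (a.get("method") or "get").lower() != "post":
                self.findings.append("form uses GET: field values can spill via the referrer URL")
            if urlsplit(a.get("action") or "").scheme.lower() == "http":
                self.findings.append("form submits over plain HTTP instead of SSL")
        elif tag == "input":
            typ = (a.get("type") or "text").lower()
            if name == "password" and typ != "password":
                self.findings.append("password field does not use the password type")
            if typ == "text" and "maxlength" not in a:
                self.findings.append(f"{name}: one-line text box has no length limit")
            if name in SENSITIVE and (a.get("autocomplete") or "on").lower() != "off":
                self.findings.append(f"{name}: AutoComplete not turned off")
        elif tag == "textarea":
            self.findings.append(f"{name}: scrolling text box, submitted content is uncontrolled")

def audit_form_html(html):
    """Return the list of privacy findings for every form in the HTML."""
    auditor = FormAuditor()
    auditor.feed(html)
    return auditor.findings
```

Running `audit_form_html(SAMPLE_FORM)` yields nine findings for the sample form; a form that uses POST over https, the password field type, maxlength on text boxes and AutoComplete off on sensitive fields yields none.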
data collection: software & the Internet converge
• increasingly, client software is connecting to the Internet; examples include:
  – financial packages (updating account details)
  – media players (downloading metadata)
  – operating systems and applications (automatic updates and error reporting)
• it is important to ensure that adequate notice and choice is in place for these situations
data collection: third-party interactions
• the boundaries of Web sites are increasingly becoming blurred:
  – joint-venture co-branded Web sites
  – syndicated content
  – Web services such as news feeds, weather reports, metrics gathering and advertising
• privacy professionals need to understand these third-party interactions and ensure that it is clear to the user which entities are receiving information, and that the appropriate contractual protections are in place to protect privacy
Web user tracking: Web server logs
• Web server log: every time a Web page is requested, the Web server may automatically log the following information:
  – the IP address of the visitor
  – date and time of the request
  – the URL of the requested file
  – the URL the visitor came from immediately before (referrer URL)
  – the visitor’s Web browser type and operating system
• example HTTP request as received by the Web server:
  GET http://www.amazon.com/ HTTP/1.0
  User-Agent: Mozilla/3.01 (X11; I; SunOS 4.1.4 sun4m)
  Host: www.amazon.com
  Referer: http://www.alcoholics-anonymous.org/
  Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
  Cookie: session-id-time=868867200; session-id=6828-2461327-649945; group_discount_cookie=F
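To make concrete what a request like the one above leaves in a server log, here is an added example (not code from the IAPP deck) that turns a raw HTTP request into the log fields the slide lists. It also shows the referrer problem the Web-forms slide mentions: when the previous site submitted a form with GET, its field values arrive here in the Referer header. The request text, client IP address and timestamp are constructed; the IP and time are assumed to come from the connection rather than the request.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed request in the same shape as the slide's example; the referrer is
# a form on another site that was submitted with GET.
RAW_REQUEST = (
    "GET /search?q=privacy HTTP/1.0\r\n"
    "User-Agent: Mozilla/3.01 (X11; I; SunOS 4.1.4 sun4m)\r\n"
    "Host: www.example.com\r\n"
    "Referer: http://forms.example.org/signup?email=alice%40example.org&dob=1970-01-01\r\n"
    "Accept: */*\r\n"
    "Cookie: session-id=6828-2461327-649945\r\n"
    "\r\n"
)

def parse_request(raw):
    """Split the request line and headers; header names are lowercased."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}

def log_record(raw, client_ip, timestamp):
    """Assemble the fields the deck says a Web server records for a request."""
    req = parse_request(raw)
    h = req["headers"]
    return {
        "ip": client_ip,                          # from the TCP connection
        "time": timestamp,                        # from the server clock
        "method": req["method"],
        "url": req["target"],
        "referrer": h.get("referer", "-"),        # HTTP spells the header "Referer"
        "user_agent": h.get("user-agent", "-"),   # browser type and operating system
    }

def referrer_query_fields(record):
    """Names of query parameters the referring page passed along; a non-empty
    list means another site's GET form data has reached this server's log."""
    if record["referrer"] == "-":
        return []
    return sorted(parse_qs(urlsplit(record["referrer"]).query))

def log_line(record):
    """Render the record as one combined-log-format style line."""
    return (f'{record["ip"]} - - [{record["time"]}] "{record["method"]} {record["url"]}" '
            f'"{record["referrer"]}" "{record["user_agent"]}"')
```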
Web user tracking: cookies
• a cookie is a small text file provided by a Web server and stored on a user’s PC
• the text can be sent back to the server every time the browser requests a page from the server
• cookies are used to identify a user as they navigate through a Web site and/or return at a later time
• cookies enable a range of functions, including personalization of content
Web user tracking: cookies
• session vs. persistent cookies
  – a session cookie is stored only while the user is connected to the particular Web server; the cookie is deleted when the user disconnects
  – persistent cookies are set to expire at some point in the future; many are set to expire a number of years forward
Web user tracking: cookies
• 1st-party vs. 3rd-party cookies
  – a first-party cookie is set and read by the Web server hosting the Web site the user is visiting
  – a third-party cookie is set and read by a third-party Web server that is providing a service, such as advertising or analytics, to the Web site the user is visiting
Web user tracking: cookies
• example cookie (annotated screenshot; callouts: content of cookie, 1st-party cookie, P3P compact policy, expiry date of persistent cookie)
Web user tracking: cookies
• privacy considerations for cookies:
  – should not store unencrypted personal information in cookies
  – should provide adequate notice of cookie usage
  – should only use persistent cookies if the need justifies it
  – should not set long expiry dates
  – 3rd-party cookie providers should be vetted, disclosed and perhaps an opt-out provided (e.g., DoubleClick)
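The cookie considerations above, together with the session/persistent and 1st/3rd-party distinctions from the earlier slides, can be applied to a server's Set-Cookie headers. This is an added example, not code from the IAPP deck: the sample headers are constructed, and the one-year threshold for a "long" expiry and the e-mail pattern used to spot unencrypted personal information are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import unquote

LONG_EXPIRY = timedelta(days=365)   # assumption: anything longer counts as a long expiry
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")   # one easy-to-spot kind of PII

# Constructed Set-Cookie headers returned to a visitor of www.example.com.
SAMPLE_SET_COOKIES = [
    "session-id=6828-2461327-649945; Path=/",
    "user=alice%40example.org; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
    "id=abc123; Domain=.ads-tracker.example.net; Max-Age=63072000; Path=/",
]

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs

def cookie_issues(header, site_host, now):
    """Privacy issues raised by one cookie set while visiting site_host."""
    name, value, attrs = parse_set_cookie(header)
    issues = []
    lifetime = None                              # None means a session cookie
    if "max-age" in attrs:
        lifetime = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        lifetime = parsedate_to_datetime(attrs["expires"]) - now
    if lifetime is not None:
        issues.append("persistent cookie: only use if the need justifies it")
        if lifetime > LONG_EXPIRY:
            issues.append(f"long expiry date ({lifetime.days} days)")
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and site_host != domain and not site_host.endswith("." + domain):
        issues.append(f"third-party cookie ({domain}): vet, disclose, consider opt-out")
    if EMAIL_RE.search(unquote(value)):
        issues.append("unencrypted personal information stored in cookie")
    return name, issues

def audit_cookies(headers, site_host, now=None):
    """Map each cookie name to its issues; an empty list means no concern."""
    now = now or datetime.now(timezone.utc)
    return dict(cookie_issues(h, site_host.lower(), now) for h in headers)
```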
Web user tracking: Web beacons
• also known as a Web bug, pixel tag or clear GIF
• usually a clear graphic image of 1 x 1 pixel in size on a Web page or in HTML email
• operates as a tag that records a visit to a particular Web page
• often used in conjunction with a cookie and provided as part of a third-party tracking service
• provides an ability to produce specific profiles of user behavior in combination with Web server logs
• uses include hit counters, ad campaign performance measurement and email readership
Web user tracking: Web beacons
• Web beacon example:
  <IMG SRC="http://fcstats.bcentral.com/activity;src=999387;type=virtu430;cat=event251;ord=1;num='+ a + '?" WIDTH="1" HEIGHT="1" BORDER="0">
Web user tracking: Web beacons
• privacy considerations for Web beacons:
  – they are invisible to users, so lack of notice might be deemed unfair or deceptive
  – it is safest to implement them in a non-personally identifiable manner
  – choice should be provided for use in a personally identifiable manner (consistent with the US FTC-approved NAI Web Beacon Guidelines found at www.networkadvertising.org)
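Because beacons are invisible to users, a site operator wanting to give notice first has to find them. The following is an added example, not code from the IAPP deck, of the kind of scan the verification section later calls a Web scanning technology: it finds 1 x 1 images in a page's HTML, notes whether each reports to a server other than the site's own, and lists the tracking fields it carries. The sample page and host names are constructed; the tag shapes follow the slide's beacon example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed page for www.example.com: a normal logo, a third-party beacon in
# the same style as the slide's example, and a first-party pixel.
SAMPLE_PAGE = """
<img src="/images/logo.gif" width="120" height="40" alt="logo">
<img src="http://fcstats.example.net/activity;src=999387;type=virtu430;cat=event251;ord=1"
     width="1" height="1" border="0">
<img src="https://www.example.com/pixel.gif?campaign=spring" width="1" height="1">
"""

class BeaconFinder(HTMLParser):
    """Records every 1 x 1 image and whether it is fetched from another host."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        if a.get("width") != "1" or a.get("height") != "1":
            return                                   # visible image, not a beacon
        src = a.get("src") or ""
        parts = urlsplit(src)
        host = parts.netloc.lower() or self.site_host  # relative src: same host
        # Tracking fields appear as ;key=value path segments (as in the slide's
        # example) or as an ordinary query string.
        fields = parts.path.split(";")[1:]
        fields += [f"{k}={v}" for k, v in parse_qsl(parts.query)]
        self.beacons.append({"src": src, "host": host,
                             "third_party": host != self.site_host,
                             "fields": fields})

def find_beacons(html, site_host):
    """Return the beacon candidates found in html for a page served by site_host."""
    finder = BeaconFinder(site_host.lower())
    finder.feed(html)
    return finder.beacons

def third_party_beacons(html, site_host):
    """Just the beacons that report to a server other than the site's own."""
    return [b for b in find_beacons(html, site_host) if b["third_party"]]
```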
notice mechanisms: content of notices
• comprehensive privacy statements typically cover:
  – effective date
  – scope
  – information collected (both actively and passively)
  – information uses
  – choices available
  – how to modify information or preferences
  – how to contact or register a dispute
  – how policy changes will be communicated
notice mechanisms: P3P
• Platform for Privacy Preferences Project (P3P) of the World Wide Web Consortium (W3C)
• representation of a privacy statement in a machine-readable format (XML-based standard)
• user agents can discover Web site privacy practices and take an action as a result (e.g., Microsoft Internet Explorer and Netscape cookie controls, AT&T PrivacyBird plug-in)
notice mechanisms: P3P
• full P3P policy
  – referenced from a “well known location” on the Web server (…./w3c/p3p.xml) or from the server header so Web browsers know where to locate it
  – Web browsers translate this into a human-readable version in a standardized format
  – communicated upon user request (e.g., in Internet Explorer: View, Privacy Report, View Summary)
notice mechanisms: P3P
• compact P3P policy
  – shorter version of the policy constructed of a series of 3 or 4 letter “tokens”
  – communicated with each Web page
• example compact policy header:
  P3P: CP = “CAO DSP COR CUR CONo ADMa DEVa TAIa TELo PSAa PSDa OUR SAMi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA PRE”
  – CONo: information may be used to contact the individual (opt-out provided)
  – CAO: online access provided to contact and other information
  – PHY: physical contact information is collected on the site
notice mechanisms: layered notices
• industry initiative to provide privacy notices in a more succinct, readable and comparable format
• short notice (the top layer)
  – one screen of policy highlights using a standard format covering scope, information collection, information use, choice, additional information and contact details
  – provides links to the full statement
• full statement
  – comprehensive information policy disclosure
notice mechanisms: Web links to notices
• at a minimum, privacy statements should be accessible from the home page and from all collection points
• following the principle of “at or before the point of information collection”, many Web sites choose to provide a link on every page to cover passive information collection
• the link should be in an easy-to-find location, in a font no less prominent than other links on the page
children’s privacy: parental consent
• particular concerns exist in relation to the collection of personal information from children
• countries with specific online child privacy protections include Korea (<12) and the United States (<13)
• parental consent is required prior to collection of PII
Web security: security information
• information security is covered in a separate CIPP module
• a few Web security-specific aspects are addressed here:
  – authentication
  – encryption
  – Web application vulnerabilities
Web security: authentication
• the more sensitive the Web site, the stronger the authentication should be: require more than one piece of information to authenticate
• password fields should use the “password” field type in HTML, which masks the display of text entered to respect privacy
• cookies are not an effective means of authentication: consider the possibility of multiple-user PCs
Web security: encryption
• by default, information travels in clear text across the Internet
• transmission of personal information can be secured through SSL (Secure Sockets Layer)
• SSL establishes an encrypted connection between the Web server and Web browser
• should require a high level of encryption (e.g., 128-bit) for sensitive uses (e.g., access to bank accounts)
• SSL provides user comfort in addition to actual security: consider securing the page hosting the form as well as securing the transmission
Web security: Web application vulnerabilities
• security weaknesses with privacy consequences include:
  – unvalidated input
  – broken session management
  – cross-site scripting
  – injection flaws
• refer to the OWASP Top Ten (www.owasp.org) for further details
email marketing: email tracking
• marketing emails (formed in HTML) are increasingly similar to Web pages
• while they most often do not include Web forms (but link to Web sites that do), they can have third-party interactions and user tracking linked to PII
• behavioral profiles are often built, so Web beacon and cookie protections apply
• SPAM (unsolicited commercial email) and phishing are key concerns
verification & certification: self-regulatory certifications
• self-regulatory regimes such as TRUSTe and BBB Online require self-certification to a set of online privacy best practices, provide a ‘trust’ mark and provide an independent remediation mechanism
verification & certification: attestation
• in some business models, a more comprehensive audit of compliance is justified (due to sensitivity or the drive for a competitive differentiator)
• an independent third party will test actual compliance with the Web privacy policy and publish an audit report
• examples include CPA WebTrust and custom attestations from audit firms
verification & certification: Web scanning technologies
• a category of privacy-enabling technology has emerged to address the complexity of dealing with a long list of privacy concerns across large and ever-changing Web sites
• these technologies crawl through Web sites and report on Web privacy issues and compliance status
advertising, phishing & spyware: advertising
• many Web sites rely on the provision of advertising to fund their activities
• targeted advertising can provide value to both the visitor and the Web site operator, but might be considered privacy invasive if it is performed without transparency or is based on sensitive information
• network advertising service providers have the most sensitivity due to their ability to create broad profiles of user behavior (ref: NAI, www.networkadvertising.org)
advertising, phishing & spyware: phishing
• phishing
  – setting up a bogus Web site to fraudulently capture sensitive PII and luring users to that Web site via a spoofed SPAM email
advertising, phishing & spyware: adware/spyware
• adware
  – software that is often downloaded in a deceptive manner (e.g., ‘drive-by download’) and monitors the user’s online behavior to target advertising
• spyware
  – software that is usually covertly downloaded and used to fraudulently collect and use sensitive PII such as bank account credentials and credit card numbers