Web Applications: Get a Grip on PrivacyMichael CornCAMP 2008

Outline

Relationship to Identity Management Free Speech Privacy Censorship Concerns Visibility and Public use of Resources Outsourcing Hosting or Linking to External Content

Relationship to Identity Management

Relatively few unique challenges– Most content is user generated– Students are surprisingly savvy about privacy matters

http://www.pewinternet.org/pdfs/PIP_Teens_Privacy_SNS_Report_Final.pdf

Greatest challenges are – the demand for “opaque authentication”– desire for public visibility– desire for public interaction (esp. blogs)– faculty expectations of technology

Privacy

Privacy and the Web do not have to be orthogonal, but try very hard to be so

FERPA, FERPA, FERPA– Misinformation

Faculty behavior implies that pedagogical concerns trump personal privacy

Opaque authentication - few (if any) tools See FERPA Scenarios

Privacy II

Link to your campus Privacy policy or whatever serves that purpose

It should include:– What data web sites may collect– Survey's that take place on the web– Public discussion forums– eCommerce– FERPA, SSNs, Cookies, and other security matters– Legal conditions (warranties and liability).

Illinois’s Web Privacy Notice:http://www.vpaa.uillinois.edu/policies/web_privacy.asp

Free Speech

Understand the ‘limits’ on the use of your resources– Political campaigning (policy and Illinois State law)– Commercial activity

All forms of communication can be construed as part of the educational environment - but not everywhere

Define the purpose and scope of a service

Free Speech II

Creating a Terms of Use (ToU) statement; Communicating the ToU to the consumers and

ensuring they acknowledge its receipt; and Responding to violations in a timely yet

transparent fashion

Guidelines for creating a Terms of Usehttp://www.uiuc.edu/alwaysillinois/termshttps://agora.cs.uiuc.edu/x/AR

Censorship Concerns

Before deploying a Wiki or blog, consider the following:– Are you concerned that individuals will use your forums

to disparage your unit?– Are you prepared to face individuals whose content you

have removed and explain why said content is unprofessional and/or inappropriate?

– Are you prepared to sanction individuals who consistently violate your ToU by prohibiting their use of the resource?

– What is your comfort level for critical speech or aggressive disagreement being displayed on your resource?

Visibility and Public use of Resources

Electronic resources should be made visible only to those population using those resources. – Require authentication to your resource (a login and

password) and limit access and visibility – Control search engines

If your resource is open to the public Internet by design, then it is even more critical to address the issue of a Terms of Use statement before users can access the resource.

Hosting or Linking to External Content

Scenario: Faculty/staff/student/alumni is doing fieldwork and blogging about it using a commercial service; your public affairs office (or the department) wants to feature the blog on their web site - what issues are you facing?– Permission to include content– Appropriateness of content (watch for commercial

sponsorship)– Privacy of individuals in photos– Use of ‘departure flag’ for links to non-University

resources

Outsourcing

General Principles:– Data stored on third-party servers or systems must be secured

to at least the same degree as the Campus or University would meet.

– Student data and access to systems by students will require vetting by the Campus Security Office and the Office of Admissions and Records to ensure compliance with FERPA and other campus security and privacy related policies.

– The burden this brings to vendors is non-trivial; many vendors simply will not be able to comply with the high-standard the Campus has for security and confidential or high-risk data.

See Sample Procurement Language

Summary

Create a service description document (SDD) that identifies the users of the service (both participants and observers) and a description of what the purpose of the service is (e.g., "to build a sense of community among our graduate students" or "to discuss topics relevant to rocket science").

Create a Terms of Use document. Place a link to the ToU on every web page or in the 'signature

block' of any auto-generated email messages. Place a link to your University’s Privacy Policy on the main pages

of your service. Create a mechanism for users to report inappropriate usage. This

can be as simple as the email address for the individual responsible for the service or a form that permits anonymous reporting.

Be very careful about outsourcing arrangements.

Resources

Guidelines for Writing a Terms of Use– https://netfiles.uiuc.edu/xythoswfs/webui/_xy-27100251_2-t_iA5QhDUx

Sample Procurement Language– https://netfiles.uiuc.edu/xythoswfs/webui/_xy-27100249_2-t_bvKcsRzh

Guidelines for Wikis and Blogs (written version of this presentation)– https://netfiles.uiuc.edu/xythoswfs/webui/_xy-27100252_2-t_eMOLgXmi

FERPA Scenarios– https://netfiles.uiuc.edu/xythoswfs/webui/_xy-27100250_2-t_AUdATNzA

Feel free to contact me: Mike Corn mcorn@uiuc.edu