IAPP Privacy Certification - PowerPoint PPT Presentation

Slides: 68
Provided by: peterk2
Transcript and Presenter's Notes

1
IAPP Privacy Certification
Certified Information Privacy Professional
Web Privacy & Security
Martin Keane, Senior Consultant
2
learning objectives
This course material describes the key technologies of the Internet and the World Wide Web. It provides an overview of privacy and security considerations for an organization's external Websites and other e-commerce channels such as electronic mail.
3
learning objectives
  • This course material will enable students to better understand:
  • The technical make-up of the Internet and World Wide Web from a high-level perspective
  • The range of Web privacy and security challenges such as collecting personal information and tracking end user activities, as well as children's privacy online
  • The emerging threats of spyware and phishing
  • The importance of effective disclosure mechanisms such as P3P and layered notices
  • A selection of standards and best practices that will mitigate risk and build brand trust

4
presenter
Martin Keane is Senior Consultant with PricewaterhouseCoopers' privacy practice. Mr. Keane is based in Washington, D.C. and focuses his work in the technology and information sectors. He has over 18 years of experience. Martin has performed dataflow analysis and safe harbor compliance assessments for large multinational companies. He has also developed privacy enhancing technologies and compliance tools, including P3P-based solutions such as WebXM, a Website analysis tool set from Watchfire.
5
agenda
  • Web technologies
  • data collection
  • Web user tracking
  • notice mechanisms
  • children's privacy

6
agenda
  • Web security
  • email marketing
  • online verification and certification
  • advertising, phishing and spyware

7
Web Privacy & Security
Web technologies
8
Web technologies
Internet vs. the Web
  • Internet
  • a global network connecting millions of computers
  • World Wide Web (the Web)
  • an information sharing model that is built on top of the Internet
  • utilizes the HTTP protocol and browsers (such as Internet Explorer) to access Web pages formatted in HTML that are linked via hyperlinks
  • the Web is only a subset of the Internet (other uses of the Internet include email (via SMTP), Usenet, instant messaging and file transfer (via FTP))
9
Web technologies
protocols & languages
  • IP (Internet Protocol)
  • specifies the format of data packets and the addressing protocol
  • IP Address
  • a unique number assigned to each connected device
  • often assigned dynamically to users by an ISP on a session-by-session basis (dynamic IP address)
  • increasingly becoming dedicated, particularly with always-on broadband connections (static IP address)

10
Web technologies
protocols & languages
  • TCP (Transmission Control Protocol)
  • enables two devices to establish a connection and
    exchange data
  • TCP/IP
  • used to send data over the Internet
  • Packet
  • a portion of a message sent over a TCP/IP Network
  • contains content and destination

11
Web technologies
protocols & languages
  • HTTP (HyperText Transfer Protocol)
  • underlying protocol of the World Wide Web
  • defines how messages are formatted and transmitted over a TCP/IP network for Web sites
  • defines what actions Web servers and Web browsers take in response to various commands
  • example: when you enter a URL in your browser, an HTTP command is sent to the Web server telling it to fetch and transmit the requested Web page

12
Web technologies
protocols & languages
  • SSL (Secure Sockets Layer)
  • protocol for establishing a secure connection for
    transmission
  • uses the HTTPS convention
  • JavaScript
  • a scripting language to produce more interactive
    and dynamic Web sites
  • Flash
  • a bandwidth friendly animation technology
    increasingly used to liven up Web pages and
    advertisements

13
Web technologies
protocols & languages
  • HTML (HyperText Markup Language)
  • the authoring language used to create documents on the World Wide Web
  • hundreds of tags can be used to format and lay out a Web page's content and to hyperlink to other Web content
  • URL (Uniform Resource Locator)
  • the address of documents and other content on the
    Web
  • hyperlink
  • used to connect a user to other parts of a web
    site and to other web sites and web-enabled
    services

14
Web technologies
Web clients & servers
  • Web server
  • a computer that is connected to the Internet,
    hosts Web content and is configured to share that
    content
  • Web client
  • most commonly in the form of Web browser software
    such as Internet Explorer or Netscape
  • used to navigate the Web and retrieve Web content
    from Web servers for viewing

15
Web technologies
Web clients & servers
  • proxy server
  • an intermediary server that provides a gateway to the Web (e.g., employee access to the Web most often goes through a proxy)
  • improves performance through caching and filters the Web
  • the proxy server will also log each user interaction
  • caching
  • Web browsers and proxy servers save a local copy of the downloaded content; pages that display personal information should be set to prohibit caching

16
Web Privacy & Security
data collection
17
data collection
active vs. passive collection
  • active collection
  • where a user actively provides information,
    usually through Web forms
  • passive collection
  • where information is gathered automatically as
    the user navigates from page to page on a Web site

18
data collection
Web forms
  • Web form: a portion of a Web page containing blank fields that users can fill in with data (including personal info)
  • when the user submits the form, it is sent to a Web server that processes the information, where it can be stored in a database

19
data collection
Web forms
  • one-line text boxes are used to capture specific pieces of information such as name, city, credit card number, search terms
  • scrolling text boxes are used to capture a sentence or more of text, e.g., a request for support
  • checkboxes and radio buttons are used to collect answers to structured questions; a common approach to providing privacy choice

20
data collection
Web forms
  • privacy considerations for Web forms
  • should be designed to only require what is really
    needed (and make it clear what, if anything, is
    optional)
  • should be accompanied by a functioning link to
    the privacy statement (notice at the point of
    collection)
  • should use the POST method of form submission
    (the alternative GET method can inadvertently
    spill information to third parties, via the
    referrer URL)

21
data collection
Web forms
  • privacy considerations for Web forms (continued)
  • should place limitations on one-line text boxes to help ensure they are only used as intended (e.g., maximum of 14 characters for first name)
  • should be cautious in using scrolling text boxes: you have no control over what information the user submits!
  • should use secure transmission (e.g., SSL) for the collection of sensitive personal information (a requirement in some instances)
  • AutoComplete should be turned off for sensitive personal information as it could be exposed on shared computers

22
data collection
software & the Internet converge
  • increasingly, client software is connecting to the Internet; examples include:
  • financial packages (updating account details)
  • media players (downloading metadata)
  • operating systems and applications (automatic
    updates and error reporting)
  • it is important to ensure that adequate notice
    and choice is in place for these situations

23
data collection
third-party interactions
  • the boundaries of Web sites are increasingly
    becoming blurred
  • joint-venture co-branded Web sites
  • syndicated content
  • Web services such as news feeds, weather reports,
    metrics gathering, advertising
  • privacy professionals need to understand these
    third-party interactions and ensure that it is
    clear to the user which entities are receiving
    information, and that the appropriate contractual
    protections are in place to protect privacy

24
Web Privacy & Security
Web user tracking
25
Web user tracking
Web server logs
  • Web server log: every time a Web page is requested, the Web server may automatically log the following information:
  • the IP address of the visitor
  • date and time of the request
  • the URL of the requested file
  • the URL the visitor came from immediately before (referrer URL)
  • the visitor's Web browser type and operating system

    GET http://www.amazon.com/ HTTP/1.0
    User-Agent: Mozilla/3.01 (X11; I; SunOS 4.1.4 sun4m)
    Host: www.amazon.com
    Referer: http://www.alcoholics-anonymous.org/
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
    Cookie: session-id-time=868867200; session-id=6828-2461327-649945; group_discount_cookie=F
26
Web user tracking
cookies
  • a small text file provided by a Web server and stored on a user's PC
  • the text can be sent back to the server every
    time the browser requests a page from the server
  • cookies are used to identify a user as they
    navigate through a Web site and/or return at a
    later time
  • cookies enable a range of functions including
    personalization of content

27
Web user tracking
cookies
  • session vs. persistent cookies
  • a session cookie is stored only while the user is connected to the particular Web server; the cookie is deleted when the user disconnects
  • persistent cookies are set to expire at some point in the future; many are set to expire a number of years forward

28
Web user tracking
cookies
  • 1st-party vs. 3rd-party cookies
  • a first-party cookie is set and read by the Web
    server hosting the Web site the user is visiting
  • a third-party cookie is set and read by a
    third-party Web server that is providing a
    service, such as advertising or analytics, to the
    Web site the user is visiting

29
Example cookie (screenshot)
cookies
The slide's callouts point out the expiry date of the persistent cookie, the content of the cookie, that it is a 1st-party cookie, and the P3P compact policy.
30
Web user tracking
cookies
  • privacy considerations for cookies
  • should not store unencrypted personal information
    in cookies
  • should provide adequate notice of cookie usage
  • should only use persistent cookies if the need
    justifies it
  • should not set long expiry dates
  • 3rd party cookie providers should be vetted,
    disclosed and perhaps opt-out provided (e.g.,
    DoubleClick)
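An added example (not from the slides) that audits Set-Cookie headers against the considerations listed above: it tells session from persistent cookies, flags a long expiry, looks for personal information stored in clear, and checks that the cookie is restricted to SSL. The two headers and the review date are constructed, and the one-year "long expiry" threshold is an assumption made for the example.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie
from urllib.parse import unquote

# Constructed Set-Cookie headers to audit (not from the slides): a session
# cookie holding an opaque id, and a persistent cookie that breaks the rules.
SET_COOKIE_HEADERS = [
    "sid=6828-2461327-649945; Path=/; Secure; HttpOnly",
    "user=alice%40example.org; Expires=Mon, 01 Jan 2035 00:00:00 GMT; Path=/",
]
# Fixed review date so the expiry arithmetic is reproducible.
REVIEW_DATE = datetime(2006, 1, 1, tzinfo=timezone.utc)
# Crude markers for personal information stored in clear: e-mail address, card-like number.
PII_PATTERNS = [re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}"), re.compile(r"\b\d{13,16}\b")]


def audit_cookie(header, now=REVIEW_DATE, max_lifetime=timedelta(days=365)):
    """Classify one Set-Cookie header and list which of the slide's concerns it triggers.

    max_lifetime is an assumed review threshold for "long expiry"; the course
    does not give a number.
    """
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    expires = None
    if morsel["max-age"]:
        expires = now + timedelta(seconds=int(morsel["max-age"]))
    elif morsel["expires"]:
        expires = parsedate_to_datetime(morsel["expires"])
    persistent = expires is not None  # session cookie if neither attribute is set
    findings = []
    if persistent and expires - now > max_lifetime:
        findings.append("long expiry")
    if any(p.search(unquote(morsel.value)) for p in PII_PATTERNS):
        findings.append("unencrypted personal information")
    if not morsel["secure"]:
        findings.append("not restricted to SSL")
    return {"name": name, "persistent": persistent, "expires": expires, "findings": findings}


def audit_all(headers=SET_COOKIE_HEADERS, now=REVIEW_DATE):
    """Audit every header in the constructed list against the fixed review date."""
    return [audit_cookie(h, now) for h in headers]
```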

31
Web user tracking
Web beacons
  • also known as a Web bug, pixel tag or clear GIF
  • usually a clear graphic image of 1 x 1 pixel in size on a Web page or in HTML email
  • operates as a tag that records a visit to a particular Web page
  • often used in conjunction with a cookie and provided as part of a third-party tracking service
  • provides the ability to produce specific profiles of user behavior in combination with Web server logs
  • uses include hit counters, ad campaign performance measurement, email readership

32
Web beacon example
Web beacons
  • <IMG SRC="http://fcstats.bcentral.com/activity?src=999387&type=virtu430&cat=event&ord=1&num='+a+'?" WIDTH="1" HEIGHT="1" BORDER="0">
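An added example, not from the slides, that does for this slide what a Web scanning tool would: it parses a page and lists every image declared as 1 x 1 pixel, marking those served from a host other than the page's own as third-party beacons. The page fragment and the tracker host are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed page fragment (not from the slides): a normal first-party image,
# a 1x1 third-party beacon in the style of the slide's example, and a 1x1
# first-party hit counter.
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.gif" width="120" height="40">
<p>Thank you for your order.</p>
<IMG SRC="http://tracker.example.net/activity?src=999387&cat=event&num=1"
     WIDTH="1" HEIGHT="1" BORDER="0">
<img src="/hit.gif?page=thanks" width=1 height=1 alt="">
</body></html>
"""


class BeaconFinder(HTMLParser):
    """Collect <img> tags whose declared size is 1 x 1 pixel or smaller."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":  # HTMLParser lower-cases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        try:
            w, h = int(a.get("width", "0")), int(a.get("height", "0"))
        except ValueError:  # e.g. width="100%"
            return
        if not (0 < w <= 1 and 0 < h <= 1):
            return
        src = a.get("src", "")
        # a relative src is served by the page's own host (first party)
        host = urlsplit(src).hostname or self.page_host
        self.beacons.append({"src": src, "host": host,
                             "third_party": host != self.page_host})


def find_beacons(html, page_host):
    """Return the beacon candidates found in html, in document order."""
    finder = BeaconFinder(page_host)
    finder.feed(html)
    return finder.beacons
```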

33
Web user tracking
Web beacons
  • privacy considerations for Web beacons
  • they are invisible to users, so lack of notice might be deemed unfair or deceptive
  • it is safest to implement in a non-personally
    identifiable manner
  • choice should be provided for use in a personally
    identifiable manner (consistent with US
    FTC-approved NAI Web Beacon Guidelines found at
    www.networkadvertising.org)

34
Web Privacy & Security
notice mechanisms
35
notice mechanisms
content of notices
  • comprehensive privacy statements typically cover
  • effective date
  • scope
  • information collected (both actively and
    passively)
  • information uses
  • choices available
  • how to modify information or preferences
  • how to contact or register a dispute
  • how policy changes will be communicated

36
notice mechanisms
P3P
  • Platform for Privacy Preferences Project (P3P) of
    the World Wide Web Consortium (W3C)
  • representation of a privacy statement in a
    machine-readable format (XML based standard)
  • user agents can discover Web site privacy practices and take an action as a result (e.g., Microsoft Internet Explorer and Netscape cookie controls, AT&T Privacy Bird plug-in)

37
notice mechanisms
P3P
  • full P3P Policy
  • referenced from a well-known location on the Web server (/w3c/p3p.xml) or from the server header so Web browsers know where to locate it
  • Web browsers translate this into a human readable version in a standardized format
  • communicated upon user request (e.g., in Internet Explorer: View, Privacy Report, View Summary)

38
sample full P3P policy
P3P
the XML file (screenshot)
39
sample full P3P policy
P3P
The user's view (View, Privacy Report...) (screenshot)
40
notice mechanisms
P3P
  • compact P3P Policy
  • shorter version of the policy constructed of a series of 3 or 4 letter tokens
  • communicated with each Web page

example compact policy from the slide:

    P3P: CP="CAO DSP COR CUR CONo ADMa DEVa TAIa TELo PSAa PSDa OUR SAMi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA PRE"

slide callouts:
  • CAO: online access provided to Contact And Other information
  • CONo: information may be used to CONtact the individual (opt-out provided)
  • PHY: PHYsical contact information is collected on the site
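An added example (not part of the slides) that expands a compact policy such as the one above into its token meanings, applying the a/i/o suffix rule (always / opt-in / opt-out) that the slide's CONo callout illustrates, and then lists the points a privacy reviewer would look at first. Token meanings come from the P3P 1.0 compact policy vocabulary and cover the tokens used on the slide.

```python
import re
# The compact policy from the slide, as carried in a P3P response header.
SLIDE_CP = ('CP="CAO DSP COR CUR CONo ADMa DEVa TAIa TELo PSAa PSDa OUR SAMi PUBi '
            'IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA PRE"')

# Meanings of the slide's tokens, from the P3P 1.0 compact policy vocabulary.
TOKENS = {
    "CAO": ("access", "contact and other information"),
    "DSP": ("disputes", "disputes section present"),
    "COR": ("remedies", "errors will be corrected"),
    "CUR": ("purpose", "completion of current activity"),
    "CON": ("purpose", "contacting visitors for marketing"),
    "ADM": ("purpose", "site administration"),
    "DEV": ("purpose", "research and development"),
    "TAI": ("purpose", "tailoring / customization"),
    "TEL": ("purpose", "telemarketing"),
    "PSA": ("purpose", "pseudonymous analysis"),
    "PSD": ("purpose", "pseudonymous decision"),
    "OUR": ("recipient", "ourselves and our agents"),
    "SAM": ("recipient", "entities following our practices"),
    "PUB": ("recipient", "public fora"),
    "IND": ("retention", "indefinitely"),
}
CATEGORIES = {"PHY": "physical contact", "ONL": "online contact", "UNI": "unique identifiers",
              "PUR": "purchase", "FIN": "financial", "COM": "computer", "NAV": "navigation",
              "INT": "interactive", "DEM": "demographic", "CNT": "content",
              "STA": "state management", "PRE": "preference"}
SUFFIX = {"a": "always", "i": "opt-in", "o": "opt-out"}  # 4th letter: the user's choice


def parse_compact_policy(header_value):
    """Expand a CP="..." value into (token, class, meaning, choice) tuples."""
    m = re.search(r'CP="([^"]*)"', header_value)
    if not m:
        raise ValueError("no CP attribute in header value")
    out = []
    for raw in m.group(1).split():
        base, suffix = raw[:3].upper(), raw[3:].lower()
        choice = SUFFIX.get(suffix) if suffix else None
        if base in TOKENS and (choice or not suffix):
            cls, meaning = TOKENS[base]
        elif base in CATEGORIES and not suffix:
            cls, meaning = "category", CATEGORIES[base] + " data"
        else:
            cls, meaning = "unknown", "unrecognised token"
        out.append((raw, cls, meaning, choice))
    return out


def review_points(parsed):
    """Items a reviewer checks first: opt-out purposes, indefinite retention, junk tokens."""
    points = []
    for raw, cls, meaning, choice in parsed:
        if cls == "purpose" and choice == "opt-out":
            points.append(f"{raw}: {meaning} unless the user opts out")
        elif cls == "retention" and raw == "IND":
            points.append("IND: data retained indefinitely")
        elif cls == "unknown":
            points.append(f"{raw}: unrecognised token")
    return points
```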
41
notice mechanisms
layered notices
  • industry initiative to provide privacy notices in
    more succinct, readable and comparable format
  • short notice (the top layer)
  • one screen of policy highlights using a standard
    format covering scope, info collection, info use,
    choice, additional information, contact details
  • provides links to full statement
  • full statement
  • Comprehensive information policy disclosure

42
sample short notice (screenshot)
43
notice mechanisms
Web links to notices
  • at a minimum, privacy statements should be
    accessible from the home page and from all
    collection points
  • following the principle of notice at or before the point of information collection, many Web sites choose to provide a link on every page to cover passive information collection
  • in an easy to find location, in a font no less prominent than other links on the page

44
Web Privacy & Security
children's privacy
45
children's privacy
parental consent
  • particular concerns exist in relation to the collection of personal information from children
  • countries with specific online child privacy protections include Korea (<12) and United States (<13)
  • parental consent is required prior to collection of PII

46
Web Privacy & Security
Web security
47
Web security
security information
  • information security is covered in a separate
    CIPP module
  • a few Web security-specific aspects are addressed
    here
  • authentication
  • encryption
  • Web application vulnerabilities

48
Web security
authentication
  • the more sensitive the Web site, the stronger the authentication should be; require more than one piece of information to authenticate
  • password fields: using the password field type in HTML masks the display of entered text to respect privacy
  • cookies are not an effective means of authentication; consider the possibility of multiple-user PCs

49
Web security
encryption
  • by default, information travels in clear text
    across the Internet
  • transmission of personal information can be
    secured through SSL (Secure Sockets Layer)
  • SSL establishes an encrypted connection between
    the Web server and Web browser
  • should require a high level of encryption (e.g., 128-bit) for sensitive uses (e.g., access to bank accounts)
  • SSL provides user comfort in addition to actual security; should consider securing the page hosting the form as well as securing the transmission

50
Web security
Web application vulnerabilities
  • security weaknesses with privacy consequences include:
  • unvalidated input
  • broken session management
  • cross site scripting
  • injection flaws
  • refer to OWASP top ten (www.owasp.org) for
    further details

51
Web Privacy & Security
email marketing
52
email marketing
email tracking
  • marketing emails (formed in HTML) are increasingly similar to Web pages
  • while they most often do not include Web forms
    (but link to Web sites that do) they can have
    third party interactions and user tracking linked
    to PII
  • behavioral profiles are often built so Web beacon
    and cookie protections apply
  • SPAM (unsolicited commercial email) and phishing
    are key concerns

53
Web Privacy & Security
verification & certification
54
verification & certification
Self-regulatory certifications
  • self-regulatory regimes such as TRUSTe and BBB
    Online require self-certification to a set of
    online privacy best practices, provide a trust
    mark and provide an independent remediation
    mechanism

55
verification & certification
attestation
  • in some business models, a more comprehensive audit of compliance is justified (due to sensitivity or drive for a competitive differentiator)
  • an independent third-party will test actual
    compliance with Web privacy policy and publish an
    audit report
  • Examples include CPA WebTrust and custom
    attestations from audit firms

56
verification & certification
web scanning technologies
  • a category of privacy-enabling technology has
    emerged to address the complexity of dealing with
    a long list of privacy concerns across large and
    ever-changing Web sites
  • the technologies crawl through Web sites and
    report on Web privacy issues and compliance status

57
Web Privacy Security
advertising, phishing and spyware
58
advertising, phishing & spyware
advertising
  • many Web sites rely on the provision of
    advertising to fund their activities
  • targeted advertising can provide value to both
    the visitor and the Web site operator but might
    be considered privacy invasive if it is performed
    without transparency or is based on sensitive
    information
  • network advertising service providers have the
    most sensitivity due to their ability to create
    broad profiles of user behavior (ref NAI
    www.networkadvertising.org)

59
advertising, phishing & spyware
phishing
  • phishing
  • setting up a bogus Web site to fraudulently
    capture sensitive PII and luring users to that
    Web site via a spoofed SPAM email

60
advertising, phishing & spyware
phishing example
email with fake link
61
advertising, phishing & spyware
phishing example
fake site redirects to trusted site
62
advertising, phishing & spyware
phishing example
user gets fake pop-up window - no URL
63
advertising, phishing & spyware
adware/ spyware
  • adware
  • software that is often downloaded in a deceptive manner (e.g., drive-by download) and monitors the user's online behavior to target advertising
  • spyware
  • software that is usually covertly downloaded and used to fraudulently collect and use sensitive PII such as bank account credentials and credit card numbers

64
spyware examples
adware / spyware
Multi-line program name (drive-by download)
65
spyware examples
adware / spyware
cancel means yes
66
spyware example
adware / spyware
false security alert
67
IAPP Certification Promoting Privacy