Page 1: IAPP Privacy Certification Web Privacy & Security Martin Keane Senior Consultant Certified Information Privacy Professional.

IAPP Privacy Certification

Web Privacy & Security Martin Keane Senior Consultant

Certified Information Privacy Professional

Page 2

learning objectives

This course material describes the key technologies of the Internet and the World Wide Web. It provides an overview of privacy and security considerations for an organization’s external Websites and other e-commerce channels such as electronic mail.

Page 3

learning objectives

This course material will enable students to better understand:

• The technical make-up of the Internet and World Wide Web from a high-level perspective
• The range of Web privacy and security challenges such as collecting personal information and tracking end user activities as well as children’s privacy online
• The emerging threats of spyware and phishing
• The importance of effective disclosure mechanisms such as P3P and layered notices
• A selection of standards and best practices that will mitigate risk and build brand trust

Page 4

presenter

Martin Keane is Senior Consultant with PricewaterhouseCoopers’ privacy practice. Mr. Keane is based in Washington D.C. and focuses his work in the technology and information sectors.

He has over 18 years of experience providing

Martin has performed dataflow analysis and safe harbor compliance assessments for large multinational companies. He has also developed privacy enhancing technologies and compliance tools including P3P-based solutions such as WebXM, a Website analysis tool set from Watchfire.

Page 5

agenda

• data collection
• Web technologies
• notice mechanisms
• Web user tracking
• children’s privacy

Page 6

agenda

• email marketing
• Web security
• advertising, phishing and spyware
• online verification and certification

Page 7

Web technologies
Web Privacy & Security

Page 8

Web technologies: Internet vs. the Web

• Internet
– a global network connecting millions of computers
• World Wide Web (the Web)
– an information sharing model that is built on top of the Internet
– utilizes the HTTP protocol and browsers (such as Internet Explorer) to access Web pages formatted in HTML that are linked via hyperlinks
– the Web is only a subset of the Internet (other uses of the Internet include email (via SMTP), Usenet, instant messaging and file transfer (via FTP))

Page 9

Web technologies: protocols & languages

• IP (Internet Protocol)
– specifies the format of data packets and the addressing protocol
• IP address
– a unique number assigned to each connected device
– often assigned dynamically to users by an ISP on a session-by-session basis (dynamic IP address)
– increasingly becoming dedicated, particularly with always-on broadband connections (static IP address)

Page 10

Web technologies: protocols & languages

• TCP (Transmission Control Protocol)
– enables two devices to establish a connection and exchange data
• TCP/IP
– used to send data over the Internet
• Packet
– a portion of a message sent over a TCP/IP network
– contains content and destination

Page 11

Web technologies: protocols & languages

• HTTP (HyperText Transfer Protocol)
– underlying protocol of the World Wide Web
– defines how messages are formatted and transmitted over a TCP/IP network for Web sites
– defines what actions Web servers and Web browsers take in response to various commands
– example: when you enter a URL in your browser, an HTTP command is sent to the Web server telling it to fetch and transmit the requested Web page

Page 12

Web technologies: protocols & languages

• SSL (Secure Sockets Layer)
– protocol for establishing a secure connection for transmission
– uses the HTTPS convention
• JavaScript
– a scripting language used to produce more interactive and dynamic Web sites
• Flash
– a bandwidth-friendly animation technology increasingly used to liven up Web pages and advertisements

Page 13

Web technologies: protocols & languages

• HTML (HyperText Markup Language)
– the authoring language used to create documents on the World Wide Web
– hundreds of tags can be used to format and lay out a Web page’s content and to hyperlink to other Web content
• URL (Uniform Resource Locator)
– the address of documents and other content on the Web
• hyperlink
– used to connect a user to other parts of a Web site and to other Web sites and Web-enabled services

Page 14

Web technologies: Web clients & servers

• Web server
– a computer that is connected to the Internet, hosts Web content and is configured to share that content
• Web client
– most commonly in the form of Web browser software such as Internet Explorer or Netscape
– used to navigate the Web and retrieve Web content from Web servers for viewing

Page 15

Web technologies: Web clients & servers

• proxy server
– an intermediary server that provides a gateway to the Web (e.g., employee access to the Web most often goes through a proxy)
– improves performance through caching and filters the Web
– the proxy server will also log each user interaction
• caching
– Web browsers and proxy servers save a local copy of the downloaded content
– pages that display personal information should be set to prohibit caching

Page 16

data collection
Web Privacy & Security

Page 17

data collection: active vs. passive collection

• active collection
– where a user actively provides information, usually through Web forms
• passive collection
– where information is gathered automatically as the user navigates from page to page on a Web site

Page 18

data collection: Web forms

• Web form: a portion of a Web page containing blank fields that users can fill in with data (including personal information)
• when the user submits the form, it is sent to a Web server that processes the information, where it can be stored in a database

Page 19

data collection: Web forms

• one-line text boxes are used to capture specific pieces of information such as name, city, credit card number, search terms
• scrolling text boxes are used to capture a sentence or more of text (e.g., a request for support)
• checkboxes and radio buttons are used to collect answers to structured questions (a common approach to providing privacy choice)

Page 20

data collection: Web forms

• privacy considerations for Web forms:
– should be designed to only require what is really needed (and make it clear what, if anything, is optional)
– should be accompanied by a functioning link to the privacy statement (“notice at the point of collection”)
– should use the POST method of form submission (the alternative GET method can inadvertently spill information to third parties, via the referrer URL)

Page 21

data collection: Web forms

• privacy considerations for Web forms (continued):
– should place limitations on one-line text boxes to help ensure they are only used as intended (e.g., maximum of 14 characters for first name)
– should be cautious in using scrolling text boxes: you have no control over what information the user submits!
– should use secure transmission (e.g., SSL) for the collection of sensitive personal information (a requirement in some instances)
– AutoComplete should be turned off for sensitive personal information as it could be exposed on shared computers
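A way to check a form against the considerations on slides 20 and 21 before it goes live, as an added example that is not part of the course material: it parses form markup with Python's html.parser and reports the GET method, a non-HTTPS action, a missing maxlength on named one-line fields, free-text areas, and sensitive fields that leave AutoComplete on. The sample forms, the sensitive-field list and the length caps are constructed for the example.

```python
"""Audit HTML forms against the Web form privacy considerations (slides 20-21).

Added example, not part of the course material. The sensitive-field names,
the length caps and the two sample forms are constructed assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: field names that carry sensitive personal information.
SENSITIVE_FIELDS = {"password", "cardnumber", "ssn"}
# Assumed: upper bounds for one-line fields (slide 21 gives 14 for first name).
MAX_LEN = {"firstname": 14, "lastname": 30, "city": 40}


class FormCollector(HTMLParser):
    """Records each <form> with the <input>/<textarea> elements inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms.append({"attrs": attrs, "fields": []})
        elif tag in ("input", "textarea") and self.forms:
            attrs["_tag"] = tag
            self.forms[-1]["fields"].append(attrs)


def audit_form_html(markup):
    """Return a list of findings (strings); an empty list means no issue found."""
    parser = FormCollector()
    parser.feed(markup)
    findings = []
    for form in parser.forms:
        a = form["attrs"]
        if a.get("method", "get").lower() != "post":          # HTML defaults to GET
            findings.append("form uses GET: field values end up in the URL and in referrer headers")
        action = a.get("action", "")
        if urlparse(action).scheme.lower() != "https":
            findings.append(f"form action is not https: {action!r}")
        for f in form["fields"]:
            name = f.get("name", "").lower()
            ftype = f.get("type", "text").lower()
            if f["_tag"] == "textarea":
                findings.append(f"textarea {name!r}: free text, no control over what the user submits")
                continue
            if name in MAX_LEN and "maxlength" not in f:
                findings.append(f"field {name!r} has no maxlength (expected at most {MAX_LEN[name]})")
            if ftype == "password" or name in SENSITIVE_FIELDS:
                if f.get("autocomplete", "").lower() != "off":
                    findings.append(f"sensitive field {name!r} leaves AutoComplete on")
    return findings


# Constructed sample: a form with every issue the audit looks for.
WEAK_FORM = """
<form action="http://www.example.com/register" method="get">
  <input type="text" name="firstname">
  <input type="text" name="city" maxlength="40">
  <input type="password" name="password">
  <textarea name="comments"></textarea>
</form>
"""

# Constructed sample: the same form after applying the slide's recommendations.
HARDENED_FORM = """
<form action="https://www.example.com/register" method="post">
  <input type="text" name="firstname" maxlength="14">
  <input type="text" name="city" maxlength="40">
  <input type="password" name="password" autocomplete="off">
</form>
"""

if __name__ == "__main__":
    for label, markup in (("weak", WEAK_FORM), ("hardened", HARDENED_FORM)):
        print(label, audit_form_html(markup) or "no findings")
```

Run against the weak sample the audit reports five findings (GET, non-HTTPS action, no maxlength on first name, AutoComplete on for the password, and a free-text area); the hardened sample produces none. Field-level checks only apply to the named fields, so the lists at the top are the part to adapt to a real site.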

Page 22

data collection: software & the Internet converge

• increasingly, client software is connecting to the Internet; examples include:
– financial packages (updating account details)
– media players (downloading metadata)
– operating systems and applications (automatic updates and error reporting)
• it is important to ensure that adequate notice and choice is in place for these situations

Page 23

data collection: third-party interactions

• the boundaries of Web sites are increasingly becoming blurred:
– joint-venture co-branded Web sites
– syndicated content
– Web services such as news feeds, weather reports, metrics gathering, advertising
• privacy professionals need to understand these third-party interactions and ensure that it is clear to the user which entities are receiving information, and that the appropriate contractual protections are in place to protect privacy

Page 24

Web user tracking
Web Privacy & Security

Page 25

Web user tracking: Web server logs

• Web server log: every time a Web page is requested, the Web server may automatically log the following information:
– the IP address of the visitor
– date and time of the request
– the URL of the requested file
– the URL the visitor came from immediately before (referrer URL)
– the visitor’s Web browser type and operating system

Example request as received by the Web server:

GET http://www.amazon.com/ HTTP/1.0
User-Agent: Mozilla/3.01 (X11; I; SunOS 4.1.4 sun4m)
Host: www.amazon.com
Referer: http://www.alcoholics-anonymous.org/
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Cookie: session-id-time=868867200; session-id=6828-2461327-649945; group_discount_cookie=F
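The request above shows what a server sees: a referrer that reveals the site the visitor came from, and the visitor's cookies. As an added example (not from the course material), the following Python builds a log record that keeps what traffic analysis needs while minimising what slides 20 and 25 warn about: the client IP is truncated, only the referrer's scheme and host are kept (its path and query can carry form fields submitted via GET), and cookies are never written to the log. The client IP, the IPv6 truncation width and the record layout are assumptions; the request text is the slide's own example, one header per line.

```python
"""Build a privacy-minimised Web server log record from an HTTP request.

Added example, not part of the course material. The request text is the one
shown on slide 25; the client address, the truncation widths and the record
layout are constructed assumptions.
"""
import ipaddress
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# The slide's request, one header per line (constructed transcription).
SAMPLE_REQUEST = """GET http://www.amazon.com/ HTTP/1.0
User-Agent: Mozilla/3.01 (X11; I; SunOS 4.1.4 sun4m)
Host: www.amazon.com
Referer: http://www.alcoholics-anonymous.org/
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Cookie: session-id-time=868867200; session-id=6828-2461327-649945; group_discount_cookie=F
"""


def parse_request(raw):
    """Split the request line and headers; header names are case-insensitive."""
    lines = raw.strip().splitlines()
    method, target, version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def truncate_ip(addr):
    """Zero the host part: /24 for IPv4, /48 for IPv6 (assumed policy)."""
    ip = ipaddress.ip_address(addr)
    bits = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False).network_address)


def referrer_origin(referrer):
    """Keep only scheme and host. The path and query of a referrer can carry
    form input submitted via GET and the exact page the visitor was reading."""
    parts = urlsplit(referrer or "")
    return f"{parts.scheme}://{parts.netloc}" if parts.netloc else "-"


def referrer_leaks_fields(referrer):
    """Names of query parameters carried in a referrer: a sign that the
    previous page submitted a form with GET."""
    return sorted(parse_qs(urlsplit(referrer).query).keys())


def log_record(raw_request, client_ip, when=None):
    """One log entry: the Cookie header is read but deliberately never stored."""
    req = parse_request(raw_request)
    h = req["headers"]
    when = when or datetime.now(timezone.utc)
    return {
        "ip": truncate_ip(client_ip),
        "time": when.strftime("%d/%b/%Y:%H:%M:%S %z"),
        "request": f'{req["method"]} {req["target"]} {req["version"]}',
        "referrer": referrer_origin(h.get("referer")),
        "user_agent": h.get("user-agent", "-"),
    }


if __name__ == "__main__":
    # 203.0.113.77 is a constructed (documentation-range) client address.
    print(log_record(SAMPLE_REQUEST, "203.0.113.77"))
```

Even the reduced referrer still names the site the visitor came from, which in the slide's example is itself sensitive; a stricter policy would keep the full referrer only when its host matches the Host header and otherwise record just "external". The `referrer_leaks_fields` helper is the check to run over existing logs when deciding whether a GET form elsewhere has been spilling field values.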

Page 26

Web user tracking: cookies

• a small text file provided by a Web server and stored on a user’s PC
• the text can be sent back to the server every time the browser requests a page from the server
• cookies are used to identify a user as they navigate through a Web site and/or return at a later time
• cookies enable a range of functions including personalization of content

Page 27

Web user tracking: cookies

• session vs. persistent cookies
– a session cookie is stored only while the user is connected to the particular Web server; the cookie is deleted when the user disconnects
– persistent cookies are set to expire at some point in the future; many are set to expire a number of years forward

Page 28

Web user tracking: cookies

• 1st-party vs. 3rd-party cookies
– a first-party cookie is set and read by the Web server hosting the Web site the user is visiting
– a third-party cookie is set and read by a third-party Web server that is providing a service, such as advertising or analytics, to the Web site the user is visiting

Page 29

Web user tracking: cookies

Example cookie (screenshot; callouts: content of cookie, 1st-party cookie, P3P compact policy, expiry date of persistent cookie)

Page 30

Web user tracking: cookies

• privacy considerations for cookies:
– should not store unencrypted personal information in cookies
– should provide adequate notice of cookie usage
– should only use persistent cookies if the need justifies it
– should not set long expiry dates
– 3rd-party cookie providers should be vetted, disclosed and perhaps opt-out provided (e.g., DoubleClick)
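A check for the cookie considerations on slides 27 to 30, as an added example that is not the course's own material: it parses a Set-Cookie header with Python's http.cookies, looks for unencrypted personal information in the value, works out whether the cookie is a session or persistent cookie and how long it lasts, and reports missing Secure and HttpOnly attributes. The one-year ceiling, the personal-information patterns, the fixed clock and the sample headers are constructed assumptions.

```python
"""Audit a Set-Cookie header against the cookie considerations on slides 27-30.

Added example, not part of the course material. The one-year ceiling, the
personal-information patterns, the fixed clock and the sample headers are
constructed.
"""
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

MAX_PERSISTENT = timedelta(days=365)   # assumed policy ceiling for persistent cookies

# Assumed patterns for unencrypted personal information in a cookie value.
PERSONAL_PATTERNS = {
    "email address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "card-like number": re.compile(r"\b\d{13,19}\b"),
}


def cookie_lifetime(morsel, now):
    """None for a session cookie; otherwise how long it persists from `now`.
    Max-Age takes precedence over Expires (RFC 6265)."""
    if morsel["max-age"]:
        return timedelta(seconds=int(morsel["max-age"]))
    if morsel["expires"]:
        return parsedate_to_datetime(morsel["expires"]) - now
    return None


def audit_set_cookie(header_value, now=None):
    """Return a list of findings for one Set-Cookie header value."""
    now = now or datetime.now(timezone.utc)
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        for label, pattern in PERSONAL_PATTERNS.items():
            if pattern.search(morsel.value):
                findings.append(f"{name}: value contains an unencrypted {label}")
        life = cookie_lifetime(morsel, now)
        if life is not None and life > MAX_PERSISTENT:
            findings.append(f"{name}: persistent cookie lives {life.days} days, "
                            f"beyond the {MAX_PERSISTENT.days}-day ceiling")
        if not morsel["secure"]:
            findings.append(f"{name}: no Secure attribute, so it is also sent over clear-text HTTP")
        if not morsel["httponly"]:
            findings.append(f"{name}: no HttpOnly attribute, so page scripts can read it")
    return findings


# Constructed samples and a fixed clock so the results are reproducible.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
WEAK_COOKIE = "user=ann@example.com; Expires=Wed, 21 Oct 2035 07:28:00 GMT; Path=/"
HARDENED_COOKIE = "sid=6828-2461327-649945; Max-Age=1800; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for header in (WEAK_COOKIE, HARDENED_COOKIE):
        print(header, "->", audit_set_cookie(header, NOW) or ["no findings"])
```

The weak sample trips all four checks: an email address stored in clear, a ten-year expiry, and neither Secure nor HttpOnly. The hardened sample holds only an opaque identifier, lasts thirty minutes and carries both attributes, so it produces no findings. Whether a cookie is third-party cannot be judged from the header alone; that needs the page host it was set from, which is why it is left to a page-level scan.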

Page 31

Web user tracking: Web beacons

• also Web bug, pixel tag or clear gif
• usually a clear graphic image of 1 x 1 pixel in size on a Web page or in HTML email
• operates as a tag that records a visit to a particular Web page
• often used in conjunction with a cookie and provided as part of a third-party tracking service
• provides an ability to produce specific profiles of user behavior in combination with Web server logs
• uses include hit counter, ad campaign performance measurement, email readership

Page 32

Web user tracking: Web beacons

Web beacon example:

<IMG SRC="http://fcstats.bcentral.com/activity;src=999387;type=virtu430;cat=event251;ord=1;num='+ a + '?" WIDTH="1" HEIGHT="1" BORDER="0">
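The tag above is what a beacon looks like in markup. As an added example, not the course's own code, the following Python scans a page or HTML email for images sized 1 x 1 or smaller and records whether each is served by the site's own domain or by a third party, the distinction slide 31 draws. The site name and the sample markup are constructed; the third-party sample is the slide's own tag.

```python
"""Find Web beacons (1 x 1 images) in a page or HTML email and say whether each
is first- or third-party.

Added example, not part of the course material. The site name and the sample
markup are constructed; the third-party sample is the tag shown on slide 32.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def _pixels(attrs, key):
    """Integer size from a width/height attribute, or None if absent or unparsable."""
    value = attrs.get(key, "").strip().lower().removesuffix("px")
    return int(value) if value.isdigit() else None


class BeaconFinder(HTMLParser):
    """Collects <img> elements no larger than one pixel in each dimension."""

    def __init__(self, site):
        super().__init__()
        self.site = site.lower()        # registrable domain of the page being scanned
        self.beacons = []

    def _first_party(self, host):
        return host == self.site or host.endswith("." + self.site)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        width, height = _pixels(a, "width"), _pixels(a, "height")
        if width is None or height is None or width > 1 or height > 1:
            return                          # a visible image, not a beacon
        host = urlsplit(a.get("src", "")).netloc.lower()
        self.beacons.append({
            "src": a.get("src", ""),
            "host": host,
            "third_party": bool(host) and not self._first_party(host),
        })


def find_beacons(markup, site):
    """Return one record per beacon found in `markup` for a page on `site`."""
    finder = BeaconFinder(site)
    finder.feed(markup)
    return finder.beacons


# Constructed sample page, assumed to be served from example.com: the slide's
# third-party beacon, a visible logo, and a first-party beacon.
SAMPLE_PAGE = """
<html><body>
<IMG SRC="http://fcstats.bcentral.com/activity;src=999387;type=virtu430;cat=event251;ord=1;num='+ a + '?" WIDTH="1" HEIGHT="1" BORDER="0">
<img src="https://static.example.com/logo.png" width="120" height="40" alt="logo">
<img src="https://www.example.com/pixel.gif" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for beacon in find_beacons(SAMPLE_PAGE, "example.com"):
        print("third-party" if beacon["third_party"] else "first-party", beacon["host"])
```

Images without explicit width and height attributes are not reported, since their size is only known once fetched; a fuller scanner would also flag `<img>` elements whose src carries a query string and no alt text. The third-party list is the one to reconcile against the disclosures and opt-outs slide 33 asks for.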

Page 33

Web user tracking: Web beacons

• privacy considerations for Web beacons:
– they are invisible to users; lack of notice might be deemed unfair or deceptive
– it is safest to implement in a non-personally identifiable manner
– choice should be provided for use in a personally identifiable manner (consistent with US FTC-approved NAI Web Beacon Guidelines found at www.networkadvertising.org)

Page 34

notice mechanisms
Web Privacy & Security

Page 35

notice mechanisms: content of notices

• comprehensive privacy statements typically cover:
– effective date
– scope
– information collected (both actively and passively)
– information uses
– choices available
– how to modify information or preferences
– how to contact or register a dispute
– how policy changes will be communicated

Page 36

notice mechanisms: P3P

• Platform for Privacy Preferences Project (P3P) of the World Wide Web Consortium (W3C)
• representation of a privacy statement in a machine-readable format (XML-based standard)
• user agents can discover Web site privacy practices and take an action as a result (e.g., Microsoft Internet Explorer and Netscape cookie controls, AT&T Privacy Bird plug-in)

Page 37

notice mechanisms: P3P

• full P3P policy
– referenced from a “well known location” on the Web server (…./w3c/p3p.xml) or from the server header so Web browsers know where to locate it
– Web browsers translate this into a human-readable version in a standardized format
– communicated upon user request (e.g., in Internet Explorer: View, Privacy Report, View Summary)

Page 38

notice mechanisms: P3P

sample full P3P policy: the XML file (screenshot)

Page 39

notice mechanisms: P3P

sample full P3P policy: the user’s view (View, Privacy Report...) (screenshot)

Page 40

notice mechanisms: P3P

• compact P3P policy
– shorter version of the policy constructed of a series of 3 or 4 letter “tokens”
– communicated with each Web page

Example compact policy header:

P3P: CP = “CAO DSP COR CUR CONo ADMa DEVa TAIa TELo PSAa PSDa OUR SAMi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA PRE

Callouts on the slide:
– CONo: information may be used to CONtact the individual (opt-out provided)
– CAO: online access provided to Contact And Other information
– PHY: PHYsical contact information is collected on the site
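The slide reads three of the tokens by hand; the same can be done for the whole header. As an added example (not part of the course material), the following Python splits a CP header into tokens, separates the a/i/o suffix that marks a purpose or recipient as always, opt-in or opt-out, and prints a readable line per token. The token table is my own summary of the W3C P3P 1.0 compact-policy vocabulary, limited to the tokens that appear on this slide, and the header string is the slide's, with its closing quote restored.

```python
"""Decode a P3P compact policy (CP) header into readable statements.

Added example, not part of the course material. The token meanings are a
summary of the W3C P3P 1.0 compact-policy vocabulary, limited to the tokens on
slide 40; the suffixes a/i/o mean always, opt-in and opt-out.
"""
TOKENS = {
    # access
    "CAO": "access: contact and other information",
    # disputes and remedies
    "DSP": "disputes: the policy references a dispute-resolution procedure",
    "COR": "remedy: errors will be corrected",
    # purposes (may carry an a/i/o suffix)
    "CUR": "purpose: completion of the current activity",
    "ADM": "purpose: site administration",
    "DEV": "purpose: research and development",
    "TAI": "purpose: one-time tailoring",
    "PSA": "purpose: pseudonymous analysis",
    "PSD": "purpose: pseudonymous decision",
    "CON": "purpose: contacting the visitor",
    "TEL": "purpose: telemarketing",
    # recipients (may carry an a/i/o suffix)
    "OUR": "recipient: ourselves and our agents",
    "SAM": "recipient: others following the same practices",
    "PUB": "recipient: public fora",
    # retention
    "IND": "retention: indefinitely",
    # data categories
    "PHY": "category: physical contact information",
    "ONL": "category: online contact information",
    "UNI": "category: unique identifiers",
    "PUR": "category: purchase information",
    "FIN": "category: financial information",
    "COM": "category: computer information",
    "NAV": "category: navigation and click-stream data",
    "INT": "category: interactive data",
    "DEM": "category: demographic and socioeconomic data",
    "CNT": "category: content",
    "STA": "category: state management mechanisms (cookies)",
    "PRE": "category: preference data",
}
SUFFIX = {"a": "always", "i": "opt-in", "o": "opt-out"}


def parse_cp(header):
    """Split a CP header, with or without the 'P3P: CP=' prefix and quotes,
    into (token, suffix) pairs; suffix is None for three-letter tokens."""
    value = header.split("=", 1)[1] if "=" in header else header
    value = value.strip().strip('"\u201c\u201d')        # straight or curly quotes
    pairs = []
    for tok in value.split():
        if len(tok) == 4 and tok[3] in SUFFIX:
            pairs.append((tok[:3].upper(), tok[3]))
        else:
            pairs.append((tok.upper(), None))
    return pairs


def describe_cp(header):
    """One readable line per token; unknown tokens are reported, not dropped."""
    lines = []
    for tok, suf in parse_cp(header):
        text = TOKENS.get(tok, "unknown token")
        if suf:
            text += f" ({SUFFIX[suf]})"
        lines.append(f"{tok}{suf or ''}: {text}")
    return lines


def opt_out_tokens(header):
    """Tokens with the 'o' suffix: practices the visitor must opt out of, so
    the site has to offer that opt-out somewhere the visitor can find it."""
    return [tok for tok, suf in parse_cp(header) if suf == "o"]


# The slide's header, closing quote restored.
SLIDE_CP = ('P3P: CP="CAO DSP COR CUR CONo ADMa DEVa TAIa TELo PSAa PSDa OUR SAMi PUBi '
            'IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA PRE"')

if __name__ == "__main__":
    print("\n".join(describe_cp(SLIDE_CP)))
    print("opt-out required for:", opt_out_tokens(SLIDE_CP))
```

For the slide's header the decoder reports two opt-out practices, contacting the visitor (CONo) and telemarketing (TELo); reconciling that list against what the site's full policy and its forms actually offer is the practical use of the check.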

Page 41

notice mechanisms: layered notices

• industry initiative to provide privacy notices in a more succinct, readable and comparable format
• short notice (the top layer)
– one screen of policy highlights using a standard format covering scope, information collection, information use, choice, additional information, contact details
– provides links to the full statement
• full statement
– comprehensive information policy disclosure

Page 42

notice mechanisms: layered notices

sample short notice (screenshot)

Page 43

notice mechanisms: Web links to notices

• at a minimum, privacy statements should be accessible from the home page and from all collection points
• following the principle of “at or before the point of information collection”, many Web sites choose to provide a link on every page to cover passive information collection
• in an easy-to-find location, in a font no less prominent than other links on the page

Page 44

children’s privacy
Web Privacy & Security

Page 45

children’s privacy: parental consent

• particular concerns exist in relation to the collection of personal information from children
• countries with specific online child privacy protections include Korea (<12) and United States (<13)
• parental consent is required prior to collection of PII

Page 46

Web security
Web Privacy & Security

Page 47

Web security: security information

• information security is covered in a separate CIPP module
• a few Web security-specific aspects are addressed here:
– authentication
– encryption
– Web application vulnerabilities

Page 48

Web security: authentication

• the more sensitive the Web site, the stronger the authentication should be: require more than one piece of information to authenticate
• password fields use the “password” field type in HTML, which masks the display of text entered to respect privacy
• cookies are not an effective means of authentication; consider the possibility of multiple-user PCs

Page 49

Web security: encryption

• by default, information travels in clear text across the Internet
• transmission of personal information can be secured through SSL (Secure Sockets Layer)
• SSL establishes an encrypted connection between the Web server and Web browser
• should require a high level of encryption (e.g., 128-bit) for sensitive uses (e.g., access to bank accounts)
• SSL provides user comfort in addition to actual security; should consider securing the page hosting the form as well as securing the transmission

Page 50

Web security: Web application vulnerabilities

• security weaknesses with privacy consequences include:
– unvalidated input
– broken session management
– cross site scripting
– injection flaws
• refer to the OWASP top ten (www.owasp.org) for further details
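Three of the weaknesses listed on this slide, unvalidated input, cross site scripting and injection flaws, each shown as the unsafe pattern beside its hardened form. This is an added example written for this page, not code from the course material or from OWASP; the SQLite table, its rows and every input are constructed for the demonstration.

```python
"""Unvalidated input, cross site scripting and injection: unsafe next to hardened.

Added example, not from the course material or OWASP. The SQLite table and
every input below are constructed for the demonstration.
"""
import html
import sqlite3


# --- cross site scripting: untrusted text copied into a page -----------------
def greeting_unsafe(name):
    """The defect: markup inside `name` becomes part of the page."""
    return f"<p>Hello, {name}</p>"


def greeting_safe(name):
    """Escape <, >, & and quotes so the input is rendered as text only."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# --- injection: untrusted text pasted into a database query ------------------
def demo_db():
    """In-memory table with two constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT, plan TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("ann@example.com", "gold"), ("o'brien@example.com", "basic")])
    return db


def lookup_unsafe(db, email):
    """The defect: the input is spliced into the SQL text, so a quote in the
    value changes the statement instead of being matched as data."""
    return db.execute(f"SELECT plan FROM users WHERE email = '{email}'").fetchall()


def lookup_safe(db, email):
    """Parameter binding: the driver passes the value separately from the SQL."""
    return db.execute("SELECT plan FROM users WHERE email = ?", (email,)).fetchall()


def unsafe_query_breaks_on(db, email):
    """True when the string-built query fails to parse for this input."""
    try:
        lookup_unsafe(db, email)
        return False
    except sqlite3.OperationalError:
        return True


# --- unvalidated input: check shape and length on the server ------------------
def is_plausible_email(value, max_len=254):
    """Cheap server-side check: bounded length, no whitespace or control
    characters, exactly one '@', a dotted domain. Not a full RFC 5322 parser."""
    if not 0 < len(value) <= max_len:
        return False
    if any(c.isspace() or ord(c) < 32 for c in value) or value.count("@") != 1:
        return False
    local, domain = value.split("@")
    return bool(local) and len(domain) > 2 and "." in domain[1:-1]


if __name__ == "__main__":
    db = demo_db()
    print(greeting_unsafe("<b>Ann</b>"), "|", greeting_safe("<b>Ann</b>"))
    print(lookup_safe(db, "o'brien@example.com"), unsafe_query_breaks_on(db, "o'brien@example.com"))
```

A legitimate value with an apostrophe is enough to show the injection defect: the string-built query fails to parse for o'brien@example.com, while the parameterised query returns that user's row. The validation function is deliberately strict rather than complete; rejecting odd input early is the point of the "unvalidated input" item, and escaping on output is still required because validation alone does not make a value safe to place in HTML.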

Page 51

email marketing
Web Privacy & Security

Page 52

email marketing: email tracking

• marketing emails (formed in HTML) are increasingly similar to Web pages
• while they most often do not include Web forms (but link to Web sites that do), they can have third-party interactions and user tracking linked to PII
• behavioral profiles are often built, so Web beacon and cookie protections apply
• SPAM (unsolicited commercial email) and phishing are key concerns

Page 53

verification & certification
Web Privacy & Security

Page 54

verification & certification: self-regulatory certifications

• self-regulatory regimes such as TRUSTe and BBB Online require self-certification to a set of online privacy best practices, provide a ‘trust’ mark and provide an independent remediation mechanism

Page 55

verification & certification: attestation

• in some business models, a more comprehensive audit of compliance is justified (due to sensitivity or the drive for a competitive differentiator)
• an independent third party will test actual compliance with the Web privacy policy and publish an audit report
• examples include CPA WebTrust and custom attestations from audit firms

Page 56

verification & certification: web scanning technologies

• a category of privacy-enabling technology has emerged to address the complexity of dealing with a long list of privacy concerns across large and ever-changing Web sites
• the technologies crawl through Web sites and report on Web privacy issues and compliance status

Page 57

advertising, phishing and spyware
Web Privacy & Security

Page 58

advertising, phishing & spyware: advertising

• many Web sites rely on the provision of advertising to fund their activities
• targeted advertising can provide value to both the visitor and the Web site operator, but might be considered privacy invasive if it is performed without transparency or is based on sensitive information
• network advertising service providers have the most sensitivity due to their ability to create broad profiles of user behavior (ref: NAI, www.networkadvertising.org)

Page 59

advertising, phishing & spyware: phishing

• phishing
– setting up a bogus Web site to fraudulently capture sensitive PII and luring users to that Web site via a spoofed SPAM email

Page 60

advertising, phishing & spyware: phishing example

email with fake link (screenshot)

Page 61

advertising, phishing & spyware: phishing example

fake site redirects to trusted site (screenshot)

Page 62

advertising, phishing & spyware: phishing example

user gets fake pop-up window with no URL (screenshot)
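The screenshots on slides 60 to 62 show the pattern: the message text names the trusted site while the link goes elsewhere. As an added example, not from the course material, the following Python extracts the anchors from an HTML message and flags those whose visible text names a different site than the href. The host comparison uses the last two labels of the host name, an assumption a real mail filter would replace with a public-suffix list; the sample message is constructed.

```python
"""Flag links in an HTML email whose visible text names one site while the
href points to another (the "email with fake link" from slide 60).

Added example, not part of the course material. The last-two-labels host
comparison is a simplification, and the sample message is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A host name written in the visible link text, with optional scheme and www.
HOST_IN_TEXT = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def site_of(host):
    """Reduce a host name to its last two labels (assumed stand-in for a
    public-suffix lookup); IP literals come back unchanged."""
    host = host.lower().split(":")[0]
    if host.startswith("www."):
        host = host[4:]
    labels = host.split(".")
    if all(label.isdigit() for label in labels):
        return host
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def suspicious_links(message_html):
    """Return the links whose text names a site other than the href's site."""
    collector = LinkCollector()
    collector.feed(message_html)
    flagged = []
    for href, text in collector.links:
        href_site = site_of(urlsplit(href).netloc)
        match = HOST_IN_TEXT.search(text)
        if href_site and match and site_of(match.group(1)) != href_site:
            flagged.append({"text": text, "href": href, "href_site": href_site})
    return flagged


# Constructed sample message: two deceptive links, two honest ones.
SAMPLE_MESSAGE = """
<p>Your account needs attention. Please
<a href="http://203.0.113.9/login">sign in at www.examplebank.com</a> today.</p>
<p>Statements: <a href="http://examplebank-secure.example.net/">https://www.examplebank.com/account</a></p>
<p>Help: <a href="https://www.examplebank.com/help">www.examplebank.com/help</a></p>
<p><a href="https://www.examplebank.com/">Click here</a> to unsubscribe.</p>
"""

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_MESSAGE):
        print(f"text says {link['text']!r} but the link goes to {link['href_site']}")
```

Links whose text is a plain phrase ("Click here") are not judged, since there is no claimed destination to compare against; those are the case for the "no URL" pop-up on slide 62, where the only defence is user education and not entering credentials into windows that hide their address.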

Page 63

advertising, phishing & spyware: adware / spyware

• adware
– software that is often downloaded in a deceptive manner (e.g., ‘drive-by download’) and monitors the user’s online behavior to target advertising
• spyware
– software that is usually covertly downloaded and used to fraudulently collect and use sensitive PII such as bank account credentials and credit card numbers

Page 64

advertising, phishing & spyware: adware / spyware

spyware examples: multi-line program name (drive-by download) (screenshot)

Page 65

advertising, phishing & spyware: adware / spyware

spyware examples: “cancel” means “yes” (screenshot)

Page 66

advertising, phishing & spyware: adware / spyware

spyware example: false security alert (screenshot)

Page 67

IAPP Certification: Promoting Privacy