What is the most important part to focus on: Data Lifecycle
Trace personal information from collection, through its various uses, to possible dissemination to third parties, and ultimately to archiving or deletion. These stages in the lifecycle
World Wide Web
Definition: information-sharing model that is built on top of the physical Internet
Uses hypertext to access various forms of information available on the world's different networks
Historic development
Hypertext transfer protocol (HTTP)
application protocol that manages data communications over the Internet
determines how messages are formatted and transmitted over a TCP/IP network
defines what actions web servers and web browsers take in response to various commands
Hypertext markup language (HTML)
content-authoring language used to create web pages.
HyperText Transfer Protocol Secure (HTTPS)
allows the transfer of data from a browser to a website over an encrypted connection
HTML5 has new capabilities and features, such as the
ability to run video, audio and animation directly from websites without the need for a plug-in (a piece of software that runs in the browser and renders media such as audio or video).
Mobile ecosystems use HTML5 without Flash: many mobile devices do not support Flash but can use this HTML5 feature with no plug-in.
Ability to store information offline, in web applications that can run when not connected to the internet
Extensible markup language (XML)
language that facilitates the transport, creation, retrieval and storage of documents.
Uses tags to describe the contents of a web page or file
Describes the content of a web page in terms of data being produced
Web browser software is considered a “web client” application in that it is used by the computer or other device (the “client”) to navigate the web and retrieve web content from web servers for viewing.
URL
address of documents and other content that are located on a web server.
Hyperlink
Used to connect an end user to other websites, parts of websites, and/or web-enabled services
Web Infrastructure
Different hardware/software technologies used to build the web.
web server
a computer that is connected to the Internet, hosts web content and is configured to share that content
proxy server
an intermediary server that provides a gateway to the web
e.g., a SOCKS proxy or similar that employees connect through; their web traffic then goes out via the proxy
Virtual private networks (VPNs)
an important category of proxy server, widely used in the United States for employee web access
VPNs encrypt the information from the user to the organization’s proxy server.
Caching
occurs when web browsers and proxy servers save a local copy of the downloaded content
reduces the need to download the same content again from the web server.
To protect privacy, pages that display personal information should be set to prohibit caching.
Web server log
automatically created when a visitor requests a web page.
Internet protocol (IP)
specifies the format of data packets that travel over the Internet and also provides the appropriate addressing protocol.
IP address
Unique number assigned to each connected device
It is similar to a phone number because the IP address tells the website where data should be sent.
An internet service provider (ISP) often assigns a new IP address on a session-by-session basis.
Transmission control protocol (TCP) enables two devices to establish a stream-oriented reliable data connection. A combination of TCP and IP is used to send data over the internet.
Transport layer security (TLS)
protocol that ensures privacy between a user and a web server.
TLS secures the connection to ensure that no third party can eavesdrop on or corrupt the message.
Cascading style sheets (CSS) is the language used to describe the presentation of web pages. It includes colors, layout and font.
Flash is a bandwidth-friendly interactive animation and video technology that has been widely used to enliven web pages and advertisements.
Internet -
Global system of interconnected networks
Links billions of computers and devices around the world
Accessed by computers and other electronic devices
Threats to Online Privacy
Unauthorized Access
Malware
Phishing
Spear Phishing
Social Engineering
Online Security
Web Access
Comprehensive Defense Plan
Outward-facing systems must protect against all threats
Data in Transit – Transport Layer Security
The norm is that data should be encrypted in transit.
TLS is a standard method for encrypting the transmission of PII over the web – including the verification of end user information required for website access.
Protecting Online Identity – individual end users have the ultimate responsibility. These are standard practices to protect privacy over the web:
Login/Password/PINs
Software – antivirus and firewall
Wi-Fi and Bluetooth - easy to exploit
File Sharing - e.g., BitTorrent; users should protect against its vulnerabilities
Public Computers - dangerous, since many people use them
Public Charging Stations - their USB ports connect to many devices
PII on websites
Online Verification and Certification
Enhance user’s level of trust in online activity.
Use a 3rd party known as accreditation or assurance services, or trust seal providers.
The 3rd party evaluates activities (e.g., the privacy notices of a website, or confirms the absence of viruses or spyware in a software download).
Examples
Norton
TrustArc
BBBOnline.
E-mail Security
Security products today include content filtering services (antivirus, antispam, HTML tag removal, script removal, blocking of attachments by file type, scanning of inappropriate content, confidentiality checks and disclaimer enforcement).
Online Attacks on Users
SPAM Email – spam filters examine the contents to block messages containing known viruses and other malicious codes.
Phishing
Phishing
Spear Phishing
Whaling
Malware – viruses, worms, ransomware, spyware
Mobile Online Privacy
problems with how to provide notice on a small screen.
Geolocation data is also an important privacy issue. It is notably difficult to anonymize location data.
Proper rules for collection, use and storage of location data by mobile phone companies, operating system and app developers.
3rd party use of these data including advertisements.
Location Based Services (LBS) present new business opportunities for local businesses
Children’s Online Privacy
Children cannot give meaningful consent for online activities.
Parents can install filtering software.
Many websites require minimum age verification.
COPPA –
Website must provide clear and conspicuous notice of the data collection methods employed, including functioning hyperlinks to the website privacy policy on all websites where PI is collected.
Requires parental consent for children under 13 years old prior to data collection.
13 years old to 18 years old – states have made efforts to address privacy for this group.
California teenagers have the right to request removal of information they posted online.
Online Privacy Notices and Methods for Communication
Web Privacy Notices – This statement covers:
Effective date
Scope of notice
Type of PI collected
Information uses and disclosure
Choices available to user
Methods for accessing, correcting, modifying PI or preferences.
Methods for contacting the organization or registering disputes
Processes for how any policy changes will be communicated to public
TrustArc Recommendations for privacy notices
Say what the organization does
Do not treat privacy statements as disclaimers
Revisit frequently
Communicate privacy practices to the entire company
Trustmarks
Trustmarks are images or logos that are displayed on websites to indicate that a business is a member of a professional organization or to show that it has passed security and privacy tests.
They are designed to give customers confidence that they can safely engage in e-commerce transactions.
TrustArc, Norton and the Better Business Bureau are examples of trustmarks.
Layered Notices
A response to single, long notices written in legalese.
Provide key points on top in a short notice but give option to read a detailed notice. (Short Notice + Full Notice)
Mobile Privacy Notices
Problems with geolocation, text messages, metadata from phone calls, medical monitoring, and other information gathered through numerous apps.
Small screen makes privacy notice challenging.
FTC recommended best practices for platforms, ad networks, app developers, etc.
Principles are privacy by design (or even privacy by default), transparency, and simplification of consumer choices.
Customer Access to Information
Privacy notice should say what sort of notice consumer will receive, and when and how they can access records.
In US, no general legal right to access or correct PI. However, it exists for HIPAA and FCRA.
In EU, it’s fundamental to have right to access and correct PI.
Online Data Collection
Web Form – contains blank fields, text boxes, check boxes or other input areas that end users complete by providing data.
When completed, it is sent to a web server that processes and stores the submitted information into a database.
Active vs. Passive Data Collection
Active is online data collection in which the user knowingly provides data.
Passive is when information is gathered automatically – often without user knowledge – as the user navigates from page to page of websites, through cookies or other mechanisms.
Desktop Products with Web Interfaces – Google Docs etc.
Third-Party Interactions
Onward Transfers – of information from the original org. that holds the data to a 3rd party (e.g., a data processor, a payment processor, or a party that determines the use of the data).
Digital Advertising
Many websites rely on online advertising to fund their services to customers.
Targeted advertisements support the websites themselves as well as the ecosystem of advertising and other companies that provide support services for websites.
On the other hand, privacy advocates have expressed concerns: notice is often unclear, and users often do not know how to choose whether they receive targeted ads. Users may also be unaware that their browsing habits are being tracked by 3rd parties.
Cookies – help a website or ad network track a user’s browsing activities, potentially across multiple websites visited. From a best-practice standpoint, cookies should not store unencrypted PI; the site should provide adequate notice of their usage, not set long expiration dates, disclose the involvement of any 3rd-party cookie provider, and offer opt-out (in the EU, opt-in).
Pop-up Ads
Adware
Web Beacons – Web bug, pixel tag, or clear GIF. It operates as a tag that records an end user’s visit to a particular web page.
Digital Fingerprinting – can identify a user based on information revealed to the website by the user’s browser and device.
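As an added example (not part of the original notes), a small Python checker that applies two points from these notes to constructed HTTP response headers: the Caching rule that pages displaying personal information should prohibit caching, and the cookie best practices (no unencrypted PI, no long expiration). The 30-day threshold for "long expiration" and the email-address heuristic for PI are assumptions.

```python
# Added example: audit an HTTP response against two privacy points in these notes:
# (1) pages that show personal information should prohibit caching by browsers
#     and proxy servers, and (2) cookies should not hold unencrypted PI, should not
#     have long expiration dates, and should carry the Secure/HttpOnly flags.
# Assumptions: 30 days counts as "long", and an email-looking value counts as PI.
import re

MAX_COOKIE_AGE_SECONDS = 30 * 24 * 3600          # assumed "long expiration" threshold
EMAIL_RE = re.compile(r"[^@\s;]+@[^@\s;]+\.[a-z]{2,}", re.I)

def no_cache_headers() -> dict:
    """Headers a page displaying PI should send: no-store stops browser and proxy
    copies; private additionally blocks shared (proxy) caches as a second guard."""
    return {"Cache-Control": "no-store, private", "Pragma": "no-cache", "Expires": "0"}

def audit_cache(headers: dict) -> list:
    """Return findings about the cacheability of a response that shows PI."""
    cc = headers.get("Cache-Control", "")
    directives = {d.strip().lower() for d in cc.split(",") if d.strip()}
    findings = []
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store: browser/proxy may keep a local copy")
    if "public" in directives:
        findings.append("Cache-Control is public: shared proxy caches may serve it to others")
    return findings

def audit_set_cookie(set_cookie: str) -> list:
    """Return findings for one Set-Cookie header value (name=value; attr; attr=val)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip()
    findings = []
    if EMAIL_RE.fullmatch(value):               # heuristic: unencrypted PI stored in the cookie
        findings.append(f"{name}: cookie value looks like unencrypted PI (email address)")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure flag, cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly flag, cookie readable by page scripts")
    max_age = attrs.get("max-age", "")
    if max_age.isdigit() and int(max_age) > MAX_COOKIE_AGE_SECONDS:
        findings.append(f"{name}: Max-Age {max_age}s exceeds {MAX_COOKIE_AGE_SECONDS}s")
    return findings

if __name__ == "__main__":
    # Constructed sample response (not taken from any real site)
    sample_headers = {"Cache-Control": "public, max-age=86400"}
    sample_cookie = "user=alice@example.com; Max-Age=31536000; Path=/"
    for finding in audit_cache(sample_headers) + audit_set_cookie(sample_cookie):
        print(finding)
```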
Search Engines
Online Social Networking