Privacy Professional Fundamentals

Online Privacy

Online Privacy Using Personal Information on Websites and Other Internet Technologies

What is the most important part to focus on: Data Lifecycle
1. Trace personal information from collection, through its various uses, to possible dissemination to third parties, and ultimately to archiving or deletion. These stages in the lifecycle

5.1 Overview of Web Technologies

World Wide Web
1. Definition: information-sharing model that is built on top of the physical Internet
  1. Uses hypertext to access various forms of information available on the world's different networks
2. Historic development
  1. Hypertext transfer protocol (HTTP)
    1. application protocol that manages data communications over the Internet
    2. determines how messages are formatted and transmitted over a TCP/IP network
    3. defines what actions web servers and web browsers take in response to various commands
  2. Hypertext markup language (HTML)
    1. content-authoring language used to create web pages.
  3. HyperText Transfer Protocol Secure (HTTPS)
    1. allows the transfer of data from a browser to a website over an encrypted connection
  4. HTML5 has new capabilities and features, such as the
    1. ability to run video, audio and animation directly from websites without the need for a plug-in (a piece of so ware that runs in the browser and renders media such as audio or video).
    2. Mobile ecosystems use HTML 5 with no flash, as many mobile devices do not support Flash, but can use this feature, no plug in.
    3. Ability to store information store information offline, in web applications that can run when not connected to the internet
  5. Extensible markup language (XML)
    1. language that facilitates the transport, creation, retrieval and storage of documents.
    2. Uses tags to describe the contents of a web page or file
    3. Describes the content of a web page in terms of data being produced
  6. Web browser software is considered a “web client” application in that it is used by the computer or other device (the “client”) to navigate the web and retrieve web content from web servers for viewing.
  7. URL
    1. address of documents and other content that are located on a web server.
  8. Hyperlink
    1. Used to connect an end user to other websites, parts of websites, and/or web-enabled services
Web Infrastructure

Different hardware/software technologies use to build the web.

1. web server
  1. a computer that is connected to the Internet, hosts web content and is configured to share that content
2. proxy server
  1. an intermediary server that provides a gateway to the web
  2. Socks or some other type for employees to access, and then goes out
3. Virtual private networks (VPNs)
  1. an important category of proxy server, widely used in the United States for employee web access
  2. VPNs encrypt the information from the user to the organization’s proxy server.
4. Caching
  1. occurs when web browsers and proxy servers save a local copy of the downloaded content
  2. reduces the need to download the same content again from the web server.
  3. To protect privacy, pages that display personal information should be set to prohibit caching.
5. Web server log
  1. automatically created when a visitor requests a web page.
6. Internet protocol (IP)
  1. specifies the format of data packet that travels over the Internet and also provides the appropriate addressing protocol.
7. IP address
  1. Unique number assigned to each connected device
  2. It is similar to a phone number because the IP address shows where data should be sent from the website.
  3. internet service provider (ISP) often assigns a new IP address on a session-by-session basis.
8. Transmission control protocol (TCP) enables two devices to establish a stream-oriented reliable data connection. A combination of TCP and IP is used to send data over the internet.
9. Transport layer security (TLS)
  1. protocol that ensures privacy between a user and a web server.
  2. TLS secures the connection to ensure that no third party can eavesdrop on or corrupt the message.
10. Cascading style sheets (CSS) is the language used to describe the presentation of web pages. It includes colors, layout and font.
11. Flash is a bandwidth-friendly interactive animation and video technology that has been widely used to enliven web pages and advertisements.
12. Internet -
  1. Global system of interconnected networks
  2. Links billions of computers and devices around the world
  3. Accessed by computers and other electronic devices

5.2 Privacy Considerations for Online Information

Threats to Online Privacy
1. Unauthorized Access
2. Malware
3. Phishing
4. Spear Phishing
5. Social Engineering
Online Security
1. Web Access
  1. Comprehensive Defense Plan
    1. Outward facing protect against all threats
2. Data in Transit – Transport Layer Security –
  1. The norm is that data should be encrypted in transit.
  2. TLS is a standard method for encrypting the transmission of PII over the web – including the verification of end user information required for website access.
3. Protecting Online Identity – individual end users have the ultimate responsibility. These are standard practices to protect privacy over the web:
  1. Login/Password/PINs
  2. Software – antivirus and firewall
  3. WI-FI and Bluetooth - easy to exploit
  4. File Sharing - BitTorrent should protect against vulnerabilities
  5. Public Computers - dangerous, many use
  6. Public Charging Stations -connect to USB of many devices
  7. PII on websites
4. Online Verification and Certification
  1. Enhance user’s level of trust in online activity.
  2. Use a 3rd party known as accreditation or assurance services, or trust seal providers.
    1. 3rd party evaluates activities (i.e. privacy notices of a website or confirm the absence of viruses or spyware from a software download).
    2. Examples
      1. Norton
      2. TrustArc
      3. BBBOnline.
5. E-mail Security
  1. Security products today include content filtering services (antivirus, antispam, HTML tag removal, script removal, blocking of attachments by file type, scanning of inappropriate content, confidentiality checks and disclaimer enforcement).
Online Attacks on Users
1. SPAM Email – spam filters examine the contents to block messages containing known viruses and other malicious codes.
2. Phishing
  1. Phishing
  2. Spear Phishing
  3. Waling
3. Malware – viruses, worms, ransomware, spyware
Mobile Online Privacy
1. problems with how to provide notice on a small screen.
2. Geolocation data is also an important privacy issue. It is notably difficult to anonymize location data.
3. Proper rules for collection, use and storage of location data by mobile phone companies, operating system and app developers.
4. 3rd party use of these data including advertisements.
5. Location Based Services (LBS) present new business opportunities for local businesses
Children’s Online Privacy
1. Childrens cannot give meaningful consent for online activities.
2. Parents can install filtering software.
3. Many websites require minimum age verification.
4. COPPA –
  1. Website must provide clear and conspicuous notice of the data collection methods employed, including functioning hyperlinks to the website privacy policy on all website where PI is collected.
  2. Requires parents consent for under 13 years old prior to data collection.
  3. 13 years old to 18 years old – states have made efforts to address privacy for this group.
  4. CA teenagers have the right to request removal of information posted online.

5.3 Online Privacy Notices and Methods for Communication

Online Privacy Notices and Methods for Communication
1. Web Privacy Notices – This statement covers:
  1. Effective date
  2. Scope of notice
  3. Type of PI collected
  4. Information uses and disclosure
  5. Choices available to user
  6. Methods for accessing, correcting, modifying PI or preferences.
  7. Methods for contacting the organization or registering disputes
  8. Processes for how any policy changes will be communicated to public
2. Trustarc Recommendations for privacy notice
  1. Say what the organization does
  2. Do not treat privacy statements as disclaimers
  3. Revisit frequently
  4. Communicate privacy practices to the entire company
  5. Trustmarks
    1. Trustmarks are images or logos that are displayed on websites to indicate that a business is a member of a professional organization or to show that it has passed security and privacy tests.
    2. They are designed to give customers confidence that they can safely engage in e-commerce transactions.
    3. TrustArc, Norton and the Better Business Bureau are examples of trustmarks.
3. Layered Notices
  1. Response to single long legalese notices.
  2. Provide key points on top in a short notice but give option to read a detailed notice. (Short Notice + Full Notice)
  3. Mobile Privacy Notices
    1. Problems with geolocation, text messages, metadata from phone calls, medical monitoring, and other information gathered through numerous apps.
    2. Small screen makes privacy notice challenging.
    3. FTC recommended best practices practices for platforms, ad networks, app developers, etc.
    4. Principles are privacy by design (or even privacy by default), transparency, and simplification of consumer choices.
4. Customer Access to Information
  1. Privacy notice should say what sort of notice consumer will receive, and when and how they can access records.
  2. In US, no general legal right to access or correct PI. However, it exists for HIPAA and FCRA.
  3. In EU, it’s fundamental to have right to access and correct PI.

5.4 Collection and Use of Electronic Data

Online Data Collection
1. Web Form – contains black fields, text boxes, check boxes or other inputs areas that end users compete by providing data.
2. When completed, it is sent to a web server that processes and stores the submitted information into a database.
Active vs. Passive Data Collection
1. Active is online data collection.
2. Passive is when information is gathered automatically – often no user knowledge – as the user navigates from page to page of websites through cookies or others.
Desktop Products with Web Interfaces – Google Docs etc.
Third-Party Interactions
Onward Transfers – of information from the original org. that holds the data to a 3rd party (data processor, ensure payment, determining the use of data).

5.5 Digital Advertising

Digital Advertising
1. 1. Many websites rely on online advertising to fund their services to customers.
  2. Targeted advertisements support the websites themselves as well as the ecosystem of advertising and other companies that provide support services for websites.
  3. On the other hand, privacy advocates have expressed concerns – unclear notice and often do not know how to choose whether they received target ads. Users may also be unaware that their browsing habits are being tracked by 3rd parties.
  4. Cookies – help a website or ad network track a user’s browsing activities, potentially across multiple websites visited. Best Practice standpoint, cookies should not store unencrypted PI, provide adequate notice of their usage, not set long expiration dates, disclose the involvement of a 3rd party cookie provider as well as opt-out (in EU, opt-in).
2. Pop-up Ads
3. Adware
4. Web Beacons – Web bug, pixel tag, or clear GIF. It operates as a tag that records an end user’s visit to a particular web page.
5. Digital Fingerprinting – can identify based on information revealed to the website by the user.
6. Search Engines
7. Online Social Networking

5.6 Conclusion

Page updated

Report abuse