Wednesday, April 24, 2024

Privacy Basics & Compliance Detector

Earlier this year I had a conversation about the basic privacy principles and core requirements that every website owner should consider and apply to the design and implementation of their site. It was a good conversation, during which we discussed important points about website privacy and the different regulations that apply in the United States and worldwide. However, I realized that it was a highly conceptual and theoretical discussion that did not impart the knowledge needed to put these ideas into action. There was no easy way to quickly demonstrate the basics, so I was trapped in theory without a bridge to practical implementation, and some of the points were lost. Taking this experience back to the team at AvePoint, we realized we could do something really special: augment our community education and outreach efforts with a first-of-its-kind online educational tester for online privacy, Compliance Detector.

At first blush this is hard to accomplish, because there are so many different rules, regulations, and guidelines, and an online tester that cannot be customized would run into the different ways privacy is implemented and validated on each site. That did not stop us from building the solution. With a little thought and innovation, we came up with the basic questions that need to be asked of every web property, ones that can be validated without site-specific customization. The questions we developed are:

1. When a website is collecting user data, has Secure Sockets Layer (SSL, today TLS) been implemented?

2. Is the website using visitor tracking?

3. Does the website have a privacy policy (Notice) link?

4. Has the website implemented Platform for Privacy Preferences Project (P3P)?

5. Does the website include links to external sites?

6. Does the website include forms that use the “get” method?

7. Does the website expose credit card information?

8. Does the website expose other forms of Personally Identifiable information (PII)?

These basic questions can be asked, answered, and demonstrated with just a few quick steps in Compliance Detector, helping people understand how they are doing against some core principles of appropriate online privacy protection. These principles include:

· Management

· Collection and protection of personal or sensitive personal data

· Utilization of tracking technologies

· Proper notice and implementation of privacy policy/privacy notices

To find out how Compliance Detector does all of this, please read below.

SSL

With regard to the implementation of SSL, our first question, Compliance Detector is coded to find input fields in a website with a high probability of collecting personally identifiable information and, if any are found, to ensure that basic SSL is implemented. If no relevant inputs are found, the result is set to "not applicable"; if matching inputs are found, the SSL test is performed. If the site is using SSL it passes; if it is either not using SSL or is mixed (an HTTPS page that also loads scripts, stylesheets or other resources over plain HTTP, or submits the form to a plain-HTTP address) it fails. This result surprises some people, because the argument might be made that a partially SSL-enabled page could still be secure. It cannot: a script fetched over plain HTTP can be replaced by anyone on the network path, and a replaced script runs with full access to the page, including the form fields the user is about to submit. There is no good reason to build something that might be secure instead of something that is in fact secure, and taking that extra step also lets your customers and website visitors see, through the browser's own indicator, that your site is secure. Asking customers to guess or make their own determination about whether your site is secure is illogical, and you may lose customers that way.

Visitor Tracking

Our second question, visitor tracking, is a bit more complex. Visitor tracking can be accomplished in many ways, so for Compliance Detector it was important to cover the angles that would be most helpful. Our checks therefore cover web beacons, third-party cookies, and third-party cookies with a high probability of containing PII. All of these tracking methods can be checked readily and, as with our first question, the result ranges from "not applicable" to "pass" or "fail". The answer to this question becomes very important when you write your privacy notice, and when you need to comply with individual cookie rules and regulations.

Privacy Policy Usage

Our third question, Privacy Policy Usage, performs two specific checks: first, that every page collecting information links to the site owner's privacy policy (Notice); second, a more general check for a privacy policy link on every page. Compliance Detector passes or fails a page on whether it has such a link. The test is very basic: the engine looks for a link with the word "privacy" in it, so a link labelled some other way (for example "Data Protection") is not recognized and should be checked by hand.

P3P

Another way to detect a privacy policy is a P3P file, a machine-readable privacy policy. This is our fourth question, P3P compliance, and it involves a simple check to locate a P3P file on the server. In this case the only results are pass or human review, because a P3P file is not required globally, so a general tool cannot fail a site for lacking one. Note that P3P has since been retired by the W3C and mainstream browsers no longer read it, so treat this check as informational rather than as a control.

External Links

The fifth question asks whether a website uses external links. This is another informational check: it cannot pass or fail, and the result indicates that a human review is required. The check stresses the importance of knowing whether your site links to external pages. Site owners should always be conscious of how and where they link to third parties, and should notify users when they are leaving one website for another; this may also be required under statute, regulation, or external or internal policy.

“Get” Method

Our sixth question considers whether forms on the website use the "get" method. This check identifies an area where data can leak out via web server logs. With GET, the completed fields are appended to the URL as a query string, and that URL is written to web server and proxy logs, kept in the browser history, and may be forwarded in Referer headers to the next page, so unprotected PII or Protected Health Information (PHI) can end up stored in places that were never designed to protect it. A POST body, by contrast, is not written to a standard access log. This check can return "Not Applicable", "Pass", or "Human Review".
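To make the leak concrete, here is an added example (not AvePoint's code, and not how Compliance Detector itself works) that scans access-log lines in the combined format written by Apache and nginx and flags query-string values that look like PII. The log lines, the addresses and the form fields are constructed for the illustration; the same signup form is shown submitted once with GET and once with POST.

```python
# Added example, not AvePoint's code: what a GET form leaves in the access log,
# and a small scanner that flags query-string values that look like PII
# (e-mail address, Luhn-valid card number, US social security number).
import re
from urllib.parse import parse_qsl, urlparse

# Apache/nginx combined log format: ip ident user [time] "METHOD target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def luhn_ok(digits):
    """Luhn checksum, the check digit scheme used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(value):
    """Return 'email', 'ssn', 'card' or None for one decoded query-string value."""
    v = value.strip()
    if EMAIL_RE.match(v):
        return "email"
    if SSN_RE.match(v):
        return "ssn"
    digits = re.sub(r"[ -]", "", v)         # card numbers are often typed with spaces or dashes
    if digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits):
        return "card"
    return None


def scan_log(text):
    """Return a list of (ip, path, parameter, kind) for every PII-looking query value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                        # not a request line we understand; do not guess
        url = urlparse(m["target"])
        # Only the query string is examined: a POST body never reaches the access log.
        for param, value in parse_qsl(url.query, keep_blank_values=True):
            kind = classify(value)
            if kind:
                findings.append((m["ip"], url.path, param, kind))
    return findings


# Constructed lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
203.0.113.9 - - [24/Apr/2024:10:01:02 +0000] "GET /signup?name=Ann+Example&email=ann%40example.org&ssn=123-45-6789 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Apr/2024:10:01:30 +0000] "POST /signup HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Apr/2024:10:02:11 +0000] "GET /pay?card=4111+1111+1111+1111&cvv=123 HTTP/1.1" 200 88 "-" "curl/8.0"
"""

if __name__ == "__main__":
    for ip, path, param, kind in scan_log(SAMPLE_LOG):
        print(f"{ip} {path}: parameter '{param}' looks like {kind}")
```

The POST line produces no finding because the request body is never written to the access log, while the GET line hands the server log, and any proxy or CDN log in between, the user's e-mail address and social security number in clear text. The Luhn check is what separates a card number from any other run of digits; the three-digit CVV is not flagged. The fix is to switch the form to POST over HTTPS, not to scrub logs after the fact, because by then the URL is also in the browser history.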

PII and PHI

Our seventh and eighth questions deal with exposed PII and PHI. These checks alert the user to content on the page that has a high probability of being PII or PHI and therefore needs review.
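Putting the checks above into code: the following is an added example, not Compliance Detector's own code, that runs the checks that can be made from a single HTML document (questions 1, 3, 5 and 6, the web-beacon part of question 2, and the PII-field heuristic that questions 1, 7 and 8 rely on) and reports each with the result vocabulary used above. The field-name list, the beacon rule (a 1x1 or 0x0 image from another host) and the sample page with its .example hosts are assumptions made for the illustration; third-party cookies need the HTTP response headers and are left out.

```python
# Added example, not AvePoint's code: a static HTML scanner modelled on the
# Compliance Detector questions. Covers questions 1, 3, 5, 6, the beacon part
# of 2 and the PII-field heuristic behind 7 and 8; cookies need HTTP headers.
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Input names and types that suggest PII (an assumption, not the tool's own list).
PII_FIELD_RE = re.compile(r"email|phone|ssn|social|card|cvv|address|zip|postal|dob|birth|name", re.I)
PII_INPUT_TYPES = {"email", "tel"}


class PageScanner(HTMLParser):
    """Collects forms, links, loaded resources and beacons from one page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.host = urlparse(page_url).hostname
        self.forms, self.links, self.resources, self.beacons = [], [], [], []
        self._form = self._link = None

    def is_external(self, url):
        host = urlparse(url).hostname
        return host is not None and host != self.host

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"method": (a.get("method") or "get").lower(),
                          "action": urljoin(self.page_url, a.get("action", "")),
                          "pii_fields": []}
            self.forms.append(self._form)
        elif tag in ("input", "select", "textarea") and self._form is not None:
            itype = (a.get("type") or "text").lower()
            name = a.get("name") or a.get("id") or ""
            if itype not in ("hidden", "submit", "button") and (
                    itype in PII_INPUT_TYPES or PII_FIELD_RE.search(name)):
                self._form["pii_fields"].append(name)
        elif tag == "a" and a.get("href"):
            self._link = {"href": urljoin(self.page_url, a["href"]), "text": ""}
            self.links.append(self._link)
        elif tag in ("script", "img", "iframe") and a.get("src"):
            src = urljoin(self.page_url, a["src"])
            self.resources.append(src)
            # A 1x1 or 0x0 image loaded from another host is treated as a web beacon.
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            if tag == "img" and tiny and self.is_external(src):
                self.beacons.append(src)
        elif tag == "link" and a.get("href") and "stylesheet" in a.get("rel", ""):
            self.resources.append(urljoin(self.page_url, a["href"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "a":
            self._link = None

    def handle_data(self, data):
        if self._link is not None:
            self._link["text"] += data


def scan(page_url, html):
    """Return {check: result}; results are pass, fail, not applicable or human review."""
    p = PageScanner(page_url)
    p.feed(html)
    r = {}
    # Q1: a page with PII-like fields must be served, and submit, over SSL/TLS with no
    # plain-HTTP subresources (mixed content); pages without such fields are not applicable.
    pii_forms = [f for f in p.forms if f["pii_fields"]]
    if not pii_forms:
        r["ssl"] = "not applicable"
    else:
        secure_page = urlparse(page_url).scheme == "https"
        secure_actions = all(urlparse(f["action"]).scheme == "https" for f in pii_forms)
        mixed = any(urlparse(u).scheme == "http" for u in p.resources)
        r["ssl"] = "pass" if secure_page and secure_actions and not mixed else "fail"
    # Q2, beacons only; assumption: any third-party beacon fails the check.
    r["tracking"] = "fail" if p.beacons else "pass"
    # Q3: the post's heuristic, a link with the word "privacy" in it.
    r["privacy_link"] = "pass" if any(
        "privacy" in (l["text"] + l["href"]).lower() for l in p.links) else "fail"
    # Q5: external links are informational only.
    r["external_links"] = "human review" if any(
        p.is_external(l["href"]) for l in p.links) else "not applicable"
    # Q6: a form without a method attribute defaults to GET; any GET form is flagged.
    if not p.forms:
        r["get_forms"] = "not applicable"
    else:
        r["get_forms"] = "human review" if any(f["method"] == "get" for f in p.forms) else "pass"
    return r


# Constructed sample page; the hosts are documentation placeholders, not real sites.
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="http://cdn.example/site.css"></head>
<body><form method="get" action="/search"><input name="q"><input type="submit"></form>
<form method="post" action="https://shop.example/pay"><input name="cardnumber">
<input name="cvv"><input type="email" name="email"></form>
<img src="https://tracker.example/pixel.gif" width="1" height="1">
<a href="/privacy">Privacy Policy</a> <a href="https://partner.example/offer">Partner offer</a>
</body></html>"""

RESULTS = scan(SAMPLE_URL, SAMPLE_HTML)   # RESULTS["ssl"] == "fail": the stylesheet is plain HTTP
```

The sample page fails the SSL check even though the page and the payment form are both HTTPS, because the stylesheet is loaded over plain HTTP, which is the mixed-content case discussed under the first question; changing that one URL to HTTPS turns the result into a pass. The search form is flagged for human review because it uses GET, even though it collects no PII, which mirrors the tool's separation of the GET-method question from the SSL question. Running the same scanner against a page with no forms at all returns "not applicable" for both.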

By using the Compliance Detector, a person’s “Privacy IQ” can be moved up a notch as there is relevant information and best practices on each element being tested. For any of the rules, testers can simply select the link that has the check name, and in a flash they are brought to a page to read about the element being tested.

Compliance Detector’s results allow a site owner to understand how to ask and answer questions about their site, and, more importantly, it helps educate them about common requirements in most jurisdictions. It is important to remember some basic privacy best practices when looking at Compliance Detector.

If you use a privacy policy (notice), make sure you do what it says: if you say you do not collect information, then you should not collect user information, even through tracking technology. Do what you say and say what you do. Additionally, if you are collecting user data via user inputs, make sure that the page is secure and that the browser padlock indicates the same. Mixed content, on the other hand, gives an attacker on the network path a way into a transaction that should be 100 percent secure.

In closing, Compliance Detector is the first of its kind: a privacy education solution aimed at making the web a more secure and safe place for commerce. At its core, it does this by teaching basic security and privacy constructs for websites. Combining Compliance Detector with the other educational and outreach programs in your organization can go a long way toward achieving your privacy goals, including privacy by design. For those who need a commercial product that can be tuned to a specific website and to specific privacy and security engineering methodologies, there is Compliance Guardian. Compliance Guardian powers Compliance Detector and is designed to ensure that information is available and accessible to the people who should have it and protected from the people who should not. If you would like material for any organizational events you may be holding, please feel free to contact us. We are happy to support your educational events related to privacy worldwide.

Additional Reading:

· What Google has to Say about Website Settings and Web Security Indicators

· Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) – By the National Institute of Standards and Technology (NIST)

· When to trust a website by Microsoft

· AvePoint Compliance Guardian

· Compliance Detector

1 COMMENT

  1. Rob, This is a great, detailed explanation of the usefulness of Compliance Detector for Basic Privacy checks and a great explanation of why it looks for what it does.
