Earlier this year I had a conversation regarding basic privacy principles and core requirements that every website owner should consider and apply to the design and implementation of their own site. It was a good conversation during which we discussed important data points about website privacy and the different applicable regulations in the United States and worldwide. However, I realized that it was a highly conceptual and theoretical discussion and did not impart the knowledge needed to put these ideas into action. There was no easy way to quickly demonstrate the basics, so I was trapped in theory without a bridge to practical implementation. Thus, some of the points were lost. Taking this experience back to the team at AvePoint, we realized we could do something really special. We decided to augment our community education and outreach efforts with a first-of-its-kind online educational tester for online privacy, Compliance Detector.
Generally speaking, this is hard to accomplish at first blush because there are so many different rules, regulations, and guidelines. An online tester that cannot be customized would run into the different methods of privacy implementation and validation. This did not stop us from building the solution. With a little thought and innovation, we came up with the basic questions that need to be asked of every web property – ones that can be validated without site-specific customization. The questions we developed are:
1. When a website is collecting user data, have Secure Sockets Layer (SSL) protocols been implemented?
2. Is the website using visitor tracking?
4. Has the website implemented Platform for Privacy Preferences Project (P3P)?
5. Does the website include links to external sites?
6. Does the website include forms that use the “get” method?
7. Does the website expose credit card information?
8. Does the website expose other forms of Personally Identifiable Information (PII)?
These basic questions could be asked and answered as well as demonstrated with just a few quick steps in Compliance Detector to help people to understand how they were doing against some core principles of appropriate online privacy protection. These principles include:
· Collection and protection of personal or sensitive personal data
· Utilization of tracking technologies
To find out how Compliance Detector does all of this, please read below.
With regard to implementation of SSL – our first question – Compliance Detector is coded to find input fields on a website with a high probability of collecting personally identifiable information and, if any are found, to ensure that basic SSL is implemented. If no relevant inputs are found, the system sets the result to “not applicable”; if inputs matching the requirement are found, the SSL test is performed. If the site is using SSL it passes, and if it is either not using SSL or is mixed, it fails. This is an interesting result to some, because the argument might be made that if something is partially SSL enabled, the connection could still be secure. This is, of course, flawed logic: there is no good argument for building something that might be secure or should be secure instead of something that is in fact secure, and further, why not take that extra step to ensure your customers and website visitors know that your site is secure? It is somewhat illogical to ask customers to guess or make their own determination whether your site is secure, and you may in fact lose customers through this approach.
Our second question – visitor tracking – is a bit more complex. Visitor tracking can be accomplished in many ways, so for Compliance Detector it was important to cover the angles that could be most helpful. Thus our checks cover web beacons, third-party cookies, and third-party cookies with a high probability of containing PII. All of these tracking methods can easily be checked and, as with our first question, the results range from “not applicable” to “pass” or “fail”. The answer to this question becomes very important in developing your privacy notice or even in complying with individual cookie rules and regulations.
The fifth question asks whether a website is using external links. This is another informational check. It cannot pass or fail, but the results indicate a human review is required. This educational check stresses the importance of understanding if your site links to external pages. Site owners should always be conscious of how and where they link to third parties, and of course notify users when they are leaving one website to go to another one. This also may be required under statute, regulation, or external or internal policies.
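As an added illustration of the visitor-tracking (question 2) and external-link (question 5) checks, here is a small offline checker that is not Compliance Detector's own code and uses none of AvePoint's published heuristics. It parses a constructed sample page with the standard-library HTML parser and inspects constructed cookie records standing in for what a fetch would return; the "first-party if the last two host labels match" rule, the 1x1-image beacon rule and the e-mail-shaped-cookie rule are all assumptions.

```python
"""Added example (not AvePoint's code): tracking and external-link checks
over constructed sample HTML and cookie records; heuristics are assumptions."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)


def host_of(url, base):
    return (urlparse(urljoin(base, url)).hostname or "").lower()


def same_site(a, b):
    """First-party if the hosts share their last two labels (assumption;
    a production checker would consult the Public Suffix List instead)."""
    return a.split(".")[-2:] == b.split(".")[-2:]


class ResourceCollector(HTMLParser):
    """Collects anchor targets, <img> attributes and script/iframe sources."""
    def __init__(self):
        super().__init__()
        self.links, self.images, self.resources = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append(a)
        elif tag in ("script", "iframe") and a.get("src"):
            self.resources.append(a["src"])


def check_tracking(page_url, html, cookies):
    """cookies: list of (domain, name, value) tuples from the (hypothetical) fetch.
    'not applicable' when nothing is embedded or set, 'fail' on any third-party
    beacon, resource or cookie, 'pass' when everything is first-party."""
    site = urlparse(page_url).hostname.lower()
    p = ResourceCollector()
    p.feed(html)
    findings = []
    for img in p.images:
        # A 1x1 image served from another site is the classic web beacon.
        tiny = img.get("width") == "1" and img.get("height") == "1"
        if tiny and not same_site(host_of(img["src"], page_url), site):
            findings.append(("web beacon", img["src"]))
    for src in p.resources:
        if not same_site(host_of(src, page_url), site):
            findings.append(("third-party resource", src))
    for domain, name, value in cookies:
        if not same_site(domain.lstrip(".").lower(), site):
            kind = ("third-party cookie with probable PII"
                    if EMAIL_RE.search(value) else "third-party cookie")
            findings.append((kind, name))
    if not (p.images or p.resources or cookies):
        return "not applicable", []
    return ("fail" if findings else "pass"), findings


def check_external_links(page_url, html):
    """Informational only: 'not applicable' without off-site links, otherwise
    'human review' together with the sorted list of external destinations."""
    site = urlparse(page_url).hostname.lower()
    p = ResourceCollector()
    p.feed(html)
    external = sorted({urljoin(page_url, h) for h in p.links
                       if urlparse(urljoin(page_url, h)).scheme in ("http", "https")
                       and not same_site(host_of(h, page_url), site)})
    return ("human review" if external else "not applicable"), external


# Constructed sample page and cookie jar (not captured from any real site).
SAMPLE_HTML = """
<a href="/about">About</a>
<a href="https://partner.example.net/offer">Partner offer</a>
<a href="mailto:help@example.com">Mail</a>
<img src="https://tracker.example.org/pixel.gif" width="1" height="1">
<img src="/logo.png" width="200" height="60">
<script src="https://cdn.example.org/analytics.js"></script>
"""
SAMPLE_COOKIES = [
    (".example.com", "session", "a1b2c3"),
    (".tracker.example.org", "uid", "jane.doe@example.com"),
]

if __name__ == "__main__":
    print(check_tracking("https://www.example.com/", SAMPLE_HTML, SAMPLE_COOKIES))
    print(check_external_links("https://www.example.com/", SAMPLE_HTML))
```

Against the sample page the tracking check fails on three findings (a beacon, a third-party script and a third-party cookie whose value looks like an e-mail address), while the external-link check returns "human review" for the partner link only, since the mailto: link is not a web destination.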
Our sixth question considers whether forms on the website use the “get” method. This question and its associated checks identify an area where data can leak out via web server logs. A “get” submission places the completed fields in the URL's query string, so the request URL has the potential to store unprotected PII or Protected Health Information (PHI) in web server logs. This check can have a result of “Not Applicable”, “Pass”, or “Human Review”.
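The SSL check (question 1) and the “get” check (question 6) both start from the same data: each form on the page, its submission method and target, and whether its fields look like they collect PII. The following is an added example of both checks over constructed sample HTML; it is not Compliance Detector's code. The field-name heuristic for "probable PII", the decision to flag only PII-collecting GET forms, and the treatment of an https page posting to an http action as a "mixed" failure are assumptions made here. "SSL" in the post corresponds to an https scheme in this code.

```python
"""Added example (not AvePoint's code): form-based SSL and GET-method checks
over constructed sample HTML; the PII heuristic is an assumption."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Input types and name fragments that are likely to carry PII or PHI (assumed heuristic).
PII_TYPES = {"password", "email", "tel"}
PII_NAME_RE = re.compile(
    r"(email|phone|tel|ssn|social|card|ccnum|cvv|passw|birth|dob|address|zip|diagnos|patient)",
    re.I)


class FormCollector(HTMLParser):
    """Collects each <form> with its method, action and input fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # HTML defaults the method to GET when the attribute is omitted.
            self._cur = {"method": (a.get("method") or "get").lower(),
                         "action": a.get("action") or "", "inputs": []}
        elif tag in ("input", "textarea", "select") and self._cur is not None:
            self._cur["inputs"].append(
                {"name": a.get("name") or "", "type": (a.get("type") or "text").lower()})

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None


def collects_pii(form):
    return any(i["type"] in PII_TYPES or PII_NAME_RE.search(i["name"])
               for i in form["inputs"])


def check_ssl(page_url, html):
    """'not applicable' without PII forms; 'fail' if the page itself or any
    PII form's submission target is not https (mixed content counts as fail);
    otherwise 'pass'. Returns (result, list of insecure URLs)."""
    p = FormCollector()
    p.feed(html)
    pii_forms = [f for f in p.forms if collects_pii(f)]
    if not pii_forms:
        return "not applicable", []
    insecure = [urljoin(page_url, f["action"]) for f in pii_forms
                if urlparse(urljoin(page_url, f["action"])).scheme != "https"]
    if urlparse(page_url).scheme != "https":
        insecure.append(page_url)
    return ("fail" if insecure else "pass"), insecure


def check_get_method(page_url, html):
    """'not applicable' without forms; 'human review' if a PII-collecting form
    submits via GET, since its fields would land in the URL and thus in server
    logs; otherwise 'pass'. Returns (result, list of offending actions)."""
    p = FormCollector()
    p.feed(html)
    if not p.forms:
        return "not applicable", []
    leaky = [f["action"] for f in p.forms if f["method"] == "get" and collects_pii(f)]
    return ("human review" if leaky else "pass"), leaky


# Constructed sample page: a POST login form, a GET search box (harmless),
# and a sign-up form that GETs PII to a plain-http legacy host.
SAMPLE_HTML = """
<form method="post" action="/login">
  <input name="username"><input type="password" name="pw">
</form>
<form action="/search"><input name="q"></form>
<form method="get" action="http://legacy.example.com/signup">
  <input type="email" name="email"><input name="dob">
</form>
"""

if __name__ == "__main__":
    print(check_ssl("https://www.example.com/", SAMPLE_HTML))
    print(check_get_method("https://www.example.com/", SAMPLE_HTML))
```

Note that the search form never has a method attribute and therefore submits via GET, yet it is not flagged: its only field is a query string, which is exactly the kind of form GET is meant for. The sign-up form is flagged by both checks, once for posting to http from an https page and once for putting an e-mail address and date of birth in the URL.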
PII and PHI
Our seventh and eighth questions deal with exposure of PII and PHI. These additional checks alert a user to the need to review for information that has a probability of being PII or PHI.
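To show what "information that has a probability of being PII or PHI" can mean in practice, here is an added example (not Compliance Detector's code) that scans a page's visible text for credit card numbers, US Social Security numbers and e-mail addresses. The sample HTML is constructed; the patterns, the Luhn validation of candidate card numbers (to avoid flagging order numbers and similar digit runs), and the masking of what is reported are assumptions of this example.

```python
"""Added example (not AvePoint's code): scan visible page text for probable
PII/PHI; patterns and the Luhn filter are assumptions."""
import re
from html.parser import HTMLParser

CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
EMAIL_RE = re.compile(r"[^@\s<>]+@[^@\s<>]+\.[a-z]{2,}", re.I)


def luhn_ok(digits):
    """Luhn checksum: true for well-formed card numbers, false for random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TextExtractor(HTMLParser):
    """Keeps the text a visitor would see; script and style bodies are skipped."""
    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def find_exposed_pii(html):
    """Returns ('human review', findings) when probable PII/PHI is visible,
    else ('pass', []). Card and SSN values are masked in the findings so the
    report itself does not re-expose the data."""
    p = TextExtractor()
    p.feed(html)
    text = " ".join(p.parts)
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            findings.append(("credit card", masked))
    findings += [("ssn", "***-**-" + m.group()[-4:]) for m in SSN_RE.finditer(text)]
    findings += [("email", m.group()) for m in EMAIL_RE.finditer(text)]
    return ("human review" if findings else "pass"), findings


# Constructed sample page (the card number is the well-known Visa test value).
SAMPLE_HTML = """<html><body>
<p>Thanks Jane! Receipt for card 4111 1111 1111 1111 sent to jane.doe@example.com.</p>
<p>Order 1234567890123 shipped. Reference 4111 1111 1111 1112.</p>
<script>var tracking = "555-55-5555";</script>
<p>Patient SSN 123-45-6789</p>
</body></html>"""

if __name__ == "__main__":
    print(find_exposed_pii(SAMPLE_HTML))
```

The 13-digit order number and the Luhn-invalid reference number are ignored, the string inside the script block is never scanned because visitors do not see it, and the three genuine findings are reported masked.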
By using Compliance Detector, a person’s “Privacy IQ” can be moved up a notch, as relevant information and best practices accompany each element being tested. For any of the rules, testers can simply select the link that carries the check name, and in a flash they are brought to a page describing the element being tested.
Compliance Detector’s results allow a site owner to understand how to ask and answer questions about their site, and, more importantly, it helps educate them about common requirements in most jurisdictions. It is important to remember some basic privacy best practices when looking at Compliance Detector.
In closing, Compliance Detector is the first of its kind: a privacy education solution that is aimed at making the web a more secure and safe place for commerce. At its core, Compliance Detector aims to achieve this by educating on basic security and privacy constructs for websites. Combining Compliance Detector with other educational and outreach programs in your organization can go a long way toward achieving your privacy goals – including implementing privacy by design. For those that need a commercial product that can be specifically tuned to your website and specific privacy and security engineering methodologies you could use Compliance Guardian. Compliance Guardian powers Compliance Detector and is a product designed to ensure that information is available and accessible to the people who should have it and protected from the people who should not. If you would like material for any organizational events that you may be holding please feel free to contact us. We are happy to support your educational events related to privacy worldwide.