What do these organizations have in common? City Of Toronto Canada Post Municipal Property Assessment Corp Facing The Privacy Challenge Donald E Sheehy, CA*CISA What Underlying Message Conflicting messages and views exist Sun Microsystem s CEO Scott McNealy was once quoted: "There is no privacy on the Internet. Get over it. Alternatively Doing an AltaVista search on the string Internet Privacy Issues yields almost 2,000,000 hits Privacy is regarded as the number one issue affecting Internet based E-Commerce (E-Marketer) Significant number of articles appear daily on privacy and related issues (look at Yahoo News or Computerworld.com) We have new act appearing in Ontario and the US WE HAVE NOT GOT OVER IT! Some of The Recent Headlines A comprehensive data privacy bill to be introduced next year in the U.S. House will apply to online and off-line practices, affecting virtually every company that does business in the U.S International privacy policies are permeating planning at corporations struggling to comply with the European Union's privacy rules and an emerging set of strict Canadian data sharing requirements. Even Microsoft as Privacy Champion? dont look now but Microsoft is making a grab for the mantle of Internet privacy champion by pushing a standard few have embraced. The movecould backfire and further muddle the intractable debate about Internet privacy And some more personal Security experts discovered a flaw this week in the Web site operated by Verizon Wireless that potentially exposed the private customer information of those who used the Web site to view their personal cell phone bills. (Sept 16) Customer information exposed by Playboy.com hacker (November 21, 2001) Playboy.com has spent several days contacting customers and doing an online security audit after a hacker broke into the site's online store last weekend and got access to customer information and credit card numbers. What Ill be Covering What is meant by privacy Current global legislation and dealing with enterprise privacy risk that they cause Dealing with special privacy concerns for Internet How the CA can help What is Privacy? Right to be left alone (1890, Harvard Business Review) Freedom from intrusion or public attention The protection of the collection, storage, destruction and dissemination of personal information ( EU, Canada and US Safe Harbor) What does it consist of ? Personally Identifiable Information (factual or subjective) Name Address Salary Employee files, Credit records Medical records etc Sensitive Information (factual or subjective) Union/political affiliation Ethic origin Sexual Orientation Health Conditions Religious affiliation etc Enterprise- wide vs. Internet Privacy Enterprise-wide privacy includes all records, systems of an organization whether electronic or not. Internet privacy also known as online privacy, refers to the systems that encompass a web presence and records that hole data obtained via the presence Internet privacy is a subset of enterprise- wide privacy Legislation OECD Guidelines (1980) European Union (EU Directive 95/46EC, 1995, effective 1998) Canada (Personal Info Protect & Electronic Documents Act (PIPEDA), April 2000) Australia (Privacy Amendment (private sector) Act 2000) UK (Data Protection Act, 1998) US Privacy Legislation Safe Harbor (July 2000) Facilitate trade and commerce between the US and EU Voluntary and self-regulatory program Graham Leach Bliley (July 2001) Primary financial institutions (banks, insurance, securities and others with credit operations) Restricts disclosure of non-public info about customers to third parties Requires clear and conspicuous privacy policy posting, including sharing with third parties Childrens Online Privacy Protection Act (COPPA) April 2000 online collection of personal information from children under 13. spell out what a Web site operator must include in a privacy policy, when/how to seek verifiable consent from a parent and what responsibilities an operator has to protect children's privacy and safety online Health Insurance Portability and Accountability Act (HIPPA) Applies to health info created or maintained by health care providers who engage in certain electronic transactions, health plans and healthcare clearinghouses Quick Comparison PIPEDA Principles Challenges Accountability in charge Identifying purpose reason for collection Consent needed to collect Limiting Collection to that required for the specific purpose Limiting Use, disclosure and retention to a minimum Accuracy of info Safeguards to protect Openness about policy Individual Access to see/correct Challenging compliance Why Deal With Privacy Risk In many countries to ensure compliance with law and regulations In any event stay out of public eye Increase management awareness and sensitivity, force change Evidence due care and commitment Goals for assessment Id. the nature of PII associated with business process Document its collection,use, disclosure and destruction Provide mgt with tool to make informed decisions based on understanding of privacy risk Ensure accountability Create consistent format and structured process Reduce Revisions What the profession is doing enterprise level CICA and AICPA Projects in process Consultation between AICPA/CICA and governments ISACA publications A Guide to Cross-Border Privacy Impact Assessments, Thomas J. Carol PWC assessment tool on Ontario PC siteMove to assurance reporting on privacy compliance Firm methodologies for consulting and advising Specific Challenges for Internet (Online) Privacy What are the Concerns for Internet Privacy? What information can be discovered by visiting a site? What information is being collected, why, do they really need it? Is the site secure enough to stop people from accessing the information I give to a site in a transaction? Who really is watching what I do when I surf? What will happen to my information? Other On-line Concerns I am not sure of who I am doing business with I dont like the traceability I am afraid I will get scammed The Challenges Cookies Browsers Bugs Web Security Concern for Cookies What are they? What can they do? Why are they used? Good or bad? Cookie Recipe (user and site info) Name: What the programmer chooses for the cookie. Domain: The domain name from the server that created and sent the cookie. Path: Information about the path of the Web page a user was reading when the cookie was sent. This setting helps restrict other sites or areas within a site from accessing cookie data. Expiration date: When the cookie is set to expire, in the format date-month-year-time (24-hour time, GMT). Secure: If this value is set in the cookie, the information is encrypted during transmission between the server and the browser. Value: The specific data being stored for future recognition and action by the Web server; no white space, semicolons or commas can be included, and a 4K-byte limit is desirable. Cookies - uses Identify return visitors Maintain shopping basket information Maintain user information Types Static (session) Persistent ( staying on the user's hard disk for months or even for years) Cookies good or bad? Cannot obtain information NOT provided by the user Cannot be used between sites... usually Can reveal information provided to the site to other vendors (e.g.; DoubleClick) Can provide functionality and ease of site use Can possibly transmit viruses Some final thoughts on cookies 64 federal agency Web sites use software to track the habits of users despite rules banning the practice, according to preliminary findings in a report to Congress on Internet privacy that was released last week (Office of Inspector General). The European Parliament on Tuesday [Nov 13] voted to adopt an amend. to the draft directive on electronic data collection and privacy to restrict the use of cookies. If the vote is ratified, Web sites will have to explicitly ask users if they want to accept cookies--a move that the advertising industry says could be damaging to business. Microsoft cooks cookies? Microsoft issues patch for hole in Internet Explorer (November 15, 2001) Versions 5.5 and 6 that can expose cookie data to malicious hackers. Microsoft P3P ( in new browser version)- creating problem with cookies 97/100 esp P&G site The browser a real privacy hole Internet users are remote node on the network Reveals Operating system Program(s) running Path to/within the site IP address Creating a More Secure Browsing Session in IE Turn off script language ( Java, Active X) Eliminate history information. To prevent Explorer from replacing the History.html folder, put a locked or read only file in that folder Delete cookies and preferences re cookies. Select Edit/Preferences/Receiving Files/Cookies Select Internet Preferences file selected, choose File/Get Info then check the Locked box Secure the cache ( delete cache.waf file.. Can be done by making alias into a wipefile program Web bugs and your privacy. Web bugs - defined A web bug is a graphic on a web page or in anmessage that is designed to monitor who is reading the web page ormessage The word "bug" is being used to denote a small, eavesdropping device Programming example How common are they? Common on free pages created through Geocities and AOL Estimated 18% of all personal pages, Estimated 16% for home pages of major companies Who was the biggest user last March? What do they do? Usually used to count visitors Gather statistical information about web sites without collecting personal information General profiling for banner adds etc. Why a Problem By sharing info among bugs across different sites, they can be used to track peoples movements If visitor has given personal info at one linked site, then info can be linked through the bugs to other sites What can be done? Not too much... 1x1 pixel Hard to distinguish for normal GIF files Free detection softwareCurrently works with Internet Explorer 5.0 or greater for Windows. Can privacy exist without security? NO! Can security exist without privacy? YES! A Question of Security The web security problem Securing the web server and its data Securing information while in transit Securing the users computer What are the risks? Denial of service Theft Proprietary information or data Hardware and software Private customer information Confidential business information Methods of attack Trojan horse Poor CGI script Java and activeX (often used to leak info) Spoofing Lax password control Virus threats The forgotten areas Physical restriction Data backup What can be done? Policy management and change Three Ds of protection SysTrust SM WebTrust SM Trust Services Three Ds of security policy And... eep t imple tupid What CAs are doing WebTrust System defined by criteria Report issued to management posted on website Six Principles Security Privacy Availability Transaction Integrity Confidentiality Customized Assertions Certification Authorities Independent Verification Independent verification can allay the majority of these fears as does financial statement audit Public accounting is quality controlled the world over Also serves as valuable eCommerce consulting tool in understanding best practices Follows standardized process from Web site to Web site giving comfort to oversight authorities Trust Services & Independent Verification Affords a broad scope of assurance to consumers, business owners and oversight authorities. Audit Level Testing of the following areas: Effective Fraud Deterrent Business Practices Privacy Security Transaction Fulfillment Testing Consumer Recourse Provision Strong International Presence & Growing! The Trust Services Advantage Independent verification CAs are the acknowledged providers of assurance and trust International network for building trust Flexible solution to meet needs of consumers, merchants, ISPs, and business- to-business markets Evidence of increase in sales for merchants A Global Range Independent verification services such as WebTrust & SysTrust are offered in: 3Germany 3United Kingdom & Ireland 3United States 3Canada 3France 3Australia & New Zealand 3Denmark, Sweden 3Netherlands, Belgium, Spain, Hong Kong 3Israel In Conclusion Cant relax on a corporate level you need to gear up for all the privacy legislation facing you Look for controls, policies and procedures services that will help your enterprise and its web presence meet the privacy challenge head-on Look for help from your qualified CA and legal You cant relax on a personal level No Relaxing! X