Writing Secure Code, Second Edition

Protecting Customer Privacy

Privacy is not an issue that can be ignored. Hardly a day goes by without the media reporting a pending privacy disaster, and many countries are enacting privacy legislation. In fact, to many users, security and privacy are synonymous.

Privacy issues revolve around the collection and use of personal data. This concept is in keeping with the privacy regulations of the European Union (EU) as well as the Fair Information Practice Principles (FIPP) of the Federal Trade Commission. You can read about FIPP at www.ftc.gov/reports/privacy3/fairinfo.htm.

Other examples of guidelines and legislation in the United States include the Gramm-Leach-Bliley Act of 1999 (www.senate.gov/~banking/conf) for financial data, and the Health Insurance Portability and Accountability Act (HIPAA) (www.hipaadvisory.com) for health care data.

Customers and the media often broaden their definition of privacy to include e-mail spamming, secure private communications, and surfing the Web anonymously. However, privacy issues currently relate mainly to data collection, storage of data, and sharing data with third parties.

Remember: failure to maintain appropriate privacy standards might lead to legal recourse.

Types of Collected User Data

Collected data generally falls into one of five categories and might require the user's consent before you can collect it:

Collecting User Data

If your application collects user data, you should consider the following simple practices to ensure your user's privacy. These guidelines are derived in part from the Microsoft Statement of Privacy principles of notice, consent, access, security, and enforceability located at www.microsoft.com/info/privacy.htm.

Create a Formal Online Privacy Statement

Every product and service that collects customer information must maintain a formal privacy statement that completely and clearly specifies all the uses for collected information. It must also explain any secondary uses of the information (uses not related to the specific use for which the information was collected) as well as any transfers of the data to third parties.

Make sure the link to the privacy statement is clear and conspicuous. For Web sites, this means that there should be a clear link from the home page as well as from any page on which customer information is collected. For products, this means that the statement must be accessible from any feature in which customer information is collected (such as a product registration screen) as well as from the product Help files.

Inform Before Collecting Information

Notify customers with a simple, friendly, and complete explanation of the product's or service's purpose for and use of collected information. Use plain language and clear statements, avoid fine print, and use bulleted points so that the user will want to read the notice. Also inform the customer of any disclosures of his information to third parties for marketing purposes or other secondary uses.

Request the User's Consent

Immediately obtain explicit consent from the user through an appropriate opt-out or opt-in mechanism to collect the data. Also obtain permission for any secondary uses of the data. For example, if the customer provides an e-mail address so that she can receive a confirmation of her purchase, obtain consent to use her e-mail address for future marketing. If she does not consent, do not use the information for the purposes in question.

Do Not Collect Unnecessary Information

Collect only the information required to enable the product or service, and be prepared to defend the need to collect the data. Examples of unnecessary information include social security numbers and religious affiliation. If such information is collected after obtaining consent to do so, do not reuse that information for any purpose that is not spelled out in the privacy statement.

Offer Easy Access to Collected Personal Data

The user must have easy access to the personal information you collect about him and must be able, at a minimum, to correct inaccurate data.

Protect Private Data

Protecting clients' data is crucial. You should perform threat analysis of the user's data to determine how best to protect the data. Note that the major threat is information disclosure, and the secondary threat is tampering with data. The prime form of data protection is encryption. For ephemeral data as it travels across a network, use technologies such as SSL/TLS and RPC/DCOM encryption. For persistent data, use EFS or custom code by using CryptoAPI or the System.Security.Cryptography namespace in the .NET Framework.
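As an added example (not code from the book), the following C# uses the System.Security.Cryptography namespace to protect a persistent customer record against both threats named above: AES-GCM encryption addresses disclosure, and its authentication tag, bound through associated data to an assumed record identifier, detects tampering or a blob swapped between two customers' records. It assumes .NET 8 or later for the AesGcm constructor that takes a tag size; the record ID and e-mail address are constructed sample values.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not the book's code. Stored layout: nonce || ciphertext || tag.
public static class PrivateDataProtector
{
    const int NonceSize = 12;  // 96-bit nonce, the size recommended for GCM
    const int TagSize = 16;    // 128-bit authentication tag

    // Encrypts one field of a customer record. The record ID is passed as
    // associated data so the blob only verifies against that same record.
    public static byte[] Protect(byte[] key, string recordId, string plaintext)
    {
        byte[] nonce = new byte[NonceSize];
        RandomNumberGenerator.Fill(nonce);           // fresh nonce for every encryption
        byte[] pt = Encoding.UTF8.GetBytes(plaintext);
        byte[] ct = new byte[pt.Length];
        byte[] tag = new byte[TagSize];
        using (var aes = new AesGcm(key, TagSize))
            aes.Encrypt(nonce, pt, ct, tag, Encoding.UTF8.GetBytes(recordId));
        byte[] blob = new byte[NonceSize + ct.Length + TagSize];
        Buffer.BlockCopy(nonce, 0, blob, 0, NonceSize);
        Buffer.BlockCopy(ct, 0, blob, NonceSize, ct.Length);
        Buffer.BlockCopy(tag, 0, blob, NonceSize + ct.Length, TagSize);
        return blob;
    }

    // Throws a CryptographicException if the blob was altered or belongs to another record.
    public static string Unprotect(byte[] key, string recordId, byte[] blob)
    {
        int ctLen = blob.Length - NonceSize - TagSize;
        if (ctLen < 0) throw new CryptographicException("blob too short");
        byte[] nonce = new byte[NonceSize], ct = new byte[ctLen], tag = new byte[TagSize];
        Buffer.BlockCopy(blob, 0, nonce, 0, NonceSize);
        Buffer.BlockCopy(blob, NonceSize, ct, 0, ctLen);
        Buffer.BlockCopy(blob, NonceSize + ctLen, tag, 0, TagSize);
        byte[] pt = new byte[ctLen];
        using (var aes = new AesGcm(key, TagSize))
            aes.Decrypt(nonce, ct, tag, pt, Encoding.UTF8.GetBytes(recordId));
        return Encoding.UTF8.GetString(pt);
    }

    public static void Main()
    {
        byte[] key = new byte[32];                   // 256-bit key; keep it out of the data
        RandomNumberGenerator.Fill(key);             // store (EFS, DPAPI, or an HSM), never beside the records
        byte[] stored = Protect(key, "customer-42", "alice@example.com");   // constructed sample
        Console.WriteLine(Unprotect(key, "customer-42", stored));           // alice@example.com
        try { Unprotect(key, "customer-43", stored); }                      // blob moved to another record
        catch (CryptographicException) { Console.WriteLine("tampering or record mismatch detected"); }
    }
}
```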

Children Are Special

Be especially careful collecting personal information from children. Children under 13 years old have legal protections in the United States, and those between 13 and 18 should also be handled with special care.

Err on the Side of Caution

Privacy is about earning customer trust, not just about meeting legal requirements. Be conservative and, if in doubt, offer customers a choice before collecting or using their information.
