Threat 2 cover
19/12/08
09:18
Page 1
Threat 2.0
Threat 2.0 Security and compliance for Web 2.0 sites
Threat 2.0 Se...
18 downloads
704 Views
1MB Size
Report
This content was uploaded by our users and we assume good faith they have the permission to share this book. If you own the copyright to this book and it is wrongfully on our website, we offer a simple DMCA procedure to remove your content from our site. Start by pressing the button below!
Report copyright / DMCA form
Threat 2 cover
19/12/08
09:18
Page 1
Threat 2.0
Threat 2.0 Security and compliance for Web 2.0 sites
Threat 2.0 Security and compliance for Web 2.0 sites
IT Governance Research Team
IT Governance Research Team
IT Governance Research Team
Threat 2.0 Security & compliance for Web 2.0 sites
Threat 2.0 Security and compliance for Web 2.0 sites
IT GOVERNANCE RESEARCH TEAM
Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publishers and the author cannot accept responsibility for any errors or omissions, however caused. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the author. Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form, or by any means, with the prior permission in writing of the publisher or, in the case of reprographic reproduction, in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publishers at the following address: IT Governance Publishing IT Governance Limited Unit 3, Clive Court Bartholomew’s Walk Cambridgeshire Business Park Ely Cambridgeshire CB7 4EH United Kingdom www.itgovernance.co.uk © IT Governance Research Team 2009 The authors have asserted the rights of the authors under the Copyright, Designs and Patents Act, 1988, to be identified as the authors of this work. First published in the United Kingdom in 2009 by IT Governance Publishing. ISBN 978-1-905356-85-0
FOREWORD
Web 2.0 – a widespread series of developments in the way websites are designed and accessed, and more widely known as ‘social networking sites’ – is a new and exciting way for websites to work. The extent to which Web 2.0 sites (such as Wikipedia, FaceBook, and YouTube) also rely on user-generated content adds to their immediacy, excitement and relevance. Web 2.0 sites do, however, come with their own set of risks – risks to users, to their confidential information, and to associated parties. It is not unusual, when technology is evolving so quickly, and is subject to such rapid take up, for such security risks to be bypassed – to the detriment of users. This book is probably the first book on this subject to be published; it has its origins in the detailed research which we did into Web 2.0 during Autumn 2008 and provides organisations with core guidance on how to ensure that their websites remain secure – and comply with the rapidly evolving regulatory requirements that cover personal data and computer security.
5
CONTENTS
Chapter 1: Web 2.0.............................................7 The benefits of Web 2.0 technologies...............8 Risks associated with Web 2.0 technologies...10 The exponential growth of Web-based personal data ................................................................13 Legislative lag.................................................15 Chapter 2: The threat landscape.....................18 Chapter 3: Making Web 2.0 sites secure.........23 Ajax security issues.........................................23 Secure Web development................................25 Protecting users and companies from user entered content................................................26 Internet good practice.....................................29 Filtering..........................................................33 Chapter 4: Ensuring Web 2.0 sites are compliant...........................................................35 Copyright and Intellectual property infringement....................................................37 PCI..................................................................39 Protection against breach of confidentiality and reputation damage...........................................41 Privacy............................................................44 Processing of personal data – data protection and data breach notification............................56 Chapter 5: Summary of recommendations.....65 Chapter 6: Conclusion......................................68 Appendix: Glossary..........................................70 ITG Resources...................................................83
6
CHAPTER 1: WEB 2.0
There is no doubt that Web 2.0 technologies bring many benefits. For example, the viral nature of Web 2.0 technologies such as social networking is an extremely powerful tool, which can be used to engage a large number of Web users very quickly for collaborative, knowledge sharing and networking purposes. However, the interactivity and openness of Web 2.0 technologies in themselves also create risks. Sophos have reported that there has been a phenomenal growth in web threats over the last year1. Malware is present not only on malicious websites, but there is also a growing number of trusted and reputable websites which are compromised. For example, in April 2008 the Cambridge University Press website was compromised2. Visitors to its online dictionary were subject to attempts to run an unauthorised hacker’s script on their computers. The risks from Web 2.0 technologies are compounded by the exponential growth in the volume of web-based personal data. In addition, the time lag between the fast moving pace of Web technology development and the speed at which legislation evolves means that complying with legislation can be complex and unclear.
1
Mid-Year Report: Malware, Spam and Web Threats in 2008, Mike Harris, Sophos (2008). 2 Security threat report update, Sophos (July 2008). 7
1: Web 2.0 The benefits of Web 2.0 technologies The business benefits of Web 2.0 technologies include: •
The central, online storage of documents enabling increased collaboration and group knowledge in real time and across geographic boundaries.
•
Improved and more interactive relationship with customers.
•
Increased vertical networking among colleagues in larger organisations.
•
Improved communication.
•
Improved partnership working.
•
Incentivised working conditions for the younger members of the workforce.
The following sections detail the ways in which Web 2.0 technologies can be used to provide benefits in specific business areas. Product innovation: increased efficiency and cost savings derived from the speed of sharing, combined with enabling a central location for sharing files and drawings. Collaboration tools also enable employees to be tapped for ideas which are then hosted and developed in a single virtual location. Sales, marketing and market research: the main benefit of these tools for sales and marketing and market research is in lead generation and brand awareness. Video, blogging, social networking, forums and videoconferencing all enable customers to be 8
1: Web 2.0 tapped for ideas, feedback, preferences and recommendations which can then in turn be used to advertise products and feed the marketing and sales process. For example, Amazon has a function on their website that suggests, based on one’s previous purchases, ‘other products which you might like to buy’. Production: Web 2.0 tools such as wikis and collaboration tools can be used to gain and generate input from a wide number of employees, which is available to view in a central place. HR processes: Web 2.0 technologies, particularly interactive videos, can also be used for employee training. Younger employees (under 30) are far more familiar with Web 2.0 technologies. For example, they may be more used to communicating using social networking sites rather than e-mail. There are many organisations who suggest that organisations must ‘adapt and embrace Web 2.0 technologies such as wikis and social networks’ to attract and retain younger employees3. An organisation’s use of up-to-date technologies increases an employee’s sense of pride in working for that organisation and may make them feel much more engaged. Finance: Web 2.0 technologies can be used to share management information reports so that they are available in a single, shared area, accessible through a browser, and capable of interrogation with interactive and graphical tools. 3
Web 2.0 technologies are seen as vital to attracting younger employees, Nextgov (23 October 2008). 9
1: Web 2.0 Procurement: Web 2.0 technologies can be used to improve the procurement or purchasing process for an organisation. They provide a low cost method for finding the best priced goods. . Traditionally, procurement officers for organisations generate separate quotes from preferred suppliers they have identified. Web 2.0 technologies enable the process to be centralised and potential suppliers to find and inform them about their products and services. Suppliers can upload information about their products, including photographs, videos and reviews from other customers. Education and training: Web 2.0 tools can be used in an interactive manner in education to enhance the learning experience. In addition, the same arguments that are being used for the introduction of Web 2.0 technologies for younger employees in companies are relevant to schools. Children as young as 7 or 8 are using Web 2.0 technologies such as instant messaging and interactive websites at home. Risks associated with Web 2.0 technologies There are, however, risks associated with Web 2.0 technologies which need to be managed. The technologies and trends which are helping to revolutionise the way in which we use the web, also create security risks. Trends such as usercreated content, synchronous communication, openness and transparency, online collaboration and the viral nature of Web 2.0 all create security risks.
10
1: Web 2.0 The following table summarises the security risks associated with the Web 2.0 trends:
Synchronous communication
User-created content
Web 2.0 trend
Web 2.0 technologies
Type of security risk
Blogs
User created content input to a website creates a website entry point for hackers and malware.
Wikis Social networking Collaboration tools Video sharing, photo sharing Instant messaging Live blogging, e.g. Twitter
11
Outbound data leaks and inbound malware. Technologies such as Twitter and Instant Messaging, unlike e-mail, do not have any automatic backup facility. The speed of the communication means that it is possible to download or export files without leaving any trace or record of having done so.
Online collaboration
Openness and transparency
1: Web 2.0 Mashups Technologies that enable music, video and photo sharing. Social networking Open source software
Copyright and Intellectual property. Opponents of open source software have expressed concerns about the methodology, project documentation, the rigour of the testing method, risk assessment, project management, security, quality, implementation and maintenance in respect of Open Source4. Many collaborative tools provide file sharing capabilities, a vector through which confidential information could be exported or malware imported.
Table 1: Types of security risk associated with Web 2.0 trends and technologies
4 Achieving Quality in Open Source Software, Mark Aberdour, IEEE Software (2007). 12
1: Web 2.0 The uploading and downloading of files, particularly media files such as video and music, also creates high bandwidth requirements, which can slow down an organisation’s network. The exponential growth of Web-based personal data The sheer volume of data stored in organisations today also creates additional compliance difficulties. The amount of personal data which is stored and aggregated electronically is greater now than ever before. Examples include: 1
2
3
4
Companies increasingly use personal information to better target products and services and to try and establish a relationship with customers through learning key pieces of personal information. For example, Amazon uses information about previous purchasing, and previous Web activity in order to target products that the customer might be interested in purchasing in the future. The public sector increasingly holds personal data electronically. Examples include driving licence information, tax, national insurance, child benefit and electoral roll. The data held often includes bank account numbers and personally identifiable information. Credit companies such as Experian hold records of financial transactions and credit card ownership to provide comments on customer creditworthiness. Transport operators will use information from travel tickets purchased online to develop a picture of an individual’s travel patterns. 13
1: Web 2.0 5
6
Search engines such as Google store volumes of personal data which is cached in Google’s memory and therefore available in searches. Governments use personal data for crime detection and surveillance purposes. For example, government agencies may mine personal data such as phone, medical, travel records or websites visited5. The National Research Council say: Each time a person makes a telephone call, uses a credit card, pays taxes, or takes a trip, he or she leaves digital tracks, records that often end up in massive corporate or government databases ... Agencies use sophisticated techniques to mine some of these databases – searching for information on particular suspects, and looking for unusual patterns of activity that may indicate a terrorist network ... Although some laws limit what types of data the government may collect, there are few legal limits on how agencies can use already-collected data, including those gathered by private companies8.
5
All Counterterrorism Programs That Collect and Mine Data Should Be Evaluated for Effectiveness, Privacy Impacts; Congress Should Consider New Privacy Safeguards, The National Academies (7 October 2008). http://www8.nationalacademies.org/onpinews/newsitem. aspx?RecordID=10072008A 14
1: Web 2.0 Legislative lag The rate at which IT technology, and in particular Web technology, has changed, has meant that the corresponding legislation has been unable to keep pace. There are no binding international treaties or law around information security, which means that complying with local legislation around matters that have both a local and international aspect, such as data protection, privacy and electronic communications, can be complex. In the US, much of the data protection and privacy legislation is still at a state level, rather than a federal level, which means that multi-state compliance can be complex and difficult. The European Data Protection Directive, 95/46/EC, is now 13 years old and was written at a time when information requirements were different from those today. It was established in a context where data sharing and reuse were considered threats rather than realities, and where the fear of all-encompassing electronic databases was very dominant. The Rand Corporation express this as follows: While the Directive should not necessarily be considered backdated, it is important to realise that it was written in a very specific societal context, and that it is the result of extensive negotiations between countries with differing legal traditions. The outcome is a compromise text, containing a mixture of provisions and obligations which were almost invariably considered essential in some countries, but barely acceptable in others… 15
1: Web 2.0 The protection of privacy is coming under strain due to the increasing availability and ability to process large quantities of data; the growing use of and demand for personal information, by the public and private sectors; how this personal information is used and its accountability and finally the way that this pressure is managed – or how people are reacting to this pressure. Finally technology presents opportunities to use and abuse personal information in many ways 6. However, the EU Data Protection Directive established the legal definition of personal data, the definition of data subjects and their rights and the definition of sensitive personal data. There has been some legal action by the governments of Canada, the US, Australia and the UK, much of which is driven by concerns for children’s safety, rather than the protection of personal data and corporate information. There has been a significant dearth of legal cases involving data protection legislation and websites employing Web 2.0 technologies. There have not been any reported cases in the UK of prosecutions by the UK Information Commissioner’s Office (ICO) involving social networking sites. Privacy is legally a difficult concept to define; the legislation is historically based on human rights legislation.
6
Review of EU Data Protection Directive, Inception Report, Robinson et al, RAND corporation (2008). http:// www.rand.org/pubs/working_papers/WR607/ 16
1: Web 2.0 It is entirely possible that many of the companies providing Web 2.0 services may breach current privacy and data protection legislation.
17
CHAPTER 2: THE THREAT LANDSCAPE
Nick Sears, the EMEA Vice-President for FaceTime, says that the Internet ‘threat landscape’ is very different from and more complex than that of ten years ago in 1998.7 Ninety per cent of Web traffic in 1998 came from e-mail, http and ftp. In 2008, Internet traffic is additionally made up of social networking, blogs, Voice over Internet Protocol (VoIP) traffic, videostreaming, webconferencing and Instant Messaging (IM). This means that both the outbound threats of data and information leakage and inbound security threats of malware, security vulnerabilities and phishing are different. Many of the collaborative tools also provide file-sharing capabilities, a vector through which confidential information could be exported or malware imported. The nature of hacking attacks is increasingly moving from exploiting vulnerabilities to focusing on the application code itself8. Websites which accept input from users provide openings for attacks such as SQL injections and cross-site scripting. SQL injection attacks: A Structured Query Language (SQL) injection attack is a type of exploit whereby hackers are able to execute SQL 7
Securely tapping into the business benefits of Web 2.0 technology, Infosecurity webinar (11 June 2008). Strategies to protect your web applications and your organisaiton, John Pescatore, Gartner, IT Briefing centre webcast. 18
8
2: The threat landscape statements via an Internet browser 9. Hackers are able to execute SQL statements via the input to a Web application. SQL is a programming language used for getting information from and updating data in a relational database. It is based on mathematical set theory. An example of an SQL injection attack would be where, instead of entering personal details on a sales website, say, where a postcode or zip code should be, a hacker may enter SQL commands which then return information. SQL injections can result in data being corrupted, or enable attackers to retrieve data such as credit card numbers. They can prove to be extremely costly for organisations. It therefore makes sense to prevent SQL injection attacks from occurring. A well written application will not allow SQL commands to be accepted as user input. There is a need to develop Web applications10 which are more secure, and to keep them secure. Cross–site scripting: (XSS11) attacks involve the injection of code such as JavaScript or VBScript onto a web page which is returned from a server to a user’s browser. If this code is then executed by the user, they are exposed to a variety of threats, including cookie theft, keystroke logging, screen scraping and denial of service. 9
SQL Injection, Smoothwall. http://www.smoothwall.net/support/glossary.php#S 10 See: Application Security in the ISO27001 Environment), Vinod Vasudevan et al, IT Governance Publishing (2008). 11 Web 2.0 Security for Dummies, Clearswift (2007). 19
2: The threat landscape For example, it was an XSS attack that compromised the Cambridge University Press website12. Cookie Theft: A cookie is a small data file13 that a website stores on a surfer’s computer and which contains information about the user (e.g. user preferences) that is relevant to the user’s experience of the website. Cookie theft occurs when an attacker uses an injection of code to obtain data held in cookies without the user’s knowledge. For example, the attacker can add code to the browser to display a comment ‘Click here!’. When the user clicks on the link, their cookies are downloaded to the attacker’s server. Keystroke logging: occurs when hackers record key depressions on a computer keyboard using special software14. This software can either be installed on the computer (in which case it could be detected by AntiSpyware software) or it can run inside a secret device attached to the computer, in which case AntiSpyware software will not detect it. Keystroke logging can lead to the theft of user identification and authentication data. Screen scraping: As the name suggests, screen scraping is a technique in which a computer program extracts data from the display output of 12
The word of the day is drive-by, Sophos (11 April 2008). http://www.sophos.com/security/blog/2008/04/1292.html 13 A Dictionary of Information Security Terms, Abbreviations and Acronyms, Alan Calder and Steve Watkins, IT Governance Publishing (2007). 20
2: The threat landscape another program. Within the context of IT security screen scraping can reveal further authentication information selected by the user from dropdown lists, etc14. Denial of service: A denial of service (DOS) attack is designed to put an organisation out of business, or to interrupt the activities of an individual or group of individuals, for a time by freezing its systems15. This is usually done by flooding a web server (or other device) with e-mail messages or other data so that it is overwhelmed and unable to provide a normal service to authorised users. Blended attacks can be designed to specifically target Web 2.0 technologies. These attacks include mass-mailing virus-delivery mechanisms which are used to insert Trojans into target systems. Hackers can use these Trojans to bypass firewalls and other defences. For example, in December 2006, the JS.Qspace worm was discovered by Symantec on MySpace16. This worm injects code which directs the user to a phishing page. The phishing page attempts to steal MySpace credentials by asking users for e-mail addresses and passwords. Another example of a blended attack is the Monster.com resume thefts of August 2007:17 14
Screen Scraping, Wikipedia, http://en.wikipedia.org/wiki/Screen_scraping 15 A Dictionary of Information Security Terms, Abbreviations and Acronyms, Alan Calder and Steve Watkins, IT Governance Publishing (2007). 16 www.symantec.com/security_response/writeup.jsp? docid=2006-120313-2523-99&tabid=2. 21
2: The threat landscape Hackers used malware (Infostealer.Monstres) to gain unauthorised access to the Monster.com resume database and to steal job seekers’ contact information. Compromised data included the name, address, telephone number, and e-mail address of people who registered with the job seeking service. Neither Social Security numbers nor credit card records are thought to have been exposed. However, the compromised data has been used to craft targeted phishing attacks that sought to trick users into downloading malicious software. Typically, this sort of software is designed to intercept and pass on the details of financial transactions.
17
Internet Risk Management in the Web 2.0 World, Forrester Computing (2007). 22
CHAPTER 3: MAKING WEB 2.0 SITES SECURE
Organisations need to understand and respond to the security issues which Web 2.0 technologies bring. Hacking attacks can, for instance, be prevented by ensuring that Web 2.0 code is developed securely. Gartner say18 that organisations need to look at application development processes and ensure that security forms part of the Web application development process at the requirements gathering stage. Ajax security issues Ajax (Asynchronous JavaScript and Extensible Markup Language or XML) is a set of technologies which enable greater processing to be carried out on the client computer, rather than on the server. In the traditional Web application, the user clicked and then waited some number of seconds for the server to respond and refresh the page. In contrast, Ajax-enabled web pages are far more reactive, giving the user the appearance that pages are updating instantly. This is illustrated by the application ‘Google Maps’, where the page and map are refreshed instantly as the cursor is moved. Ajax is not a new technology, but rather a combination of existing technologies being used in a new way.
18
Strategies to protect your web applications and your organisation, John Pescatore, Gartner, IT Briefing centre webcast. 23
3: Making Web 2.0 sites secure Ajax creates security vulnerabilities by creating an increased number of Ajax endpoints, Ajax bridges and Ajax frameworks. In contrast to typical Web 1.0 applications, Ajax applications send a greater number of smaller requests to the server which, in turn, create many more points of input. The inputs are also referred to as Ajax endpoints. The greater number of endpoints provides greater opportunities for traffic to be attacked.
Figure 1: Figure depicting the trend in the increased number of calls to the web server from Web 1.0 to Web 2.0 Ajax bridges also create a security risk. Ajax bridges enable connections between Ajax and third party websites. An attack can occur through malicious requests from one site to another through an Ajax bridge. In addition, the traffic from one site to another may not be checked because it is thought to be trusted. Furthermore, Ajax frameworks such as prototype conio.net or script.aculo.us, which can simplify development of Ajax applications, ‘do not address security issues in a rigorous manner’ according to Clearswift. 24
3: Making Web 2.0 sites secure Secure Web development More technical and specific recommendations for preventing SQL injection attacks can be found on the Sophos and Microsoft web pages. Microsoft suggest the following19: •
Use SQL Parameterised Queries
•
Use Stored Procedures
•
Use SQL Execute-only Permission.
Recommendations for preventing XSS attacks can also be found on www.SearchSecurity.com. SearchSecurity.com also provides a general guide for protection against Web application and hacking attacks, including safe coding guidance. Google have also announced that they intend to introduce warnings for potentially hackable sites20. The aim of this is to alert website administrators 21 about vulnerabilities due to the outdated version of their Web applications, starting with Wordpress 22. Google have also provided a ‘Safe Browsing Diagnostic’ page. Dancho Danchev from ZDNet 19
Giving SQL Injection the Respect it Deserves, Microsoft (2008). http://blogs.msdn.com/sdl/archive/2008/05/15/givingsql-injection-the-respect-it-deserves.aspx 20 Message Center warnings for hackable sites, Google (16 October 2008). http://googlewebmastercentral.blogspot.com/2008/10/me ssage-center-warnings-for-hackable.html 21 Throughout this report the term website administrator has been used to refer to the administrator or operator responsible for the administration of the website. 22 Google to introduce warnings for potentially hackable sites, ZDnet (22 October 2008). http://blogs.zdnet.com/security/?p=2055&tag=nl.e589 25
3: Making Web 2.0 sites secure has reported that this can provide key benefits for administrators of websites23. Protecting users and companies from user entered content Users need to be protected from posting content to websites that is defamatory, libellous, offensive or threatening, that breaches confidentiality or that causes reputation damage. Website administrators need to consider not only protecting themselves from legal infringements, but also protecting users of websites from themselves. This means not just making a privacy policy available in the small text and thereby hoping to absolve the company of responsibility, but by creating appropriate field validation and putting timely and easy to read warning notes up for users. Customers may post comments or photographs to a website which for legal reasons might later have to be removed; the following issues should therefore be considered as part of the overall compliance profile of the website: •
23
There would need to be the facility to search for every single illegal contribution that a user had made on the website. It is a fairly common feature of Wiki software, for instance, to track comments made by a user, and as such it should be perfectly possible to delete all content from an individual user.
Google introducing Safe Browsing diagnostic to help owners of compromised sites, ZDnet (22 May 2008). http://blogs.zdnet.com/security/?p=1170 26
3: Making Web 2.0 sites secure •
Websites must make it clear that they are not responsible for content (which includes any payload carried by that content) downloaded from the website to other websites. Website administrators need to make it clear that they do not accept comments which are libellous or defamatory, and ensure that users take responsibility for content that they post to a website. A good example is provided by the ‘comments policy’ posted on the ‘Economist’ website.
Figure 2: Example comments policy from the Economist website Kev Brace from JISC legal reports24 suggests that website administrators should provide guides and protocols which ensure fairness for all users. JISC legal information service also suggests that user profiles can be set up 24
Legally web 2.0, Kev Brace (21 October 2008) http://kev-brace.blogspot.com/2008/10/legallyweb20.html 27
3: Making Web 2.0 sites secure to use the user’s name or an alias25. The advantage of using an alias is that this protects the actual name of the user26 from exposure and compromise. •
Websites need to have clear statements that they are unable to guarantee the deletion of anything posted to their website which for any reason a user later wants deleted.
The BSI PAS 78 Web Accessibility Standards have been developed by the former UK Disability Rights Commission (DRC) in collaboration with the UK British Standards Institute (BSI). This publicly available specification (PAS) outlines good practice in commissioning websites that are accessible to and usable by disabled people27. It is applicable to all public and private organisations that wish to observe good practice under the existing voluntary guidelines and the relevant legislation on this subject. It is intended for use by those responsible for commissioning public-facing websites and web-based services. It is relevant to all Web 2.0 sites, as these are designed with user participation in mind.
25
Web 2.0 Services, JISC Legal – Data Protection (2008). http://www.jisclegal.ac.uk/publications/DPACodeofPract ice.htm#_Toc197501973 26 Web 2.0 Services, JISC Legal – Data Protection. http:// www.jisclegal.ac.uk/publications/DPACodeofPractice.ht m#_Toc197501973 27 PAS 78@ 2006, Guide to good practice in commissioning, British Standards Institute (2006). http:// www.bsi-global.com/en/Shop/Publication-Detail/? pid=000000000030129227 28
3: Making Web 2.0 sites secure The areas that PAS78 covers include: •
how disabled people use websites
•
defining the accessibility policy for the website
•
Web technologies
•
accessibility testing and maintenance
•
contracting Web design and accessibility auditing services.
It provides recommendations for: •
the management of the process of, and guidance on, upholding existing W3C guidelines and specifications
•
involving disabled people in the development process and using the current software-based compliance testing tools that can assist with this.
Internet good practice In addition to the recommendations provided above, the UK has launched Internet good practice guidelines. Whilst these are not enforceable in law, they nevertheless provide recommendations for good practice. These recommendations have been endorsed by industrial sponsors which include AOL, Microsoft, O2, the BBC, MySpace, T Mobile, Vodafone, Google, Yahoo and Orange. The UK launched the Good Practice Guidance for Providers of Social Networking and Other User Interactive Services in the House of Lords in April
29
3: Making Web 2.0 sites secure 28
2008 . The following sections describe the recommendations given. General principles: Make safety information available during the registration process, prominent on the homepage and in appropriate places within the service (e.g. in a welcome email/ message). Include instructions for tools which can help protect the user to maintain their privacy and prevent unwanted contact or communication, such as: •
‘Ignore’ functions;
•
removing people from their ‘friends’ or contact list; and
•
how to review and remove unwanted comments on their site.
Editorial responsibility: Ensure that advertising displayed on social networking services within the European Union is compliant with the Unfair Commercial Practices Directive. (www.berr.gov.uk/consumers/buyingselling/ucp/in dex.html) Registration: Provide clear information about how details collected in registration will be used, including what information will appear on their profile, what will be public, and what will be private. Users should then be given the
28 Good practice guidance for the providers of social networking and other user interactive services 2008. http://police.homeoffice.gov.uk/publications/operationalpolicing/social-networking-guidance 30
3: Making Web 2.0 sites secure opportunity to hide, limit availability to, or edit this information. Carefully consider the implications of automatically mapping across personal information disclosed during registration to the user’s profile. In this instance users should be informed of this process to afford them the opportunity to hide, limit availability to, or edit their personal information. Capture an IP address or MSISDN or unique identifier (for mobile devices) with a date and time stamp at registration, regularly refreshed with repeated use of the service, including at each login, with a date and time stamp. This measure can improve the traceability of both registered and unregistered users (e.g. those leaving comments in a user’s guest book). Set the default for full profiles to ‘private’ or to the user’s approved contact list for those registering under the age of 18. A setting to private should ensure that the full profile cannot be viewed or the user contacted except by ‘friends’ on their contact list unless they actively choose to change their settings to public or equivalent. Prompt the user and require their consent before integrating or ‘scraping’ one or more existing address books, contact lists or ‘friends’ list (e.g. email or IM). This should remain under user control, as a user may not necessarily wish for ‘friends’ approved in one service to also be ‘friends’ in a social networking service.
31
3: Making Web 2.0 sites secure Consider reminding users to review their contact lists on a regular basis to ensure that their ‘profile’ is shared as they wish. User profile and controls: Inform users in a prominent place what information they submit to their profile will be made public and what will be private. Users should be supported to understand the implications of the profile settings. For example, inclusion of a symbol (such as a lock or a key) may enable users to quickly identify the status of their personal details. Inform users of the available options for how their profile or web page can be searched by others either on the site or through search engines. The option of a public profile on the site which is not searchable via search engines should be offered to all users. Provide warnings to users about uploading photos to their profile. Provide advice to users about the implications of posting certain information – both from a safety and responsible use perspective. For example, the implications of posting or using: •
personal data which may identify their home address, especially in open profiles;
•
images which contain location information, especially in open profiles;
•
images of other people without first obtaining their permission; and
•
inappropriate user names and images.
Inform users and make it as clear as possible what options users have to adjust privacy settings and to manage ‘who sees what’ and whom they interact 32
3: Making Web 2.0 sites secure with. For example, these settings could include features which allow users to select who can leave comments or post content on their pages. Consider making privacy settings available for all aspects of the service for such things as journals, blog entries, image galleries and guest books. Filtering Filtering controls enable all traffic to be scanned for malware and illegal or inappropriate use of the website. There are now filtering technologies available on a ‘Software as a service’ (Saas) basis. Web filters can be used to discover, remove and terminate threats from spyware, adware and malware. Web filtering can also be carried out according to ‘payload identification’. Payload, within the context of Web filtering, is the amount of damaging material contained within a packet of data. Identifying Web traffic and file payload provides the following benefits: •
Organisations can set policies on individual files that are or are not allowed to be received or sent by users, and to where.
•
Organisations can set policies on file transfers depending on the direction in which they are traveling. This is particularly important for office-type documents being sent to WebMail sites.
•
Security controls are not fooled by false data types. One of the means by which malware 33
3: Making Web 2.0 sites secure and spyware can be downloaded is by masquerading as a different file type, one which is recognised as safe. •
Content that breaches policy – such as that containing the word ‘confidential’, project names, credit card numbers, personally identifiable information, DRM tags, watermarks and so on – is easily identifiable.
Payload content analysis enables policies to be set on any traffic generated using files, blogs and IM between an individual browser and Web 2.0 applications. The type of malware that makes it past the Web filtering gateway may be of the zero-day variety. These need to be tracked using behavioural or heuristics-based detection. This type of detection is based on analysing data behaviour that is abnormal and probability analysis, rather than tracking known vulnerabilities.
34
CHAPTER 4: ENSURING WEB 2.0 SITES ARE COMPLIANT
In addition to protection against malware and hacking, organisations also need to ensure that the content of posts input to a website do not breach the following: •
Copyright and intellectual property laws
•
Confidentiality and reputation requirements
•
Privacy laws
•
Data protection laws.
The following sections list some of the most relevant legislation from around the world in this area. UK Copyright and intellectual property: Copyright, Designs and Patents Act (1988). Confidentiality and reputation: Data Protection Act (1998). Privacy: The Privacy and Electronic Communications Regulations (2003). Data protection: Data Protection Act (1998). US Copyright and intellectual property: Digital Millennium Copyright Act (1998). Confidentiality and reputation: Communications Decency Act (1996). 35
4: Ensuring Web 2.0 sites are compliant Privacy: Federal Trade Commission Children’s Online Privacy Protection Act (COPPA, 1998). The US Federal Electronic Communications Privacy Act (2000). Data protection: Individual US state level data breach law at a state level. Europe Copyright and intellectual property: EU Copyright Law is a mosaic of directives and court decisions29. Confidentiality and reputation: EU Data Protection Directive (95/46/EC). Privacy: The European Convention on Human Rights (1950). Data protection: EU Data Protection Directive (95/46/EC). Canada Copyright and intellectual property: Copyright Act (1985). Privacy and Data protection: Personal Information Protection and Electronic Documents Act (2000).
29
For more information, see http://en.wikipedia.org/wiki/ Copyright_law_of_the_European_Union 36
4: Ensuring Web 2.0 sites are compliant Copyright and Intellectual property infringement Intellectual property includes copyright, patents and trademarks. The Electronic Frontier Foundation (EFF) argues that ‘copyright is almost certainly the biggest liability risk these [Web 2.0] sites face’.30 They quote the example of a Web 2.0 site which protected itself from copyright infringement by using the Digital Millennium Copyright Act (DMCA) safe harbour. The DMCA is a federal law applicable in the US only. The law provides a mechanism whereby a publisher of content on the Web can be required to ‘take-down’ content appearing on their website31. The company in question, Veoh, provide a streaming video site that hosts videos uploaded by users. When a user downloaded copyrighted adult films onto the Veoh website, Veoh complied with the DCMA legislation and responded as follows: •
They responded to a compliant DMCA takedown notices on a same-day basis;
•
They notified users of its policies against copyright infringement;
30
Required Reading for “User-Generated Content” Sites: Io Group v. Veoh, Fred von Lohmann, EFF (28 August 2008). http://www.eff.org/deeplinks/2008/08/required-readinguser-generated-content-sites-io-g 31 Web Design and the DMCA: Giving and Getting Take Down Notices, Digital Web Magazine (5 November 2007). http://www.digitalweb.com/articles/dmca_and_take_down_notices/ 37
4: Ensuring Web 2.0 sites are compliant •
They registered a Copyright Agent with the Copyright Office;
•
They terminated users who were repeat infringers;
•
They blocked new registrations from the same e-mail addresses, and
•
They used hashes to stop the same infringing videos from being uploaded by other users.
Within the education sector, tools such as social software, blogs and wikis raise issues about the nature of creativity because content tends to created more through merging and adapting other content, rather than being truly original. There are ramifications about intellectual property rights, copyright and plagiarism. The recommendations given to websites which are used as educational resources are that students should be taught to properly acknowledge their sources. The British Broadcasting Corporation (BBC) is to provide guidelines governing the content staff are allowed to put on their profile pages on social networking sites in order to protect the corporation’s brand32. This includes restricting BBC journalists from using pictures from sites such as Facebook and MySpace in news stories without the permission of the copyright owner.
32 BBC restricts staff online networking, Mark Sweeney, The Guardian (12 March 2008). http://www.guardian.co.uk/media/2008/mar/12/facebook .digitalmedia 38
4: Ensuring Web 2.0 sites are compliant PCI The Payment Card Industry (PCI) Data Security Standard 1.2, section 6.6 guidelines, which took effect in October, 2008, provide recommendations for writing secure Web applications specifically in order to protect customers’ credit card information33. The PCI DSS is a set of requirements for enhancing payment card data security. It was developed by the major credit card companies as a guideline to enable organisations that process card payments to prevent credit card fraud, cracking and various other security vulnerabilities and threats. This is neither a regulatory requirement nor a legal requirement, but a private standard that is contractually enforced. It is unique in the data protection environment in that it is a privately developed international standard. The PCI DSS was originally developed by Visa International and MasterCard Worldwide, and endorsed by other payment providers including American Express, Diner’s Club, JCB and Discover Financial Services. It included the requirements of Visa’s Cardholder Information Security Program (CISP) and MasterCard’s Site Data Protection (SDP). It is designed to protect payment providers and merchants from identity theft and credit card security breaches. 33
More rogue than ever before, SC Magazine (31 October 2008). http://newsteam.scmagazineblogs.com/category/consume r-threats/ 39
4: Ensuring Web 2.0 sites are compliant The current, applicable version of the PCI DSS standard is version 1.2 and is controlled by the PCI Security Standards Council (SSC).34 The PCI DSS is not a law but rather a contractual obligation that is applied and enforced by means of fines or other restrictions by the payment providers. It must be met by all organisations that accept or store information from credit/debit cards issued by credit card companies. Compliance requirements are dependent on a merchant’s activity level. There are four levels, based on the annual number of credit/debit card transactions. In addition, while the PCI DSS is a common standard, each payment brand has its own compliance programme. The PCI DSS applies to any type of media on which card data may be held, and includes hard disk drives, floppy disks, magnetic tape and backup media, along with printed or handwritten credit or debit card receipts where the full card number is printed. While the PCI standard was not written to map specifically to ISO27001, CobiT or any other existing framework, it sits clearly within the ISO17799 (now ISO27002) framework. Organisations that have implemented an ISO27001 ISMS should also be able, with minor additional work, to demonstrate their conformance with the PCI standard. 34
Full details of the PCI DSS are available on www.itgovernance.co.uk/pci_dss.aspx 40
4: Ensuring Web 2.0 sites are compliant Protection against breach of confidentiality and reputation damage One of the risks of Web 2.0 technologies is that content will be posted which is defamatory, libellous or which breaches confidentiality. For example, Kev Brace describes how he posted an e-mail to a wiki which was available for public view35. Even though the wiki was hidden, it was still possible to spider this and for the e-mail to be displayed on the Google search. Fortunately the text was comparatively harmless but, nevertheless, as Kev Brace comments, the event still caused ‘acute embarrassment’. He also tells a story of a lecturer who used a wiki to relate stories of personal abuse which were supposed to be hidden but were, in fact, on public view. There are examples where employees have posted derogatory comments about competitors or other organisations on a blog36. Jonathan Naylor, writing on behalf of MessageLabs, says that 37: ... an employer will usually be liable for the wrongful acts committed by their employees in the course of their 35 Legally web 2.0, Kev Brace (21 October 2008) http://kev-brace.blogspot.com/2008/10/legallyweb20.html 36 Risks in a Web 2.0 World, Jason Short, Risk Management Magazine (2008). http://www.rmmagazine.com/MGTemplate.cfm? Section=RMMagazine&NavMenuID=128&template=/M agazine/DisplayMagazines.cfm&IssueID=328&AID=37 60&Volume=55&ShowArticle=1 37 Legal Risks: Employee Use of the Internet and Email, Jonathan Naylor, Messagelabs (July 2008). 41
4: Ensuring Web 2.0 sites are compliant employment; a principle that may also cover the acts of an employee that are incidental to their employment. There are strong policy reasons why courts generally wish to find an employer liable for the acts of any employee (the most obvious being that someone who has been injured by an employee may not be able to recover adequate financial compensation if their only claim is against an individual rather than an organisation) ... with a sufficient link to the employment (even if indirect) employers may be liable even for extreme acts committed by employees. Jason Short, from Risk Management magazine, says that 38: Publicly traded companies have another level of concern and must consider applicable regulations, especially given the recent SEC announcement that companies can now use corporate blogs for public disclosures. Under certain circumstances, companies will now be able to rely on their websites and blogs to meet the public disclosure requirements under Regulation FD (Fair Disclosure). Notably, the SEC outlines boundaries for sharing information as well as holding 38
“Risks in a Web 2.0 World”, Jason Short, Risk Management, Risks in a Web 2.0 World, Jason Short, Risk Management Magazine (2008). http://www.rmmagazine.com/MGTemplate.cfm? Section=RMMagazine&NavMenuID=128&template=/M agazine/DisplayMagazines.cfm&IssueID=328&AID=37 60&Volume=55&ShowArticle=1 42
4: Ensuring Web 2.0 sites are compliant companies and their employees liable for the information they post on blogs and discussion forums. Generally, a website administrator is not responsible for content posted to their website by a user which is defamatory or breaches confidentiality. In the US, the Communications Decency Act addresses liability for online defamation from posted content, and generally provides that the website administrator is not liable for defamatory content posted by others39. However, there are some examples from US case law where the company operating the website can be liable. An example of this is the recent case within the US of Roommates.com, where the Ninth Circuit federal court of appeals issued an opinion saying that Roommates.com didn’t qualify for immunity . 40
Within the UK, under the terms of the DPA, data subjects (someone about whom personal data is stored) have the right to have data held about them amended or deleted if the data is inaccurate. They are also entitled to take steps to prevent personal data being processed if the processing is likely to 39
Thomas Smedinghoff (2008), partner at Wildman Harrold, focussing on the legal issues regarding electronic transactions, information security, and digital signature authentication issues from both a transactional and public policy perspective. http://www.wildman.com/ smedinghoff/ 40 United States Court of appeals for the ninth circuit (3 April 2008). http://www.ca9.uscourts.gov/coa/newopinions.nsf/F7155 9D8162BA7EE8825741F00771BC1/$file/0456916.pdf? openelement 43
4: Ensuring Web 2.0 sites are compliant cause substantial damage or distress which is unjustified41. Another risk associated with website feedback and comments is that, potentially, this could open the door to negative comments. However, negative comments and feedback can be turned around and organisations are usually better off once they learn to deal with them. Organisations uses sites such as Twitter and Facebook to ‘listen in’ on what people are saying about their company or products. They can also use such feedback to respond very rapidly to negative feedback. One US presidential candidate in the 2008 elections created a website specifically to provide rapid rebuttal of allegations. Privacy Organisations have to retain their corporate information for specified time periods. They will have regulatory and contractual obligations to ensure the privacy of specific types of information, such as personal data and financially sensitive information. In the process of responding to legal action, they may have to be able to provide information to support their legal position. This is nothing new. However, the use of Web 2.0 technologies radically increases the complexity of the task. Information and data contained within Web 2.0 sites, particularly social networking sites, is likely to be subject to privacy legislation, but the whole 41
Data Protection Act: Your Rights and How to Enforce Them, ICO (2007). 44
4: Ensuring Web 2.0 sites are compliant area is extremely complex. Privacy is a difficult concept to define; it is also a concept about which it is difficult to identify an international legal consensus. In the UK, it is increasingly being defined by case law. For example, the ‘Durant vs. FSA’ case in 2004 in the UK redefined the meaning of ‘personal data’ and ‘privacy’. 42 Michael Durant wanted to access personal data held on him by the UK Financial Services Authority (FSA). He took his case to the Court of Appeal. In this case, the Court of Appeal defined ‘personal data’ as meaning: information that is biographical in nature, focuses on the individual and affects [a person’s] privacy, whether in his personal or family life, business or professional capacity. Concern about privacy settings, particularly with regard to social networking sites, is evidenced by the growth in these issues by the governments in the UK, the US and Australia. Interestingly, this appears to have originally been driven by concerns for children’s safety, rather than the protection of personal and corporate information. In the US, the attorneys general of 49 states and the District of Columbia challenged Facebook and reached an agreement to introduce safeguards to reduce the risks to children from use of the site43. In the UK, 42
Watchdog issues Data Protection Guidance after landmark case, Out-law.com (February 2004). http://www.out-law.com/page-4273 43 After long negotiations, Facebook agrees to safety plan with state Ags, Caroline McCarthy, CNET News (8 May 2008). http://news.cnet.com/8301-13577_3-9939058-36.html 45
4: Ensuring Web 2.0 sites are compliant the Prime Minister commissioned child psychologist Dr Tanya Byron to investigate the risks to children from exposure to potentially harmful or inappropriate material on the Internet44. The UK has also recently launched the Good Practice Guidance for Providers of Social Networking and Other User Interactive Services in the House of Lords45, with contributions from the Australian Communications and Media Authority (ACMA). Much privacy legislation has been based on human rights, and it’s worth reviewing the original declarations on this issue. On December 10, 1948 the General Assembly of the United Nations adopted and proclaimed the Universal Declaration of Human Rights. Article 12 states: No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks. The European Convention on Human Rights, Article 8, states:
44
Safer Children in a Digital World: the report of the Byron Review, Tanya Byron (March 2008). http://www.dfes.gov.uk/byronreview/ 45 Good practice guidance for the providers of social networking and other user interactive services (April 2008). http://police.homeoffice.gov.uk/publications/operationalpolicing/social-networking-guidance 46
4: Ensuring Web 2.0 sites are compliant Everyone has the right to respect for his private and family life, his home and his correspondence. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. Privacy International (PI) is a human rights group that acts as a watchdog on surveillance and privacy invasions by governments and corporations. PI have carried out an investigation into the privacy practices of key Internet based companies including AOL, Apple, Facebook, Yahoo and Google46. Search, e-mail, e-commerce and social networking sites were ranked according to twenty parameters. The report was compiled using data from public sources, information from present and former company staff, technical analysis and interviews with company representatives. The report placed Google at the bottom of the rankings. This was due to: The diversity and specificity of Google’s product range and the ability of the 46
A Race to the Bottom – Privacy Ranking of Internet Service Companies (9 June 2007). http://www.privacyinternational.org/article.shtml? cmd[347]=x-347-553961 47
4: Ensuring Web 2.0 sites are compliant company to share extracted data between these tools, and in part it is due to Google’s market dominance and the sheer size of its user base. Google’s status in the ranking is also due to its aggressive use of invasive or potentially invasive technologies and techniques A summary of what PI saw as Google’s main privacy failures is listed below: •
Google retains a large quantity of information about a user, often for an unstated or indefinite length of time, without clear limitation on subsequent use or disclosure, and without an opportunity to delete or withdraw personal data even if the user wishes to terminate the service.
•
Google maintains records of all search strings and the associated IP-addresses and time stamps for at least 18 to 24 months and does not provide users with an expungement option. There is a prevailing view amongst privacy experts that 18 to 24 months is unacceptable and possibly unlawful in many parts of the world.
•
Google has access to additional personal information, including hobbies, employment, address, and phone number, contained within user profiles in Orkut. Orkut is the social networking tool from Google.
•
Google collects all search results entered through Google Toolbar and identifies all Google Toolbar users with a unique cookie that allows Google to track the user’s webmovement. 48
4: Ensuring Web 2.0 sites are compliant PI conclude by saying that the current trend of capturing ad space revenue through the exploitation of new technologies and tools will result in one of the greatest privacy challenges in recent decades. However, the technologies and expertise are available to create strong privacy protections. UK Website administrators may use cookies to track the on-line movements of an individual. This information may be collated to provide a profile on a customer’s website usage. Regulation 6 of the Privacy and Electronic Communications Regulations 200347 provides rules about the way in which electronic communications networks are allowed to store information or gain access to information stored in the terminal equipment of a subscriber or user and includes devices such as cookies. The regulations ‘require that subscribers and users should, to some extent, be given the choice as to which of their online activities are monitored in this way’. The ICO says that, under the regulations, website administrators must ‘tell visitors to your site wherever a cookie or other tracking system
47 The Privacy and Electronic Communications Regulations 2003, ICO. http://www.ico.gov.uk/what_we_cover/privacy_and_elec tronic_communications/the_basics.aspx 49
4: Ensuring Web 2.0 sites are compliant collects information, and you must give them the opportunity to refuse their continued use’.48 The regulations also advise that cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment: •
is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
•
is given the opportunity to refuse the storage of, or access to, that information.
Many organisations comply with this legislation by providing a privacy policy. The UK Information Commissioner has said49 that: If you choose to let people know [about the use of cookies] through the privacy statement, it is important to have some reference to the use of tracking technology clearly displayed to all visitors. Examples of privacy policies include the HMRC (HM Revenue and Customs). See Chapter 4, section: Processing of personal data – data protection and data breach notification for 48
Data Protection Good Practice Note, Collecting personal information using websites, ICO. http://www.ico.gov.uk/upload/documents/library/data_pr otection/practical_application/collecting_personal_infor mation_from_websites_v1.0.pdf 49 Data Protection Good Practice Note. Collecting personal information from website, Information Commissioner’s Office, UKs (June 2007). http://www.ico.gov.uk/upload/documents/library/data_pr otection/practical_application/collecting_personal_infor mation_from_websites_v1.0.pdf (this is actually version 2.0). 50
4: Ensuring Web 2.0 sites are compliant guidance on creating privacy policies. Further information about the use of cookies can be found at ‘AllAboutCookies’. US In the US, websites that collect information from children under the age of thirteen are required to comply with the Federal Trade Commission (FTC) Children’s Online Privacy Protection Act (COPPA). These rules spell out what a website administrator must include in a privacy policy, when and how to seek verifiable consent from a parent and what responsibilities an operator has to protect children’s privacy and safety online. The Act defines children’s personal information as: Information about a child that is collected online, such as full name, home address, e-mail address, telephone number or any other information that would allow someone to identify or contact the child. The Act and Rule also cover other types of information – for example, hobbies, interests and information collected through cookies or other types of tracking mechanisms – when they are tied to individually identifiable information. The FTC may bring enforcement actions and impose civil penalties for violations of this Act in the same manner as for other Rules under the FTC Act. These penalties are usually in the form of fines. All FTC enforcement actions are listed on the FTC site.
51
4: Ensuring Web 2.0 sites are compliant In the US, Facebook has recently reached agreement on a user safety agreement with the attorneys general of 49 states and the District of Columbia50 government in the US. The social networking site has agreed to develop age verification technology, send warning messages when an under-18 user may be giving personal information to an unknown adult, restrict the ability for people to change their ages on the site, and to keep abreast of inappropriate content and harassment on the site. In September, 2006, the Xanga social networking site agreed to pay a $1million fine51 to settle with authorities over allegations that it collected, used and disclosed personal details of children under-13. The FTC said that Xanga had committed an offence under the Children’s Online Privacy Protection Act (COPPA). The US federal Electronic Communications Privacy Act sets provisions on privacy rights of individuals using communication devices including computers52.
50
After long negotiations, Facebook agrees to safety plan with state Ags, Caroline McCarthy, CNET News (8 May 2008). http://news.cnet.com/8301-13577_3-9939058-36.html 51 Xanga.com to Pay $1 Million for Violating Children’s Online Privacy Protection Rule, FTC (7 September 2006). http://www.ftc.gov/opa/2006/09/xanga.shtm 52 What is the Electronic Communications Privacy Act, wiseGEEK. http://www.wisegeek.com/what-is-theelectronic-communications-privacy-act.htm 52
4: Ensuring Web 2.0 sites are compliant Canada In Canada, data protection and privacy is covered by the ‘Personal Information Protection and Electronic Documents Act’ (PIPEDA). PIPEDA was designed to satisfy the EU that Canadian privacy laws were adequate for the protection of EU citizens. The Canadian Internet Policy and Public Interest Clinic (CIPPIC) has recently filed a complaint against Facebook, accusing Facebook of 22 separate privacy violations53. They believe Facebook violates the PIPEDA. CIPPIC was established at the University of Ottawa, Faculty of Law in the fall of 2003. It is the first legal clinic of its kind in Canada. It has external advisors from the universities of Harvard, Stanford and California at Berkeley. CIPPIC projects include consumer protection online, copyright law and identity theft as well as privacy. The clinic was originally funded by Amazon.com but is now funded by the University of Ottawa. It fulfils public policy debate issues as well as providing legal education experience for students of law. CIPPIC’s complaint argues that Facebook fails to inform members how their information is disclosed to third parties for advertising and other profit-making purposes. It also argues that the site has failed to obtain permission from members for such uses of their personal information. The complaint says that: 53 CIPPIC files privacy complaint against Facebook, (30 May 2008). http://www.cippic.ca/index.php? mact=News,cntnt01,detail,0&cntnt01articleid=339&cntn t01returnid=216 53
4: Ensuring Web 2.0 sites are compliant Facebook purports to provide users with a high level of control over their data, but our investigation found that this is not entirely true. For example, even if you select the strongest privacy settings, your information may be shared more widely if your Facebook Friends have lower privacy settings. As well, if you add a third party application offered on Facebook, you have no choice but to let the application developer access all your information even if they don’t need it ... although Facebook has taken steps to allow for more control over sharing one’s information on the site, its default settings are for sharing in most cases. Changing those settings requires a high level of aptitude and experience with the site. We believe that many Facebook users, especially young people, don’t appreciate the extent to which their often sensitive personal information is being shared beyond their social circle54. Facebook’s response was to accuse CIPPIC of making ‘serious’ errors. ‘We pride ourselves on the industry-leading controls we offer users over their personal information,’ said a company spokesperson. We’ve reviewed the complaint and found it has serious factual errors – most notably its neglect of the fact that almost all 54
Facebook faces accusations of 22 privacy violations, SC Magazine (2 June 2008). http://www.scmagazineuk.com/Facebook-facesaccusations-of-22-privacy-violations/article/110782/ 54
4: Ensuring Web 2.0 sites are compliant Facebook data is willingly shared by users. The complaint also misinterprets PIPEDA in a manner that would effectively forbid voluntary online sharing of information and ignores key elements of Facebook’s privacy policy and architecture. The Canadian Privacy Commissioner will now take up the complaint. It has been reported that it could take up to one year to report her findings. The privacy commissioner apparently often prefers negotiation to resolve disputes, but can seek court injunctions if negotiation fails. The report isn’t as yet listed on the website of the Canadian Privacy Commissioner, but the full Pipeda complaint submitted by CIPPIC is available at http://www.cippic.ca/uploads/CIPPICFacebookCo mplaint_29May08.pdf. Australia Australia passed its Privacy Act in 1988. Allens Arthur Robinson report that: to date, the drafts of the Internet Industry Association Content Service Code have not made specific provision for social networking sites or user-generated content. Unlike the UK Internet industry, which is self-regulated, Australia employs a co-regulatory model that provides for regulation through a combination of
55
4: Ensuring Web 2.0 sites are compliant legislation, industry codes, guidelines and standards55. However, there is not currently any legislative provision for social networking sites. As a contributor to the UK guidelines, Australia was responsible for many of the recommendations included in the Good Practice Guidance for Providers of Social Networking and Other User Interactive Services. Processing of personal data – data protection and data breach notification In legal terms, data protection is generally regarded as an extension of the safeguards to a person’s right to privacy in respect of the processing of personal information stored about them. Worldwide, data protection and data breach disclosure legislation is still very much evolving and in its infancy. The European Union (EU) has a more mature approach to data protection than the US and many other countries. The EU has a single data protection regime that is implemented similarly in each member country. In contrast, the US has no national regime but rather a complex mix of state breach laws and sectoral data protection regulation.
55
Focus: Communications, Media & Technology (April 2008). http://www.aar.com.au/pubs/cmt/focmtapr08.htm#The_ G. 56
4: Ensuring Web 2.0 sites are compliant A summary of the worldwide data protection and data breach legislation is provided in the following sections. Europe Data protection legislation within Europe is driven by the European Directive on Data Protection (Directive 95/46/EC, 1995). The purpose of the directive is to protect the ‘fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data’. US The US data breach legislation is currently at state level. Some 37 US states have now passed ‘data breach’ laws. Variations in these laws are in the areas of notification; likelihood of harm; length of notification; encryption; publicly available data; the data to be covered and the geographical area of jurisdiction. These breach laws describe what a company must do if private information about state residents is made public as the result of a security breach.56 UK The Date Protection Act of 1998 (DPA 1998) requires any organisation that processes personal data within the UK to comply with eight enforceable principles of what it identifies as good practice (see below). The DPA is concerned with 56
See Data breaches: Trends, costs and best practices, published by ITGP in April 2008. 57
4: Ensuring Web 2.0 sites are compliant personal as opposed to corporate data. It applies to electronic data as well as to paper records. It applies to storage media, which includes CCTV, websites and the Internet as well as to databases. The eight principles of the DPA are that: 1 2
3
4 5
6 7
8
Personal data shall be processed fairly and lawfully. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. Personal data shall be accurate and, where necessary, kept up to date. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. Personal data shall be processed in accordance with the rights of data subjects under this Act. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. 58
4: Ensuring Web 2.0 sites are compliant If a website collects personal information, the website administrator, as a data controller, is legally responsible for ensuring that the processing of any personal data is in conformity with the Data Protection Act (DPA)57. Website administrators are also responsible for ensuring that individuals using the site are aware of 58: •
The identity of the person or organisation responsible for operating the website and of anyone else who collects personal information through the site;
•
What the information will be processed for ;
•
Any other information needed to make sure the processing is fair to individuals, taking account of the specific circumstances of the processing. This will include telling individuals if information is disclosed about them to third parties, including to other companies within the same group;
•
The physical address of the website operator, unless this is clearly available on the site.
57
Web 2.0 Services, JISC Legal – Data Protection. http:// www.jisclegal.ac.uk/publications/DPACodeofPractice.ht m#_Toc197501973 58 Data Protection Good Practice Note, Collecting personal information from websites, Information Commissioner’s Office, UK (June 2007). http://www.ico.gov.uk/upload/documents/library/data_pr otection/practical_application/collecting_personal_infor mation_from_websites_v1.0.pdf 59
4: Ensuring Web 2.0 sites are compliant This information is often included as part of a privacy policy. Harbottle and Lewis59 suggest that sites such as social networking sites should obtain consent from the user to store the user’s personal details when they complete registration. Harbottle and Lewis also comment that ‘the situation where a user uploads personal data, whether a photograph of or text relating to a third party, is difficult to resolve’. The safe harbour provisions of the European Directive on Electronic Commerce do not necessarily apply. A site owner may unwittingly find itself a data controller in respect of personal data for someone who is not a member of its site. In this kind of situation, how would a site owner respond to a subject access request from the third party featured in a photograph? They suggest that a site owner needs to impose restrictions on the photos that can be uploaded and reserve the right to remove them at any time. Website administrators should also bear in mind that users will not necessarily visit a website through its home page. The ICO suggest that a ‘layered’ privacy notice should be used, consisting of three linked notices which are increasingly concise. Guidance for this can be obtained from the OECD website. Guidance on how to assess a privacy notice and create layered notices has been produced by the Centre for Information Policy Leadership in their 59
Harbottle and Lewis is a London-based law firm. They provide legal services to organisations and individuals, in particular those working in the media and entertainment industries 60
4: Ensuring Web 2.0 sites are compliant document ‘Ten steps to develop a multilayered privacy notice’. The UK Information Commissioner’s Office (ICO) suggests using their padlock symbol 60 to ‘alert people to the fact that their information is being collected, and direct them to sources, which will clearly explain how their information is to be used’.
Principle 3 of the UK DPA is likely to be particularly relevant where the data is to be processed for a purpose other than the provision of the service directly requested by the user, for example, counting visitors to a website. Principle 4 of the UK DPA is relevant to the rights of a user to keep data held about themselves up to date. A data subject is entitled to make a written request to the data controller for information about themselves. The following data needs to be provided: •
A description of data about them
•
The purposes for which it is being processed
•
A list of the people to whom it may be disclosed
60 Be Open, ICO. http://www.ico.gov.uk/upload/documents/pdfs/padlock_s ignpost_22_05_06.pdf 61
4: Ensuring Web 2.0 sites are compliant •
The name of the organisation that is carrying out the processing of their data.
The UK ICO says that ‘Any website which collects information from you has to follow the principles in the Data Protection Act’.61 The DPA would imply that anyone has the right to complain to the ICO if they feel that their personal information is being misused or used for marketing purposes, and that the ICO has legal powers to investigate this. However, there have not been any reported cases in the UK of prosecutions by the ICO involving social networking sites. The ICO does provide guidance about how people – particularly young people – can protect their personal details when using social networking sites. What is personal data? Much of the recent legal controversy surrounding the implication of the DPA and the EU Data Protection Directive with regard to data stored on websites has to do with the legal definition of personal data. This especially applies to social networking profiles and IP addresses. Social networking profiles The UK Information Commissioner has said that: If the operator intends to link [a] profile to a name and postal address, or an e-mail
61
Keeping your personal info personal, ICO. http://www.ico.gov.uk/Youth/section2/intro.aspx 62
4: Ensuring Web 2.0 sites are compliant address, this is personal information covered by the Data Protection Act 199862. IP addresses A German court has ruled in October 2008 that: website operators are allowed to store the Internet protocol (IP) addresses of their visitors without violating data protection legislation. Without additional information, IP addresses do not count as personal data63. The UK ICO says that: Many IP addresses, particularly those allocated to individuals, are ‘dynamic’. This means that each time a user connects to their Internet service provider (ISP), they are given an IP address, and this will be different each time. So if it is only the ISP who can link the IP address to an individual it is difficult to see how the [DPA] Act can cover collecting dynamic IP addresses without any other identifying or distinguishing information. Some IP 62
Data Protection Good Practice Note. Collecting personal information from websites, Information Commissioner’s Office, UK (June 2007). http://www.ico.gov.uk/upload/documents/library/data_pr otection/practical_application/collecting_personal_infor mation_from_websites_v1.0.pdf (this is actually version 2.0). 63 IP addresses in server logs not personal data: Ruling, The Register (15 October 2008). http://www.theregister.co.uk/2008/10/15/ip_address_pers onal_data_ruling/ 63
4: Ensuring Web 2.0 sites are compliant addresses are ‘static’, and these are different. Like some cookies, they can be linked to a particular computer which may then be linked to an individual user. Where a link is established and profiles are created based on static IP addresses, the addresses and the profiles would be personal information and covered by the Act. However, it is not easy to distinguish between dynamic and static IP addresses, so there is limited scope for using them for personalised profiling64.
64
Data Protection Good Practice Note. Collecting personal information from websites, Information Commissioner’s Office, UK (June 2007). http://www.ico.gov.uk/upload/documents/library/data_pr otection/practical_application/collecting_personal_infor mation_from_websites_v1.0.pdf (this is actually version 2.0). 64
CHAPTER 5: SUMMARY OF RECOMMENDATIONS
1
2
3
4
5
Websites should display a privacy policy which quite clearly states the purpose for which personal information will be used. The policy should also notify users of its policies against copyright infringement. Harbottle and Lewis65 suggest that website administrators should impose restrictions on the photos that can be uploaded to a website and reserve the right to remove them at any time. The same applies to content in other formats, such as video. There should be a user acceptance policy for employees with guidelines for content which is allowed for websites. The guidelines should include rules restricting employees from using any copyrighted content without the permission of the copyright owner. If the website is to be used as an educational resource, provide guidance to students recommending that they appropriately acknowledge their sources. Security considerations need to be incorporated into the Web software development cycle at the requirements gathering stage.
65 Harbottle and Lewis is a London-based law firm. They provide legal services to organisations and individuals, in particular those working in the media and entertainment industries 65
5: Summary of recommendations 6
7
8
9
10
11
12
13
Use Web filtering technologies to scan for malware and the illegal or inappropriate use of a website. Website administrators should ensure that they have sufficient understanding of copyright, privacy and data protection legislation to ensure compliance. In addition, website administrators should follow the Internet best practice, Good Practice Guidance for Providers of Social Networking and Other User Interactive Services 66 guidelines. Website administrators should be sufficiently flexible to ‘take down’ or remove content on a same-day basis. Website administrators should have a process and policy for terminating users who repeatedly break copyright or website practices. Website administrators should have a ‘Comments Policy’ which makes the responsibility for content clear to users. If negative comments are posted to a website about the organisation, the organisation should look towards turning this around so that it becomes positive feedback. Website administrators need to include a statement about their use of cookies in the privacy policy. Website administrators in the US who collect information from children under the age of
66 Good practice guidance for the providers of social networking and other user interactive services 2008. http://police.homeoffice.gov.uk/publications/operationalpolicing/social-networking-guidance 66
5: Summary of recommendations
14
15
16
17
18
thirteen are required to comply with the FTC, Children’s Online Privacy Protection Act. The processing of personal information collected on a website needs to be carried out in accordance with the DPA and the European Data Protection Directive. The ICO ‘padlock symbol’ may be used to alert users to the fact that personal information about them is being collected. Website administrators need to be clear that they are unable to guarantee the deletion of anything posted to their website. Website administrators should provide guides and protocols which ensure fairness for all users. The use of an alias in the user profile may protect the user from reputation damage or data breaches.
67
CHAPTER 6: CONCLUSION
There is no doubt that Web 2.0 technologies bring many advantages, not least the collaborative power of engaging with so many Web users extremely quickly. Tapscott and Williams, in their book, Wikinomics 67, describe the creation of a Wikipedia account of the London bombings which occurred in 2005: By the end of the day, over twenty-five hundred users had created a comprehensive fourteen-page account of the event that was much more detailed than the information provided by any single news outlet. The first edit was posted to Wikipedia 28 minutes after the first bomb exploded. The volume of contributors and immediacy of responses can be viewed on Wikipedia’s history page. The up-tothe-minute, eyewitness Wikipedia account of the London bombings, complete with on-the-spot photographs, is a testament to the power and enormous value that Web 2.0 technologies can provide. However, the other side of the coin is that the free, uninhibited and undisciplined use of Web 2.0 technologies can pose serious risks. In addition to the risks of reputation damage and breaches of confidentiality, risks associated with Web 2.0 technologies also include hacking attacks and legal non-compliance. 67
Wikinomics, Don Tapscott and Anthony Williams, Atlantic Books (2006). 68
6: Conclusion Many hacking attacks can be prevented simply by ensuring well written code and incorporating security considerations as part of the Web software development cycle. Website administrators and their employers will also need to gain sufficient understanding of the relevant copyright, privacy and data protection regulation to ensure legal compliance and to put themselves into a position to take appropriate, speedy action to deal with transgressions by users.
69
APPENDIX: GLOSSARY
* Terms, with definitions, taken from A Dictionary of Information Security Terms, Abbreviations and Acronyms, Alan Calder and Steve Watkins, IT Governance Publishing (2007). Adware – The name given to any software application in which advertising banners are displayed on the web page. The advertisements can generally be viewed through pop-up windows or through a bar that appears on a computer screen68. Ajax – (Asynchronous JavaScript and Extensible Markup Language or XML) is a set of technologies which enable greater processing to be carried out on the client computer, rather than the server. In the traditional Web application, the user clicked and then waited some number of seconds for the server to respond and refresh the page. In contrast, Ajax-enabled web pages are far more reactive, giving the user the appearance that pages are updating instantly. This is illustrated by the application Google Maps, where the page and map are refreshed instantly as the cursor is moved. Ajax is not a new technology, but rather a combination of existing technologies being used in a new way. Ajax endpoints – In contrast to typical Web 1.0 applications, Ajax applications send a greater
68 adware, SearchCIO-Midmarket.com. http://searchciomidmarket.techtarget.com/sDefinition/0,,sid183_gci5212 93,00.html 70
Appendix: Glossary number of smaller requests to the server which create many more points of input. The inputs are also referred to as Ajax endpoints which provide a greater number of opportunities for that traffic to be attacked. Blogs – Blog is an abbreviation of Weblog, which is a term originally used to describe a web page where the blogger (author or writer of the page) logs all other web pages they find interesting. Readers can subscribe to a blog, post comments to a blog, and select links on a blog. Collaboration tool – A collaboration tool uses a variety of Web 2.0 technologies with the purpose of aiding internal collaboration and communication within the workplace. Copyright owner – Generally speaking, a copyright owner is in the first instance the creator of a literary, dramatic, musical or artistic work. Copyrights in works made during the course of employment are owned by the employer and not the employee69. CSS (cascading style sheets) – A W3C (World Wide Web Consortium) recommended language for defining style (look and feel such as font, size, color, spacing, etc.) for web documents70. It is a technology which enables content (written in HTML or a similar mark-up language) to be separated from its presentation (written in CSS). 69
Who is a copyright owner?, Australian Government (January 2008). http://www.ag.gov.au/www/agd/agd.nsf/ Page/Copyright_Whoisacopyrightowner 70 Glossary, Egghead Design Ltd. www.eggheaddesign.co.uk/glossary.aspx. 71
Appendix: Glossary Because they cascade, some elements take precedence over others. Data – A collection of facts from which conclusions may be drawn71. Data controller – In the context of the UK Data Protection Act, the data controller is the person who determines the purposes for which, and the manner in which, personal information is to be processed. This may be an individual or an organisation and the processing may be carried out jointly or in common with other persons72. Data subject – The living individual who is the subject of the personal information (data)66. Data mining – The process of sorting through data to identify patterns and establish relationships73. On the web, data can be mined using search engines or Spiders. Defamatory – An act of communication that causes someone to be shamed, ridiculed, held in contempt, lowered in the estimation of the community, or to lose employment status or earnings or otherwise suffer a damaged reputation.74 71 WordNet. http://wordnet.princeton.edu/perl/webwn? s=data 72 Glossary of terms, ICO. http://www.ico.gov.uk/tools_and_resources/glossary.asp x 73 Data mining, SearchSQLServer.com. http://searchsqlserver.techtarget.com/sDefinition/0,,sid87 _gci211901,00.html 74 Defamation, The ’Lectric Law Library’s Lexicon. http://www.lectlaw.com/def/d021.htm 72
Appendix: Glossary DRM (digital rights management) – A systematic approach to copyright protection for digital media. The Digital Millennium Copyright Act (DMCA) was enacted on 28 October 1998 in the United States in order to protect the digital rights of copyright owners and consumers75. Exponential – Web 2.0 tools enable users to connect with a very large number of people in a short period of time at low cost. This is referred to as the ‘viral’ nature of Web 2.0: the virus metaphor describes the ability of a virus to reproduce itself very rapidly in a short space of time. The speed with which this can happen, and the number of people who can be involved is also described with more positive connotations, as ‘exponential’. FTP* – File Transfer Protocol is a method of transferring files over the Internet. GMAIL – Google Mail, or Gmail is a free, search–based webmail service available from Google, which also enables e–mails to be picked up on mobiles. Security vulnerabilities in Gmail have caused e–mails to be transferred and stolen with consequent potential data disclosure76. Although Google patched the vulnerability, users of Gmail were not necessarily made aware of the need to repair the derived vulnerability in their own systems. The fact that Web 2.0 companies apparently prefer to downplay such issues might 75
RSS: Glossary, Whatis.com. http://whatis.techtarget.com/definition/0,,sid9_gci11916 98,00.html. 76 Bullseye on Google: Hackers expose holes in Gmail, Blogspot, Search Appliance, Zdnet (25 September 2007). http://blogs.zdnet.com/security/?p=539 73
Appendix: Glossary lead to them becoming a preferred attack vector for hackers and malware jockeys. Folksonomies – A collection of tags used to organise and easily find content on the web. A folksonomy is created collaboratively and is also contributed to by users. Information* – The New Shorter Oxford English Dictionary provides these helpful definitions: ‘knowledge or facts communicated about a particular subject, events, etc; intelligence, news’ and ‘without necessary relation to a recipient: that which inheres in or is represented by a particular arrangements, sequence or set, that may be stored in, transferred by, and responded to by inanimate things’. Clearly information, or data, exists in many forms but, for the purposes of its security, we are concerned with data that has a digital, paper, or voice format. Information is defined by Coleman and Levine as ‘Data put into context by a human to give it meaning’. Instant messaging* – (IM) is a communication methodology that is analogous to a private chat room; it enables you to communicate over the Internet in real time with another person, using text. Internet, the* – The massive, global network of networks, connecting millions of computers, allowing any computer to communicate with any other by any one of a number of protocols. The Internet is not the (World Wide) Web. Intellectual property – Intellectual property (IP) can allow you to own things you create in a similar 74
Appendix: Glossary way to owning physical property77. Intellectual property implies ownership of content which is created intellectually, through thinking, or the creation of ideas. Intellectual property acts define this ownership in law. There are four main types of intellectual property: •
Copyright protects material such as literature, art, music, sound recordings, films and broadcasts.
•
Designs protect the visual appearance or eye appeal of products.
•
Patents protect the technical and functional aspects of products and processes.
•
Trade Marks protect signs that can distinguish the goods and services of one trader from those of another.
Intellectual property rights are a complex area of law; an appreciation of the complexities of the subject can be gained from referring to the FAQs available from the United States Copyright Office and the US Patent and Trademark Office. Javascript – A type of programming language used for Web applications whereby the commands are interpreted and run one at a time. Javascript is on the client computer for Web 2.0 applications to initiate calls to the server and then to programmatically access and update the client’s browser78. 77
What is intellectual property? UK Intellectual Property Office (2008). http://www.ipo.gov.uk/whatis.htm 78 Simplifying content security, ensuring best-practice email and web use. Web 2.0 Security Technical White Paper, Is the web broken? Clearswift (July 2007). 75
Appendix: Glossary Malware – Denotes software designed for some malicious purpose. Common forms of malware include viruses, worms and Trojans. A virus is able to produce copies of itself but depends on a host file to carry each copy. A worm can also replicate itself but does not rely on a host file to carry it. A worm can replicate itself by means of a transmission medium such as e-mail, instant messaging, Internet Relay Chat or network connections. Trojan malware is an analogy derived from the legend of the wooden horse built by the ancient Greeks built to enable them to enter the walled city of Troy by stealth – by concealing themselves inside the wooden horse. In computer terms a Trojan is hostile code concealed within and purporting to be bona fide code, often with the intention of achieving control over another system or collecting information from within it. Mashups – In the context of Web 2.0, the mechanism by which multiple sources of information can be combined to create a single application. Online collaboration – Web 2.0 online collaboration tools provide users with the ability not only to upload content to the web, but also to upload content to a single, shared space which can be accessed by many users. Web 2.0 online collaboration tools incorporate Web 2.0 technologies such as social networking and wikis within a single application or workspace which is visible to the entire team. They enable users to: 76
Appendix: Glossary •
create and share team documents
•
create individual or group information workspaces
•
post to team- or organisation-wide blogs
•
manage team projects
•
automate employee alerts of changes to content with RSS feeds.
Openness and transparency – The concept of Openness within the context of Web 2.0 relates more to making intellectual ideas, developments or creations available so that they can be developed exponentially by a wider, external community. The antonyms of openness and open source are closed and closed source. Payload – In the context of Web filtering, the damaging material contained in a packet of data. Personal data* – That information about a living person (i.e. not an organisation) that is protected by legislation and regulation. Personally Identifiable Information – (PII) any information relating to an identified or identifiable individual who is the subject of the information such as a Social Security number, date of birth, mother’s maiden name, address, etc.79 Phishing* – Sending e–mails that falsely claim to come from a legitimate company in an attempt to scam users into surrendering information that can be used for identity theft.
79 Identity Theft, About.com. http://idtheft.about.com/od/ glossaryofterms/g/PII.htm 77
Appendix: Glossary RSS – Really Simple Syndication (RSS) is the most well-known type of Web feed. A Web feed is an automatic notification of an update to a website. Notification of new content requires a subscription to that ‘feed’ as well as an RSS reader and/or Atom reader software which enables new content to be viewed. The readers are either downloadable programs or available as online services. Sensitive PII – Includes confidential medical information or information relating to racial or ethnic origins, political or religious beliefs or sexuality that is tied to personal information. Signature defence – An electronic signature which is used by banks to prove themselves as the originators of e-mails combat phishing attacks. Social network – A virtual community, usually via the Internet but also increasingly available via mobile devices such as the iPhone. Social networking websites enable users to create their own online page or profile and to construct and display an online network of contacts, often called ‘friends’. Users create their own pages, link to other members and communicate by voice, chat, instant message, videoconference and blog. They can communicate via their profile both with their ‘friends’ and with people outside their list of contacts. This can be on a one-to-one basis or in a more public way such as a comment, typically posted on a message board for all to see. Software as a service – (SaaS) describes the delivery of a software application as a service via the web. Spider – Whatis define a spider as follows: 78
Appendix: Glossary A spider is a program that visits websites and reads their pages and other information in order to create entries for a search engine index. The major search engines on the Web all have such a program, which is also known as a crawler or a bot. Spiders are typically programmed to visit sites that have been submitted by their owners as new or updated. Entire sites or specific pages can be selectively visited and indexed. Spiders are called spiders because they usually visit many sites in parallel at the same time, their ‘legs’ spanning a large area of the ‘web’. Spiders can crawl through a site’s pages in several ways. One way is to follow all the hypertext links in each page until all the pages have been read80. Spyware – Technology that gathers information about a person or organisation from the Web without their permission81. Synchronous communication – In contrast to Asynchronous communication, Synchronous communication is that which occurs between 2 or more people within 5 seconds. Trojan* – The term ‘Trojan’ is derived from the story of the Trojan horse in the greek story. Within the context of IT security a Trojan is hostile code concealed within, and purporting to be, bona fide code. It is designed to reach a target stealthily and to be executed inadvertently. It may have been installed at the time the software was developed. 80
Spider, Whatis.com. http://whatis.techtarget.com/definition/0,,sid9_gci213035 ,00.html 81 Spyware, SearchSecurity.com. http://searchsecurity.techtarget.com/sDefinition/0,,sid14_ gci214518,00.html 79
Appendix: Glossary They can be programs that, while perhaps appearing to be a useful utility, are designed to secretly damage the host system. Some will also try to open up host systems to outside attack. User created content – Central to Web 2.0 is the idea that content should be created by users, that users can interact with the Web and that users have moved from passive absorbers of Web content to being active interactors with the web. Users not only download content but also upload it. Technologies such as wikis, blogs, video sharing and photo sharing all consist of user-created content. Web 2.0 technologies enable Web content to be created easily by anybody, rather than being solely the output of ‘experts’. Web 2.0 technologies support the rapid creation of new content at speeds much faster than is possible in a Web 1.0 environment. Tapscott and Williams 82 describe the creation of a Wikipedia account of the London bombings which occurred in 2005: By the end of the day, over twenty-five hundred users had created a comprehensive fourteen-page account of the event that was much more detailed than the information provided by any single news outlet. The established media are therefore increasingly using user-generated reports and video clips which provide valuable, comprehensive, up-to-theminute, eyewitness accounts of events. Viral – Web 2.0 tools enable users to connect with a very large number of people in a short period of 82
Wikinomics, Don Tapscott and Anthony Williams (2006). 80
Appendix: Glossary time at low cost. This is referred to as the ‘viral’ nature of Web 2.0: the virus metaphor describes the ability of a virus to reproduce itself very rapidly in a short space of time. The speed with which this can happen, and the number of people who can be involved is also described with more positive connotations, as ‘exponential’. VoIP/VOB* – Voice over IP/Voice over Broadband is a technology that enables voice-tovoice communication across the Internet. Vulnerability * – A weakness of an asset or group of assets that can be exploited by a threat. There are regularly updated central stores of known vulnerabilities. Vulnerability assessment – The (usually automated) evaluation (or vulnerability scanning) of operating systems and applications to identify missing fixes for known problems so that the necessary fixes can be installed and the systems made safe. Vulnerability scanning – An automated process of scanning a network or a series of information assets to establish if they display any of the characteristics of known vulnerabilities. Wikis – Wikipedia describes a wiki as ‘software that allows registered users or anyone to collaboratively create, edit, link, and organize the content of a website, usually for reference material’.83 World Wide Web* (the Web) – An informationsharing construct that sits on top of the Internet, 83
http://en.wikipedia.org/wiki/Wiki 81
Appendix: Glossary and uses HTTP to transmit data. It is not synonymous with the Internet. A browser is required for accessing Web content. ‘Zero-day’ vulnerability – A ‘zero-day’ vulnerability is one where hackers take advantage of vulnerability on the same day as it is announced. For further details, see the IT Governance Best Practice Report: Data breaches: Trends, costs and best practices.
82
ITG RESOURCES
IT Governance Ltd sources, creates and delivers products and services to meet the real-world, evolving IT governance needs of today’s organisations, directors, managers and practitioners. The ITG website (www.itgovernance.co.uk) is the international one-stop-shop for corporate and IT governance information, advice, guidance, books, tools, training and consultancy84. www.27001.com is the IT Governance Ltd website that deals specifically with information security issues. Pocket Guides For full details of the entire range of pocket guides, simply follow the links at www.itgovernance.co.uk/publishing.aspx. Toolkits ITG’s unique range of toolkits includes the IT Governance Framework Toolkit, which contains all the tools and guidance that you will need in order to develop and implement an appropriate IT governance framework for your organisation. Full details can be found at www.itgovernance.co.uk/ products/519. For a free paper on how to use the proprietary CALDER-MOIR IT Governance Framework, and for a free trial version of the toolkit, see www.itgovernance.co.uk/calder_moir.aspx. 84
www.itgovernanceusa.com is the website that is dedicated to delivering the full range of IT Governance products to North America. 83
ITG Resources Best Practice Reports ITG’s new range of Best Practice Reports is now at www.itgovernance.co.uk/best-practice-reports.aspx. These offer you essential, pertinent, expertly researched information on an increasing number of key issues including Web 2.0. Training and Consultancy IT Governance also offers training and consultancy services across the entire spectrum of disciplines in the information governance arena. Details of training courses can be accessed and at www.itgovernance.co.uk/training.aspx descriptions of our consultancy services can be found at www.itgovernance.co.uk/consulting.aspx. Why not contact us to see how we could help you and your organisation? Newsletter IT governance is one of the hottest topics in business today, not least because it is also the fastest moving, so what better way to keep up than by subscribing to ITG’s free monthly newsletter Sentinel? It provides monthly updates and resources across the whole spectrum of IT governance subject matter, including risk management, information security, ITIL and IT service management, project governance, compliance and so much more. Subscribe for your free copy at: www.itgovernance.co.uk/newsletter.aspx
84