Everyone should be interested in a recent Blind Spot Report from the International Association of Privacy Professionals (IAPP), created because, in the report’s own words, the “demand for accountability in respect to privacy protection is growing, and security professionals are finding themselves in part responsible for this issue.” The report, entitled “The Top 45 Security and Privacy”, gives an example of each blind spot. Here is a sampling of the privacy blind spots that matter most to security teams:
- Enforce Strong Password Policies
- Logging IP Addresses May Violate Privacy Policies
In late 2007 Peter Schaar, Germany’s federal data protection commissioner, argued that Internet Protocol (IP) addresses should be considered personal information, but a 2009 court ruling in Washington state decided they weren’t. Which is it, then? As a general rule of thumb, if an IP address can be combined with other information you hold (session cookies, account logins, timestamps) to identify an individual, treat it as personal information. In the EU that is now the settled position: the Court of Justice held in 2016 (Breyer, C-582/14) that even a dynamic IP address can be personal data in the hands of a website operator. In either case, collect and retain IP addresses only for a specific, documented purpose, and for no longer than that purpose requires. Many organizations make public promises that they don’t capture any personally identifying information, yet just about every website or web-based application keeps a log of visitors to the site, and most of those logs capture IP addresses.
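Here is a worked example of the mitigation that rule of thumb implies, added for this page and not taken from the IAPP report: a small Python routine that rewrites the client address in web-server access logs, either by truncating it to its network prefix or by replacing it with a keyed pseudonym that rotates daily. The log lines, the secret, the sample date and the prefix lengths (/24 for IPv4, /48 for IPv6) are constructed assumptions for the example, not values from the page.

```python
import hashlib
import hmac
import ipaddress
import re
from datetime import date
from typing import List, Optional

# Constructed access-log lines in the common log format; they are not real traffic
# (203.0.113.0/24 and 2001:db8::/32 are documentation-only address ranges).
SAMPLE_LOG = """\
203.0.113.42 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
2001:db8:85a3::8a2e:370:7334 - - [10/Oct/2023:13:55:37 +0000] "GET /login HTTP/1.1" 302 0
203.0.113.42 - - [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 200 512
"""

# Assumed processing date for the daily key rotation (the example uses a fixed day).
SAMPLE_DAY = date(2023, 10, 10)

# In the common log format the first whitespace-delimited field is the client address.
LOG_LINE = re.compile(r"^(?P<ip>\S+) (?P<rest>.*)$")


def truncate_ip(ip_text: str) -> str:
    """Zero the host part of an address: keep a /24 for IPv4 and a /48 for IPv6.

    The result is still a network identifier and, combined with timestamps or
    other fields, may still single out a visitor; it reduces identifiability,
    it does not remove it.
    """
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def pseudonymize_ip(ip_text: str, secret: bytes, day: date) -> str:
    """Keyed, day-scoped pseudonym: one address maps to one token within a day,
    so abuse from a single client can still be correlated, but the token changes
    daily and cannot be reversed without the secret. Destroying the day key after
    rotation is what makes old tokens unlinkable to addresses."""
    ip = ipaddress.ip_address(ip_text)
    day_key = hmac.new(secret, day.isoformat().encode(), hashlib.sha256).digest()
    tag = hmac.new(day_key, ip.packed, hashlib.sha256).hexdigest()[:16]
    return f"ip-{tag}"


def anonymize_log(text: str, mode: str, secret: bytes = b"",
                  day: Optional[date] = None) -> List[str]:
    """Rewrite the client address of every well-formed line; other lines pass through."""
    day = day or date.today()
    out = []
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if match is None:
            out.append(line)
            continue
        ip = match.group("ip")
        try:
            ipaddress.ip_address(ip)
        except ValueError:  # not an address (e.g. a hostname); keep the line unchanged
            out.append(line)
            continue
        if mode == "truncate":
            new_ip = truncate_ip(ip)
        elif mode == "pseudonymize":
            new_ip = pseudonymize_ip(ip, secret, day)
        else:
            raise ValueError(f"unknown mode {mode!r}")
        out.append(f"{new_ip} {match.group('rest')}")
    return out


if __name__ == "__main__":
    for line in anonymize_log(SAMPLE_LOG, "truncate"):
        print(line)
    for line in anonymize_log(SAMPLE_LOG, "pseudonymize", b"rotate-me", SAMPLE_DAY):
        print(line)
```

Truncation is the simpler choice when the logs only need to be useful for rough traffic analysis; the pseudonym mode keeps enough structure to spot one client hammering a login endpoint within a day while still breaking long-term linkage. Neither mode turns a log with full request lines, timestamps and user agents into anonymous data, which is why the retention limit matters as much as the rewrite.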
- Unauthorized Use of Information
In 2012, Spokeo paid the FTC $800,000 to settle charges that it violated federal law by compiling and selling personal information for use by potential employers. The complaint alleged that Spokeo violated the Fair Credit Reporting Act by marketing its consumer profiles without making sure they would be used for legally permissible purposes. Many marketers and sales people aggregate as much information as possible about their targets to give their pitches the best chance of success. The interconnectedness of our modern culture makes this increasingly easy, but just because you can do something doesn’t mean you should: information collected for one purpose cannot simply be repurposed for another without the consent or legal basis the new use requires.
- Unintentionally Collecting Information from Children
In an effort to boost its audience, Yelp created a streamlined sign-up process for its mobile app. Unfortunately, the new flow omitted the date-of-birth check, so the app collected personal information from children under 13, and in 2014 Yelp paid a $450,000 penalty to the FTC for violating the Children’s Online Privacy Protection Act (COPPA). Regulations aggressively protect minors. If your application or service may be used by children, include an age check before you accept any personal information from them, apply it on every sign-up path rather than only the primary one, and treat a failed check as a hard stop rather than a warning.
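As an added illustration (not Yelp’s code and not something from the report), here is a Python age screen of the kind that advice calls for. It assumes the US COPPA threshold of 13 and a session identifier supplied by the web framework; it computes age in completed years rather than dividing elapsed days by 365, so nobody is counted as 13 a day early, and it remembers a failed answer for the session so the form cannot simply be resubmitted with a different date of birth.

```python
from datetime import date
from typing import Set, Tuple

# US COPPA covers children under 13. The threshold is an assumption for this example
# and must be set per jurisdiction (the GDPR default, for instance, is 16).
MIN_AGE = 13

# Fixed "today" so the example is reproducible; a real service uses date.today().
TODAY = date(2023, 10, 10)


def age_on(dob: date, today: date) -> int:
    """Age in completed years on a given day.

    Comparing (month, day) tuples avoids the common '(today - dob).days // 365'
    bug and treats a 29 Feb birthday as falling on 1 Mar in non-leap years, so a
    child born on 29 Feb is not counted as a year older on 28 Feb.
    """
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


class AgeScreen:
    """Neutral age screen: decide once per session whether personal information
    may be collected, and remember a failed answer so a child cannot go back and
    enter a different date."""

    def __init__(self, today: date = TODAY):
        self.today = today
        # In-memory stand-in for a server-side session flag (assumption for the example).
        self._blocked_sessions: Set[str] = set()

    def check(self, session_id: str, dob: date) -> Tuple[bool, str]:
        if session_id in self._blocked_sessions:
            return False, "already screened out this session"
        if dob > self.today:
            return False, "invalid date of birth"
        if age_on(dob, self.today) < MIN_AGE:
            self._blocked_sessions.add(session_id)
            return False, "under 13: do not collect personal information"
        # Only the outcome is retained; the date of birth itself is not stored.
        return True, "ok"


if __name__ == "__main__":
    screen = AgeScreen()
    print(screen.check("session-a", date(2012, 5, 4)))   # blocked
    print(screen.check("session-a", date(1990, 5, 4)))   # still blocked: retry with a new date
    print(screen.check("session-b", date(1990, 5, 4)))   # allowed
```

The check has to run server-side on every path that creates an account, including any abbreviated mobile flow, and the collected date of birth should be discarded once the decision is made: a stored birthdate is itself personal information, and for an under-13 applicant it is exactly the data the law says you may not keep without verifiable parental consent.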
- Employees Peeking at Private Information
- Personal Defamatory Remarks on an Internal Social Network
- Unique Identifiers Put Anonymity at Risk
- Collecting Information for Marketing Purposes Without Permission
- Emailing Canadians Without Explicit Consent
- Regulators Are Increasingly Technically Adept
- Responsibility for Sensitive Data Sent to Authorized
- Don’t Collect Information that Reveals Habits of the Individual Without Consent
- Recording Location Information Puts Anonymity At Risk
- Collecting Sensitive Information Without Allowing the User To Opt Out
- De-identification of Data Is Difficult; Really Difficult
- Don’t Collect Data You Can’t Use
Almost every business will recognize several of these blind spots in its own operations.