What do these organizations
have in common?
City Of Toronto
Municipal Property Assessment Corp
Donald E Sheehy, CA*CISA
What Underlying Message
Conflicting messages and views exist
s CEO Scott
"There is no
Get over it.”
Doing an AltaVista search on the string
“Internet Privacy Issues” yields almost 2,000,000 hits
Privacy is regarded as the number one issue
affecting Internet based E
Significant number of articles appear daily on
privacy and related issues (look at Yahoo News or
We have new acts appearing in Ontario and the US
WE HAVE NOT GOT OVER IT
Some of The Recent Headlines
“A comprehensive data privacy bill to be introduced
next year in the U.S. House will apply to online and
line practices, affecting virtually every company
that does business in the U.S”
“International privacy policies are permeating
planning at corporations struggling to comply with
the European Union's privacy rules and an
emerging set of strict Canadian data sharing
“don’t look now but Microsoft is making a
grab for the mantle of Internet privacy
champion by pushing a standard few have
embraced…. The move…could backfire
and further muddle the intractable debate
about Internet privacy”
And some more personal
“Security experts discovered a flaw this week in the
Web site operated by Verizon Wireless that
potentially exposed the private customer
information of those who used the Web site to view
their personal cell phone bills”. (Sept 16)
Customer information exposed by Playboy.com
hacker (November 21, 2001) Playboy.com has
spent several days contacting customers and doing
an online security audit after a hacker broke into
the site's online store last weekend and got access
to customer information and credit card numbers.
What I’ll be Covering
What is meant by privacy
Current global legislation and dealing with
enterprise privacy risk that they cause
Dealing with special privacy concerns for
How the CA can help
What is Privacy?
Right to be left alone (1890, Harvard
Freedom from intrusion or public attention
The protection of the collection, storage,
destruction and dissemination of personal
information ( EU, Canada and US Safe
What does it consist of ?
Information (factual or
Medical records etc
(factual or subjective)
wide vs. Internet
wide privacy includes all
records, systems of an organization
whether electronic or not.
also known as online
privacy, refers to the systems that
encompass a web presence and records
that hold data obtained via the presence
Internet privacy is a subset of enterprise
OECD Guidelines (1980)
European Union (EU Directive 95/46EC,
1995, effective 1998)
Canada (Personal Info Protect & Electronic
Documents Act (PIPEDA), April 2000)
Australia (Privacy Amendment (private
sector) Act 2000)
UK (Data Protection Act, 1998)
US Privacy Legislation
Safe Harbor (July 2000)
Facilitate trade and commerce between the US and
Voluntary and self
Gramm-Leach-Bliley (July 2001)
Primary financial institutions (banks, insurance,
securities and others with credit operations)
Restricts disclosure of non-public info about
customers to third parties
posting, including sharing with third parties
Children’s Online Privacy Protection Act (COPPA) April
online collection of personal information from children
spell out what a Web site operator must include in a
parent and what responsibilities an operator has to protect
children's privacy and safety online
Health Insurance Portability and Accountability Act
Applies to health info created or maintained by health care
providers who engage in certain electronic transactions,
health plans and healthcare clearinghouses
reason for collection
that required for the
Limiting Use, disclosure
Why Deal With Privacy Risk
In many countries to ensure compliance
with law and regulations
In any event
stay out of public eye
Increase management awareness and
sensitivity, force change
Evidence due care and commitment
Goals for assessment
Id. the nature of PII associated
with business process
Document its collection, use,
disclosure and destruction
Provide mgt with tool to make
informed decisions based on
understanding of privacy risk
Create consistent format and
What the profession is doing
CICA and AICPA Projects in process
Consultation between AICPA/CICA and
ISACA publications … A Guide to Cross
Privacy Impact Assessments, Thomas J. Carol
PWC assessment tool on Ontario PC site
Move to assurance reporting
Firm methodologies for consulting and advising
Specific Challenges for
Internet (Online) Privacy
What are the Concerns for
What information can be “discovered” by visiting a
What information is being collected, why, do they
really need it?
Is the site secure enough to stop people from
accessing the information I give to a site in a
Who really is watching what I do when I surf?
What will happen to my information?
I am not sure of who I am doing business
I don’t like the traceability
I am afraid I will get scammed
Concern for Cookies
What are they?
What can they do?
Why are they used?
Good or bad?
Cookie Recipe (user
and site info)
: What the programmer chooses for the cookie.
: The domain name from the server that created and
sent the cookie.
: Information about the path of the Web page a user was
reading when the cookie was sent. This setting helps restrict
other sites or areas within a site from accessing cookie data.
: When the cookie is set to expire, in the
hour time, GMT).
: If this value is set in the cookie, the information is
encrypted during transmission between the server and the
: The specific data being stored for future recognition
and action by the Web server; no white space, semicolons or
commas can be included, and a 4K-byte limit is desirable.
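The fields described above map onto the attributes of a `Set-Cookie` header (name=value, Domain, Path, Expires, Secure). The following is an added example, not part of the original slides: it splits a constructed header into those fields and flags the privacy-relevant ones. The host names, the 30-day persistence threshold and the function names are assumptions made for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample header (not from the slides): a one-year tracking cookie.
SAMPLE = ("visitor=u8841; Domain=.ads.example; Path=/; "
          "Expires=Wed, 01 Jan 2003 00:00:00 GMT")
NOW = datetime(2002, 1, 1, tzinfo=timezone.utc)  # fixed clock for the example


def same_site(host, cookie_domain):
    """Simplified match: host equals the cookie domain or is a subdomain."""
    d = cookie_domain.lstrip(".").lower()
    return host.lower() == d or host.lower().endswith("." + d)


def audit_cookie(header, page_host, now=NOW, max_days=30):
    """Split one Set-Cookie value into the recipe's fields and flag risks."""
    jar = SimpleCookie()
    jar.load(header)
    reports = []
    for name, m in jar.items():
        fields = {"name": name, "value": m.value, "domain": m["domain"],
                  "path": m["path"], "expires": m["expires"],
                  "secure": bool(m["secure"])}
        findings = []
        if m["expires"]:
            days = (parsedate_to_datetime(m["expires"]) - now).days
            if days > max_days:  # hypothetical threshold for "persistent"
                findings.append(f"persistent: kept on disk for {days} days")
        else:
            findings.append("session cookie: dropped when the browser closes")
        if not fields["secure"]:
            findings.append("no Secure flag: also sent over plain HTTP")
        if m["domain"] and not same_site(page_host, m["domain"]):
            findings.append("third-party: domain differs from the page visited")
        if len(m.value) > 4096 or any(c in m.value for c in " ;,"):
            findings.append("value breaks the size/character rules")
        reports.append({"fields": fields, "findings": findings})
    return reports


if __name__ == "__main__":
    for r in audit_cookie(SAMPLE, "shop.example"):
        print(r["fields"])
        for f in r["findings"]:
            print("  -", f)
```

The Secure flag does not encrypt the cookie itself; it tells the browser to send the cookie only over an encrypted (HTTPS) connection.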
Identify return visitors
Maintain shopping basket information
Maintain user information
staying on the user's hard disk for
months or even for years)
good or bad?
Cannot obtain information NOT provided by
Cannot be used between sites . . . usually
Can reveal information provided to the site
to other vendors (e.g., DoubleClick)
Can provide functionality and ease of site
Can possibly transmit viruses
Some final thoughts on
64 federal agency Web sites use software to track
the habits of users despite rules banning the
practice, according to preliminary findings in a
report to Congress on Internet privacy that was
released last week (Office of Inspector General).
The European Parliament on Tuesday [Nov 13]
voted to adopt an amendment to the draft directive on
electronic data collection and privacy to restrict the
have to explicitly ask users if they want to accept
a move that the advertising industry says
could be damaging to business.
Microsoft cooks cookies?
Microsoft issues patch for hole in Internet
Explorer (November 15, 2001) Versions 5.5
and 6 that can expose cookie data to
Microsoft P3P (in new browser version)
creating problem with cookies 97/100 esp
a real privacy hole
Internet users are “remote” node on the
Path to/within the site
Creating a More Secure
Browsing Session in IE
Turn off script languages (Java, ActiveX)
Eliminate history information. To prevent Explorer
from replacing the History.html folder, put a locked
or read only file in that folder
Delete cookies and preferences re cookies.
Select Edit/Preferences/Receiving Files/Cookies
Select “Internet Preferences” file selected, choose
File/Get Info then check the “Locked” box
Secure the cache (delete the cache.waf file; this can be
done by making an alias into a “wipefile” program)
…and your privacy.
A web bug is a graphic on a web page or in
an email message that is designed to
monitor who is reading the web page or
The word "bug" is being used to denote a
small, eavesdropping device
width=1 height=1 border=0><IMG WIDTH=1
How common are they?
Common on free pages created through
Geocities and AOL
Estimated 18% of all personal pages,
Estimated 16% for home pages
Who was the biggest user last March?
What do they do?
Usually used to count visitors
Gather statistical information about web
sites without collecting personal information
General profiling for banner ads, etc.
Why a Problem
By sharing info among bugs across
different sites, they can be used to track
If visitor has given personal info at one
linked site, then info can be linked through
the bugs to other sites
What can be done?
Not too much. . .
Hard to distinguish from normal GIF files
Free detection software
Currently works with Internet Explorer 5.0 or
greater for Windows.
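A sketch of how such detection can work, as an added example that is not part of the original slides and not the detection software they mention: because a web bug looks like any other GIF, the heuristic here flags images that are both 1x1 pixels and served from a host other than the page's, then reports hosts whose bugs appear on more than one site. The sample pages and host names are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ImgCollector(HTMLParser):  # gathers the attributes of every <img> tag
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def tiny(value):
    """True for a width/height of 0 or 1 pixel; a missing value is not tiny."""
    return value is not None and value.strip().rstrip("px") in ("0", "1")


def find_web_bugs(html, page_url):
    """Hosts of 1x1 images served from a different host than the page."""
    parser = ImgCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    hosts = []
    for img in parser.images:
        src_host = urlparse(urljoin(page_url, img.get("src") or "")).hostname
        if (tiny(img.get("width")) and tiny(img.get("height"))
                and src_host and src_host != page_host):
            hosts.append(src_host)
    return hosts


def cross_site_trackers(pages):
    """Map each bug host to the sites embedding it, when more than one does."""
    seen = {}
    for url, html in pages.items():
        for host in find_web_bugs(html, url):
            seen.setdefault(host, set()).add(urlparse(url).hostname)
    return {h: s for h, s in seen.items() if len(s) > 1}


# Constructed sample pages (not from the slides); hosts are placeholders.
BUG = '<IMG SRC="http://stats.tracker.example/b.gif?p={}" WIDTH=1 HEIGHT=1 BORDER=0>'
PAGES = {
    "http://news.example/": '<img src="/logo.gif" width=120 height=40>' + BUG.format("news"),
    "http://shop.example/cart": '<img src="spacer.gif" width=1 height=1>' + BUG.format("cart"),
}
print(cross_site_trackers(PAGES))
```

The first-party `spacer.gif` is also 1x1 but is not flagged, which is why image size alone is not a reliable signal.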
Can privacy exist without security?
Can security exist without privacy?
A Question of Security
The web security problem
Securing the web server and its data
Securing information while in transit
Securing the user’s computer
What are the risks?
Denial of service
Proprietary information or data
Hardware and software
Private customer information
Confidential business information
Methods of attack…
Poor CGI script
Java and ActiveX (often used to leak info)
Lax password control
The forgotten areas
What can be done?
Policy management and change
Three “Ds” of protection
Three Ds of security policy
And . . .
What CAs are doing
System defined by
Report issued to
Independent verification can allay the
majority of these fears as does financial
Public accounting is quality controlled the
Also serves as valuable eCommerce consulting
tool in understanding best practices
Follows standardized process from Web site to
Web site giving comfort to oversight
Trust Services & Independent Verification
Affords a broad scope of assurance to consumers,
business owners and oversight authorities.
Audit Level Testing of the following areas:
Effective Fraud Deterrent
Transaction Fulfillment Testing
Consumer Recourse Provision
Strong International Presence & Growing!
The Trust Services Advantage
CAs are the acknowledged
providers of assurance and trust
International network for building trust
Flexible solution to meet needs of
consumers, merchants, ISPs, and business
Evidence of increase in sales for merchants
A Global Range
Independent verification services such as WebTrust &
SysTrust are offered in:
United Kingdom & Ireland
Australia & New Zealand
Netherlands, Belgium, Spain, Hong Kong
Can’t relax on a corporate level: you need to gear
up for all the privacy legislation facing you
Look for controls, policies and procedures services
that will help your enterprise and its web presence
meet the privacy challenge head
Look for help from your qualified CA and legal
You can’t relax on a personal level