Information Security Jobs: Privacy Standards

By Peter H. Gregory

The term privacy has several meanings and interpretations. However, it is especially important in information security. In several contexts, privacy is a social and political hot button. But this discussion is focused on how privacy pertains to business and information security. First, a definition: Privacy is concerned with the safeguarding and proper use of citizens’ personal and sensitive information.

Let’s dissect this definition a little more:

  • Safeguarding personally sensitive information: In this vein, privacy is information security focused on one type of data — that of citizens’ personal information. In practice, protecting personally sensitive information is really not any different from protecting any other information in an organization. For people to do their jobs, they need to understand how this information is collected, stored, processed, and removed. Then you can use the tools in your toolboxes to maximize protection.

  • Proper use of personally sensitive information: Mainly, is the data safeguarded, and is it used only for purposes explicitly stated, or is it also sold to marketing companies who will bombard people with unwanted emails, telephone calls, and junk mail? This aspect of privacy is of concern to us, but it’s somewhat outside our core concern — unless you’re the chief privacy officer in an organization, in which case it’s your main concern!

Permitted uses of private information

A common practice for organizations that collect personally sensitive information about citizens is the publication of a privacy policy. Often seen on corporate and government websites, a privacy policy typically provides a detailed account of the methods used to collect, store, and process users’ personal information.

Usually, a privacy policy explains how this information may be forwarded to other organizations for a variety of purposes, methods available for users to verify, correct, and remove their data, and the ability to opt out of certain activities, features, and uses of their data.

In the United States, the Federal Trade Commission has kept a close eye on organizations’ published privacy policies and has levied fines or lawsuits on organizations that violate their own published privacy policy.

Cookies, beacons, and other online tracking

In the online world, many people are wary of the methods used by certain organizations to track users’ Internet usage for the purpose of delivering targeted advertising. One of the more controversial practices is Google’s method of reading the contents of an e‐mail message and delivering ads to the user based on keywords in the message.

Another less controversial method, but one that still has many persons’ blood boiling, is the use of tracking cookies, web beacons, and other tricks to track the Internet site visitation habits of individual users.

Cookies are small data objects sent from a website and stored by a user’s browser on the user’s local computer. There are three types of cookies used today:

  • Session cookie: This type of cookie is used between web servers and users’ web browsers to establish and maintain a user’s session with the website. Web servers use session cookies to distinguish one user from another. Also known as authentication cookies, session cookies are usually considered an acceptable use of cookies.

  • Tracking cookie: This cookie is typically used to improve a user’s experience when visiting a website. For instance, tracking cookies store a user’s language preference, landing page, currency, and so on. A tracking cookie is also called a persistent cookie and originates from the same domain in the browser’s address bar.

  • Thirdparty cookie: This tracking cookie is sent from a website not in the browser’s address bar. Third‐party cookies are often used for advertising tracking and other uses often not associated with the core functionality of the website that a user is visiting.

Web beacons, also known as web bugs or tracking bugs, are objects that a user’s browser or email client downloads when a user is viewing a web page or HTML‐encoded email message. When a user’s browser or email client downloads a web page or email message containing a web beacon, this downloading is logged in the beacon’s web server log, facilitating tracking of the viewing of the web page or email message by the user. Web beacons take the following forms:

  • 1×1 GIF (image) file that is transparent or the same color as the web page, which makes it effectively invisible to the end user

  • 1×1 HTML frame that is invisible to the user

  • JavaScript file that is invisible to the user

Flash cookies are tracking objects similar to browser cookies and are used by Adobe Flash browser plug‐ins. Flash cookies can be used for purposes similar to those for tracking cookies.