From a leader in the field, the first book on how to build privacy safeguards into web sites and applications, a topic of growing importance
• Shows how to identify privacy problem areas and implement privacy features
• Describes how to build applications that are privacy aware
• Author is one of the top experts on privacy, managing the corporate privacy group at Microsoft
• The cost to businesses of not taking privacy into account when building applications is too great to ignore
Praise for J.C. Cannon's Privacy
"A wonderful exploration of the multifaceted work being done to protect the privacy of users, clients, companies, customers, and everyone in between."
–Peter Wayner, author of Translucent Databases
"Cannon provides an invaluable map to guide developers through the dark forest created by the collision of cutting-edge software development and personal privacy."
–Eric Fredericksen, Sr. Software Engineer, PhD., Foundstone, Inc.
"Cannon's book is the most comprehensive work today on privacy for managers and developers. I cannot name any technical areas not covered. No practitioners should miss it."
–Ray Lai, Principal Engineer, Sun Microsystems, Inc., co-author of Core Security Patterns and author of J2EE Platform Web Services
"Every developer should care deeply about privacy and this is the best book I've read on the subject. Get it, read it, and live it."
–Keith Ballinger, Program Manager, Advanced Web Services, Microsoft
"J.C. Cannon's book demonstrates that information and communication technology can contribute in a significant way to restoring individual privacy and raises more awareness of the complexity and importance of this societal problem."
–Dr. John J. Borking, Former Commissioner and Vice-President of the Dutch Data Protection Authority
"If you are planning, implementing, coding, or managing a Privacy campaign in your company or your personal computing, there is no more relevant reference. J.C. Cannon nails the issues."
–Rick Kingslan, CISSP, Microsoft MVP-Windows Server: Directory Services and Right Management, West Corporation
"It's often been said that security is a process, not a product. Privacy is no different! Unlike other privacy books, J.C. Cannon's book has something valuable to convey to everyone involved in the privacy process, from executives to designers and developers, many of whom aren't thinking about privacy but should be."
–Keith Brown, Co-founder of Pluralsight and author of The .NET Developer's Guide to Windows Security and Programming Windows Security
"J.C. Cannon's new book on electronic privacy is an important addition to the available works in this emerging field of study and practice. Through many humorous (and occasionally frightening) examples of privacy gone wrong, J.C. helps you better understand how to protect your privacy and how to build privacy awareness into your organization and its development process. Keenly illustrating both the pros and cons of various privacy-enhancing and potentially privacy-invading technologies, J.C.'s analysis is thorough and well-balanced. J.C. also explains many of the legal implications of electronic privacy policies and technologies, providing an invaluable domestic and international view."
–Steve Riley, Product Manager, Security Business and Technology Unit, Windows Division, Microsoft
"Privacy concerns are pervasive in today's high-tech existence. The issues covered by this book should be among the foremost concerns of developers and technology management alike."
–Len Sassaman, Security Architect, Anonymizer, Inc.
You're responsible for your customers' private information. If you betray their trust, it can destroy your business. Privacy policies are no longer enough. You must make sure your systems truly protect privacy–and it isn't easy. That's where this book comes in.
J.C. Cannon, Microsoft's top privacy technology strategist, covers every facet of protecting customer privacy, both technical and organizational. You'll learn how to systematically build privacy safeguards into any application, Web site, or enterprise system, in any environment, on any platform. You'll discover the best practices for building business infrastructure and processes that protect customer privacy. You'll even learn how to help your customers work with you in protecting their own privacy. Coverage includes
Whether you're a manager, IT professional, developer, or security specialist, this book delivers all the information you need to protect your customers–and your organization.
I. PRIVACY FOR EVERYONE.
1. An Overview of Privacy.
Who's Watching Our Data?
Technologies That Communicate with the Internet.
Answering the Call for Privacy.
The Path to Trustworthiness.
The Privacy Mantras.
2. The Importance of Privacy-Enhancing and Privacy-Aware Technologies.
The Goal of PATs and PETs: The Constant Pursuit of Anonymity.
Anonymizers and Pseudonymizers.
Secure File Deletion.
Online Privacy Protection Suites.
The Importance of Privacy-Aware Solutions.
Finding Business Value in Privacy-Aware Solutions.
Centralized Privacy Setting Management.
Ability to View Data to Be Transmitted to the Internet.
Clear Tracks and Personal Info.
Documentation of Privacy-Related Data.
3. Privacy Legislation.
Regulations Changing the Way Companies Do Business.
Microsoft Office 2003.
Major Privacy Legislation.
Organisation for Economic Co-operation and Development (OECD).
EU Directive on Data Protection.
Personal Information Protection and Electronic Document Act (PIPEDA).
The U.S. Safe Harbor Privacy Principles.
Children's Online Privacy Protection Act (COPPA).
Computer Fraud and Abuse Act (CFAA).
Gramm-Leach-Bliley Act (GLBA).
Health Insurance Portability and Accountability Act (HIPAA).
4. Managing Windows Privacy.
Privacy Disclosure Documents for Microsoft Windows.
First Privacy Statement.
Using Group Policy for Centralized Setting Management.
Online Help and Top Issues.
Windows Error Reporting.
Using the Windows Error Reporting Dialog.
Using Group Policy to Manage Windows Error Reporting.
Configure Automatic Updates.
Specify Intranet Microsoft Update Service Location.
Reschedule Automatic Updates Scheduled Installations.
No Auto-Restart for Scheduled Automatic Updates Installations.
My Recent Documents.
Windows Media Player 9.
Microsoft Office 2003.
Microsoft Office 2003 Online Settings.
Microsoft Word 2003 Metadata Settings.
Microsoft Office Remove Hidden Data Tool.
Creating a Custom ADM File.
Creating a Custom GPO for Privacy.
5. Managing Spam.
Spam As a Privacy Issue.
The Cost of Spam.
What Can Be Done to Fight Spam.
Challenge-Response for Account Creation.
Client-Side Antispam Solutions.
Spam and Infected Attachments.
Server-Side Antispam Solutions.
Block List Companies.
Antispam Server Software.
Developing E-Mail-Friendly Solutions.
Protecting Legitimate Bulk E-Mail.
6. Privacy-Invasive Devices.
Radio Frequency Identification (RFID) Tags.
Blocking RFID Tags.
Subdermal RFID Devices.
Other RFID Tag Uses.
Market Acceptance of RFID Tags.
Problems with RFID Tags.
RFID Tags and Privacy Concerns.
Obtaining RFID Tags.
Radar-Based Through-the-Wall Surveillance System.
Spotme Conferencing Device.
nTAG Smart ID Badges.
Devices That Look Under Clothing.
Passive Millimeter Wave Scanners.
Backscatter X-Ray Devices.
A Legal View of New Technology.
II. PRIVACY AND THE ORGANIZATION.
7. Building a Privacy Organizational Infrastructure.
The Absence of a Privacy Infrastructure Can Be Costly.
Understanding Your Company's Data Handling Practices.
The Chief Privacy Officer.
The Corporate Privacy Group.
Providing Privacy Training.
Building a Privacy Hierarchy for Developing Solutions.
Creating a Privacy Council.
Developing a Privacy Standard.
8. The Privacy Response Center.
Providing Customer Service for Privacy Issues.
Handling Privacy Issues.
The Importance of a Privacy Response Center.
Organizing a Privacy Response Center.
Integrating the PRC with Product Groups.
Working with Foreign Subsidiaries.
Recording Privacy Issues.
Online Privacy Form.
Improving the Privacy Response Process.
III. PRIVACY AND THE DEVELOPER.
9. Platform for Privacy Preferences Project (P3P).
Surveillance: Good or Bad?
Introducing P3P for Expressing Web Site Privacy.
Deploying P3P at a Web Site.
The P3P Reference File.
P3P Policy File.
P3P Compact Policy.
Browsers and P3P Integration.
AT&T Privacy Bird.
P3P Creation Tools.
P3P Policy Editor.
Joint Research Centre.
A P3P Preference Exchange Language (APPEL).
10. Integrating Privacy into the Development Process.
Start with a Solid Infrastructure.
Get Privacy Training.
Create a Plan.
Integrating Privacy into Development.
Privacy Response Team.
Creating a Deployment Guide.
The Privacy Specification.
User Control Analysis.
User Access Analysis.
Phone Home Disclosure.
The Privacy Review.
Starting the Privacy Review.
Management by Exception.
Who Should be Involved?
Running the Meeting.
Privacy Review Scope.
Privacy Review Template.
11. Performing a Privacy Analysis.
Helpful Hints for Diagramming.
Number Processes, Data Stores, and Dataflows.
Use Underscores to Connect Words in a Title When Creating Documentation.
Use a Prefix on Names or Identifiers to Avoid Confusion.
Context-Level Application Decomposition.
Level 0 Application Decomposition.
Rolling Up an Application Decomposition.
An Application Decomposition Rollup Example.
12. A Sample Privacy-Aware Application.
F_1.0 User requests.
F_2.0 User responses.
F_3.0 Displ priv stat req.
F_4.0 Online data requests.
F_5.0 Priv report data.
F_6.0 Config data.
D_1.0 Local registry.
D_2.0 PrivacyReport.txt.
Installing the Application.
The Privacy Statement.
Tying Privacy Settings to Group Policy.
Encrypting Local Data.
13. Protecting Database Data.
Using Row-Level Security to Protect Data.
Using Column-Level Security to Protect Data.
Data Retention Policy.
Data Classification and Isolation.
Determining What to Encrypt.
Selecting the Right Encryption Algorithm.
Determining the Encryption Key Length to Use.
Type A Bias.
Type B Bias.
Type C Bias.
Type D Bias.
Advanced Perturbation Techniques.
IBM Tivoli Privacy Manager.
14. Managing Access to Data: A Coding Example.
Categorizing the Columns of a Table.
Categorizing the Rows of a Table.
Setting Up the Application.
Setting Up the Web Files.
Setting Up the Database.
Setting Up Authorization Manager.
Setting Up CAPICOM.
Testing the Database Version of the Application.
Viewing Patient Information.
Testing the Authorization Manager Version of the Application.
15. Digital Rights Management.
The Digital Millennium Copyright Act.
The Use of DRM to Defend Privacy.
DRM, Copy-Protection Redux.
Rights Management Languages.
Digital Property Rights Language (DPRL).
eXtensible Media Commerce Language (XMCL).
eXtensible Rights Markup Language (XrML).
Open Digital Rights Language (ODRL).
Making a Choice.
Rights Management Applications.
Electronic Media Management System.
Windows Rights Management Services.
Information Rights Management.
Developing DRM Solutions.
ContentGuard XrML SDK.
Nokia Content Publishing Toolkit.
Open Digital Rights Language.
Windows Rights Management Client SDK.
Windows Rights Management Services SDK.
A. Privacy Section for a Feature Specification.
Web Service Component.
B. Privacy Review Template.
C. Data Analysis Template.
D. List of Privacy Content.
E. Privacy Checklist.
F. Privacy Standard.
Follow Fair Information Practices.
Collection of Data.
Antispam Software and Information.
Anti-Spyware Software and Information.
Privacy Advocacy and Consulting Groups.
Privacy Certification Programs.
Privacy Tools and Technology Companies.
The Fight Against the Invasion of Privacy.
Protecting Online and Personal Privacy.
Security and Privacy.