Website Privacy: I Like Big Data I Cannot Lie
By now, most people understand that websites collect data behind the scenes (often without notice). You may even opt to volunteer information by filling out and submitting an online form. But what rights do the website owners have to your data? Who can they share it with? What are your rights?
These are all great questions that we’ll talk about in this article.
Privacy Policy
Every website that collects data should publish a Privacy Policy. This is not only for the users’ sake but also to protect the website’s owners. The privacy policy should explain how the site owners may use and disclose your data, what types of data are collected, and how a user can contact the owner if they have concerns.
Okay, so now you know where to look to find out how your data is being used and what your rights are. But what if you want to submit confidential information? If you own the website, how do you keep confidential information secure?
SSL Certificates
SSL (Secure Sockets Layer) certificates are the modern standard in website security technology. When you visit a site that has a properly installed certificate, an encrypted link is established between the web server and your browser, so the data passed between those two points stays private and confidential. When you complete a form on an SSL secured website, your data is protected against interception in transit: even if an unintended 3rd party does somehow intercept it, that person would only see garbled nonsense. Modern 256-bit encryption is so strong that even if 70 billion modern processors were focused on cracking a single value, it would still take 77 septillion years to crack it (that’s 77 followed by 24 zeros)!
You can tell if a website is protected by an SSL certificate by looking at the URL of the page you’re viewing – check if it starts with https:// (the “s” stands for secure). Also check to the left of the address to make sure a green padlock appears (or its equivalent in your browser of choice).
Data Process Protection
As a user, once you verify that the site is SSL secured and has an agreeable Privacy Policy, clicking “Submit” still transfers control of your data over to the website’s owner. As an owner, it is important to regularly review internal protocols to make sure that you are living up to the published Privacy Policy. If your form has the potential to collect identifying healthcare information, this becomes a mandated legal requirement.
Online Form Sent to Email
Some online forms send data directly to the recipient’s email address. Email is still one of the least secure forms of online communication. Often an email will get copied and stored in plain text on several servers during routine transit – a footprint which doesn’t disappear for years. For this reason, you should never email confidential information unless both the sender and recipient are using end-to-end encryption.
Products like Proofpoint offer email encryption for organizations. They also have products which scan incoming and/or outgoing email so that the organization does not send or receive sensitive data – such messages are stopped by the gatekeeper before delivery. These are great tools to minimize risk.
Online Form Sent to 3rd Party Program
There are many 3rd party products available that encrypt online form submissions and send them to a secure document server for retrieval using a private decryption key. The intended recipient may receive an email about the form but the email will not contain any actual data. You will still need to review the 3rd party product you’re subscribing to and ensure that their security procedures are adequate.
Appletree MediaWorks has experience collecting and securely storing online data and documents for our clients. We would be happy to discuss your company’s security needs.
Key points to a secure data system include:
- SSL Certificate on the entire website (this makes Google happy too)
- Secure Passwords and separate accounts for each user
- Document encryption and decryption process
- Document authentication and retrieval system
- A Web Application Firewall
- Storing documents outside of the live website
- Retrieving and viewing the uploaded documents only through SSL
- Audit report with logins, document access logs and IP addresses
- A procedure for truly deleting information off of servers and computers (multi-pass)
- SQL injection prevention for the MySQL database
- Training staff on proper privileged document handling procedures
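To make the checklist concrete, here is an added Python example (not Appletree MediaWorks’ code) covering three of the points above: uploads stored outside the live website under random names, parameterised database queries, and an audit log with user, action and IP address. It uses SQLite in place of MySQL and a temporary directory in place of a real storage path; both are assumptions for a stand-alone run, and encryption at rest is left to a proper library.

```python
import secrets, sqlite3, tempfile
from datetime import datetime, timezone
from pathlib import Path
SCHEMA = ("CREATE TABLE documents (id INTEGER PRIMARY KEY, owner TEXT, stored_name TEXT UNIQUE, original_name TEXT);"
          "CREATE TABLE audit (ts TEXT, actor TEXT, action TEXT, target TEXT, ip TEXT);")

def open_store(db_path, storage_dir):
    """Create the metadata DB and the upload directory, which must live outside the web root."""
    storage_dir = Path(storage_dir)
    storage_dir.mkdir(parents=True, exist_ok=True)
    conn = sqlite3.connect(db_path)
    conn.executescript(SCHEMA)
    return conn, storage_dir

def audit(conn, actor, action, target, ip):
    # Every upload, download and denied access is logged with a UTC timestamp and the client IP.
    conn.execute("INSERT INTO audit VALUES (?, ?, ?, ?, ?)",
                 (datetime.now(timezone.utc).isoformat(), actor, action, target, ip))
    conn.commit()

def store_document(conn, storage_dir, user, ip, original_name, data):
    # Saved under a random name, so the client-supplied filename never reaches the filesystem.
    stored_name = secrets.token_hex(16)
    (storage_dir / stored_name).write_bytes(data)
    # Bound parameters, never string concatenation: a hostile filename cannot alter the SQL.
    cur = conn.execute("INSERT INTO documents (owner, stored_name, original_name) VALUES (?, ?, ?)",
                       (user, stored_name, original_name))
    audit(conn, user, "upload", stored_name, ip)
    return cur.lastrowid

def fetch_document(conn, storage_dir, user, ip, doc_id):
    # Ownership is checked in the database, and a denied request is logged rather than ignored.
    row = conn.execute("SELECT stored_name, original_name FROM documents WHERE id = ? AND owner = ?",
                       (doc_id, user)).fetchone()
    if row is None:
        audit(conn, user, "access-denied", str(doc_id), ip)
        return None
    audit(conn, user, "download", row[0], ip)
    return row[1], (storage_dir / row[0]).read_bytes()

def demo():
    """Constructed sample run: one upload, the owner's download and a second user's denied request."""
    with tempfile.TemporaryDirectory() as tmp:
        conn, store = open_store(":memory:", Path(tmp) / "uploads")
        hostile = "app'); DROP TABLE documents;--.pdf"  # constructed name that would break string-built SQL
        doc = store_document(conn, store, "alice", "203.0.113.5", hostile, b"%PDF-1.4 sample")
        mine = fetch_document(conn, store, "alice", "203.0.113.5", doc)
        theirs = fetch_document(conn, store, "bob", "198.51.100.9", doc)
        actions = [r[0] for r in conn.execute("SELECT action FROM audit ORDER BY rowid")]
        return mine, theirs, actions
```

Running `demo()` shows the hostile filename stored verbatim (the table survives), the other user’s request refused, and all three events in the audit table.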
Improper Data Procedures
My family recently had an experience with an insurance company that collected lots of personal information on their paper application forms. They insisted on using paper applications because they were more “secure”. They cited concerns that the data might be hackable if it was online. As an IT professional, I knew it would be much easier to steal paper from a desk than it would be to hack it from a secure environment. But I trusted that this professional company had staff trained on proper document handling procedures.
The company then made a simple and foolish mistake. They scanned in our application and attached it to an email and sent it back to me with a question. We had a long discussion about the risk they just put our family in by sending this form over email. As IT professionals, we offered them other workflow options that did not involve sending secure data through insecure channels. They are now paying for identity theft services for our family because of their mishandling of our secure information. This is a good example of how improper training and knowledge of these issues can become very costly for a company – and how the right knowledge can help you hold companies accountable when and if your data is ever compromised.