You are previewing Privacy What Developers and IT Professionals Should Know.
O'Reilly logo
Privacy What Developers and IT Professionals Should Know

Book Description

Praise for J.C. Cannon's Privacy

"A wonderful exploration of the multifaceted work being done to protect the privacy of users, clients, companies, customers, and everyone in between."

—Peter Wayner, author of Translucent Databases

"Cannon provides an invaluable map to guide developers through the dark forest created by the collision of cutting-edge software development and personal privacy."

—Eric Fredericksen, Sr. Software Engineer, PhD., Foundstone, Inc.

"Cannon's book is the most comprehensive work today on privacy for managers and developers. I cannot name any technical areas not covered. No practitioners should miss it."

—Ray Lai, Principal Engineer, Sun Microsystems, Inc., co-author of Core Security Patterns and author of J2EE Platform Web Services

"Every developer should care deeply about privacy and this is the best book I've read on the subject. Get it, read it, and live it."

—Keith Ballinger, Program Manager, Advanced Web Services, Microsoft

"J.C. Cannon's book demonstrates that information and communication technology can contribute in a significant way to restoring individual privacy and raises more awareness of the complexity and importance of this societal problem."

—Dr. John J. Borking, Former Commissioner and Vice-President of the Dutch Data Protection Authority

"If you are planning, implementing, coding, or managing a Privacy campaign in your company or your personal computing, there is no more relevant reference. J.C. Cannon nails the issues."

—Rick Kingslan, CISSP, Microsoft MVP-Windows Server: Directory Services and Right Management, West Corporation

"It's often been said that security is a process, not a product. Privacy is no different! Unlike other privacy books, J.C. Cannon's book has something valuable to convey to everyone involved in the privacy process, from executives to designers and developers, many of whom aren't thinking about privacy but should be."

—Keith Brown, Co-founder of Pluralsight and author of The .NET Developer's Guide to Windows Security and Programming Windows Security

"J.C. Cannon's new book on electronic privacy is an important addition to the available works in this emerging field of study and practice. Through many humorous (and occasionally frightening) examples of privacy gone wrong, J.C. helps you better understand how to protect your privacy and how to build privacy awareness into your organization and its development process. Keenly illustrating both the pros and cons of various privacy-enhancing and potentially privacy-invading technologies, J.C.'s analysis is thorough and well-balanced. J.C. also explains many of the legal implications of electronic privacy policies and technologies, providing an invaluable domestic and international view."

—Steve Riley, Product Manager, Security Business and Technology Unit, Windows Division, Microsoft

"Privacy concerns are pervasive in today's high-tech existence. The issues covered by this book should be among the foremost concerns of developers and technology management alike."

—Len Sassaman, Security Architect, Anonymizer, Inc.

You're responsible for your customers' private information. If you betray their trust, it can destroy your business. Privacy policies are no longer enough. You must make sure your systems truly protect privacy—and it isn't easy. That's where this book comes in.

J.C. Cannon, Microsoft's top privacy technology strategist, covers every facet of protecting customer privacy, both technical and organizational. You'll learn how to systematically build privacy safeguards into any application, Web site, or enterprise system, in any environment, on any platform. You'll discover the best practices for building business infrastructure and processes that protect customer privacy. You'll even learn how to help your customers work with you in protecting their own privacy. Coverage includes

  • How privacy and security relate—and why security isn't enough

  • Understanding your legal obligations to protect privacy

  • Contemporary privacy policies, privacy-invasive technologies, and privacy-enhancing solutions

  • Auditing existing systems to identify privacy problem areas

  • Protecting your organization against privacy intrusions

  • Integrating privacy throughout the development process

  • Developing privacy-aware applications: a complete sample application

  • Building a team to promote customer privacy: staffing, training, evangelization, and quick-response

  • Protecting data and databases via role-based access control

  • Using Digital Rights Management to restrict customer information

  • Privacy from the customer's standpoint: spam avoidance, P3P, and other tools and resources

  • Whether you're a manager, IT professional, developer, or security specialist, this book delivers all the information you need to protect your customers—and your organization.

    The accompanying CD-ROM provides sample privacy-enabling source code and additional privacy resources for developers and managers.

    J. C. CANNON, privacy strategist at Microsoft's Corporate Privacy Group, specializes in implementing application technologies that maximize consumer control over privacy and enable developers to create privacy-aware applications. He works closely with Microsoft product groups and external developers to help them build privacy into applications. He also contributed the chapter on privacy to Michael Howard's Writing Secure Code (Microsoft Press 2003). Cannon has spent nearly twenty-five years in software development.

    © Copyright Pearson Education. All rights reserved.

    Table of Contents

    1. Copyright
    2. Praise for Privacy
    3. Acknowledgements
    4. About the Author
    5. Foreword
    6. Preface
    7. Privacy for Everyone
      1. An Overview of Privacy
        1. Who's Watching Our Data?
        2. Technologies That Communicate with the Internet
        3. Investigating Applications
        4. Defining Privacy
        5. Answering the Call for Privacy
        6. The Path to Trustworthiness
        7. The Privacy Mantras
        8. Valuing Privacy
        9. Conclusion
        10. References
      2. The Importance of Privacy-Enhancing and Privacy-Aware Technologies
        1. The Goal of PATs and PETs: The Constant Pursuit of Anonymity
        2. Privacy-Enhancing Technologies
        3. Privacy-Aware Technologies
        4. Conclusion
      3. Privacy Legislation
        1. Regulations Changing the Way Companies Do Business
        2. Major Privacy Legislation
        3. Privacy-Certification Programs
        4. Conclusion
      4. Managing Windows Privacy
        1. Privacy Disclosure Documents for Microsoft Windows
        2. Using Group Policy for Centralized Setting Management
        3. Online Help and Top Issues
        4. Windows Error Reporting
        5. Automatic Updates
        6. My Recent Documents
        7. Windows Media Player 9
        8. Microsoft Office 2003
        9. Creating a Custom ADM File
        10. Creating a Custom GPO for Privacy
        11. Conclusion
        12. Resources
      5. Managing Spam
        1. Spam As a Privacy Issue
        2. The Cost of Spam
        3. Spam Litigation
        4. What Can Be Done to Fight Spam
        5. Antispam Approaches
        6. Server-Side Antispam Solutions
        7. Developing E-Mail-Friendly Solutions
        8. Protecting Legitimate Bulk E-Mail
        9. Conclusion
        10. References
      6. Privacy-Invasive Devices
        1. Radio Frequency Identification (RFID) Tags
        2. Radar-Based Through-the-Wall Surveillance System
        3. Spotme Conferencing Device
        4. nTAG Smart ID Badges
        5. Smart Dust
        6. Devices That Look Under Clothing
        7. A Legal View of New Technology
        8. Conclusion
    8. Privacy and the Organization
      1. Building a Privacy Organizational Infrastructure
        1. The Absence of a Privacy Infrastructure Can Be Costly
        2. Understanding Your Company's Data Handling Practices
        3. The Chief Privacy Officer
        4. The Corporate Privacy Group
        5. Building a Privacy Hierarchy for Developing Solutions
        6. Conclusion
      2. The Privacy Response Center
        1. Providing Customer Service for Privacy Issues
        2. Handling Privacy Issues
        3. The Importance of a Privacy Response Center
        4. Organizing a Privacy Response Center
        5. PRC Workflow
        6. Technology Description
        7. Improving the Privacy Response Process
        8. Determining Resources
        9. Conclusion
    9. Privacy and the Developer
      1. Platform for Privacy Preferences Project (P3P)
        1. Surveillance: Good or Bad?
        2. Introducing P3P for Expressing Web Site Privacy
        3. Deploying P3P at a Web Site
        4. Browsers and P3P Integration
        5. P3P Creation Tools
        6. A P3P Preference Exchange Language (APPEL)
        7. Conclusion
        8. References
      2. Integrating Privacy into the Development Process
        1. Getting Started
        2. Integrating Privacy into Development
        3. The Privacy Specification
        4. The Privacy Review
        5. Conclusion
      3. Performing a Privacy Analysis
        1. Helpful Hints for Diagramming
        2. Context-Level Application Decomposition
        3. Level 0 Application Decomposition
        4. Privacy Boundaries
        5. Rolling Up an Application Decomposition
        6. Conclusion
      4. A Sample Privacy-Aware Application
        1. Program Design
        2. Installing the Application
        3. Sample Files
        4. Privacy Disclosure
        5. Privacy Settings
        6. Encrypting Local Data
        7. Conclusion
      5. Protecting Database Data
        1. Physical Security
        2. Programmatic Security
        3. Transaction Auditing
        4. Data Minimization
        5. Translucent Databases
        6. Data Obfuscation
        7. Data Quantization
        8. Query Limitation
        9. Suppression
        10. Encryption
        11. Data Perturbation
        12. Hippocratic Databases
        13. Conclusion
      6. Managing Access to Data: A Coding Example
        1. Program Overview
        2. Program Files
        3. Setting Up the Application
        4. Testing the Database Version of the Application
        5. Testing the Authorization Manager Version of the Application
        6. Conclusion
      7. Digital Rights Management
        1. The Digital Millennium Copyright Act
        2. The Use of DRM to Defend Privacy
        3. DRM, Copy-Protection Redux
        4. Rights Management Languages
        5. Rights Management Applications
        6. Developing DRM Solutions
        7. Conclusion
      8. Privacy Section for a Feature Specification
        1. Privacy
      9. Privacy Review Template
      10. Data Analysis Template
      11. List of Privacy Content
      12. Privacy Checklist
        1. Notice
        2. Choice
        3. Onward Transfer
        4. Access
        5. Security
        6. Data Integrity
        7. Enforcement
      13. Privacy Standard
        1. Overview
        2. Philosophy
        3. Corporate Privacy Policy
        4. Follow Fair Information Practices
        5. Prominent Disclosure
        6. Control
        7. Collection of Data
        8. Retention Policy
      14. References
        1. Links
        2. Books
    10. CD-ROM Warranty
    11. Index