Listen to this page: audio icon

OWASP Top 10 Privacy Risk Countermeasures

OWASP is the acronym for the Open Web Application Security Project - This is an external link..

7. Sharing of Data With a Third Party

Risk Description

Providing user data to any third-party, without obtaining the user's consent.

  • Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the website like widgets (e.g., maps, social networks, buttons), analytics or web bugs (e.g., beacons).

How to check?

  1. Is personal data transferred to third parties?

  2. Are third party solutions in use (plugins, buttons, maps, videos, advertising, etc.) and which ones?

  3. Is third party tracking disclosed (which third parties and what data).

  4. Can you provide a list of all third parties?

  5. Check each third party against each of the criteria in this document.

  6. Did you rate them regarding privacy?

  7. Is privacy and handling of personal data part of the contract and if yes, what restrictions are in place?

  8. Do you use privacyfriendly implementations of third party content (if available)?

  9. Do you use blacklists of third parties that are forbidden due to privacy concerns?

  10. Do you audit your third parties?

  11. If you transfer data to third parties, or use third party processing, is there a user consent for sharing data?

Countermeasures

Personal data is often shared with third parties through the integration of third party content like user tracking code, advertising banners, social network buttons or videos, and third party hosted JavaScript and style sheet libraries.

The following measures should be considered for a privacy-friendly use of third party content:

  1. Use third party content only where it is required, not by default.

  2. Use your own server as a "proxy" for content.

  3. Deploy full Do Not Track, to the latest W3C standard. Prefer the W3C standard over the unofficial EFF one.

  4. Tokenisation or anonymisation (data masking) should be considered for use before sharing of data with a third party.

  5. Develop a Third Party Monitoring Strategy:

    1. Gateway release for third party content (whitelist or blacklist).

    2. Contractual arrangements regarding Policies, Data usage, etc.

    3. Monitoring of user complaints.

Examples

  • Social network buttons do not transfer data unless they are clicked on: see heiseonline/shariff - This is an external link.

  • Youtube provides the opportunity to enable a privacy-enhanced mode, and only transfers personal data in the case of a click.

References

▲ Top