How to Build “Privacy by Design” into Web and Mobile


                                            #privacy360 | @tariktech


Privacy by Design




To build privacy and data protection up front, into the design specifications and architecture of information and communication systems, technologies and business practices.




NOT (Privacy by Design)




Why Should You Care?



‣ Want to do the right thing
‣ Competitive differentiation
‣ Anticipate regulation
‣ Users will be users




Big Data Platform + “Privacy by Design”




                               Small Data Is Better
Key Privacy Principles



‣ Transparency
‣ Data portability
‣ Right to be forgotten
‣ Anonymity
‣ Control




It Starts with Company Culture



‣ Everyone is a Chief Privacy/Security Officer
‣ Train key staff
‣ Think of your customers as Owners – not users
‣ Background checks where appropriate




Legal / Policy



‣ User-centric legal model – not CYA
‣ Owner Data Agreement
‣ Always opt-in
‣ Mind towards regulation to come




Business Partners and Vendors

‣ Require HTTPS for login, data exchange and APIs
‣ Do not give any 3rd parties access to customer
‣ Do not sell customer data
‣ Do not co-mingle data between clients
‣ Do not provide analytics except as a service to you
‣ Do not have any privacy/security incidents
‣ Do background checks on employees


Marketing



‣ Responsible performance tracking
‣ Try Open Source
‣ Avoid free stuff with strings attached
‣ Minimize Owner exposure to 3rd parties




Platform Architecture Considerations
‣ Hosting Provider
‣ Hardware / Cloud
‣ Networking
‣ Security
‣ CDNs
‣ Web Servers
‣ Reverse Proxies
‣ Caching
‣ Database(s)
‣ Backups
‣ Languages / Framework(s)
‣ Mobile Applications
‣ APIs
‣ Message Queues
‣ Notifications / Alerts
‣ Search Servers
‣ Logs
‣ Analytics / Reports
‣ Exports (Download my data)
‣ Admin accounts (superpowers?)
‣ Password Management
‣ Session Management


Simplified Platform Architecture
(Diagram.) Browser and Mobile App clients reach the platform over HTTPS Encryption; behind that sit Firewalls, Load Balancers / Proxies, Web Servers, App Servers and Database Servers, with Alerts, Search, Queue and Cache Servers alongside the stack and Backups beside the Database Servers.


Potential Data Traps!
(Diagram, same stack as the previous slide, annotated with where copies of Owner data collect.)

‣ Browser: Cache + History + Bookmarks; 3rd Party Social Plugins; Widgets / Analytics
‣ Mobile App: Offline Data
‣ HTTPS Encryption between the clients and the platform
‣ Alerts: Email, SMS
‣ Firewalls: Log
‣ Search: Index
‣ Load Balancers / Proxies: Log
‣ Queue: Messages
‣ Web Servers: Log
‣ Cache Servers: Server Cache
‣ App Servers: Log
‣ Backups
‣ Database Servers


Don’t Take Candy From Strangers




                          https://www.youtube.com/watch?v=Ouof1OzhL8k




…Or At Least Cut The Strings


Phones Home on Load:

    <iframe
      src="//www.facebook.com/plugins/like.php?href=http%3A%2F%2Fblog.personal.com&amp;send=false&amp;layout=standard&amp;width=450&amp;show_faces=false&amp;action=like&amp;colorscheme=light&amp;font&amp;height=35"
      scrolling="no" frameborder="0"
      style="border:none; overflow:hidden; width:450px; height:35px;"
      allowTransparency="true">
    </iframe>

No Strings Attached:

    <a href="https://www.facebook.com/sharer.php?u=http%3A%2F%2Fblog.personal.com">
      <img src="/pathtoimage/facebook.gif">
    </a>
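A check in the spirit of this slide, added here as an example and not code from the talk: a small Python scanner that separates third-party references the browser fetches on page load (iframes, scripts, images, stylesheets) from links that contact a third party only when the Owner clicks. The slide's two snippets are reproduced as its constructed input, and blog.personal.com is assumed to be the first-party host.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag attributes the browser fetches as soon as the page renders, with no
# action from the Owner: this is the "phones home on load" case.
ON_LOAD_ATTRS = {
    "iframe": "src", "script": "src", "img": "src",
    "link": "href", "embed": "src", "object": "data",
}


class EmbedAuditor(HTMLParser):
    """Sort third-party references in a page into on-load fetches and
    click-only links (<a href>), relative to a first-party host."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host.lower()
        self.on_load = []     # (tag, host): contacted during page load
        self.click_only = []  # host: contacted only if the Owner clicks

    def _third_party_host(self, url):
        # urlsplit handles protocol-relative URLs ("//www.facebook.com/..."):
        # the scheme is empty but the netloc is still parsed.
        host = urlsplit(url).hostname
        if host is None or host.lower() == self.first_party_host:
            return None  # relative path or first-party URL: not a data trap
        return host.lower()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ON_LOAD_ATTRS:
            host = self._third_party_host(attrs.get(ON_LOAD_ATTRS[tag]) or "")
            if host:
                self.on_load.append((tag, host))
        elif tag == "a":
            host = self._third_party_host(attrs.get("href") or "")
            if host:
                self.click_only.append(host)


def audit(html, first_party_host):
    """Return (on_load, click_only) lists for an HTML fragment."""
    auditor = EmbedAuditor(first_party_host)
    auditor.feed(html)
    auditor.close()
    return auditor.on_load, auditor.click_only


# The slide's two snippets, reproduced here as constructed input.
LIKE_BUTTON_IFRAME = (
    '<iframe src="//www.facebook.com/plugins/like.php?href=http%3A%2F%2Fblog.'
    'personal.com&amp;send=false&amp;layout=standard&amp;width=450" '
    'scrolling="no" frameborder="0"></iframe>'
)
SHARE_LINK = (
    '<a href="https://www.facebook.com/sharer.php?u=http%3A%2F%2Fblog.personal.com">'
    '<img src="/pathtoimage/facebook.gif"></a>'
)

if __name__ == "__main__":
    for name, snippet in (("like button", LIKE_BUTTON_IFRAME), ("share link", SHARE_LINK)):
        on_load, click_only = audit(snippet, "blog.personal.com")
        print(f"{name}: on-load third-party fetches {on_load}; click-only {click_only}")
```

The like button shows up as an on-load fetch to www.facebook.com, the plain link only as a click-only host, and the local facebook.gif is not flagged at all.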




Data-driven Platform

(Diagram.) Browser and Mobile App clients over HTTPS Encryption, then Firewalls, Load Balancers / Proxies, Web Servers and App Servers, with Email / SMS Alerts and a Log beside the App Servers.




Supporting True Portability and Deletion

A InstanceNameAlreadyExistsException occurred in info#create:

 * URL        : https://www.personal.com/owner/info
 * IP address : 127.0.0.1
 * Parameters : {"authenticity_token"=>"43w3oYPUAOU4eFhUdCHV1obgIaeSIO1Yk68ajcR1TOE=",
   "template_id"=>"0040", "card_nickname"=>"[FILTERED]", "card_type"=>"[FILTERED]",
   "card_type_otherP3"=>"[FILTERED]", "card_network"=>"[FILTERED]", "credit_name_on_card",
   "credit_card_number"=>"[FILTERED]", "expiration_date"=>"[FILTERED]", "security_code",
   "credit_website_address"=>"[FILTERED]", "card_contact_number"=>"[FILTERED]",
   "credit_card_auto_pay"=>"[FILTERED]",
   "credit_card_account_debited_during_auto_pay"=>"[FILTERED]", "credit_notes"=>"[FILTERED]",
   "password"=>"[FILTERED]", "owner_id"=>"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}

 • data: {:session_id=>"c3c5c361c1e89…[omitted]", :_csrf_token=>"43w3oYPUAOU4…[omitted]",
   :expires_at=>Mon Jan 02 14:46:56 -0500 2012}
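The [FILTERED] markers in the report above come from the framework redacting request parameters by key name before they reach logs and notification emails. As an added example (not the talk's or the Personal.com code), a Python routine in the same spirit, applied to constructed parameters shaped like the slide's; unlike the report above, it also redacts the authenticity token and session id, and it recurses into nested parameters.

```python
import re

# Key fragments that mark a parameter as sensitive. Matching is a
# case-insensitive substring match on the key name, so "card_type_otherP3"
# and "credit_card_number" are both caught by "card".
SENSITIVE_KEY_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"passw", r"card", r"credit", r"security_code", r"expiration",
              r"token", r"session", r"secret")
]
FILTERED = "[FILTERED]"


def is_sensitive(key):
    """True when a parameter name matches any sensitive-key pattern."""
    return any(p.search(str(key)) for p in SENSITIVE_KEY_PATTERNS)


def filter_parameters(params):
    """Return a copy of params with sensitive values replaced by [FILTERED].
    Dicts and lists are walked recursively, so a sensitive field inside a
    nested form section is redacted as well; other values pass through."""
    if isinstance(params, dict):
        return {
            k: (FILTERED if is_sensitive(k) else filter_parameters(v))
            for k, v in params.items()
        }
    if isinstance(params, list):
        return [filter_parameters(v) for v in params]
    return params


# Constructed request parameters shaped like the slide's error report.
SAMPLE_PARAMS = {
    "authenticity_token": "43w3oYPUAOU4eFhUdCHV1obgIaeSIO1Yk68ajcR1TOE=",
    "template_id": "0040",
    "card_nickname": "household visa",
    "credit_card_number": "4111111111111111",
    "expiration_date": "01/14",
    "security_code": "123",
    "password": "hunter2",
    "owner_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "contact": {"card_contact_number": "+1 800 555 0100",
                "website": "https://blog.personal.com"},
    "session_id": "c3c5c361c1e89",
}

if __name__ == "__main__":
    for key, value in filter_parameters(SAMPLE_PARAMS).items():
        print(f"{key} => {value!r}")
```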




What About Mobile?



‣ Secure API (HTTPS only)
‣ Don’t take data without the Owner’s consent
‣ Understand offline data storage/encryption options
‣ Understand platform leakage potential




Mobile Pitfalls

(Seven image-only slides; two of them carry the label "Image Cache".)


Thank You.
                               Please send questions or comments to @TarikTech



