OWASP Top 10 Privacy Risks Project

=Main=



{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

The project in a nutshell
The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

Top 10 Privacy Risks

 * P1   Web Application Vulnerabilities
 * P2   Operator-sided Data Leakage
 * P3   Insufficient Data Breach Response
 * P4   Insufficient Deletion of personal data
 * P5   Non-transparent Policies, Terms and Conditions
 * P6   Collection of data not required for the primary purpose
 * P7   Sharing of data with third party
 * P8   Outdated personal data
 * P9   Missing or Insufficient Session Expiration
 * P10 Insecure Data Transfer

Further information is provided in the Top 10 Privacy Risks tab.

Contact us
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

Quick Download

 * Top 10 Privacy Risks Countermeasures v1.0 (PDF)
 * Top 10 Privacy Risks Presentation (PPTX)
 * Results presentation at German OWASP Day 2014
 * Presentation from IAPP Global Privacy Summit 2015

Licensing
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.


 * valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

Download Infographic version



 * valign="top" style="padding-left:25px;width:200px;" |

News & Events

 * [20 Feb 2014] Project Start
 * [21 Sep 2014] Top 10 Privacy Risks v1.0 published
 * [1 July 2015] German Translation available
 * [8 April 2016] Countermeasures v1.0 published
 * [20 April 2016] Presentation at IAPP Privacy Intensive, London

Classifications

 * }

=Top 10 Privacy Risks=

Top 10 Privacy Risks 2014
Version 1.0 of the OWASP Top 10 Privacy Risks list. Further information and related countermeasures are provided in this PDF document.

Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

Participate
Some ways you can help:
 * Discuss with us in the mailing list or Google docs
 * Tell your colleagues and friends about the project
 * Provide feedback (feel free to contact us)
 * Apply the results in practice to improve web application privacy

Sign up to our mailing list to stay informed.

Discussions and Documentation
To avoid overwriting issues we use Google Docs for our discussions.

Current discussions
Currently no ongoing discussions. Feel free to contact us for feedback and ideas.

Closed discussions and documents
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

Survey Results
A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can download the full report.

Part 1:

Q1 Do or did you work as a:

Software Developer		26.98%

Software Designer		12.70%

Legal Practitioner		 4.76%

Software Project Manager	11.11%

Data Privacy Expert		33.33%

Security Expert			66.67%

Public Servant			12.70%

Other				11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

Why is this project only about web applications and not about any kind of software?
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

Are the Top 10 Privacy Risks applicable for mobile apps as well?
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

What is the difference between this project and the OWASP Top 10?
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

Why should companies and other organisations be concerned about privacy risks?
Privacy risks may have serious consequences for an organisation, such as: (Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)
 * perceived harm to privacy;
 * a failure to meet public expectations on both the use and protection of personal information;
 * retrospective imposition of regulatory conditions;
 * low adoption rates or poor participation in the scheme from both the public and partner organisations;
 * the costs of redesigning the system or retro-fitting solutions;
 * failure of a project or completed system;
 * withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
 * failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.

= Translation = Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.

Presentation
Video and presentation from it-sa Security Expo and Congress 2015

Japanese
Link to slidedeck

= Acknowledgements =

Volunteers
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:


 * Stefan Burgmair
 * R. Jason Cronk
 * Edward Delaporte
 * Tim Gough
 * Prof. Hans-Joachim Hof
 * Lukasz Olejnik
 * Florian Stahl

Partners

 * University of Applied Sciences Munich
 * European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)
 * International Association of Privacy Professionals (IAPP)

Sponsors

 * msg systems

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=