
Privacy Perspectives | OWASP Top 10 Privacy Risks Presented at Inaugural IPEN Workshop in Berlin


The first workshop of the Internet Privacy Engineering Network (IPEN), recently founded by the European Data Protection Supervisor (EDPS), could not have had a more symbolic location: the Berlin State Parliament, right beside the remaining parts of the Berlin Wall that separated Western Germany from the German Democratic Republic until 1989. Surveillance of citizens by the Stasi (state security) was widespread in Eastern Germany, and, 25 years later, we are back in a situation where mass surveillance is enabled by the globalized Internet and has been heavily pursued by Western governments to fight terrorism. Further, insecure protocols and the lack of technical measures to protect data in current Internet technology make it easy to circumvent privacy. For these reasons and more, IPEN was founded to support the development of privacy-friendly technologies and to raise awareness among software engineers and beyond.

During IPEN’s first gathering on 26 September, leading data protection experts such as Peter Hustinx, the outgoing EDPS, Peter Schaar of EAID, several data protection authority representatives and privacy engineers from all over Europe came together. Founded by Achim Klabunde, head of IT Policy at the EDPS, IPEN is part of the growing movement to bring people with legal backgrounds together with engineers, with the aim of building privacy into everyday tools as they are developed.

Further information about the event was published in a press release and on Twitter.

The Open Web Application Security Project’s (OWASP) Top 10 Privacy Risks Project, which I lead, was chosen as an IPEN member at an early stage, and Stefan Burgmair and I presented our initial version of the Top 10 Privacy Risks last week. The project provides engineers and business architects with guidance and raises awareness of common privacy risks in web applications. It has produced a list of the most important technical and organizational privacy risks, which in this first year currently looks like this:

P1 Web Application Vulnerabilities
P2 Operator-Sided Data Leakage
P3 Insufficient Data Breach Response
P4 Insufficient Deletion of Personal Data
P5 Non-transparent Policies, Terms and Conditions
P6 Collection of Data Not Required for the User-Consented Purpose
P7 Sharing of Data with Third Party
P8 Outdated Personal Data
P9 Missing or Insufficient Session Expiration
P10 Insecure Data Transfer

We got very positive feedback after presenting the results, but also challenging questions about our method, which is briefly explained here: We calculated each risk by multiplying the frequency of a given privacy violation in web applications by its impact. The frequency of 20 potential risks was first determined with a survey. The impact rating combined financial and reputational damage to companies (40 percent), financial and reputational damage to individuals (40 percent) and threats to personal freedom (20 percent).

Furthermore, we received inspiring ideas from the workshop participants on how to further develop the OWASP Top 10 Privacy Risks Project. Planned next steps include expanding the description of each risk and providing countermeasures adequate to it. We also heard that the project needs to be marketed more widely through a variety of channels. (We could still use volunteers…)

Going forward, the risks will be recalculated from time to time, as both the frequency of occurrence and the impact are likely to change, and we’ll constantly be on the lookout for threats posed by new technologies coming into the marketplace.

Photo credit: Chris.Jeriko via photopin cc
