Transcript Main Title
Web Applications: Get a Grip on Privacy Michael Corn CAMP 2008 Outline Relationship to Identity Management Free Speech Privacy Censorship Concerns Visibility and Public use of Resources Outsourcing Hosting or Linking to External Content Relationship to Identity Management Relatively few unique challenges – Most content is user generated – Students are surprisingly savvy about privacy matters http://www.pewinternet.org/pdfs/PIP_Teens_Privacy _SNS_Report_Final.pdf Greatest challenges are – – – – the demand for “opaque authentication” desire for public visibility desire for public interaction (esp. blogs) faculty expectations of technology Privacy Privacy and the Web do not have to be orthogonal, but try very hard to be so FERPA, FERPA, FERPA – Misinformation Faculty behavior implies that pedagogical concerns trump personal privacy Opaque authentication - few (if any) tools See FERPA Scenarios Privacy II Link to your campus Privacy policy or whatever serves that purpose It should include: – – – – – – What data web sites may collect Survey's that take place on the web Public discussion forums eCommerce FERPA, SSNs, Cookies, and other security matters Legal conditions (warranties and liability). Illinois’s Web Privacy Notice: http://www.vpaa.uillinois.edu/policies/web_privacy.asp Free Speech Understand the ‘limits’ on the use of your resources – Political campaigning (policy and Illinois State law) – Commercial activity All forms of communication can be construed as part of the educational environment - but not everywhere Define the purpose and scope of a service Free Speech II Creating a Terms of Use (ToU) statement; Communicating the ToU to the consumers and ensuring they acknowledge its receipt; and Responding to violations in a timely yet transparent fashion Guidelines for creating a Terms of Use http://www.uiuc.edu/alwaysillinois/terms https://agora.cs.uiuc.edu/x/AR Censorship Concerns Before deploying a Wiki or blog, consider the following: – Are you concerned that individuals will use your forums to disparage your unit? – Are you prepared to face individuals whose content you have removed and explain why said content is unprofessional and/or inappropriate? – Are you prepared to sanction individuals who consistently violate your ToU by prohibiting their use of the resource? – What is your comfort level for critical speech or aggressive disagreement being displayed on your resource? Visibility and Public use of Resources Electronic resources should be made visible only to those population using those resources. – Require authentication to your resource (a login and password) and limit access and visibility – Control search engines If your resource is open to the public Internet by design, then it is even more critical to address the issue of a Terms of Use statement before users can access the resource. Hosting or Linking to External Content Scenario: Faculty/staff/student/alumni is doing fieldwork and blogging about it using a commercial service; your public affairs office (or the department) wants to feature the blog on their web site - what issues are you facing? – Permission to include content – Appropriateness of content (watch for commercial sponsorship) – Privacy of individuals in photos – Use of ‘departure flag’ for links to non-University resources Outsourcing General Principles: – Data stored on third-party servers or systems must be secured to at least the same degree as the Campus or University would meet. – Student data and access to systems by students will require vetting by the Campus Security Office and the Office of Admissions and Records to ensure compliance with FERPA and other campus security and privacy related policies. – The burden this brings to vendors is non-trivial; many vendors simply will not be able to comply with the high-standard the Campus has for security and confidential or high-risk data. See Sample Procurement Language Summary Create a service description document (SDD) that identifies the users of the service (both participants and observers) and a description of what the purpose of the service is (e.g., "to build a sense of community among our graduate students" or "to discuss topics relevant to rocket science"). Create a Terms of Use document. Place a link to the ToU on every web page or in the 'signature block' of any auto-generated email messages. Place a link to your University’s Privacy Policy on the main pages of your service. Create a mechanism for users to report inappropriate usage. This can be as simple as the email address for the individual responsible for the service or a form that permits anonymous reporting. Be very careful about outsourcing arrangements. Resources Guidelines for Writing a Terms of Use – https://netfiles.uiuc.edu/xythoswfs/webui/_xy-27100251_2-t_iA5QhDUx Sample Procurement Language – https://netfiles.uiuc.edu/xythoswfs/webui/_xy-27100249_2-t_bvKcsRzh Guidelines for Wikis and Blogs (written version of this presentation) – https://netfiles.uiuc.edu/xythoswfs/webui/_xy-27100252_2-t_eMOLgXmi FERPA Scenarios – https://netfiles.uiuc.edu/xythoswfs/webui/_xy-27100250_2-t_AUdATNzA Feel free to contact me: Mike Corn [email protected]