Web Applications: Get a Grip on Privacy
Michael Corn, CAMP 2008
Outline
• Relationship to Identity Management
• Free Speech
• Privacy
• Censorship Concerns
• Visibility and Public use of Resources
• Outsourcing
• Hosting or Linking to External Content
Relationship to Identity Management
• Relatively few unique challenges
• Most content is user generated
• Students are surprisingly savvy about privacy matters
  • http://www.pewinternet.org/pdfs/PIP_Teens_Privacy_SNS_Report_Final.pdf
• Greatest challenges are:
  • the demand for “opaque authentication”
  • desire for public visibility
  • desire for public interaction (esp. blogs)
  • faculty expectations of technology
Privacy
• Privacy and the Web do not have to be orthogonal, but try very hard to be so
• FERPA, FERPA, FERPA
• Misinformation
• Faculty behavior implies that pedagogical concerns trump personal privacy
• Opaque authentication: few (if any) tools
• See FERPA Scenarios
Privacy II
• Link to your campus Privacy policy, or whatever serves that purpose
• It should include:
  • What data web sites may collect
  • Surveys that take place on the web
  • Public discussion forums
  • eCommerce
  • FERPA, SSNs, cookies, and other security matters
  • Legal conditions (warranties and liability)
• Illinois’s Web Privacy Notice: http://www.vpaa.uillinois.edu/policies/web_privacy.asp
Free Speech
• Understand the ‘limits’ on the use of your resources
  • Political campaigning (policy and Illinois State law)
  • Commercial activity
• All forms of communication can be construed as part of the educational environment, but not everywhere
• Define the purpose and scope of a service
Free Speech II
• Creating a Terms of Use (ToU) statement;
• Communicating the ToU to the consumers and ensuring they acknowledge its receipt; and
• Responding to violations in a timely yet transparent fashion
• Guidelines for creating a Terms of Use:
  • http://www.uiuc.edu/alwaysillinois/terms
  • https://agora.cs.uiuc.edu/x/AR
Censorship Concerns
• Before deploying a Wiki or blog, consider the following:
  • Are you concerned that individuals will use your forums to disparage your unit?
  • Are you prepared to face individuals whose content you have removed and explain why said content is unprofessional and/or inappropriate?
  • Are you prepared to sanction individuals who consistently violate your ToU by prohibiting their use of the resource?
  • What is your comfort level for critical speech or aggressive disagreement being displayed on your resource?
Visibility and Public use of Resources
• Electronic resources should be made visible only to the populations using those resources.
• Require authentication to your resource (a login and password) and limit access and visibility
• Control search engines
• If your resource is open to the public Internet by design, then it is even more critical to address the issue of a Terms of Use statement before users can access the resource.
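The two technical controls on this slide, requiring a login and keeping search engines out, can be combined in a single request policy. The following is an added example written for this page; it is not code from the presentation or from the University of Illinois. It uses only the Python standard library, a constructed demo account, hypothetical public paths (/robots.txt and /terms) and a hypothetical members-only area; everything else returns 401 until the client authenticates. Note the layering: robots.txt is only advisory, the X-Robots-Tag header tells a crawler that has already reached a page not to index it, and the authentication check is the control that actually limits who sees the content.

```python
import base64
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials for the demo. A real service would check the
# campus directory or single sign-on, not a hard-coded dictionary.
DEMO_USERS = {"demo_user": "correct horse battery staple"}

# Hypothetical pages that stay readable without a login: the crawler policy
# file and the Terms of Use users must be able to read before they sign in.
PUBLIC_PAGES = {
    "/robots.txt": "User-agent: *\nDisallow: /\n",   # advisory: polite crawlers stay out
    "/terms": "Terms of Use: (hypothetical placeholder text)\n",
}


def basic_header(user, password):
    """Build an HTTP Basic Authorization header value (helper for clients and tests)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def authenticate(auth_header):
    """Return the user name if the Basic credential is valid, otherwise None."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None          # malformed header, treat as unauthenticated
    user, _, password = decoded.partition(":")
    expected = DEMO_USERS.get(user)
    if expected is None:
        # Run a comparison anyway so response timing does not reveal whether
        # the user name exists.
        hmac.compare_digest(password, "no-such-user")
        return None
    return user if hmac.compare_digest(password, expected) else None


def build_response(path, auth_header=None):
    """Decide (status, headers, body) for a request.

    Kept as a pure function so the policy can be tested without a server."""
    headers = {
        "Content-Type": "text/plain; charset=utf-8",
        # Crawlers that reach any page are told not to index or follow it.
        "X-Robots-Tag": "noindex, nofollow",
        # Shared caches must not keep copies of member-only pages.
        "Cache-Control": "private, no-store",
    }
    if path in PUBLIC_PAGES:
        return 200, headers, PUBLIC_PAGES[path]
    user = authenticate(auth_header)
    if user is None:
        headers["WWW-Authenticate"] = 'Basic realm="members-only", charset="UTF-8"'
        return 401, headers, "Authentication required\n"
    return 200, headers, f"Welcome, {user}. Member-only content.\n"


class Handler(BaseHTTPRequestHandler):
    """Minimal server wrapper around build_response()."""

    def do_GET(self):
        status, headers, body = build_response(self.path, self.headers.get("Authorization"))
        payload = body.encode("utf-8")
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Plain HTTP on localhost for the demo only; Basic credentials are sent
    # in clear text, so a real deployment sits behind TLS.
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

Run the module and fetch http://127.0.0.1:8000/robots.txt (readable), /terms (readable) and /anything-else (401 until the demo credential is supplied). The same three-layer idea carries over to any framework: a robots policy for polite crawlers, a noindex header for the rest, and authentication as the control that actually enforces the visibility decision.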
Hosting or Linking to External Content
• Scenario: a faculty/staff/student/alumni member is doing fieldwork and blogging about it using a commercial service; your public affairs office (or the department) wants to feature the blog on their web site. What issues are you facing?
  • Permission to include content
  • Appropriateness of content (watch for commercial sponsorship)
  • Privacy of individuals in photos
  • Use of a ‘departure flag’ for links to non-University resources
Outsourcing
• General Principles:
  • Data stored on third-party servers or systems must be secured to at least the same degree the Campus or University itself would provide.
  • Student data, and access to systems by students, will require vetting by the Campus Security Office and the Office of Admissions and Records to ensure compliance with FERPA and other campus security and privacy related policies.
  • The burden this brings to vendors is non-trivial; many vendors simply will not be able to comply with the high standard the Campus has for security and for confidential or high-risk data.
• See Sample Procurement Language
Summary
• Create a service description document (SDD) that identifies the users of the service (both participants and observers) and describes the purpose of the service (e.g., "to build a sense of community among our graduate students" or "to discuss topics relevant to rocket science").
• Create a Terms of Use document.
• Place a link to the ToU on every web page or in the 'signature block' of any auto-generated email messages.
• Place a link to your University’s Privacy Policy on the main pages of your service.
• Create a mechanism for users to report inappropriate usage. This can be as simple as the email address of the individual responsible for the service, or a form that permits anonymous reporting.
• Be very careful about outsourcing arrangements.
Resources
• Guidelines for Writing a Terms of Use
  • https://netfiles.uiuc.edu/xythoswfs/webui/_xy-27100251_2-t_iA5QhDUx
• Sample Procurement Language
  • https://netfiles.uiuc.edu/xythoswfs/webui/_xy-27100249_2-t_bvKcsRzh
• Guidelines for Wikis and Blogs (written version of this presentation)
  • https://netfiles.uiuc.edu/xythoswfs/webui/_xy-27100252_2-t_eMOLgXmi
• FERPA Scenarios
  • https://netfiles.uiuc.edu/xythoswfs/webui/_xy-27100250_2-t_AUdATNzA
• Feel free to contact me: Mike Corn, mcorn@uiuc.edu