Key Message:Addressing privacy during software development is just as important as addressing security.
Clearly security and privacy are closely linked when it comes to protecting information, yet when it comes to software development, privacy hasn’t yet pulled the same profile as security. As is the case for security, privacy is most effectively addressed when privacy practices, roles, responsibilities, and review approvals are integrated into your existing software and security development lifecycle. This helps ensure that privacy is at the forefront of developers’ minds as they execute each lifecycle phase.
In this podcast, Ralph Hood and Kim Howell, both with Microsoft’s Trustworthy Computing Initiative, will discuss Microsoft’s top ten privacy practices and how they have been integrated with their security development lifecycle (SDL). Ralph is a lead program manager on the SDL team and Kim is a director in the Privacy group.
Addressing Privacy during Software Development
As is the case for security, it is important for developers to keep privacy at the forefront of their thinking, addressing it as early in the lifecycle as possible.
Key topics include
Integrating privacy practices with security practices and with the software development lifecycle helps minimize the overhead for developers, giving them a single process where this is all defined.
Security and privacy practices address the obligations that a company takes on when they collect and use personal data.
Defining User and Personal Data
First, organizations need to protect Personally Identifiable Information (PII) – anything that would allow you to identify, contact, or locate an individual.
It is also important to protect pseudonymous information – anything collected about a user that would allow you to directly, inferentially, or implicitly derive an identity. The more you collect, the more you can infer.
Key Questions Developers Should Ask
When it comes to collecting user data, developers should always ask “Why am I collecting this data? Is it essential to provide the service I am developing?”
Every time you collect information, you create an obligation to maintain the security of that information for its life span. Having the potential for future use of the information may not be a sufficiently compelling reason for collecting it.
Minimizing the Collection of Personal Data
According to Microsoft’s “Ten Things You Must Do to Protect Privacy,” (see Resources), minimizing the collection of personal data includes the following practices:
Make sure that you map data collection to a business need. You need to understand not only what data you are collecting but its context and associations. For example, if personal data is going to be aggregated, you don’t need to collect PII. If you do collect PII, you need to discard it as soon as possible.
It is important to hold data for the shortest period of time. This can be tackled, for example, by automating the time duration for retaining log files and data that is extracted from log files.
Preventing Unauthorized Access and Inappropriate Use
According to Microsoft’s “Ten Things You Must Do to Protect Privacy,” the following practices should be considered in order to prevent unauthorized access and inappropriate use of personal data:
What constitutes unauthorized access is defined by the level of notice and consent you receive from the user at the time of collection. You must make sure privacy preferences, sources, contact preferences, etc. travel with and stay associated with the user data that you collect in order to insure that during development, only authorized access is permitted.
You need to provide system administrators with the right tools so that they can define and implement their appropriate use policies.
Interacting with Users about Their Data
According to Microsoft’s “Ten Things You Must Do to Protect Privacy,” interacting with users about their data includes the following practices:
You need to consider the type of data you’re collecting and your purpose in collecting it.
Gaining Parental Consent
You need to determine if what you are developing either directly targets or may be attractive to children. Both of these conditions create some obligations when collecting PII.
The U.S. Child Online Protection Act (COPA) is a law that addresses collecting data from minors. Knowingly collecting such information requires parental consent.
Addressing Privacy in the Security Development Lifecycle
The SDL also kicks off a privacy review process. Privacy managers work with development teams starting early on in the design process.
No products ship without a privacy signoff.
An increasing number of organizations are starting to use Microsoft’s privacy guidelines.
Microsoft’s Security Development Lifecycle web site
Microsoft Security Development Lifecycle (SDL) – Version 4.1a, November 6, 2009. Appendix A – Privacy at a Glance summarizes “Ten Things You Must Do to Protect Privacy.”
Microsoft’s SDL blog
Microsoft’s Privacy web site
Microsoft’s Privacy Guidelines for Developing Software Products and Services, Version 3.1, September 2008.