Disclaimer: Nothing in this document should be interpreted as legal advice.
The purpose of this document is to acquaint the application developer ("you") with Intel's privacy philosophy and how privacy and security controls can be easily incorporated into your exploration, planning, and development efforts. The intention is to briefly define the must-have requirements, describe recommendations based on the Fair Information Practices Principles1, and offer additional reading resources for more information. This document will help prepare you to proactively design your application to protect and respect customers' privacy interests.
You should be aware that compliance with international privacy standards and regulations can be complicated and includes legal risks. If the application or business objective does not require processing personal information from the user, the best practice is not to process such information.
1. Privacy Requirements for the Intel AppUp® center
These requirements must be satisfied at time of submission and in subsequent application updates for distribution through the store. Applications not meeting these requirements may be rejected or removed from the store. Although Intel may not be able to validate these requirements for every application that is submitted, any user complaints related to personal information misuse may be considered grounds for removing an application from the store.
- 1.1. Notice to users - If your application collects any personal information, the user must be notified about what is being collected, why it is being collected (purpose) and whether the information will be shared with anyone else.
- 1.1.2. Definitions of personal information vary between countries. Developers should use a very broad interpretation of this term to include any information that is, or may be, associated with a person. Examples include: images, location, name, address, birthday, gender, logged activities, survey responses, etc.
- 1.2. Use limitation - Personal information may only be used for the purpose described in the notice.
- 1.3. Explicit opt-in for transfer to third parties - If you share any collected personal information with third parties, you must obtain the user's permission before the information is transferred.
- 1.3.1. Implementation Example: Identify the third party, the information to be shared and the purpose for sharing the information before asking for user consent. Consent should not be sought for "blanket" approval to share with "any" third parties for "any legal" purpose.
- 1.3.2. Implementation Example: In a social media context, users may have active control over third parties to which they want to share their personal information. In this case, the user should be made aware of what the third party can do with such access. (i.e. Can they download the personal information and use it in any way they desire, or only view the information online?)
- 1.4. Storage and transmission of personal information should be done in a reasonably secure manner.
- 1.4.1. Implementation Example: Transmission of personal information should be done with SSL or similar security.
1 Federal Trade Commission overview of the Fair Information Practice Principles
2. Privacy Guidelines for the Intel AppUp® center
Privacy should be a key part of the requirements and design of your application. The requirements should be formed to ensure that the application not only meets these privacy and security guidelines but complies with any regulatory requirements in the countries where you make the application available. In addition, the code review process should verify privacy and security standards and policies.
Intel defines privacy as an individual's right to have a private life, to be left alone and to be able to decide when their personal information is collected, used or disclosed. Any information that can be used to identify, contact, or locate someone is considered personal information (e.g. name, address, telephone number, mobile phone number, e-mail address, social security number, government identification number, etc.). In addition, any information which is linked to personal information or from which other personal information can easily be derived is considered personal information too.
When you submit your application to the Intel AppUp® center for validation, you also need to declare if you process personal information of end-users. If your notification is found to be incomplete or incorrect during the validation process, Intel may decide not to post your application in the store. Intel does not assume any responsibility that your application is in compliance with applicable privacy rules and regulations if the application passes validation.
All developers have a role and responsibility in understanding privacy compliance requirements and associated risks2. Below is a summary that highlights what privacy compliance actions can be taken to mitigate certain business, consumer, and legal risks.
Some data elements are considered more sensitive than others (e.g. biometrics, children's personal information, etc.) and may require additional compliance efforts with statutory rules and regulations. You should review these with your legal counsel.
2 Defined by the AICPA.
3 Federal Trade Commission overview of the Fair Information Practice Principles.
3. Privacy Concepts in Application Development
When you develop an application that collects, shares, stores, or transmits personal information, you will need to comply with international privacy rules and regulations. The concepts described below provide specific foundational requirements that should be incorporated into your application development efforts.
- 3.1. Purpose
Before collecting any personal information, you should clearly define why you need it, prior to obtaining it from an individual. You may not use personal information for any reason other than the purpose specified to the individual at the time of collection without their prior consent; this includes secondary uses such as direct marketing.
Recommendations on how to prepare for addressing the Purpose within your application
- Document your personal information business requirements.
- Document a data flow diagram, including:
  - A list of the personal information that is collected, stored, shared, and transmitted
  - The method to protect the personal information
  - Methods of accessing the personal information
  - The user interface that can be used to control the data capture, storage, and transmission
- Document any considered secondary use of the personal information by the developer and third parties and subsequent notice requirements
- 3.2 Notice, Choice, and Consent
You should provide a clear explanation (Notice) of your personal information handling practices at the time of collection. The notice should be easy to find and easy to read. You should obtain affirmative opt-in consent4 from an individual before collecting their personal information if required by law.
Recommendations on how to develop notice, choice, and consent into your application
- When installing an application or completing a registration form, configure the default to not collect personal information.
- Use radio buttons, check boxes, or menu selections to notify the individual of their choices and require the individual to select before proceeding.
- If an individual elects not to have personal information collected, allow the individual to participate as a guest if possible.
- Add a convenient location in your menu where individuals can revisit your personal information handling practices (e.g. privacy option in help menu, privacy footer in website).
- When transferring the personal information to third parties, you need to inform the individual. If an individual elects not to have personal information transferred to third parties, you need to honor their decision.
- Inform the individual for how long you will retain the personal information. Don't retain it for longer than required to meet your business objectives (e.g. not beyond the end of a support agreement) or to comply with applicable law.
4 Opt-in consent means that individuals must take some sort of affirmative action, indicating their desire to participate in a given program or service, like filling out a registration page, or submitting their email address to receive a newsletter.
- 3.3. Access to and Accuracy of Personal Information
You should provide individuals reasonable access to their personal information so the individual can ensure their personal information is accurate, complete and current.
Recommendations on how to develop access and accuracy into your application
- Create a secure user profile that requires a unique identifier and password combination to allow the individual to maintain their personal information.
- Organize all of the individual's personal information into a single menu selection or tab that displays all of their personal information for easy reviewing and editing.
- When an individual updates sensitive personal information, for example passwords or financial personal information, send an electronic message to the individual stating that their <insert> personal information has been updated on <date time> by <e-mail address or unique identifier>.
- 3.4. Minimization and Retention of Personal Information
You should collect and/or process only the personal information required for a specific purpose and not retain personal information longer than necessary to satisfy the purpose for which it was collected.
Recommendations on how to develop minimization and retention into your application
- If the individual's personal information is not needed, don't collect it. Use pseudonyms5 or unique identifiers where possible.
- Scrutinize the number of required data elements. Look for opportunities to make personal information collection optional or to not collect it at all.
- All personal information collected should have an expiration date associated with it. Formalize the lifecycle of data by developing a Data Retention Policy for all personal information data elements and include your practices in the privacy statement.
5 Pseudonymity has characteristics similar to anonymity in that you are not identifiable, but you can be tracked through an alias or persona that you have adopted.
- 3.5. Security and Transfer of Personal Information
You should take reasonable measures to protect personal information from unauthorized access, use, modification, disclosure or loss.
Recommendations on how to develop security into your application
- When collecting personal information over the wire, don't transmit it in clear text. Use an encrypted transport such as HTTPS (SSL/TLS).
- Allow the individual a menu of choices for how their information is disclosed. Allow selections ranging from everyone to no one, or allow the individual to create their own customizations.
4. Security Controls to Preserve Privacy
To ensure that individuals' privacy is preserved and that compliance with the appropriate regulatory standards has been met, certain security controls must be employed. The following are some of the vulnerabilities that lead to privacy violations:
- Injection flaws,
- Insecure Direct Object Reference,
- Information Leakage and Improper Error Handling,
- Broken Authentication and Session Management, and
- Failure to Restrict URL access.
Completing a code review and/or vulnerability scan will help to catch these vulnerabilities. You should develop security controls necessary to preserve the individual's personal information and account log-in information.
- 4.1. Input Validation
Input validation is the process of verifying input to ensure it is in the expected format. This involves checking data length, type, syntax and business rules before displaying or storing the data. Input validation is a widely used mitigation against Cross-Site Scripting (XSS) attacks.
Recommendations on how to perform input validation
- There are multiple strategies for input validation, for instance whitelist and blacklist validation. A combination of both is recommended: use a whitelist to constrain input to known good data and validate the format, length, and type, then test for known malicious input using blacklist validation.
- Canonicalization is the process of converting data to its simplest form. Web applications rely on this process, for example when decoding URL-encoded form data or converting a host name to an IP address. It is essential to be aware of potential canonicalization errors. Inputs must be decoded and then canonicalized before being validated, and an application should never decode the same input more than once, because a second decoding pass can be used to bypass whitelist checks.
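The decode-once, canonicalize, whitelist-then-blacklist order described above, as an added example that is not part of the Intel document. The display-name rules, the blacklist fragments and the sample inputs are constructed for illustration.

```python
import re
import unicodedata
from urllib.parse import unquote

# Whitelist: what a display name is allowed to look like (constructed rule set).
DISPLAY_NAME_RE = re.compile(r"[A-Za-z0-9 .'\-]{1,40}")
# Blacklist, applied after the whitelist as a second check for known-bad fragments.
BLACKLIST_FRAGMENTS = ("--", "' or ", "or 1=1")
# Anything that still looks percent-encoded after one decoding pass.
STILL_ENCODED_RE = re.compile(r"%[0-9A-Fa-f]{2}")


def canonicalize(raw: str) -> str:
    """Decode exactly once, then normalize Unicode so look-alike characters
    (e.g. a fullwidth '<') collapse to their simplest form before validation."""
    decoded = unquote(raw)
    if STILL_ENCODED_RE.search(decoded):
        # A second layer of encoding means the value was double-encoded;
        # decoding again would let the encoded form slip past the whitelist.
        raise ValueError("double-encoded input rejected")
    return unicodedata.normalize("NFKC", decoded)


def validate_display_name(raw: str) -> str:
    """Canonicalize, then whitelist (format, length, type), then blacklist."""
    value = canonicalize(raw)
    if not DISPLAY_NAME_RE.fullmatch(value):
        raise ValueError("display name outside the allowed character set or length")
    lowered = value.lower()
    for fragment in BLACKLIST_FRAGMENTS:
        if fragment in lowered:
            raise ValueError("display name contains a known-bad fragment")
    return value


def check_display_name(raw: str) -> tuple:
    """Convenience wrapper: (accepted, canonical value or rejection reason)."""
    try:
        return True, validate_display_name(raw)
    except ValueError as exc:
        return False, str(exc)
```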
- 4.2. Enforce Least Privileges
Individuals should have only the least amount of access or privilege to an application that allows them to complete their necessary objective. Following this recommendation helps prevent individuals from gaining access to someone else's personal information or any other sensitive information. The same concept can be used to limit the access of a program or even a process. It is essential to determine the information and resources necessary to complete a legitimate task; a clear understanding of how data flows through the application will help you limit privileges.
Recommendation on how to enforce least privileges
- Always enforce the principle of least privilege for an individual's or a process's access to any database or backend system. Access should be based on the privileges necessary to complete the business objective.
- 4.3. Information Leakage
Information leakage occurs when information about an application's configuration or internal workings is exposed. The leaked information could itself be sensitive data, or it could allow an illegitimate individual to gain access to the application. A common example is leaking information via an error message that shows debug information. Information leakage can also be more subtle, such as revealing state information through the time it takes to process certain operations.
Recommendations on how to prevent personal information disclosure
- All developers working on a single application should use a common approach to handle exceptions.
- Limit the contents of error handling messages. An alternative would be to create a default sanitized error message.
- Utilize similar or identical error messages.
- An additional mitigation strategy for sensitive transactions could be to implement random wait times for all transactions, so that processing time does not reveal state to an attacker.
- Different components in an application, such as a database and a web server, will have different error messages. It is necessary to verify error messages and attempt to disable or limit detailed error handling.
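Sanitized error handling and identical failure messages as recommended above, as an added example that is not part of the Intel document. Instead of the random wait times the text suggests, the login routine uses constant-time hash comparison and always does the same hashing work whether or not the user exists, which is a standard complementary way to remove timing differences; the user table and handler are constructed.

```python
import hashlib
import hmac
import logging
import os
import uuid

log = logging.getLogger("appup.example")


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table: name -> (salt, PBKDF2 hash). Never store plaintext passwords.
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT))}
# Dummy credentials used when the user does not exist, so the unknown-user path
# does the same amount of work as the wrong-password path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("placeholder", _DUMMY_SALT)

LOGIN_FAILED = "Invalid user name or password."   # identical for every failure cause
GENERIC_ERROR = "The request could not be completed. Reference: {ref}"


def login(username: str, password: str) -> dict:
    """Return the same message whether the user is unknown or the password is wrong."""
    known = username in USERS
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # Constant-time comparison: duration does not depend on where the hashes differ.
    match = hmac.compare_digest(candidate, stored)
    if known and match:
        return {"ok": True, "message": "Welcome"}
    return {"ok": False, "message": LOGIN_FAILED}


def safe_call(handler, *args) -> dict:
    """Run a handler; on any exception keep the full detail in the server log and
    return only a sanitized message plus a reference id support staff can look up."""
    try:
        return {"ok": True, "result": handler(*args)}
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("request %s failed", ref)   # stack trace stays server-side
        return {"ok": False, "message": GENERIC_ERROR.format(ref=ref)}
```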
- 4.4. Direct Object Reference
A direct object reference occurs when a developer exposes a file, directory, database record, key or any other type of internal reference. An attacker can use this information to gain access without authorization. For instance, if an error message for an online store displays a database file location, an attacker could download the database and gather information about the store's customers. This vulnerability can be detected using vulnerability scanning tools or a manual code review process. It can be avoided by using indirect methods such as an index or an indirect reference map rather than exposing the actual location of the file, directory, or other resource.
Recommended controls to prevent direct object reference include
- Avoid displaying object references whenever possible.
- Object references should be validated using a whitelist or "accept known good" approach, i.e. verify paths for all directories.
- Confirm that the user accessing the referenced object has the necessary privileges and authorization.
- 4.5. Authentication and Session Management
HTTP cookies are often used to prove that the individual has authenticated and to manage the session. Developers should avoid the use of custom cookies. Flaws in authentication and session management usually involve failure to protect credentials and session tokens. This leads to session hijacking and the ability of illegitimate individuals to gain access to the application. It can be prevented by ensuring that login occurs on an encrypted page and that all credentials and session tokens are encrypted in transit using SSL.
Methods for ensuring secure authentication and session management
- Use SSL to transmit all cookies that are used for authentication or session management, not just for the login page.
- Leverage frameworks with built-in session management instead of building your own.
- Upon successful authentication or a change in privilege, a new session token should be generated.
- Pages should include a logout that destroys the session on both the server and the client side.
- Applications should include a timeout appropriate to the data classification.
- HTTP cookies should not contain any personal information.
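The session-handling points above (token rotation on login or privilege change, classification-based timeout, server- and client-side logout, and a cookie that carries only a random token) as an added example that is not part of the Intel document. The timeout values per classification and the `sid` cookie name are constructed; the clock is injectable so the timeout can be exercised without waiting.

```python
import secrets
import time

# Idle timeout per data classification (constructed values, in seconds).
IDLE_TIMEOUT = {"public": 8 * 3600, "internal": 30 * 60, "sensitive": 10 * 60}


class SessionStore:
    """Server-side session state keyed by a random token; the cookie carries
    only the token, never personal information."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so timeouts can be tested
        self._sessions = {}      # token -> {"user", "classification", "last_seen"}

    def create(self, classification: str = "public") -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": None, "classification": classification,
                                 "last_seen": self._clock()}
        return token

    def rotate(self, old_token: str, user=None, classification=None):
        """On login or privilege change, invalidate the old token and issue a new
        one so a token obtained before authentication cannot be reused."""
        state = self._sessions.pop(old_token, None)
        if state is None:
            return None
        if user is not None:
            state["user"] = user
        if classification is not None:
            state["classification"] = classification
        state["last_seen"] = self._clock()
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = state
        return new_token

    def get(self, token: str):
        """Return session state, or None if unknown or idle past its timeout."""
        state = self._sessions.get(token)
        if state is None:
            return None
        now = self._clock()
        if now - state["last_seen"] > IDLE_TIMEOUT[state["classification"]]:
            del self._sessions[token]   # expired: destroy server-side state
            return None
        state["last_seen"] = now
        return state

    def destroy(self, token: str) -> None:
        """Logout: drop server-side state; send logout_cookie() to the client."""
        self._sessions.pop(token, None)


def session_cookie(token: str) -> str:
    # Secure: sent only over SSL/TLS; HttpOnly: not readable by page scripts.
    return f"sid={token}; Path=/; Secure; HttpOnly; SameSite=Strict"


def logout_cookie() -> str:
    # Max-Age=0 instructs the browser to delete the cookie.
    return "sid=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Strict"
```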
Ensuring privacy of your customers and fellow developers is critical. Everyone has the right to be left alone and manage their personal information. As developers it is essential to not only know applicable rules and regulations, but to understand how privacy should be incorporated as part of the fundamental design of an application. Security can provide controls to support privacy but it is crucial to understand fundamental privacy philosophies.
Appendix A: Privacy Compliance - Top 10 List
10. Children: You should not knowingly collect personal information from children under 13.
9. Transparency (Notice): You are required by more than 100 state, local and international laws to provide transparency to individuals about what personal information you collect.
8. Retention: You should not retain information longer than is necessary to achieve your business objectives or to comply with applicable law.
7. Choice: Opt-in gives the individual the choice to consent to communication from you. You should consider implementing opt-in practices, even where not required by law, so that you contact only individuals who have proactively expressed a desire to be contacted.
6. Spam: You may be subject to the CAN-SPAM Act in many situations and therefore should provide clear information in the email regarding the source of commercial emails, and details on how to unsubscribe.
5. Vendors: You must make certain your vendors comply with your privacy policies.
4. Sensitive Data: Many privacy laws classify certain categories of personal information as "sensitive" and greatly restrict their collection and processing. Sensitive data elements include ethnicity, race, political opinions, and sexual orientation. When dealing with these categories of data, you should contact your legal counsel.
3. International Transfer: The European Union substantially limits the international transfer of personal information. Intel has certified to a "safe harbor" to transfer such data to the US. (See: www.export.gov/safeharbor/ for more info on international transfer & safe harbor). If you don't certify for safe harbor you should obtain explicit consent from individuals prior to transferring their personal information; review international transfers with your legal counsel.
2. Security Breach Notification: Over 40 US states have security breach notification requirements, and other countries are looking to pass similar laws.
1. Privacy Compliance: Intel may terminate your application distribution agreement if you violate applicable privacy legislation, if you don't provide clear notice upon submitting your application for validation or if end-users complain about your data processing activities.