[Owasp-leaders] Assistance with FTC Protecting Consumer Privacy

Colin Watson colin.watson at owasp.org
Wed Jan 26 05:04:55 EST 2011


Over at the Industry Committee, among other things, we've begun a
response to the US Federal Trade Commission (FTC) on their document:

   Protecting Consumer Privacy in an Era of Rapid Change - A Framework
for Businesses and Policymakers
   FTC Staff Report, 1 December 2010

Why does this matter?  It could feed directly into guidance for
businesses who operate online, and contained within that guidance will
be security matters.  Businesses may be more likely to concern
themselves with the privacy of customer (and other personal) data than
other security reasons.  And what happens in the USA is important
elsewhere too.

The FTC staff report has many questions on protecting consumer data,
and a few of these appear to be points which OWASP could contribute
to.  We know from elsewhere that agencies really do appreciate
receiving feedback on their draft standards and discussion documents,
and I think OWASP can be relatively unbiased in its response.  Other
than increasing the visibility of application security, OWASP doesn't
have too many other "axes to grind".  And, we have some great
technical knowledge which could complement the responses from other

It's also important we provide correct advice.  Therefore I'd like to
ask if you can look over the draft response, and suggest ways to
extend the points, or correct inaccuracies or anything which might be
confusing.  We have avoided general privacy and non-application
information security issues, as these aspects will probably be
responded to by others.  What can we, as OWASP, say to help the FTC?

The types of things which seem to be relevant are:

- what can be done for legacy systems
- the need to allow legitimate state management mechanisms
- the need for security event logging and monitoring
- privacy enhancing technologies need to be selected, configured and
operated securely
- consideration of third-party hosted code
- "Do not track" headers or persistent cookies

We need to avoid personal opinions, or drifting onto topics OWASP
doesn't have a current viewpoint on.  Should we refer to some OWASP
projects?  If so, which ones?  The beginnings of the response text is

   Draft Version 2

There is a deadline for submissions of 18th February, but I'd like to
get this completed in the next week or so - before the summit.

If you can help, please let me know, or use the Industry Committee
mailing list to send ideas.  Or edit the Draft 2 on the wiki.


Colin Watson
OWASP Global Industry Committee
