Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms

INFORMATION SECURITY OBSERVATORY

Edition: February 2011

The "Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms" has been developed by the INTECO Information Security Observatory team: Pablo Pérez San-José (management), Cristina Gutiérrez Borge (coordination), Susana de la Fuente Rodríguez, Laura García Pérez and Eduardo Álvarez Alonso.

The National Institute of Communication Technologies (INTECO), public cooperation assigned to the Ministry of Industry, Tourism and Trade through the State Department for Telecommunications and for the Information Society, is a platform for developing the Knowledge Society through projects in the area of innovation and technology. The mission of INTECO is to provide value and innovation to individuals, SMEs, Public Authorities and the information technology sector through developing projects which contribute towards increasing confidence in our country’s Information Society services, while also promoting an international course of participation. To do this, INTECO will develop actions in the following areas: Security Technology, Accessibility, ICT Quality and Training. The Information Security Observatory (http://observatorio.inteco.es) falls within INTECO’s strategic course of action concerning Technological Security, and is a national and international icon in serving Spanish citizens, companies and authorities in order to describe, analyse, assess and spread the Information Society’s culture of security and trust.
This publication belongs to the National Institute of Communication Technologies (INTECO) and is under a Creative Commons Non-commercial 2.5 Spain Recognition license, and thus it is permitted to copy, distribute and communicate this work publicly under the following conditions:
• Recognition: The contents of this report can be reproduced in whole or in part by third parties, by citing its origin and making express reference to both INTECO and its website: www.inteco.es. This recognition may in no case suggest that INTECO supports or endorses the third party's use of its work.
• Non-commercial use: The original material and derivative works can be distributed, copied and displayed while their use is not commercial.

For any reuse or distribution, you must make the license terms of this work clear to others. Any of these conditions can be waived if you get permission from INTECO as owner of the copyright. Nothing in this license impairs or restricts the moral rights of INTECO. http://creativecommons.org/licenses/by-nc/2.5/es/

This document complies with the accessibility conditions of PDF (Portable Document Format). This is a structured and labelled document provided with alternatives to all non-text elements, language mark-up and appropriate reading order. For more information on preparing accessible PDF documents, you can consult the guide available in the section Accessibility > Training > Manuals and Guides on the webpage http://www.inteco.es

Content

1 WEB 2.0
1.1 CONCEPT
1.2 TYPE
1.3 WEB 2.0 IN FIGURES
1.4 THE ROLE OF MOBILE TECHNOLOGIES IN THE FUTURE OF WEB 2.0

2 WEB 2.0 IN SOCIAL, PROFESSIONAL AND EDUCATIONAL DEVELOPMENT
2.1 SOCIAL ENVIRONMENT
2.2 EDUCATIONAL ENVIRONMENT
2.3 PROFESSIONAL ENVIRONMENT

3 RIGHTS AND FREEDOMS TO PROTECT IN WEB 2.0
3.1 FREEDOM OF EXPRESSION ON WEB 2.0
3.2 FREEDOM OF INFORMATION ON WEB 2.0
3.3 INTIMACY, PRIVACY AND SELF-IMAGE ON WEB 2.0
3.4 DATA PROTECTION ON WEB 2.0
3.5 INTELLECTUAL PROPERTY ON WEB 2.0

4 RISKS IN USING WEB 2.0

5 OBLIGATIONS AND RESPONSIBILITIES WHEN USING WEB 2.0
5.1 RESPONSIBILITIES OF DIFFERENT PLAYERS
5.2 FAQ (FREQUENTLY ASKED QUESTIONS)

6 RECOMMENDATIONS FOR SAFE AND RESPONSIBLE USAGE OF WEB 2.0
6.1 GOOD PRIVACY PRACTICES ON WEB 2.0
6.2 GOOD SECURITY PRACTICES ON WEB 2.0

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Information Security Observatory


1 WEB 2.0

1.1 CONCEPT

The Internet has created a new scenario in which personal relationships take centre stage. The possibilities for interaction offered by the new tools, which give access to a new audience with an interest in sharing, expressing and communicating, have formed a new model characterised by the importance of content and user communities.

The new platforms and collaborative tools have produced a shift from Web 1.0, based on static pages for information purposes only and without the ability to generate user participation, to a dynamic web where there is a relationship that generates a sum of knowledge and/or experiences. That is, Web 2.0 and the Social Web are people collaborating, sharing and participating in an open, multi-directional channel that allows maximum interaction between users and offers new possibilities for collaboration, expression and participation.

Meanwhile, there is no stopping the evolution of the Web: the emergence of new technologies associated with the terms Web 3.0, Web 4.0 and Web 5.0 will enable the integration of network objects, the development of sensory and emotional networks or the integration of the Semantic Web, providing access to relevant, personalised information that will change the structure of the Web as it is known.

Illustration 1: Evolution of means of social communication 1

1 Available at: http://www.attentionscan.com/2009/07/social-media-timeline.html


While the Information Society witnesses new achievements in Web 2.0, there are new challenges in security and user privacy. Effectively protecting citizens who use such tools therefore requires both a new level of awareness on their part of the risks of using such media and a better understanding of the rules and the effective exercise of the rights guaranteed to them.

Internet users are concerned about the security and privacy of their information online, especially in social networks: users are increasingly restricting access to their profile to only friends or acquaintances (66.2% in the third quarter of 2010 compared to 60.6% in the same period in 2009) 2.

To that end, this Guide provides the reader with a set of guidelines that facilitate their approach to Web 2.0, the risks that may arise and the obligations of the different participants in this multidirectional "game", to ensure users’ full enjoyment of the digital collaboration experience.

1.2 TYPE

The possibilities of Web 2.0 are almost unlimited, although the approach provided herein is based on the concept of interactive collaboration that is common to the different types of platforms. Among the diversity of tools that arise daily in Web 2.0, social networks, blogs, wikis and syndication tools are the most important among Internet users 3.

1.2.1 Social networks

Social networks are virtual spaces where each user has a public profile that reflects personal details, status and information about oneself. In turn, they provide tools to interact with and meet other users, for example by creating interest groups. Social networks emerged in the mid-90s, although they took off in 2003 with the creation of MySpace (a portal that was mainly focused on bands and fans) and Facebook (a social network initially created for college students that now exceeds 600 million users 4). Other leading social networks in Spain today are Tuenti and Windows Live Messenger, or LinkedIn and Xing in the professional field 5.

2 Data taken from the study on information security and e-Trust in Spanish households (3rd quarter 2010) http://www.inteco.es/Seguridad/Observatorio/Estudios_e_Informes/Estudios_e_Informes_1/Estudio_hogares_3T2010
3 Source: http://www.focus.com/fyi/other/boom-social-sites/
4 Information taken from: http://www.facebooknoticias.com/2011/01/09/facebook-empieza-2011-con-600-millones-de-usuarios-registrados/
5 Source: http://www.iabspain.biz/General/Informe_Redes_Sociales_IAB_nov_09.pdf


To learn more about security and privacy in social networks, please consult the specific publications of the INTECO Information Security Observatory 6.

1.2.2 Blogs

A blog is a website where the author posts entries on topics of interest or as a personal blog, and these are stored chronologically. It also enables readers to add comments (posts), becoming an interactive tool and a true opinion forum. The importance of the blogging community, the “blogosphere”, is increasing at a social, cultural and political level. Complete independence to write means comments are a live indication of what is really concerning society.

Posts usually contain text but, as a result of podcasting (incorporation of multimedia files to posts), images, sound and video can also be included. Currently there are variants of the original concept of a blog, including photoblogs and videoblogs.

The evolution of this model gives way to microblogging. The best example of this phenomenon is Twitter, which was created in 2006 and by 2010 had surpassed the number of Myspace visits 7. Answering the question "What is happening?" by using less than 140 characters has become the new phenomenon of the social Web. The recent addition of new functionality allows microblogging to evolve further. An example of this is Foursquare, which incorporates geopositioning and social games.

1.2.3 Wikis

A wiki is a website that allows its participants to change or edit its content, making the actual page an easy and accessible platform so the various users can contribute content in an online document. Thus, the portal is growing thanks to the work of a community of individuals with a common interest.

6 Available at: http://www.inteco.es/Seguridad/Observatorio
7 Available at: http://blogs.wsj.com/digits/2010/09/28/tweet-this-milestone-twitter-passes-myspace/?mod=rss_WSJBlog&mod=


The first wiki was created in 1995 by Ward Cunningham: an encyclopaedia of programming that, over time, became a portal on extreme programming 8. The best example of this model of communication on the Web is Wikipedia, a compendium of human knowledge in a permanent process of construction, with editions in 271 languages and in which hundreds of thousands of users are involved on a daily basis.

1.2.4 Forums

Forums are included among the collaborative tools. They usually exist in addition to a website, allowing users to discuss and share relevant information on the website’s topic in a free and informal way, creating a community with a common interest. There are also specialised forums on specific individual or general topics.

Forums emerged as an evolution of BBS 9 (Bulletin Board System) and Usenet 10 news systems and are one of the first systems to enable user participation on the Web. While still used by millions of people, their use has been declining over recent years in favour of more advanced systems such as social networks, within which they are now being used as complementary tools.

1.2.5 Syndication of content

RSS (Really Simple Syndication) is a format that allows news and other content from websites or blogs of special interest to the user (called feeds) to be gathered automatically in a program called an RSS reader or aggregator and viewed quickly. These programs display the content in different ways, indicating the headlines already read, and provide a notice when the websites you have added have been updated.

1.2.6 Bookmarking

Bookmarking also helps you organise your favourite websites by tagging portals and news with relevant keywords, called tags. Users can see how many people have used a tag and find all the resources to which it has been assigned. They can also find out who created each reference and access other references by that creator.

8 Extreme Programming (XP) is a software design methodology, based on simplicity and agility.
9 A Bulletin Board System or BBS is software for computer networks that allows users to connect to the system (via Internet or through a telephone line) and using a terminal program (or telnet if via the Internet), to perform functions such as downloading software and data, reading news and exchanging messages with other users.
10 Usenet is an acronym for Users Network, consisting of a comprehensive system of online discussion networks evolving UUCP (UNIX-to-UNIX Copy Protocol) through which users can read or send messages (called articles) to different newsgroups sorted hierarchically.


Thus, the user community creates a unique structure of keywords over time to define resources, something that has been called 'folksonomy'. Sites like del.icio.us and Digg let you share your favourite links with friends and followers, featuring items that seem interesting so that other users can cast their vote on what has been shared. Some social networks include this tool to add functionality to their service.

1.2.7 Tools

In addition to the main platforms described, there are many tools that focus on content generation. Two of the most representative examples are YouTube and Flickr, with which users can upload, share and view videos and photos. In addition, users can find communities specialising in music (iTunes, Spotify, Last.fm), video (Vimeo, Dailymotion), virtual worlds (Second Life), games (World of Warcraft), office applications (Google docs, Office Live) or live broadcasts (Justin.tv).

Illustration 2: An interconnected network

1.3 WEB 2.0 IN FIGURES

The current situation is marked by a rapid and steady increase in overall numbers, driven by the popularity of the platforms and the capabilities provided by new technologies. The following figures sketch a picture of the use of Web 2.0 by Internet users worldwide 11.

11 The data shown in this chapter have been taken from: Blogs and Microblogs the 2.0 environment – March 2010. Esic, unless another source is explicitly indicated, recorded in the corresponding footnote.


On the Internet...
• The number of Internet users exceeded billion in 2010 12.
• 225 million new users in 2010, of which 162 million belong to users in developing countries.

Chart 1: Web users (Millions of users). Regions shown: Asia, Europe, North America, Latin America, Africa, Middle East, Oceania. Values shown on the chart (assignment to regions not recoverable): 63.2, 21.3, 110.9, 204.7, 825.1, 266.2, 475.1.

Source: Internetworldstats 13

On blogs…
• 133
• 120,000
• 1,500,000
• 77% of internet users say they read blogs every day.

12 Source: The world in 2010: facts and figures from the Information Technology and Communications - International Telecommunications Union (ITU) Available at: http://www.itu.int/ITU-D/ict/material/FactsFigures2010.pdf
13 Available at: http://www.internetworldstats.com/stats.htm


Chart 2: Distribution of blog users by age. Age groups shown: Under 20, Between 21 and 35, Between 36 and 50, Over 51. Values shown on the chart (assignment to age groups not recoverable): 53.3%, 20.2%, 7.1%, 19.4%.

Source: Technorati 14

On microblogging…
• 150,000,000
• 70 million tweets (comments) daily
• 800 tweets per second 15.

On social networks…
• 8 in 10 Internet users are members of a social network.
• 600,000,000 Facebook users 16.
• 260,000,000,000 visits per month to this social network.
• Over 6,000,000 visits per minute.

14 15 16

Available at: http://images.vizworld.com/wp-content/uploads/2010/07/the-internet.jpg Information taken from: http://www.slideshare.net/raffikrikorian/twitter-by-the-numbers?from=ss_embed Source: ComScore, WSJ Available at: http://technorati.com/state-of-the-blogosphere/


On other 2.0 tools…
• Over Foursquare users.
• 2,000,000 videos played per day in YouTube 17.
• Every minute hours of video are uploaded to YouTube 18.

As well as threats on Web 2.0...
• Approximately 1 in 4 communications suspected of being fraudulent in the Internet target social networks 19.
• Facebook has become the fourth most spoofed website worldwide 20.

1.4 THE ROLE OF MOBILE TECHNOLOGIES IN THE FUTURE OF WEB 2.0

The various Web 2.0 platforms and tools are committed to integrating mobile technologies and spreading a new model of connecting to the Internet. This model will allow the number of hits and page updates, profiles and user input in Web 2.0 to reach levels close to real time, changing the current media landscape. In turn, the interoperability between different platforms and the rise and development of tools will allow users to completely do without local applications in favour of both mobile applications as well as cloud computing. Therefore, the emergence of new mobile devices with more functionality and the creation of platforms such as Android, iOS, Windows Phone 7 or WebOS form the basis for using these channels from anywhere with a simple Internet connection.

17 Data from the Website-monitoring.com 10/05/2010. Available at: http://www.cleancutmedia.com/wpcontent/uploads/2010/05/youtube-infographic-statistics.jpg
18 Available at: http://youtube-espanol.blogspot.com/2010/03/lo-logramos-un-dia-de-video-por-minuto.html
19 According to data from the Anti-Phishing Working Group (APWG) for the first quarter of 2010 and included in the Study on Internet fraud 2nd quarter of 2010, available at: http://www.inteco.es/Seguridad/Observatorio/Estudios_e_Informes/Estudios_e_Informes_1/estudio_fraude_2T2010
20 Source: http://www.bitdefender.es/NW1659-es--Facebook-se-convierte-en-la-cuarta-empresa-m%C3%A1s-suplantada-en-losataques-de-phishing.html


2 WEB 2.0 IN SOCIAL, PROFESSIONAL AND EDUCATIONAL DEVELOPMENT

2.1 SOCIAL ENVIRONMENT

As the use of Web 2.0 has expanded, citizens have new opportunities for participating in a social context:
• The user feels useful and integrated into a group with which they communicate and share hobbies and interests.
• People become active explorers of knowledge, according to their interest, enthusiasm and willingness to learn, increasing their search, analysis and decision-making ability.
• The importance of personal and professional recommendations increases, providing, in addition to unlimited information, a voice, a platform and access to a global market.

Web 2.0 makes an amalgam of tools available to the individual that extends the opportunities for contacting others.
• Applications to create and maintain a personal website, such as social networks or blogs, or through participating in collaborative sites such as wikis.
• Applications for posting and spreading information: videos with YouTube, pictures with Flickr, presentations with SlideShare.
• Applications for searching and accessing updated information: Google, Bing, GoogleReader, Google News, Twitter, specialised search engines...
• Other online applications such as calendars, geolocation tools, shared virtual books, news, office online, tele-training platforms, digital whiteboards, etc.


All are tools that allow interaction and communication between people who could not otherwise do so, encouraging cooperation and allowing a group to be created based on the successive individual contributions.

2.2 EDUCATIONAL ENVIRONMENT

Web 2.0 offers a new perspective to educators, teachers and researchers of teaching and education, as the tools provided act as a complement to the comprehensive education of students 21. By creating participatory and collaborative environments:
• Online spaces for storing, classifying, posting and/or spreading text and audiovisual content are enabled, which students can access.
• Digital skills are developed and improved, from searching for and selecting information and processing it into knowledge to publishing and transmitting it by various means.
• Environments for developing networks of centres and teachers are provided to reflect on educational issues, help, develop and share resources.
• New tools are appearing, such as eBooks or tablets, which enable integration between the teacher and student in real time.

From the student’s standpoint, the possibilities offered by so-called Web 2.0 allow the individual to use a new set of tools and functionality that can support their education, taking into account that the student, especially in the case of children, is a true digital citizen who sees ICT as part of daily life.

Educational platforms are online tools allowing teachers to work together in all subjects and to structure lessons in collaborative working groups among their students and among researchers. Different categories or methods of using these media can be distinguished in different training situations:

21 This paragraph is based on the following sources:
- Orihuela, José Luis. Review of the Blogs Revolution. When Blogs became people’s means of communication. Universidad Oberta de Catalunya.
- Blogs and Wikis for teaching. Training trainers There is talent 2009.
- VV.AA. Wikis and teaching Innovation Journal of Distance Education.


• Systems for managing teaching resources: the teacher presents, in addition to classroom sessions, a series of activities the student must develop using the media’s resources.
• Teacher blogs: groups of teachers who share teaching experiences, strategies and resources.
• Class or tutor diaries: where the evolution of a group of students, the degree of achieving the set objectives, methodological issues or behavioural aspects and attitudes concerning the students are narrated chronologically.
• Individual workbooks: these are the author’s dynamic pages. They will replace jotters in the school environment, providing the incentive to be visited on the Internet and enriched by the contributions of other students and teachers.

2.3 PROFESSIONAL ENVIRONMENT

The majority of blogs, wikis, forums and other collaborative platforms found on the Web are personal, although there is a growing trend in companies to use them for business purposes. Thus, there are platforms for internal use, through which companies share knowledge within the organisation and with partners, and external platforms that serve as a marketing tool as well as for creating and maintaining customer relationships. In both cases, the role of management is essential to promote using these channels in an open and multidirectional way in order to enhance their effectiveness.

The new scenario of the social web is a new reality affecting companies as a whole by providing them with a number of advantages. The main ones are the possibility of creating better channels for sharing ideas, easy, fast and direct access to experts (both internal and external) and lower communication and operational costs 22. Other advantages are the ability to share all information via web platforms, the immediate propagation of content and information, the continuous innovation that occurs in the network and access at all times to information from anywhere using mobile devices.

22 Available at: http://www.mckinseyquarterly.com/Business_Technology/BT_Strategy/How_companies_are_benefiting_from_Web_20_McKinsey_Global_Survey_Results_2432?pagenum=2#1


3 RIGHTS AND FREEDOMS TO PROTECT IN WEB 2.0

Web 2.0 allows citizens to create an impartial and diverse source, but the anonymity it provides is often used inappropriately, pushing the boundaries of individual rights at the expense of the rights of others. The various legal interests in digital 2.0 communications will now be discussed in depth, giving examples that facilitate the reader's understanding as far as possible 23.

3.1 FREEDOM OF EXPRESSION ON WEB 2.0

The principal right allowing expression both on the Internet and outside it is freedom of expression, included in Article 20 of the Spanish Constitution, which allows thoughts, ideas and opinions to be freely expressed and spread through words, in writing or any other means of reproduction, and truthful information to be freely communicated or received by any media. This right entitles citizens to carry out participatory work on the various platforms. Anyone can participate in forums, blogs, wikis and social networks, but participants should maintain respect for the other participants and for others, applying a certain dose of common sense.

3.2 FREEDOM OF INFORMATION ON WEB 2.0

Related to freedom of expression, a second right, freedom of information, stands out. However, it differs from the previous one as it has some objective criteria:
• The information must be accurate, i.e., requiring the existence of a basis in objective and real facts.

23 In writing this chapter, we have relied upon the following documents:
- Spanish Data Protection Authority (2010) "Study on the privacy of personal data and the security of http://www.agpd.es/portalwebAGPD/canaldocumentacion/publicaciones/common/Estudios/est_inteco_redesso_022009.pdf
- Law on the Web (2009) "Legal Guide for bloggers and podcasters" http://www.derechoenred.com/blog/documentos/GUIA_LEGAL_BLOGGERS_POCASTERS.pdf
- Mata, Miguel Angel (2009) “Freedom of expression online” http://www.miguelangelmata.com/2009/10/23/libertad-de-expresion-en-internet/
- Maeztu, David (2008) "Newspapers and Blogs: Legal issues, differences, similarities and jurisprudential treatment in Spain." http://derechoynormas.blogspot.com/2008/04/prensa-y-blogs-aspectos-legales.html
- Maeztu, David (2006) “Legal obligations of blogs (I): Tax obligations” http://derechoynormas.blogspot.com/2006/12/obligaciones-jurdicas-de-los-blogs-i.html


• The information must have public relevance, with facts affecting private parties in daily events or activities lacking such relevance.

These elements are the key to differentiating participation in Web 2.0 from the traditional press, given the possibility of finding references to people from a nearby environment, about whom comments and opinions are not always going to be covered by freedom of information. Commenting on the intimacies of a "close" person who is not a public figure would not be covered by the protection of freedom of information and, depending on the comments made, could push the limits of the right to freedom of expression.

3.3 INTIMACY, PRIVACY AND SELF-IMAGE ON WEB 2.0

The right to reputation, self-image and personal privacy is enshrined in the Spanish Constitution (Article 18), and developed in Organic Law 1/1982, Civil Protection of the Right to reputation, personal and family privacy and self-image. This is one of the main rights that may be damaged while participating in Web 2.0 platforms, as it implies interference in the personal sphere of the individual concerned through comments, information or opinions that represent libel or slander, such as:
• Disclosing facts concerning the private life of a person or family that affect their reputation and good name, as well as disclosing or posting the contents of letters, memoranda or other intimate personal writings.
• Capturing, reproducing or posting photographs or films of a person in places or times in their private lives or outside of them, except in cases provided for in the law itself.
• Using the name, voice or image of a person for advertising or commercial purposes.
• Attributing events or stating value judgments through actions or expressions that in any way impair the dignity of another person or damage their reputation.

Furthermore, within the area of individual privacy, the secrecy of communications stands out, which means that any private communication is protected by law. That is to say, intercepting the messages of others or using devices to listen to, transmit, record or reproduce these communications is a legal offence, punishable by a fine.

Identity impersonation in Web 2.0 profiles and pages is frequent: the malicious user logs on as another user and posts comments, photos and so on that are fake. This activity is classified as an offence in the Spanish Penal Code.


3.4 DATA PROTECTION ON WEB 2.0

The right to data protection is a fundamental right, which is derived directly from the Spanish Constitution of 1978 (Article 18.4) in line with European standards. Organic Law 15/1999 of 13 December on the Protection of Personal Data (LOPD) develops this right in depth.

Insofar as each Internet user can play a leading role, edit his personal page, participate in wikis, create his website or maintain his blog, he assumes a legal liability. Respecting the data protection rights of others involves 24:
• Do not post information that does not meet the requirements relating to truth, public interest and respect for the dignity of people, particularly youth and children.
• Do not spread rumours or unsubstantiated information.
• Correct or remove information if requested by the person affected.
• Never post information that puts your family at risk and especially children, friends, neighbours, etc. Be particularly careful about posting information on places where you or a third party is at any time, as it could pose a serious risk to your integrity.
• Do not record or post pictures, videos or any other record without the consent of those affected.

In the case of children under 14, the Data Protection Act requires parents or guardians to give consent to their data being processed.

Sometimes, the platforms have all or part of the user profile in a public format by default, so any user can access the personal information of others without the real owner of the data having to give his consent.

3.5 INTELLECTUAL PROPERTY ON WEB 2.0

Intellectual property is the right people have to their own creations or works, as acknowledged by Royal Decree 10/1996 of 12 April by approving the Law on Intellectual Property. In the Web 2.0 context, in collaborative platforms users can use:

[24] Source: AEPD Internet Guide recommendations. Available at: http://www.agpd.es/portalwebAGPD/canaldocumentacion/publicaciones/common/pdfs/guia_recomendaciones_internet_052009.pdf


• Any work they have created (provided they have not relinquished their rights of exploitation to others).
• Works with the permission of the rights owners, either directly or through any of the currently existing licenses (Creative Commons, GPL, etc.).
• Works fallen into the public domain [25].
• Works permanently displayed in public (posters, sculptures, etc.).
• Talks or lectures given in public with an informative purpose (and not merely commercial).
• Work on current issues, as described above.

Therefore, under this law, the following may NOT be used on 2.0 platforms:
• Works and loans protected by intellectual property unless they meet one of the exceptions mentioned above.

Whenever you want to use some work (texts, photographs, videos, etc.) on the Internet, you should go to the legal notice of the page where you found the content and see if it allows it to be reproduced.

[25] This usually occurs 70 years after the death of the author and 50 years from publication (for sound recordings or audiovisual content).


4 RISKS IN USING WEB 2.0

Having identified what is to be protected, it is necessary to understand that there are a number of risks, and it is important to be able to adopt measures to ensure security and privacy and thus fully enjoy the 2.0 environment.
• Risks of libel or slander.
• Risks in communications.
• Risks against privacy.
• Risks against intellectual property.

Among the existing risks in collaborative communications, the technological component plays a fundamental role. The current capacity of malware or malicious code to exploit vulnerabilities and security flaws in collaborative platforms multiplies the potential impact of its attacks on profile information and on the user's hardware and software:
• Infection and/or alteration of hardware, applications and programs, of both the user and his network of contacts.
• Stealing personal information such as usernames and passwords, photos, hobbies, card numbers... information that can be used for profit or publicity.
• Supplanting the user's identity, by creating fake accounts on behalf of other users, or stealing access data to profiles in order to replace the actual user.

Here are some of the techniques used to carry out attacks on security and privacy in collaborative platforms.
• Social Spammer and Scammer. Using these platforms gives the opportunity to send unwanted e-mails, whether the purpose is purely advertising (spam) or involves fraud or undue profit (scam).
• Tabnabbing. This technique is based on making the most of the tab browsing system. When the user goes from one tab to another, the one which remains in the background changes into a page for accessing services and platforms (such as Gmail, YouTube, Facebook, etc.). The user, not noticing, enters his details to access these services and is therefore providing this information to the owner of the spoof page.


Illustration 5: Example of tabnabbing

• Pharming. This software attack consists of amending or replacing the file of the domain name server by changing the IP address of the legitimate address of the Web 2.0 platform. When the user writes the name of the platform in the address bar, the browser automatically redirects him to another IP address, which houses a spoof website. When trying to access the service, the user is providing his access details to the cyberattacker. Both phishing and pharming are heavily exploited by criminals to collect the personal details of Internet users, as well as sensitive data or data relating to economic aspects (credit cards, PIN of users, etc.).

• Clickjacking. In this case, when the user clicks on “I like it” (buttons to share views on content), his status is updated with phrases that redirect to spam or malware sites. Messages related to fraudulent websites can also be found, such as the following example in Twitter:

Illustration 4: Example of clickjacking in Twitter


In this regard, Twitter is expanding the use of shortened URLs (given the limit on characters per message), some of which link to malicious websites.
• Worms. Worms are one of the threats with the greatest impact because they have different variants designed for Web 2.0 platforms, as is the case of the Koobface worm and its variants for major social networks. This type of malware uses compromised user accounts to propagate, placing infected links where the victim user's contacts will easily click on them.
• Installing and using cookies [26] without the user knowing. Another risk associated with the user participating in platforms lies in the possibility that the site uses cookies to allow the platform to know the user's activity within it. Through these tools, the platform can see the place from which the user is gaining access, the connection time, the device from which he is gaining access (fixed or mobile), the operating system used, the most visited places within a website, the number of clicks, and lots of data regarding the development of the user's life on the Web.

[26] A cookie is a piece of information that is stored in the hard drive of a visitor of a website through his browser, upon the request of the server’s website.
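The pharming technique described above can be checked for on the user's own computer. The following added example (not part of the INTECO guide) parses a hosts file and reports every entry that overrides the address of a watched platform; it assumes the altered file is the computer's local hosts file, and the watched domains, function names and sample file are constructed for illustration.

```python
import ipaddress
import sys

# Assumption (not from the guide): platform domains the user wants to watch.
WATCHED_DOMAINS = {"facebook.com", "twitter.com", "youtube.com", "gmail.com"}

# Constructed sample hosts file. 203.0.113.0/24 and 198.51.100.0/24 are
# address ranges reserved for documentation.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1      localhost
::1            localhost
203.0.113.45   www.facebook.com facebook.com
0.0.0.0        ads.example.net
198.51.100.7   LOGIN.twitter.com.   # upper case and trailing dot still match
192.168.1.20   nas.home.lan
127.0.0.1      youtube.com
203.0.113.9    notfacebook.com
not-an-ip      gmail.com
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every valid mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed line, not a mapping
        for name in fields[1:]:                  # one line may list several names
            yield line_no, ip, name.lower().rstrip(".")


def is_watched(hostname, watched=WATCHED_DOMAINS):
    """True for a watched domain or any of its subdomains (not look-alikes)."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def find_overrides(text, watched=WATCHED_DOMAINS):
    """Return (line_no, ip, hostname, kind) for hosts entries on watched names.

    kind is "local" for loopback/unspecified addresses (typical of blocking
    lists, but also of a proxy on the same machine) and "redirect" for any
    other address, which sends the browser to a different server.
    """
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if is_watched(name, watched):
            kind = "local" if (ip.is_loopback or ip.is_unspecified) else "redirect"
            findings.append((line_no, str(ip), name, kind))
    return findings


if __name__ == "__main__":
    # Pass the path of a hosts file to audit it; with no argument the
    # constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for line_no, ip, name, kind in find_overrides(content):
        print(f"line {line_no}: {name} -> {ip} ({kind})")
```

A clean hosts file normally contains no entries for public platforms, so any "redirect" finding deserves investigation.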


5 OBLIGATIONS AND RESPONSIBILITIES WHEN USING WEB 2.0

The evolution of the Web has allowed a shift from a model in which the Internet user was in a passive role as a mere reader to playing an active and leading role. In Web 2.0, it is not necessary to have expert knowledge of applications and services, as they are designed to be easy and intuitive. Simply register to access a set of programs and services to participate in the new platforms and maintain real-time interaction with other users on the Web.

This activity will identify various roles: users, administrators, moderators and service providers. Act 34/2002 of 11 July, on services of the information society and e-commerce (LSSICE) identifies the different players in this activity and establishes the civil liability regime they are subject to.

5.1 RESPONSIBILITIES OF DIFFERENT PLAYERS

5.1.1 Users

Who they are: Web 2.0 users are those Internet users who participate in it, either by editing and posting comments, uploading videos, pictures, etc. or commenting on what others have posted. In short, anyone actively browsing the platforms that make up this social universe. Registering on any tool or platform as a user implies adherence to the conditions set by the service provider.

Obligations: Users can upload all types of content to the site, but always with a responsible use of freedom of expression. The following exceed the user's role and are therefore unlawful conduct:
• Committing the crime of libel or slander by making a false accusation of a crime against someone else or using expressions that violate the right to reputation, self-image and personal privacy.
• Breaching the Intellectual Property Act (copyright) by publishing any copyrighted work without the owner’s express permission or by not making proper use of the right to quote, either on texts (articles, books, notes, etc.) or multimedia content (music, audio, video, software, etc.).


• Violating trademark or design rights, trade secrets or breaching industry rights (patents).
• Violating data protection rights by publishing private information of third parties (for example, publishing a personal e-mail).
• Committing child pornography crimes by posting any representation of a child under eighteen years of age devoted to sexually explicit activities or any representation of their genitals for predominantly sexual purposes.

Responsibilities: The responsibility shall always be with the person committing the crime. However, such responsibility can be extended to others due to a failure to properly monitor the platform, as discussed below. For example, posting a video of another person who has not given their express consent to such disclosure, or even for this video to be recorded, is an attack on their reputation and privacy.

5.1.2 Administrators and moderators

Who they are:
• The administrators (who may or may not be the owners of the site) are responsible for managing the site, and have the necessary options to edit and delete content. They can act as moderators in the absence of these.
• Moderators control the tone and content of the information written on the platform, trying to maintain a cordial and pleasant environment for all users. To do this, they can modify or delete comments made by others, temporarily remove a message, or close and delete threads, and use other mechanisms designated by the platform.

Obligations: They are obliged to ensure the proper use of the platform so that crimes are not committed in it. Spanish law requires the existence of content moderation, as even when the comment is anonymous, the administrator is still responsible for it.

Responsibilities: Their responsibilities are derived from management duties as well as control and monitoring ones. They may act a priori or also after a comment has been posted.


Spanish law provides two ways to enforce such liability: subsidiary and cascading liability according to Article 30 of the Criminal Code, when the media were considered as traditional media, or, when they were not, responsibility as necessary cooperator according to Article 28 of the Code.

It is good practice for the administrator of a forum to include a publishing policy on its website to prevent posts by users, as well as providing the possibility for other users to report these situations so that more effective control can later be carried out.

5.1.3 Companies providing intermediary services on the Internet

Who they are: They are web hosting service providers, 2.0 web services, data hosting services, access providers and telecommunications operators.

Obligations:
• Informing customers about key data such as service providers (ID and email address), services provided and the terms of the provision, data protection policy and technical means to increase user safety.
• Cooperating with public bodies to carry out tasks that cannot be done without their help.

Responsibilities:
• They are responsible for the content if they have actual knowledge that the activity or information to which they refer is unlawful or harms property or rights of a third party liable for damages.
• They are responsible for the personal data used in the profile search engines or customised advertising campaigns.

When creating a blog or personal site, any individual may choose to use existing tools or pages on the Web that offer this service (for example, Wordpress or Myspace), or they can go to a hosting company and create a custom domain. In both cases, the companies offering the services fall into this category.


5.2 FAQ (FREQUENTLY ASKED QUESTIONS)

If you create a custom domain to host a personal website where other users can comment, are you responsible for the comments posted by these other users?

Until the true author of the comment is identified, case law can apply cascading responsibility to the owner of the personal website. In this respect, whether or not advertising is included on the page (and thus generating a profit) determines the owner’s responsibility:
• If it has advertising: the owner is considered to be the service provider and has liability limited to the provisions of Article 16 of the LSSICE (Law of Information Society Services and Electronic Commerce).
• If it does not have advertising: the Criminal Code is applied to assign the owner’s responsibility; the owner can be considered as traditional media or a necessary cooperator.

Illustration 5: Outline of the responsibility of the owner of a Web 2.0 website


Can you ask the owner of the site to identify the author of the comments?

If a reader identifies an incorrect or defamatory comment against him on a website, he may ask the site’s owner to identify the author of the comment through the data available to them, usually the IP address. According to the criteria of the Spanish Data Protection Authority, the IP address is currently considered personal data, so it will only be communicated when required by the courts. Therefore, it is recommended to keep this information in such a way that it cannot be destroyed and can be provided to the court if required.

Can I demand a correction or reply by the author of the comment in the case of an attack against my reputation, self-image and personal privacy?

Yes, you may demand that the author and, in ascending order, the site’s owner remedy the damage done to the affected party. The right to rectification covers individuals for incorrect and incomplete information and provides that the correction must be addressed to the director of the medium or the site’s owner. The right of reply covers erroneous opinions, although it is not formally embodied in the Spanish system.

Can you close a personal website if it breaches a right?

In Article 20.5, the Spanish Constitution (EC) prohibits seizing publications, recordings and other media if this is not done under court order. However, the Bill of Sustainable Economy, in the process of approval in the Senate [27], amends the current judicial proceeding in its second final provision. This Act establishes a Commission on Intellectual Property; in cases where it considers there is a breach of intellectual property rights, it may ask the judge for the service provider to provide the data for a particular customer to be identified. The Commission may also issue resolutions to close posts, with the authorisation of a judge being required to implement these resolutions.

[27] As of date of publication of this guide.


6 RECOMMENDATIONS FOR SAFE AND RESPONSIBLE USAGE OF WEB 2.0

6.1 GOOD PRIVACY PRACTICES ON WEB 2.0

Having seen the potential risks of Web 2.0, a set of privacy guidelines aimed at each group involved will now be provided.

6.1.1 Users

In Web 2.0, users must comply with privacy rules, both concerning their own data and when what they publish is from a third party.
• Users must protect their information. It is therefore necessary to read the privacy policy, setting limits on who can or cannot access the information published.
• A good practice is to resort to the use of pseudonyms and personal nicknames, thereby letting you have a "digital identity".
• You should not publish excessive information about your personal or family life, i.e., information you would not communicate to people not close to you.
• You should pay particular attention when publishing audiovisual content and graphics, especially if they are images relating to others. Before publishing a photo, it is advisable to consider whether it is appropriate to post or whether such action could have consequences, involving people at work, school, university or in your close or personal environment.
• If you want to use or reproduce any work on the Web (graphic or not), you should look at the legal notice on the website where you are and view the conditions for reproducing it.
• Go to the Spanish Data Protection Authority, AEPD (www.agpd.es), to exercise the rights granted by the Data Protection Act regarding personal data protection. You can download a template of a claim form at the AEPD website.

6.1.2 Administrators and moderators

In this group, the privacy guidelines relate to protecting users’ personal data and information, as well as to compliance with the law by the users of the platform they operate.
• As set out in the Data Protection Act, any person seeking personal information (related to search engines, profiles, etc.) must fulfil some obligations and deal with the consequences of such processing. Among other things, it should have a person designated to perform data processing:
o The file must be entered in the AEPD Registry and the files adapted to current legislation (Data Protection Act and Regulation).
o It is obliged to inform users about the site’s Privacy Policy, as well as the purpose for which personal data are being collected, the person in charge of processing the data and the rights available to the user.
o It must seek the consent of the party concerned in order to transmit their information.
o It allows users to exercise their rights of access, rectification, cancellation and opposition.

It is important to effectively carry out monitoring and control on the participants and their information. If there are any incorrect or illicit comments or information, mediate the discussion and/or delete comments. Technological measures must be implemented to ascertain the age of users, such as: using certificates recognising electronic signatures or applications that detect the type of site visited and the services in most demand.

There is a duty to cooperate with national Security Forces to identify users who commit illicit acts.

6.1.3 Companies providing intermediary services to the information society

Information entered by users on the Web is stored by information society intermediary service providers (search engines, registration forms, use of cross-data, etc.). Actions relating to privacy should be directed to properly processing the personal data of users of the platforms.
• As in the case of the Administrators, meet the obligations under the Data Protection Act in relation to processing personal data. In addition, the law prohibits sending "marketing communications" by e-mail or any other means of electronic communication "that has not been previously requested or expressly authorised by the recipients."
• Do not retain personal data in an excessive amount or without just cause, unless this is being done to cooperate with national Security Forces. Finally, information should be provided to users about the potential liability they may incur for breaching intellectual property rights.


6.2 GOOD SECURITY PRACTICES ON WEB 2.0

Security threats on Web 2.0 have a higher growth potential than other media due to its network structure. Therefore, all parties involved must follow safety guidelines.

6.2.1 Users

Users are most harmed by malware attacks, which can affect both the information in collaborative platforms and their own computers and devices. To avoid this, we recommend:
• Keeping both the operating system and any applications you have installed in your computer updated. This is essential given that an updated browser has blocking filters against new threats and unwanted intrusions.
• Using passwords to access different profiles.
• Checking the legitimacy of the websites you want to access, monitoring the URLs in the browser window. When browsing, you should only download files or applications from trusted sources, to prevent malicious code or malware. You are also recommended to analyse downloaded items with an antivirus before running them.

6.2.2 Administrators and moderators

These players on Web 2.0 platforms are recommended to do the following:
• Have internal tools aimed at reducing cases of identity supplanting within the Web, allowing the legitimate owners of the service to authenticate their true identity and thus recover access and block the person illegitimately accessing the other’s profile.
• Integrate systems to detect the level of security of the passwords chosen by users at the time of registration, indicating whether or not the password is secure and informing them of the recommended minimum requirements.

6.2.3 Companies providing intermediary services to the information society

Service providers of the information society related to collaborative platforms should take into account that these services are based on large databases with personal data of the users that use them. For this reason, they must:
• Guarantee that the Web is safe from attacks by third parties and that it prevents, or at least reduces, the possibility of their success. It is vital that the platform correctly chooses an Internet Service Provider (ISP) that has a high level of security.


In this respect, it is recommended that the ISP always ensure at least the following aspects:
o Services provided by the ISP to this type of platform will focus on secure servers, backup centres, secure access, etc.
o Tools to detect, prevent and block malicious code must be used in servers and within the application. In this respect, encouraging strategic agreements with security companies is recommended.
o Using security applications aimed at ensuring, or where appropriate, minimising the possibility of receiving unwanted commercial messages through the platform (spam/scam).
o In turn they must report on existing tools for filtering and restricting access to certain content and services on the Internet that is unwanted or potentially harmful to children and young people.
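The recommendation in 6.2.2 that administrators check password security at registration, report whether the password is secure and state the minimum requirements can be implemented along the following lines. This is an added example, not code from the guide; the minimum requirements, the short list of common passwords and all names are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Assumptions (not from the guide): the thresholds and the tiny deny-list are
# illustrative; a real platform would load a large list of known passwords.
MIN_LENGTH = 10
LONG_PASSPHRASE = 16
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein",
                    "iloveyou", "admin", "welcome", "football"}
# Undo frequent character substitutions: 0->o, 1->i, 3->e, 4->a, 5->s, 7->t ...
SUBSTITUTIONS = str.maketrans("013457@$!", "oieastasi")


@dataclass
class PasswordReport:
    secure: bool   # True when every minimum requirement is met
    level: str     # "weak", "acceptable" or "strong"
    unmet: list    # requirements to show to the user at registration


def _base_word(password):
    """Strip leading/trailing non-letters, then undo common substitutions."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core.translate(SUBSTITUTIONS)


def _is_trivial_pattern(password):
    """True for one or two repeated characters or a pure run such as 'abcdef'."""
    if len(set(password)) <= 2:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return steps in ({1}, {-1})


def _class_count(password):
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return sum(bool(re.search(p, password)) for p in patterns)


def assess_password(password, username="", email=""):
    """Check a candidate password and list the requirements it fails."""
    unmet = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        unmet.append(f"use at least {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS or _base_word(password) in COMMON_PASSWORDS:
        unmet.append("do not use a commonly used password or a variant of one")
    personal = (username.lower(), email.lower().split("@")[0])
    if any(len(p) >= 3 and p in lowered for p in personal):
        unmet.append("do not include your user name or e-mail name")
    if _is_trivial_pattern(password):
        unmet.append("do not use repeated or sequential characters only")
    if _class_count(password) < 3 and len(password) < LONG_PASSPHRASE:
        unmet.append("mix three of lower case, upper case, digits and symbols, "
                     f"or use {LONG_PASSPHRASE} or more characters")
    if unmet:
        level = "weak"
    elif len(password) >= LONG_PASSPHRASE or _class_count(password) == 4:
        level = "strong"
    else:
        level = "acceptable"
    return PasswordReport(secure=not unmet, level=level, unmet=unmet)


if __name__ == "__main__":
    # Constructed registration attempts.
    for candidate in ("P@ssw0rd2011!", "Blue7Kettle", "correct horse battery staple"):
        report = assess_password(candidate, username="ana.ruiz")
        print(candidate, "->", report.level, report.unmet)
```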


Web: http://observatorio.inteco.es
Information Security Observatory Scribd Channel: http://www.scribd.com/ObservaINTECO
Information Security Observatory Twitter Channel: http://twitter.com/ObservaINTECO
Information Security Observatory Blog: http://www.inteco.es/blog/Seguridad/Observatorio/BlogSeguridad/
observatorio@inteco.es


www.inteco.es
