OWASP - User contributions [en]

OWASP Top 10 Privacy Risks Project

2019-12-19T12:28:29Z

Florian Stahl:

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]
* [https://www.owasp.org/images/2/27/Presentation_HowToBoostPrivacy_IAPP_Intensive_2016.pdf Presentation of countermeasures from IAPP Data Protection Intensive 2016]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| style="padding-left:25px;width:200px;" valign="top" |

== News ==
* [Ongoing] Update of the OWASP Top 10 Privacy Risks
* [8 April 2016] Countermeasures v1.0 published
* [1 July 2015] German Translation available
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [20 Feb 2014] Project Start

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015] 
[https://privacyscore.org/ Check your website with PRIVACYSCORE]

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" width="50%" valign="top" align="center" | [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]]
|-
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. Further information and related countermeasures are provided in [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf this PDF document].

<table style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellspacing="3" cellpadding="3" border="1">
<tr>
<td bgcolor="#D8D8D8">No.</td>
<td bgcolor="#D8D8D8">Title</td>
<td bgcolor="#D8D8D8">Frequency</td>
<td bgcolor="#D8D8D8">Impact    </td>
<td bgcolor="#D8D8D8">Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor="orange">High</td>
<td bgcolor="orange">High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor="yellow">Medium</td>
<td bgcolor="red">Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor="yellow">Medium</td>
<td bgcolor="red">Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://groups.google.com/a/owasp.org/forum/#!forum/top-10-privacy-risks-project/join mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Update 2019-2020===
Impact rating (open discussion): https://docs.google.com/document/d/1VuusvZnhHpWvmPFeAovM68iB_Do3XFZCH2EsITGuAKg/edit 
Privacy Risk Candidate List: https://docs.google.com/document/d/1eEU7TsoaPG56-zhJi4bi1SD53Jto84GQ8dDGTajL8TY/edit 
Method Update: https://docs.google.com/document/d/1AlAg2cybvo5VX-frzF5uHeAcib3X2rTAA2p97XH8fHw/edit

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
 Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellspacing="3" cellpadding="3" border="1">
<tr>
<td bgcolor="#D8D8D8">Nr.</td>
<td bgcolor="#D8D8D8">Titel</td>
<td bgcolor="#D8D8D8">Häufigkeit</td>
<td bgcolor="#D8D8D8">Schaden    </td>
<td bgcolor="#D8D8D8">Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor="red">Sehr hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor="red">Sehr hoch</td>
<td bgcolor="orange">High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor="red">Sehr hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor="yellow">Mittel</td>
<td bgcolor="red">Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor="yellow">Mittel</td>
<td bgcolor="red">Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>

===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

==Japanese==
[https://speakerdeck.com/owaspjapan/introducing-owasp-top10-privacy-risks-number-owasp-night-21th Link to slidedeck]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2019-12-19T11:25:02Z

Florian Stahl:

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]
* [https://www.owasp.org/images/2/27/Presentation_HowToBoostPrivacy_IAPP_Intensive_2016.pdf Presentation of countermeasures from IAPP Data Protection Intensive 2016]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| style="padding-left:25px;width:200px;" valign="top" |

== News ==
* [Ongoing] Update of the OWASP Top 10 Privacy Risks
* [8 April 2016] Countermeasures v1.0 published
* [1 July 2015] German Translation available
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [20 Feb 2014] Project Start

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015] 
[https://privacyscore.org/ Check your website with PRIVACYSCORE]

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" width="50%" valign="top" align="center" | [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]]
|-
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. Further information and related countermeasures are provided in [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf this PDF document].

<table style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellspacing="3" cellpadding="3" border="1">
<tr>
<td bgcolor="#D8D8D8">No.</td>
<td bgcolor="#D8D8D8">Title</td>
<td bgcolor="#D8D8D8">Frequency</td>
<td bgcolor="#D8D8D8">Impact    </td>
<td bgcolor="#D8D8D8">Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor="orange">High</td>
<td bgcolor="orange">High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor="yellow">Medium</td>
<td bgcolor="red">Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor="yellow">Medium</td>
<td bgcolor="red">Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://groups.google.com/a/owasp.org/forum/#!forum/top-10-privacy-risks-project/join mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Update 2019-2020===
Impact rating (open discussion): https://docs.google.com/document/d/1VuusvZnhHpWvmPFeAovM68iB_Do3XFZCH2EsITGuAKg/edit 
Privacy Risk Candidate List: https://docs.google.com/document/d/1eEU7TsoaPG56-zhJi4bi1SD53Jto84GQ8dDGTajL8TY/edit 
Method Update: https://docs.google.com/document/d/1AlAg2cybvo5VX-frzF5uHeAcib3X2rTAA2p97XH8fHw/edit

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
 Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellspacing="3" cellpadding="3" border="1">
<tr>
<td bgcolor="#D8D8D8">Nr.</td>
<td bgcolor="#D8D8D8">Titel</td>
<td bgcolor="#D8D8D8">Häufigkeit</td>
<td bgcolor="#D8D8D8">Schaden    </td>
<td bgcolor="#D8D8D8">Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor="red">Sehr hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor="red">Sehr hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor="yellow">Mittel</td>
<td bgcolor="red">Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor="yellow">Mittel</td>
<td bgcolor="red">Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

==Japanese==
[https://speakerdeck.com/owaspjapan/introducing-owasp-top10-privacy-risks-number-owasp-night-21th Link to slidedeck]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2019-12-19T11:24:20Z

Florian Stahl: Added link to update impact rating

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]
* [https://www.owasp.org/images/2/27/Presentation_HowToBoostPrivacy_IAPP_Intensive_2016.pdf Presentation of countermeasures from IAPP Data Protection Intensive 2016]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| style="padding-left:25px;width:200px;" valign="top" |

== News ==
* [Ongoing] Update of the OWASP Top 10 Privacy Risks
* [8 April 2016] Countermeasures v1.0 published
* [1 July 2015] German Translation available
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [20 Feb 2014] Project Start

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015] 
[https://privacyscore.org/ Check your website with PRIVACYSCORE]

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" width="50%" valign="top" align="center" | [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]]
|-
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. Further information and related countermeasures are provided in [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf this PDF document].

<table style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellspacing="3" cellpadding="3" border="1">
<tr>
<td bgcolor="#D8D8D8">No.</td>
<td bgcolor="#D8D8D8">Title</td>
<td bgcolor="#D8D8D8">Frequency</td>
<td bgcolor="#D8D8D8">Impact    </td>
<td bgcolor="#D8D8D8">Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor="orange">High</td>
<td bgcolor="orange">High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor="yellow">Medium</td>
<td bgcolor="red">Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor="yellow">Medium</td>
<td bgcolor="red">Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://groups.google.com/a/owasp.org/forum/#!forum/top-10-privacy-risks-project/join mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Update 2019-2020===
Impact rating (open discussion): https://docs.google.com/document/d/1VuusvZnhHpWvmPFeAovM68iB_Do3XFZCH2EsITGuAKg/edit
Privacy Risk Candidate List: https://docs.google.com/document/d/1eEU7TsoaPG56-zhJi4bi1SD53Jto84GQ8dDGTajL8TY/edit
Method Update: https://docs.google.com/document/d/1AlAg2cybvo5VX-frzF5uHeAcib3X2rTAA2p97XH8fHw/edit

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
 Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellspacing="3" cellpadding="3" border="1">
<tr>
<td bgcolor="#D8D8D8">Nr.</td>
<td bgcolor="#D8D8D8">Titel</td>
<td bgcolor="#D8D8D8">Häufigkeit</td>
<td bgcolor="#D8D8D8">Schaden    </td>
<td bgcolor="#D8D8D8">Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor="red">Sehr hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor="red">Sehr hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor="yellow">Mittel</td>
<td bgcolor="red">Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor="yellow">Mittel</td>
<td bgcolor="red">Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

==Japanese==
[https://speakerdeck.com/owaspjapan/introducing-owasp-top10-privacy-risks-number-owasp-night-21th Link to slidedeck]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

Projects/OWASP Top 10 Privacy Risks Project/Roadmap

2019-12-19T11:20:25Z

Florian Stahl: /* Timeline */

==Timeline==
* 20 February 2014: Project start
* ...
* 21 September 2014: Publication of v1.0 of the Top 10 Privacy Risks
* ...
* 8 April 2016: Publication of Countermeasures v1.0
* ...
* 19 December 2018: Call for Participation to Update the OWASP Top 10 Privacy Risks
* January 2019: Core Team Established
* May 2019: Assessment Method Reviewed & Optimized
* October 2019: Candidate Risks for the Top 10 list identified
* ~ June 2020: Risks (impact and likelihood) assessed and Top 10 Privacy Risks 2019 published
* End of 2020: Update of the Countermeasures

OWASP Top 10 Privacy Risks Project

2019-12-19T11:17:07Z

Florian Stahl:

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]
* [https://www.owasp.org/images/2/27/Presentation_HowToBoostPrivacy_IAPP_Intensive_2016.pdf Presentation of countermeasures from IAPP Data Protection Intensive 2016]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| style="padding-left:25px;width:200px;" valign="top" |

== News ==
* [Ongoing] Update of the OWASP Top 10 Privacy Risks
* [8 April 2016] Countermeasures v1.0 published
* [1 July 2015] German Translation available
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [20 Feb 2014] Project Start

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015] 
[https://privacyscore.org/ Check your website with PRIVACYSCORE]

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" width="50%" valign="top" align="center" | [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]]
|-
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. Further information and related countermeasures are provided in [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf this PDF document].

<table style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellspacing="3" cellpadding="3" border="1">
<tr>
<td bgcolor="#D8D8D8">No.</td>
<td bgcolor="#D8D8D8">Title</td>
<td bgcolor="#D8D8D8">Frequency</td>
<td bgcolor="#D8D8D8">Impact    </td>
<td bgcolor="#D8D8D8">Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor="orange">High</td>
<td bgcolor="orange">High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor="yellow">Medium</td>
<td bgcolor="red">Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor="yellow">Medium</td>
<td bgcolor="red">Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://groups.google.com/a/owasp.org/forum/#!forum/top-10-privacy-risks-project/join mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Privacy Risk Candidate List 2019: https://docs.google.com/document/d/1eEU7TsoaPG56-zhJi4bi1SD53Jto84GQ8dDGTajL8TY/edit 
Method Update 2019: https://docs.google.com/document/d/1AlAg2cybvo5VX-frzF5uHeAcib3X2rTAA2p97XH8fHw/edit

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
 Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellspacing="3" cellpadding="3" border="1">
<tr>
<td bgcolor="#D8D8D8">Nr.</td>
<td bgcolor="#D8D8D8">Titel</td>
<td bgcolor="#D8D8D8">Häufigkeit</td>
<td bgcolor="#D8D8D8">Schaden    </td>
<td bgcolor="#D8D8D8">Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor="red">Sehr hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor="red">Sehr hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor="yellow">Mittel</td>
<td bgcolor="red">Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor="yellow">Mittel</td>
<td bgcolor="red">Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

==Japanese==
[https://speakerdeck.com/owaspjapan/introducing-owasp-top10-privacy-risks-number-owasp-night-21th Link to slidedeck]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

Projects/OWASP Top 10 Privacy Risks Project/Roadmap

2019-06-07T08:12:06Z

Florian Stahl: /* Timeline */

==Timeline==
* 20 February 2014: Project start
* ...
* 21 September 2014: Publication of v1.0 of the Top 10 Privacy Risks
* ...
* 8 April 2016: Publication of Countermeasures v1.0
* ...
* 19 December 2018: Call for Participation to Update the OWASP Top 10 Privacy Risks in 2019
* 31 January 2019: Core Team Established
* 31 May 2019: Assessment Method Reviewed & Optimized
* 31 July 2019: Candidate Risks for the Top 10 list identified
* 15 December 2019: Risks (impact and likelihood) assessed and Top 10 Privacy Risks 2019 published
* 2020: Update of the Countermeasures

OWASP Top 10 Privacy Risks Project

2019-06-07T08:09:41Z

Florian Stahl: /* Participate */

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]
* [https://www.owasp.org/images/2/27/Presentation_HowToBoostPrivacy_IAPP_Intensive_2016.pdf Presentation of countermeasures from IAPP Data Protection Intensive 2016]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| style="padding-left:25px;width:200px;" valign="top" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [8 April 2016] Countermeasures v1.0 published
* [19 December 2018] Call for Participation for the OWASP Top 10 Privacy Risks 2019

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015] 
[https://privacyscore.org/ Check your website with PRIVACYSCORE]

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" width="50%" valign="top" align="center" | [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]]
|-
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. Further information and related countermeasures are provided in [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf this PDF document].

<table style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellspacing="3" cellpadding="3" border="1">
<tr>
<td bgcolor="#D8D8D8">No.</td>
<td bgcolor="#D8D8D8">Title</td>
<td bgcolor="#D8D8D8">Frequency</td>
<td bgcolor="#D8D8D8">Impact    </td>
<td bgcolor="#D8D8D8">Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor="orange">High</td>
<td bgcolor="orange">High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor="yellow">Medium</td>
<td bgcolor="red">Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor="yellow">Medium</td>
<td bgcolor="red">Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://groups.google.com/a/owasp.org/forum/#!forum/top-10-privacy-risks-project/join mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Privacy Risk Candidate List 2019: https://docs.google.com/document/d/1eEU7TsoaPG56-zhJi4bi1SD53Jto84GQ8dDGTajL8TY/edit 
Method Update 2019: https://docs.google.com/document/d/1AlAg2cybvo5VX-frzF5uHeAcib3X2rTAA2p97XH8fHw/edit

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
 Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellspacing="3" cellpadding="3" border="1">
<tr>
<td bgcolor="#D8D8D8">Nr.</td>
<td bgcolor="#D8D8D8">Titel</td>
<td bgcolor="#D8D8D8">Häufigkeit</td>
<td bgcolor="#D8D8D8">Schaden    </td>
<td bgcolor="#D8D8D8">Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor="red">Sehr hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor="red">Sehr hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor="yellow">Mittel</td>
<td bgcolor="red">Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor="yellow">Mittel</td>
<td bgcolor="red">Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

==Japanese==
[https://speakerdeck.com/owaspjapan/introducing-owasp-top10-privacy-risks-number-owasp-night-21th Link to slidedeck]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2019-06-07T07:34:56Z

Florian Stahl: /* Current discussions */

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]
* [https://www.owasp.org/images/2/27/Presentation_HowToBoostPrivacy_IAPP_Intensive_2016.pdf Presentation of countermeasures from IAPP Data Protection Intensive 2016]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| style="padding-left:25px;width:200px;" valign="top" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [8 April 2016] Countermeasures v1.0 published
* [19 December 2018] Call for Participation for the OWASP Top 10 Privacy Risks 2019

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015] 
[https://privacyscore.org/ Check your website with PRIVACYSCORE]

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" width="50%" valign="top" align="center" | [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]]
|-
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. Further information and related countermeasures are provided in [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf this PDF document].

<table style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellspacing="3" cellpadding="3" border="1">
<tr>
<td bgcolor="#D8D8D8">No.</td>
<td bgcolor="#D8D8D8">Title</td>
<td bgcolor="#D8D8D8">Frequency</td>
<td bgcolor="#D8D8D8">Impact    </td>
<td bgcolor="#D8D8D8">Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor="orange">High</td>
<td bgcolor="orange">High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor="yellow">Medium</td>
<td bgcolor="red">Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor="yellow">Medium</td>
<td bgcolor="red">Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Privacy Risk Candidate List 2019: https://docs.google.com/document/d/1eEU7TsoaPG56-zhJi4bi1SD53Jto84GQ8dDGTajL8TY/edit 
Method Update 2019: https://docs.google.com/document/d/1AlAg2cybvo5VX-frzF5uHeAcib3X2rTAA2p97XH8fHw/edit

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
 Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellspacing="3" cellpadding="3" border="1">
<tr>
<td bgcolor="#D8D8D8">Nr.</td>
<td bgcolor="#D8D8D8">Titel</td>
<td bgcolor="#D8D8D8">Häufigkeit</td>
<td bgcolor="#D8D8D8">Schaden    </td>
<td bgcolor="#D8D8D8">Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor="red">Sehr hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor="red">Sehr hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor="yellow">Mittel</td>
<td bgcolor="red">Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor="yellow">Mittel</td>
<td bgcolor="red">Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

==Japanese==
[https://speakerdeck.com/owaspjapan/introducing-owasp-top10-privacy-risks-number-owasp-night-21th Link to slidedeck]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2019-03-04T13:28:36Z

Florian Stahl:

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]
* [https://www.owasp.org/images/2/27/Presentation_HowToBoostPrivacy_IAPP_Intensive_2016.pdf Presentation of countermeasures from IAPP Data Protection Intensive 2016]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| style="padding-left:25px;width:200px;" valign="top" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [8 April 2016] Countermeasures v1.0 published
* [19 December 2018] Call for Participation for the OWASP Top 10 Privacy Risks 2019

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015] 
[https://privacyscore.org/ Check your website with PRIVACYSCORE]

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" width="50%" valign="top" align="center" | [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]]
|-
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. Further information and related countermeasures are provided in [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf this PDF document].

<table style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellspacing="3" cellpadding="3" border="1">
<tr>
<td bgcolor="#D8D8D8">No.</td>
<td bgcolor="#D8D8D8">Title</td>
<td bgcolor="#D8D8D8">Frequency</td>
<td bgcolor="#D8D8D8">Impact    </td>
<td bgcolor="#D8D8D8">Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor="orange">High</td>
<td bgcolor="orange">High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor="yellow">Medium</td>
<td bgcolor="red">Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor="yellow">Medium</td>
<td bgcolor="red">Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Method Update 2019: https://docs.google.com/document/d/1AlAg2cybvo5VX-frzF5uHeAcib3X2rTAA2p97XH8fHw/edit

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
 Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellspacing="3" cellpadding="3" border="1">
<tr>
<td bgcolor="#D8D8D8">Nr.</td>
<td bgcolor="#D8D8D8">Titel</td>
<td bgcolor="#D8D8D8">Häufigkeit</td>
<td bgcolor="#D8D8D8">Schaden    </td>
<td bgcolor="#D8D8D8">Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor="red">Sehr hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor="red">Sehr hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor="yellow">Mittel</td>
<td bgcolor="red">Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor="yellow">Mittel</td>
<td bgcolor="red">Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

==Japanese==
[https://speakerdeck.com/owaspjapan/introducing-owasp-top10-privacy-risks-number-owasp-night-21th Link to slidedeck]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2019-03-04T13:27:43Z

Florian Stahl:

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]
* [https://www.owasp.org/images/2/27/Presentation_HowToBoostPrivacy_IAPP_Intensive_2016.pdf Presentation of countermeasures from IAPP Data Protection Intensive 2016]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| style="padding-left:25px;width:200px;" valign="top" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [8 April 2016] Countermeasures v1.0 published
* [19 December 2018] Call for Participation for the OWASP Top 10 Privacy Risks 2019

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015] 
[https://privacyscore.org/ Check your website with PRIVACYSCORE]

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" width="50%" valign="top" align="center" | [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]]
|-
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. Further information and related countermeasures are provided in [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf this PDF document].

<table style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellspacing="3" cellpadding="3" border="1">
<tr>
<td bgcolor="#D8D8D8">No.</td>
<td bgcolor="#D8D8D8">Title</td>
<td bgcolor="#D8D8D8">Frequency</td>
<td bgcolor="#D8D8D8">Impact    </td>
<td bgcolor="#D8D8D8">Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor="orange">High</td>
<td bgcolor="orange">High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor="yellow">Medium</td>
<td bgcolor="red">Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor="yellow">Medium</td>
<td bgcolor="red">Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Method Update 2019: https://docs.google.com/document/d/1AlAg2cybvo5VX-frzF5uHeAcib3X2rTAA2p97XH8fHw/edit
 Feel free to contact us for participation.

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
 Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellspacing="3" cellpadding="3" border="1">
<tr>
<td bgcolor="#D8D8D8">Nr.</td>
<td bgcolor="#D8D8D8">Titel</td>
<td bgcolor="#D8D8D8">Häufigkeit</td>
<td bgcolor="#D8D8D8">Schaden    </td>
<td bgcolor="#D8D8D8">Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor="red">Sehr hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor="red">Sehr hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor="yellow">Mittel</td>
<td bgcolor="red">Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor="yellow">Mittel</td>
<td bgcolor="red">Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

==Japanese==
[https://speakerdeck.com/owaspjapan/introducing-owasp-top10-privacy-risks-number-owasp-night-21th Link to slidedeck]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2019-03-04T13:27:13Z

Florian Stahl:

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]
* [https://www.owasp.org/images/2/27/Presentation_HowToBoostPrivacy_IAPP_Intensive_2016.pdf Presentation of countermeasures from IAPP Data Protection Intensive 2016]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| style="padding-left:25px;width:200px;" valign="top" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [8 April 2016] Countermeasures v1.0 published
* [19 December 2018] Call for Participation for the OWASP Top 10 Privacy Risks 2019

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015] 
[https://privacyscore.org/ Check your website with PRIVACYSCORE]

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" width="50%" valign="top" align="center" | [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]]
|-
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. Further information and related countermeasures are provided in [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf this PDF document].

<table style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellspacing="3" cellpadding="3" border="1">
<tr>
<td bgcolor="#D8D8D8">No.</td>
<td bgcolor="#D8D8D8">Title</td>
<td bgcolor="#D8D8D8">Frequency</td>
<td bgcolor="#D8D8D8">Impact    </td>
<td bgcolor="#D8D8D8">Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor="orange">High</td>
<td bgcolor="orange">High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor="yellow">Medium</td>
<td bgcolor="red">Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor="yellow">Medium</td>
<td bgcolor="red">Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Method Update 2019: https://docs.google.com/document/d/1AlAg2cybvo5VX-frzF5uHeAcib3X2rTAA2p97XH8fHw/edit
 Feel free to contact us for participation.

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
 Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellspacing="3" cellpadding="3" border="1">
<tr>
<td bgcolor="#D8D8D8">Nr.</td>
<td bgcolor="#D8D8D8">Titel</td>
<td bgcolor="#D8D8D8">Häufigkeit</td>
<td bgcolor="#D8D8D8">Schaden    </td>
<td bgcolor="#D8D8D8">Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor="red">Sehr hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor="red">Sehr hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor="yellow">Mittel</td>
<td bgcolor="red">Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor="yellow">Mittel</td>
<td bgcolor="red">Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

==Japanese==
[https://speakerdeck.com/owaspjapan/introducing-owasp-top10-privacy-risks-number-owasp-night-21th Link to slidedeck]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2019-03-04T13:01:21Z

Florian Stahl:

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]
* [https://www.owasp.org/images/2/27/Presentation_HowToBoostPrivacy_IAPP_Intensive_2016.pdf Presentation of countermeasures from IAPP Data Protection Intensive 2016]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| style="padding-left:25px;width:200px;" valign="top" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [8 April 2016] Countermeasures v1.0 published
* [19 December 2018] Call for Participation for the OWASP Top 10 Privacy Risks 2019

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015] 
[https://privacyscore.org/ Check your website with PRIVACYSCORE]

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" width="50%" valign="top" align="center" | [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]]
|-
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. Further information and related countermeasures are provided in [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf this PDF document].

<table style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellspacing="3" cellpadding="3" border="1">
<tr>
<td bgcolor="#D8D8D8">No.</td>
<td bgcolor="#D8D8D8">Title</td>
<td bgcolor="#D8D8D8">Frequency</td>
<td bgcolor="#D8D8D8">Impact    </td>
<td bgcolor="#D8D8D8">Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor="orange">High</td>
<td bgcolor="orange">High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor="yellow">Medium</td>
<td bgcolor="red">Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor="yellow">Medium</td>
<td bgcolor="red">Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Discussion on the assessment method and an update for the OWASP Top 10 Privacy Risks 2019 will start on 1 February 2019. Feel free to contact us for participation.

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
 Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellspacing="3" cellpadding="3" border="1">
<tr>
<td bgcolor="#D8D8D8">Nr.</td>
<td bgcolor="#D8D8D8">Titel</td>
<td bgcolor="#D8D8D8">Häufigkeit</td>
<td bgcolor="#D8D8D8">Schaden    </td>
<td bgcolor="#D8D8D8">Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor="red">Sehr hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor="red">Sehr hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor="yellow">Mittel</td>
<td bgcolor="red">Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor="yellow">Mittel</td>
<td bgcolor="red">Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

==Japanese==
[https://speakerdeck.com/owaspjapan/introducing-owasp-top10-privacy-risks-number-owasp-night-21th Link to slidedeck]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

Projects/OWASP Top 10 Privacy Risks Project/Roadmap

2018-12-19T12:04:23Z

Florian Stahl:

==Timeline==
* 20 February 2014: Project start
* ...
* 21 September 2014: Publication of v1.0 of the Top 10 Privacy Risks
* ...
* 8 April 2016: Publication of Countermeasures v1.0
* ...
* 19 December 2018: Call for Participation to Update the OWASP Top 10 Privacy Risks in 2019
* 31 January 2019: Core Team Established
* 31 March 2019: Assessment Method Reviewed & Optimized
* 15 June 2019: Candidate Risks for the Top 10 list identified
* 31 October 2019: Risks (impact and likelihood) assessed and Top 10 Privacy Risks 2019 published
* 31 December 2019: Update of the Countermeasures

Projects/OWASP Top 10 Privacy Risks Project/Roadmap

2018-12-19T09:31:06Z

Florian Stahl:

==Timeline==
* 20 February 2014: Project start
* ...
* 21 September 2014: Publication of v1.0 of the Top 10 Privacy Risks
* ...
* 8 April 2016: Publication of Countermeasures v1.0
* ...
* 19 December 2018: Call for Participation to Update the OWASP Top 10 Privacy Risks in 2019
* 31 January 2019: Core Team Established
* 31 March 2019: Assessment Method Reviewed & Optimized
* 15 June 2019: Candidate Risks for the Top 10 list identified
* 31 October 2019: Risks (impact and likelihood) assessed and Top 10 Privacy Risks 2019 published

OWASP Top 10 Privacy Risks Project

2018-12-19T09:26:14Z

Florian Stahl: /* Download Infographic version */

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]
* [https://www.owasp.org/images/2/27/Presentation_HowToBoostPrivacy_IAPP_Intensive_2016.pdf Presentation of countermeasures from IAPP Data Protection Intensive 2016]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| style="padding-left:25px;width:200px;" valign="top" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [8 April 2016] Countermeasures v1.0 published
* [19 December 2018] Call for Participation for the OWASP Top 10 Privacy Risks 2019

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015] 
[https://privacyscore.org/ Check your website with PRIVACYSCORE]

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" width="50%" valign="top" align="center" | [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]]
|-
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. Further information and related countermeasures are provided in [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf this PDF document].

<table style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellspacing="3" cellpadding="3" border="1">
<tr>
<td bgcolor="#D8D8D8">No.</td>
<td bgcolor="#D8D8D8">Title</td>
<td bgcolor="#D8D8D8">Frequency</td>
<td bgcolor="#D8D8D8">Impact    </td>
<td bgcolor="#D8D8D8">Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor="orange">High</td>
<td bgcolor="orange">High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor="yellow">Medium</td>
<td bgcolor="red">Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor="yellow">Medium</td>
<td bgcolor="red">Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Discussion on the assessment method and an update for the OWASP Top 10 Privacy Risks 2019 will start on 1 February 2019. Feel free to contact us for participation.

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellspacing="3" cellpadding="3" border="1">
<tr>
<td bgcolor="#D8D8D8">Nr.</td>
<td bgcolor="#D8D8D8">Titel</td>
<td bgcolor="#D8D8D8">Häufigkeit</td>
<td bgcolor="#D8D8D8">Schaden    </td>
<td bgcolor="#D8D8D8">Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor="red">Sehr hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor="red">Sehr hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor="yellow">Mittel</td>
<td bgcolor="red">Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor="yellow">Mittel</td>
<td bgcolor="red">Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

==Japanese==
[https://speakerdeck.com/owaspjapan/introducing-owasp-top10-privacy-risks-number-owasp-night-21th Link to slidedeck]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2018-12-19T09:24:53Z

Florian Stahl: /* Participation and Discussion */

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]
* [https://www.owasp.org/images/2/27/Presentation_HowToBoostPrivacy_IAPP_Intensive_2016.pdf Presentation of countermeasures from IAPP Data Protection Intensive 2016]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| style="padding-left:25px;width:200px;" valign="top" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [8 April 2016] Countermeasures v1.0 published
* [18 May 2017] Presentation at Data Protection Congress, Berlin

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015] 
[https://privacyscore.org/ Check your website with PRIVACYSCORE]

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" width="50%" valign="top" align="center" | [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]]
|-
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. Further information and related countermeasures are provided in [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf this PDF document].

<table style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellspacing="3" cellpadding="3" border="1">
<tr>
<td bgcolor="#D8D8D8">No.</td>
<td bgcolor="#D8D8D8">Title</td>
<td bgcolor="#D8D8D8">Frequency</td>
<td bgcolor="#D8D8D8">Impact    </td>
<td bgcolor="#D8D8D8">Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor="orange">High</td>
<td bgcolor="orange">High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor="orange">High</td>
<td bgcolor="red">Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor="yellow">Medium</td>
<td bgcolor="red">Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor="yellow">Medium</td>
<td bgcolor="red">Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Discussion on the assessment method and an update for the OWASP Top 10 Privacy Risks 2019 will start on 1 February 2019. Feel free to contact us for participation.

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellspacing="3" cellpadding="3" border="1">
<tr>
<td bgcolor="#D8D8D8">Nr.</td>
<td bgcolor="#D8D8D8">Titel</td>
<td bgcolor="#D8D8D8">Häufigkeit</td>
<td bgcolor="#D8D8D8">Schaden    </td>
<td bgcolor="#D8D8D8">Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor="red">Sehr hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor="red">Very high</td>
<td bgcolor="orange">High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor="red">Sehr hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="orange">Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor="orange">Hoch</td>
<td bgcolor="red">Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor="yellow">Mittel</td>
<td bgcolor="red">Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor="yellow">Mittel</td>
<td bgcolor="red">Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

==Japanese==
[https://speakerdeck.com/owaspjapan/introducing-owasp-top10-privacy-risks-number-owasp-night-21th Link to slidedeck]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

Projects/OWASP Top 10 Privacy Risks Project/Roadmap

2018-12-19T09:22:27Z

Florian Stahl:

==Timeline==
* 20 February 2014: Project start
* ...
* 21 September 2014: Publication of v1.0 of the Top 10 Privacy Risks
* ...
* 8 April 2016: Publication of Countermeasures v1.0
* ...
* 19 December 2018: Call for Participation to Update the OWASP Top 10 Privacy Risks in 2019
* 31 January 2019: Core Team Established
* 31 March 2019: Assessment Method Reviewed & Optimized
* 15 June 2019: Candidate Risks for the Top 10 list identified
* 31 October 2019: Risks Assessed and Top 10 Privacy Risks 2019 published

Projects/OWASP Top 10 Privacy Risks Project/Roadmap

2018-12-19T09:20:07Z

Florian Stahl: /* Timeline */

==Timeline==
* 20 February 2014: Project start
* ...
* 21 September 2014: Publication of v1.0 of the Top 10 Privacy Risks
* ...
* 8 April 2016: Publication of Countermeasures v1.0
* ...
* 19 December 2018: Call for Participation to Update the OWASP Top 10 Privacy Risks in 2019
* 31 January 2019: Core Team Established
* 31 March 2019: Assessment Process Reviewed & Optimized
* 15 June 2019: Candidate Risks for the Top 10 list identified
* 31 October 2019: Risks Assessed and Top 10 Privacy Risks 2019 published

User:Florian Stahl

2018-05-14T14:06:22Z

Florian Stahl: Updated current position

Florian Stahl is a German security and privacy consultant and evangelist. He achieved his master’s with honors in information systems science at the University of Regensburg in Germany and his master's in computer science at Växjö Universitet in Sweden. Florian started his professional career at the Swedish security software vendor Cryptzone in Gothenburg in 2006. He came back to Germany in 2009 and worked as consultant for Ernst & Young in Munich before moving on to msg systems in 2011 where he held positions as Lead Consultant and Senior Manager. Since 2018 he is working as Senior Cyber Security Expert for AVL. Florian has CISSP, CISM and CIPT certifications and speaks fluent German, English and Swedish. His aim is to follow a holistic approach by combining technical, organisational and social measures to protect information. He is regular speaker at conferences, member of the Internet Privacy Engineering Network (IPEN) and writes articles on his blog [http://securitybydesign.de/ securitybydesign.de]. He leads the [[OWASP_Top_10_Privacy_Risks_Project]].

Top 10 2014-I5 Privacy Concerns

2018-05-14T13:59:47Z

Florian Stahl:

<center>[https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=Top_10_IoT_Vulnerabilities__282014_29 Back To The Internet of Things Top 10]</center>

{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013|language=en}}
{{Top_10:SummaryTableTemplate|exploitability=2|prevalence=2|detectability=1|impact=1|year=2013|language=en}}
{{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}}
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider anyone who has access to the device itself, the network the device is connected to, the mobile application and the cloud connection including external and internal users.

</td>
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Attacker uses multiple vectors such as insufficient authentication, lack of transport encryption or insecure network services to view personal data which is not being properly protected or is being collected unnecessarily. Attack could come from external or internal users.

</td>
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Privacy concerns generated by the collection of personal data in addition to the lack of proper protection of that data is prevalent. Privacy concerns are easy to discover by simply reviewing the data that is being collected as the user sets up and activates the device. Automated tools can also look for specific patterns of data that may indicate collection of personal data or other sensitive data.

</td>
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Collection of personal data along with a lack of protection of that data can lead to compromise of a user's personal data.

</td>
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider the business impact of personal data that is collected unnecessarily or isn't protected properly. Data could be stolen. Could your customers be harmed by having this personal data exposed?

</td>
{{Top_10_2010:SummaryTableEndTemplate|year=2013}}

{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|title=Does My Device Present Privacy Concerns?|position=firstLeft|year=2013|language=en}}
Checking for Privacy Concerns includes:
* Identifying all data types that are being collected by the device, its mobile application and any cloud interfaces
* The device and it's various components should only collect what is necessary to perform its function
* Personally identifiable information can be exposed when not properly encrypted while at rest on storage mediums and during transit over networks
* Reviewing who has access to personal information that is collected
* Determining if data collected can be de-identified or anonymized
* Determining if data collected is beyond what is needed for proper operation of the device (Does the end-user have a choice for this data collection?)
* Determining if a data retention policy is in place

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|title=How Do I Prevent Privacy Concerns?|position=right|year=2013|language=en}}
Minimizing privacy concerns requires:
# Ensuring only data critical to the functionality of the device is collected
# Ensuring that any data collected is of a less sensitive nature (i.e., try not to collect sensitive data)
# Ensuring that any data collected is de-identified or anonymized
# Ensuring any data collected is properly protected with encryption
# Ensuring the device and all of its components properly protect personal information
# Ensuring only authorized individuals have access to collected personal information
# Ensuring that retention limits are set for collected data
# Ensuring that end-users are provided with "Notice and Choice" if data collected is more than what would be expected from the product
# Ensuring the role based access control/authorization to the collected data/analyzed data is applied
# Ensuring that the analyzed data is de-identified

Please review the following tabs for more detail based on whether you are a [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Manufacturers Manufacturer], [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Developers Developer] or [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Consumers Consumer]
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=1|year=2013|language=en}}
'''Scenario #1:''' Collection of personal data.

{{Top_10_2010:ExampleBeginTemplate|year=2013}}
Date of birth, home address, phone number, etc.

{{Top_10_2010:ExampleEndTemplate}}
'''Scenario #2:''' Collection of financial and/or health information.
{{Top_10_2010:ExampleBeginTemplate|year=2013}}
Credit card data and bank account information.

{{Top_10_2010:ExampleEndTemplate}}
In the cases above, exposure of any of the data examples could lead to identity theft or compromise of accounts.

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=1|year=2013|language=en}}
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}

[https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure Top 10 2013-A6-Sensitive Data Exposure] 
[https://www.owasp.org/index.php/OWASP_Top_10_Privacy_Risks_Project Top 10 Privacy Risks Project]

{{Top_10_2010:SubSubsectionExternalReferencesTemplate}} 
[https://www.ftc.gov/tips-advice/business-center/guidance/careful-connections-building-security-internet-things FTC: Careful Connections: Building Security in the Internet of Things]
[https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf FTC: Internet of Things, Privacy & Security in a Connected World]

OWASP Top 10 Privacy Risks Project

2017-09-26T12:07:56Z

Florian Stahl: Added link to PRIVACYSCORE

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]
* [https://www.owasp.org/images/2/27/Presentation_HowToBoostPrivacy_IAPP_Intensive_2016.pdf Presentation of countermeasures from IAPP Data Protection Intensive 2016]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| valign="top" style="padding-left:25px;width:200px;" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [8 April 2016] Countermeasures v1.0 published
* [18 May 2017] Presentation at Data Protection Congress, Berlin

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015] 
[https://privacyscore.org/ Check your website with PRIVACYSCORE]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. Further information and related countermeasures are provided in [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf this PDF document].

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>No.</td>
<td bgcolor=#D8D8D8>Title</td>
<td bgcolor=#D8D8D8>Frequency</td>
<td bgcolor=#D8D8D8>Impact    </td>
<td bgcolor=#D8D8D8>Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor=orange>High</td>
<td bgcolor=orange>High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Currently no ongoing discussions. Feel free to contact us for feedback and ideas.

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>Nr.</td>
<td bgcolor=#D8D8D8>Titel</td>
<td bgcolor=#D8D8D8>Häufigkeit</td>
<td bgcolor=#D8D8D8>Schaden    </td>
<td bgcolor=#D8D8D8>Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

==Japanese==
[https://speakerdeck.com/owaspjapan/introducing-owasp-top10-privacy-risks-number-owasp-night-21th Link to slidedeck]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2017-06-01T04:44:54Z

Florian Stahl:

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]
* [https://www.owasp.org/images/2/27/Presentation_HowToBoostPrivacy_IAPP_Intensive_2016.pdf Presentation of countermeasures from IAPP Data Protection Intensive 2016]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| valign="top" style="padding-left:25px;width:200px;" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [8 April 2016] Countermeasures v1.0 published
* [18 May 2017] Presentation at Data Protection Congress, Berlin

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://privacyassociation.org/news/a/on-how-owasp-identifies-privacy-risks-in-web-applications IAPP blogs about the project]
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. Further information and related countermeasures are provided in [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf this PDF document].

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>No.</td>
<td bgcolor=#D8D8D8>Title</td>
<td bgcolor=#D8D8D8>Frequency</td>
<td bgcolor=#D8D8D8>Impact    </td>
<td bgcolor=#D8D8D8>Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor=orange>High</td>
<td bgcolor=orange>High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Currently no ongoing discussions. Feel free to contact us for feedback and ideas.

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>Nr.</td>
<td bgcolor=#D8D8D8>Titel</td>
<td bgcolor=#D8D8D8>Häufigkeit</td>
<td bgcolor=#D8D8D8>Schaden    </td>
<td bgcolor=#D8D8D8>Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

==Japanese==
[https://speakerdeck.com/owaspjapan/introducing-owasp-top10-privacy-risks-number-owasp-night-21th Link to slidedeck]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

IoT Security Guidance

2017-02-14T09:45:06Z

Florian Stahl:

<center>[https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project Back To The Internet of Things Project]</center>

== '''Manufacturer IoT Security Guidance''' ==

(DRAFT)

The goal of this section is help manufacturers build more secure products in the Internet of Things space. The guidance below is at a basic level, giving builders of products a basic set of guidelines to consider from their perspective. This is not a comprehensive list of considerations, and should not be treated as such, but ensuring that these fundamentals are covered will greatly improve the security of any IoT product.

{| border="1" class="wikitable" style="text-align: left"
! Category
! IoT Security Consideration
|-
| '''I1: Insecure Web Interface'''
|
* Ensure that any web interface in the product disallows weak passwords
* Ensure that any web interface in the product has an account lockout mechanism
* Ensure that any web interface in the product has been tested for XSS, SQLi and CSRF vulnerabilities
* Ensure that any web interface has the ability to use HTTPS to protect transmitted information
* Include web application firewalls to protect any web interfaces
* Ensure that any web interface allows the owner to change the default username and password
|-
| '''I2: Insufficient Authentication/Authorization'''
|
* Ensure that any access requiring authentication requires strong passwords
* Ensure that user roles can be properly segregated in multi-user environments
* Implement two-factor authentication where possible
* Ensure password recovery mechanisms are secure
* Ensure that users have the option to require strong passwords
* Ensure that users have the option to force password expiration after a specific period
* Ensure that users have the option to change the default username and password
|-
| '''I3: Insecure Network Services'''
|
* Ensure all devices operate with a minimal number of network ports active
* Ensure all devices do not make network ports and/or services available to the internet via UPnP for example
* Review all required network services for vulnerabilities such as buffer overflows or denial of service
|-
| '''I4: Lack of Transport Encryption'''
|
* Ensure all communication between system components is encrypted as well as encrypting traffic between the system or device and the internet
* Use recommended and accepted encryption practices and avoid proprietary protocols
* Ensure SSL/TLS implementations are up to date and properly configured
* Consider making a firewall option available for the product
|-
| '''I5: Privacy Concerns'''
|
* Ensure only the minimal amount of personal information is collected from consumers
* Ensure all collected personal data is properly protected using encryption at rest and in transit
* Ensure only authorized individuals have access to collected personal information
* Ensure only less sensitive data is collected
* Ensuring data is de-identified or anonymized
* Ensuring a data retention policy is in place
* Ensuring end-users are given a choice for data collected beyond what is needed for proper operation of the device
|-
| '''I6: Insecure Cloud Interface'''
|
* Ensure all cloud interfaces are reviewed for security vulnerabilities (e.g. API interfaces and cloud-based web interfaces)
* Ensure that any cloud-based web interface disallows weak passwords
* Ensure that any cloud-based web interface has an account lockout mechanism
* Implement two-factor authentication for cloud-based web interfaces
* Ensure that all cloud interfaces use transport encryption
* Ensure that any cloud-based web interface has been tested for XSS, SQLi and CSRF vulnerabilities
* Ensure that users have the option to require strong passwords
* Ensure that users have the option to force password expiration after a specific period
* Ensure that users have the option to change the default username and password
|-
| '''I7: Insecure Mobile Interface'''
|
* Ensure that any mobile application disallows weak passwords
* Ensure that any mobile application has an account lockout mechanism
* Implement two-factor authentication for mobile applications (e.g Apple's Touch ID)
* Ensure that any mobile application uses transport encryption
* Ensure that users have the option to require strong passwords
* Ensure that users have the option to force password expiration after a specific period
* Ensure that users have the option to change the default username and password
|-
| '''I8: Insufficient Security Configurability'''
|
* Ensure password security options are made available (e.g. Enabling 20 character passwords or enabling two-factor authentication)
* Ensure encryption options are made available (e.g. Enabling AES-256 where AES-128 is the default setting)
* Ensure secure logging is available for security events
* Ensure alerts and notifications are available to the user for security events
|-
| '''I9: Insecure Software/Firmware'''
|
* Ensure all system devices have update capability and can be updated quickly when vulnerabilities are discovered
* Ensure update files are encrypted and that the files are also transmitted using encryption
* Ensure that update files are signed and then validated by the device before installing
* Ensure update servers are secure
* Ensure the product has the ability to implement scheduled updates
|-
| '''I10: Poor Physical Security'''
|
* Ensure the device is produced with a minimal number of physical external ports (e.g. USB ports)
* Ensure the firmware of Operating System can not be accessed via unintended methods such as through an unnecessary USB port
* Ensure the product is tamper resistant
* Ensure the product has the ability to limit administrative capabilities in some fashion, possibly by only connecting locally for admin functions
* Ensure the product has the ability to disable external ports such as USB
|}

===General Recommendations===

Consider the following recommendation for all Internet of Things products:
* Avoid the potential for persistent vulnerabilities in devices that have no update capability by ensuring that all devices and systems are built with the ability to be updated when vulnerabilities are discovered
* Rebranded devices used as part of a system should be properly configured so that unnecessary or unintended services do not remain active after the rebranding

[ NOTE: Given the fact that each deployment and every environment is different, it is important to weigh the pros and cons of implementing the advice above before taking each step. ]

== '''Developer IoT Security Guidance''' ==

(DRAFT)

The goal of this section is help developers build more secure applications in the Internet of Things space. The guidance below is at a basic level, giving developers of applications a basic set of guidelines to consider from their perspective. This is not a comprehensive list of considerations, and should not be treated as such, but ensuring that these fundamentals are covered will greatly improve the security of any IoT product. Strongly consider using a [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Framework_Assessment Secure IoT Framework] in order to proactively address many of the concerns listed below.

{| border="1" class="wikitable" style="text-align:left;"
! Category
! IoT Security Consideration
! Recommendations
|- style="vertical-align:top;"
| '''I1: Insecure Web Interface'''
|
* Ensure that any web interface coding is written to prevent the use of weak passwords
* Ensure that any web interface coding is written to include an account lockout mechanism
* Ensure that any web interface coding has been tested for XSS, SQLi and CSRF vulnerabilities
* Ensure that any web interface has the ability to use HTTPS to protect transmitted information
* Ensure that any web interface coding is written to allow the owner to change the username and password
* Consider the use of web application firewalls to protect any web interfaces
|
When building a web interface consider implementing lessons learned from web application security. Employ a [https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities#Generic_Application_Frameworks framework] that utilizes security controls to ensure that vulnerabilities are mitigated in code. Be sure to plan for eventual upgrades or security fixes to the framework as well. If you use optional plugins to the framework be sure to review them for security.

Deploy and protect the web interface in the same way you would any web application. Utilize encrypted transport protocols if possible, being sure to validate certificates. Limit access in whatever ways possible. Assume users will not change configuration so deploy in a secure manner with strong credentials already in place.
|- style="vertical-align:top;"
| '''I2: Insufficient Authentication/Authorization'''
|
* Ensure that applications are written to require strong passwords where authentication is needed
* Ensure the application takes into account multi-user environments and includes functionality for role separation
* Implement two-factor authentication where possible
* Ensure password recovery mechanisms are written to function in a secure manner
* Ensure that applications are written to include the option to require strong passwords
* Ensure that applications are written to include the option to force password expiration after a specific period
* Ensure that applications are written to include the option to change the default username and password
|
Refer to the [https://www.owasp.org/index.php/Authentication_Cheat_Sheet OWASP Authentication Cheat Sheet]
|- style="vertical-align:top;"
| '''I3: Insecure Network Services'''
|
* Ensure applications that use network services don't respond poorly to buffer overflow, fuzzing or denial of service attacks
* Ensure applications test ports are taken out of service before going to production
|
Try to utilize tested, proven, networking stacks and interfaces that handle exceptions gracefully. Be sure that any test or maintenance interfaces are disabled or properly protected. Avoid exposing unauthenticated protocols (such as TFTP) or unencrypted channels (such as telnet) if possible. Consider the attack surface that device network services present. Turn off unnecessary services and deploy measures to protect required services, detect malicious activity, and react to an attack with measures such as lock-outs or temporary firewall rules.
|- style="vertical-align:top;"
| '''I4: Lack of Transport Encryption'''
|
* Ensure all applications are written to make use of encrypted communication between devices and between devices and the internet
* Use recommended and accepted encryption practices and avoid proprietary protocols
* Consider making a firewall option available for the application
|
Utilize encrypted protocols wherever possible to protect all data in transit. Where protocol encryption is not possible consider encrypting data before transfer.
|- style="vertical-align:top;"
| '''I5: Privacy Concerns'''
|
* Ensure only the minimal amount of personal information is collected from consumers
* Ensure all collected personal data is properly protected using encryption at rest and in transit
* Ensuring data is de-identified or anonymized
* Ensuring end-users are given a choice for data collected beyond what is needed for proper operation of the device
|
Data can present unintended privacy concerns when aggregated. As a rule collect the minimal amount of data possible. Consult with data scientists, legal and compliance teams to determine risk of data collection and storage. Consider implications of consent and the fact that IoT devices may not present an interface for collecting consent and may passively collect data about people other than owners and operators. IoT may collect information about individuals who cannot provide consent (such as minors) and data collection should be modified accordingly.

Also refer to the [https://www.owasp.org/index.php/OWASP_Top_10_Privacy_Risks_Project OWASP Top 10 Privacy Risks].
|- style="vertical-align:top;"
| '''I6: Insecure Cloud Interface'''
|
* Ensure all cloud interfaces are reviewed for security vulnerabilities (e.g. API interfaces and cloud-based web interfaces)
* Ensure that any cloud-based web interface coding is written to disallows weak passwords
* Ensure that any cloud-based web interface coding is written to include an account lockout mechanism
* Implement two-factor authentication for cloud-based web interfaces
* Ensure that any cloud interface coding has been tested for XSS, SQLi and CSRF vulnerabilities
* Ensure that all cloud interfaces use transport encryption
* Ensure that cloud interfaces are written to include the option to require strong passwords
* Ensure that cloud interfaces are written to include the option to force password expiration after a specific period
* Ensure that cloud interfaces are written to include the option to change the default username and password
|
Cloud security presents unique security considerations, as well as countermeasures. Be sure to consult your cloud provider about options for security mechanisms. Consult the OWASP [https://www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80%90_10_Project Cloud Top 10 Security Risks] documents.
|- style="vertical-align:top;"
| '''I7: Insecure Mobile Interface'''
|
* Ensure that any mobile application coding is written to disallows weak passwords
* Ensure that any mobile application coding is written to include an account lockout mechanism
* Implement two-factor authentication for mobile applications (e.g Apple's Touch ID)
* Ensure that any mobile application uses transport encryption
* Ensure that mobile interfaces are written to include the option to require strong passwords
* Ensure that mobile interfaces are written to include the option to force password expiration after a specific period
* Ensure that mobile interfaces are written to include the option to change the default username and password
* Ensure that mobile interfaces only collect the minimum amount of personal information needed
|
Mobile interfaces to IoT ecosystems require targeted security. Consult the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Project] for further guidance.
|- style="vertical-align:top;"
| '''I8: Insufficient Security Configurability'''
|
* Ensure applications are written to include password security options (e.g. Enabling 20 character passwords or enabling two-factor authentication)
* Ensure applications are written to include encryption options (e.g. Enabling AES-256 where AES-128 is the default setting)
* Ensure all applications are written to produce logs for security events
* Ensure all applications are written to produce alerts and notifications to the user for security events
|
Security can be a value proposition. Design should take into consideration a sliding scale of security requirements. Architect projects with secure defaults and allow consumers to select options to be enabled or disabled. IoT design should be forward compatible with respect to security - as cipher suites increase and new security technologies become widely available IoT design should be able to adopt these new technologies.

Remember the security lifecycle of protect, detect, and react. Design systems to allow for the detection of malicious activity as well as self defending capabilities and a reaction plan should a compromise be detected. Design all stages of the lifecycle to be evolutionary so improvements can be added to a system or device future releases, updates, or patches.
|- style="vertical-align:top;"
| '''I9: Insecure Software/Firmware'''
|
* Ensure all applications are written to include update capability and can be updated quickly when vulnerabilities are discovered
* Ensure all applications are written to process encrypted update files and that the files are transmitted using encryption
* Ensure all applications are written to process signed files and then validate that file before installation
|
Many IoT deployments are either brownfield (i.e. applied over existing infrastructure) and/or have an extremely long deployment cycle. To maintain the security of devices over time it is critical to plan for patches and updates.

Confidentiality, Integrity, and Availability (CIA) are primary concerns when providing binaries and updates to edge devices. Encrypt updates before distribution, providing decryption keys along with download instructions to authorized devices. Updates should have cryptographic signatures using public key cryptography that can be verified by devices. A cryptographic signature allows for distribution of updates over untrusted channels, such as Content Delivery Network (CDN), peer-to-peer, or machine to machine (M2M).

Devices should always validate cryptographic certificates and discard updates that are not properly delivered or signed. If unencrypted updates are utilized be sure that a cryptographic hash of the update is provided over an encrypted channel so the device can detect tampering.

Provide a mechanism for issuing, updating and revoking cryptographic keys as well. Key management and lifecycle should be taken into consideration prior to deployment. This includes the SSL trust store, or root trust, on a device, which may have to be modified over the lifespan of the device.
|- style="vertical-align:top;"
| '''I10: Poor Physical Security'''
|
* Ensure applications are written to utilize a minimal number of physical external ports (e.g. USB ports) on the device
* Ensure all applications can not be accessed via unintended methods such as through an unnecessary USB port
* Ensure all applications are written to allow for disabling of unused physical ports such as USB
* Consider writing applications to limit administrative capabilities to a local interface only
|
Plan on having IoT edge devices fall into malicious hands. Utilize whatever physical security protections are available. Disable any testing or debugging interfaces, utilize Hardware Security Modules (HSM's), cryptographic co-processors, and Trusted Platform Modules (TPM's) wherever possible.

Consider the implications of a compromised device. Do not share credentials, application or cryptographic keys across multiple devices to limit the scope of damage due to a physical compromise.

Plan for the transfer of ownership of devices and ensure that data is not transferable along with the ownership.
|}

===General Recommendations===

Consider the following recommendations for all user interfaces (local device, cloud-based and mobile):
* Avoid potential Account Harvesting issues by:
** Ensuring valid user accounts can't be identified by interface error messages
** Ensuring strong passwords are required by users
** Implementing account lockout after 3 - 5 failed login attempts

[ NOTE: Given the fact that each deployment and every environment is different, it is important to weigh the pros and cons of implementing the advice above before taking each step. ]

== '''Consumer IoT Security Guidance''' ==

(DRAFT)

The goal of this section is help consumers purchase secure products in the Internet of Things space. The guidance below is at a basic level, giving consumers a basic set of guidelines to consider from their perspective. This is not a comprehensive list of considerations, and should not be treated as such, but ensuring that these fundamentals are covered will greatly aid the consumer in purchasing a secure IoT product.

{| border="1" class="wikitable" style="text-align: left"
! Category
! IoT Security Consideration
|-
| '''I1: Insecure Web Interface'''
|
* If your system has the option to use HTTPS, ensure it is enabled
* If your system has a two factor authentication option, ensure that it is enabled
* If your system has web application firewall option, ensure that it is enabled
* If your system has a local or cloud-based web application, ensure that you change the default password to a strong one and if possible change the default username as well
* If the system has account lockout functionality, ensure that it is enabled
* Consider employing network segmentation technologies such as firewalls to isolate IoT systems from critical IT systems
|-
| '''I2: Insufficient Authentication/Authorization'''
|
* If your system has a local or cloud-based web application, ensure that you change the default password to a strong one and if possible change the default username as well
* If the system has account lockout functionality, ensure that it is enabled
* If the system has the option to require strong passwords, ensure that is enabled
* If the system has the option to require new passwords after 90 days for example, ensure that is enabled
* If your system has a two factor authentication option, ensure that it is enabled
* If your system has the option to set user privileges, consider setting user privileges to the minimal needed for operation
* Consider employing network segmentation technologies such as firewalls to isolate IoT systems from critical IT systems
|-
| '''I3: Insecure Network Services'''
|
* If your system has a firewall option available, enable it and ensure that it can only be accessed from your client systems
* Consider employing network segmentation technologies such as firewalls to isolate IoT systems from critical IT systems
|-
| '''I4: Lack of Transport Encryption'''
|
* If your system has the option to use HTTPS, ensure it is enabled
|-
| '''I5: Privacy Concerns'''
|
* Do not enter sensitive information into the system that is not absolutely required, e.g. address, DOB, CC, etc.
* Deny data collection if it appears to be beyond what is needed for proper operation of the device (If provided the choice)
|-
| '''I6: Insecure Cloud Interface'''
|
* If your system has the option to use HTTPS, ensure it is enabled
* If your system has a two factor authentication option, ensure that it is enabled
* If your system has web application firewall option, ensure that it is enabled
* If your system has a local or cloud-based web application, ensure that you change the default password to a strong one and if possible change the default username as well
* If the system has account lockout functionality, ensure that it is enabled
* If the system has the option to require strong passwords, ensure that is enabled
* If the system has the option to require new passwords after 90 days for example, ensure that is enabled
|-
| '''I7: Insecure Mobile Interface'''
|
* If the mobile application has the option to require a PIN or password, consider using it for extra security (on client and server)
* If the mobile application has the option to use two factory authentication such as Apple's Touch ID, ensure it is enabled
* If the system has account lockout functionality, ensure that it is enabled
* If the system has the option to require strong passwords, ensure that is enabled
* If the system has the option to require new passwords after 90 days for example, ensure that is enabled
* Do not enter sensitive information into the mobile application that is not absolutely required, e.g. address, DOB, CC, etc.
|-
| '''I8: Insufficient Security Configurability'''
|
* If your system has the option, enable any logging functionality for security-related events
* If your system has the option, enable any alert and notification functionality for security-related events
* If your system has security options for passwords, ensure they are enabled for strong passwords
* If your system has security options for encryption, ensure they are set for an accepted standard such as AES-256
|-
| '''I9: Insecure Software/Firmware'''
|
* If your system has the option to verify updates, ensure it is enabled
* If your system has the option to download updates securely, ensure it is enabled
* If your system has the ability to schedule updates on a regular cadence, consider enabling it
|-
| '''I10: Poor Physical Security'''
|
* If your system has the ability to limit administrative capabilities possible by connecting locally, consider enabling that feature
* Disable any unused physical ports through the administrative interface
|}

===General Recommendations===

If you are looking to purchase a device or system, consider the following recommendations:
* Include security in feature considerations when evaluating a product
* Place Internet of Things devices on a separate network if possible using a firewall

[ NOTE: Given the fact that each deployment and every environment is different, it is important to weigh the pros and cons of implementing the advice above before taking each step. ]

User:Florian Stahl

2017-02-06T07:04:44Z

Florian Stahl:

Florian Stahl is a German security and privacy consultant and evangelist. He achieved his master’s with honors in information systems science at the University of Regensburg in Germany and his master's in computer science at Växjö Universitet in Sweden. Florian started his professional career at the Swedish security software vendor Cryptzone in Gothenburg in 2006. He came back to Germany in 2009 and worked as consultant for Ernst & Young in Munich before moving on to msg systems where he currently holds the position as Senior Manager. Florian has CISSP and CIPT certifications and speaks fluent German, English and Swedish. His aim is to follow a holistic approach by combining technical, organisational and social measures to protect information. He is regular speaker at conferences and writes articles for magazines and on his blog [http://securitybydesign.de/ securitybydesign.de]. He leads the [[OWASP_Top_10_Privacy_Risks_Project]].

OWASP Top 10 Privacy Risks Project

2017-02-06T06:58:59Z

Florian Stahl:

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]
* [https://www.owasp.org/images/2/27/Presentation_HowToBoostPrivacy_IAPP_Intensive_2016.pdf Presentation of countermeasures from IAPP Data Protection Intensive 2016]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| valign="top" style="padding-left:25px;width:200px;" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [8 April 2016] Countermeasures v1.0 published
* [18 May 2017] Presentation at Data Protection Congress, Berlin
* [31 May 2017] Presentation at EuroCACS 2017, Munich

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://privacyassociation.org/news/a/on-how-owasp-identifies-privacy-risks-in-web-applications IAPP blogs about the project]
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. Further information and related countermeasures are provided in [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf this PDF document].

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>No.</td>
<td bgcolor=#D8D8D8>Title</td>
<td bgcolor=#D8D8D8>Frequency</td>
<td bgcolor=#D8D8D8>Impact    </td>
<td bgcolor=#D8D8D8>Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor=orange>High</td>
<td bgcolor=orange>High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Currently no ongoing discussions. Feel free to contact us for feedback and ideas.

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>Nr.</td>
<td bgcolor=#D8D8D8>Titel</td>
<td bgcolor=#D8D8D8>Häufigkeit</td>
<td bgcolor=#D8D8D8>Schaden    </td>
<td bgcolor=#D8D8D8>Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

==Japanese==
[https://speakerdeck.com/owaspjapan/introducing-owasp-top10-privacy-risks-number-owasp-night-21th Link to slidedeck]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2017-02-04T14:06:09Z

Florian Stahl: /* News & Events */

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]
* [https://www.owasp.org/images/2/27/Presentation_HowToBoostPrivacy_IAPP_Intensive_2016.pdf Presentation of countermeasures from IAPP Data Protection Intensive 2016]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| valign="top" style="padding-left:25px;width:200px;" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [8 April 2016] Countermeasures v1.0 published
* [29 March 2017] Presentation at IT-Trends Sicherheit, Bochum]
* [18 May 2017] Presentation at Data Protection Congress, Berlin

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://privacyassociation.org/news/a/on-how-owasp-identifies-privacy-risks-in-web-applications IAPP blogs about the project]
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. Further information and related countermeasures are provided in [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf this PDF document].

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>No.</td>
<td bgcolor=#D8D8D8>Title</td>
<td bgcolor=#D8D8D8>Frequency</td>
<td bgcolor=#D8D8D8>Impact    </td>
<td bgcolor=#D8D8D8>Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor=orange>High</td>
<td bgcolor=orange>High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Currently no ongoing discussions. Feel free to contact us for feedback and ideas.

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>Nr.</td>
<td bgcolor=#D8D8D8>Titel</td>
<td bgcolor=#D8D8D8>Häufigkeit</td>
<td bgcolor=#D8D8D8>Schaden    </td>
<td bgcolor=#D8D8D8>Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

==Japanese==
[https://speakerdeck.com/owaspjapan/introducing-owasp-top10-privacy-risks-number-owasp-night-21th Link to slidedeck]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2017-02-04T14:04:43Z

Florian Stahl: /* News & Events */

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]
* [https://www.owasp.org/images/2/27/Presentation_HowToBoostPrivacy_IAPP_Intensive_2016.pdf Presentation of countermeasures from IAPP Data Protection Intensive 2016]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| valign="top" style="padding-left:25px;width:200px;" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [8 April 2016] Countermeasures v1.0 published
* [18 May 2017] Presentation at Data Protection Congress, Berlin

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://privacyassociation.org/news/a/on-how-owasp-identifies-privacy-risks-in-web-applications IAPP blogs about the project]
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. Further information and related countermeasures are provided in [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf this PDF document].

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>No.</td>
<td bgcolor=#D8D8D8>Title</td>
<td bgcolor=#D8D8D8>Frequency</td>
<td bgcolor=#D8D8D8>Impact    </td>
<td bgcolor=#D8D8D8>Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor=orange>High</td>
<td bgcolor=orange>High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Currently no ongoing discussions. Feel free to contact us for feedback and ideas.

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>Nr.</td>
<td bgcolor=#D8D8D8>Titel</td>
<td bgcolor=#D8D8D8>Häufigkeit</td>
<td bgcolor=#D8D8D8>Schaden    </td>
<td bgcolor=#D8D8D8>Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

==Japanese==
[https://speakerdeck.com/owaspjapan/introducing-owasp-top10-privacy-risks-number-owasp-night-21th Link to slidedeck]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2016-10-14T05:30:48Z

Florian Stahl: /* Quick Download */

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]
* [https://www.owasp.org/images/2/27/Presentation_HowToBoostPrivacy_IAPP_Intensive_2016.pdf Presentation of countermeasures from IAPP Data Protection Intensive 2016]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| valign="top" style="padding-left:25px;width:200px;" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [8 April 2016] Countermeasures v1.0 published
* [17-18 May 2017] Presentation at Data Protection Congress, Berlin

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://privacyassociation.org/news/a/on-how-owasp-identifies-privacy-risks-in-web-applications IAPP blogs about the project]
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. Further information and related countermeasures are provided in [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf this PDF document].

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>No.</td>
<td bgcolor=#D8D8D8>Title</td>
<td bgcolor=#D8D8D8>Frequency</td>
<td bgcolor=#D8D8D8>Impact    </td>
<td bgcolor=#D8D8D8>Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor=orange>High</td>
<td bgcolor=orange>High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Currently no ongoing discussions. Feel free to contact us for feedback and ideas.

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>Nr.</td>
<td bgcolor=#D8D8D8>Titel</td>
<td bgcolor=#D8D8D8>Häufigkeit</td>
<td bgcolor=#D8D8D8>Schaden    </td>
<td bgcolor=#D8D8D8>Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

==Japanese==
[https://speakerdeck.com/owaspjapan/introducing-owasp-top10-privacy-risks-number-owasp-night-21th Link to slidedeck]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2016-10-14T05:30:25Z

Florian Stahl: /* Quick Download */

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]
* [https://www.owasp.org/images/2/27/Presentation_HowToBoostPrivacy_IAPP_Intensive_2016.pdf Presentation of countermeasures from IAPP Data Protection Intensive 2016

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| valign="top" style="padding-left:25px;width:200px;" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [8 April 2016] Countermeasures v1.0 published
* [17-18 May 2017] Presentation at Data Protection Congress, Berlin

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://privacyassociation.org/news/a/on-how-owasp-identifies-privacy-risks-in-web-applications IAPP blogs about the project]
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. Further information and related countermeasures are provided in [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf this PDF document].

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>No.</td>
<td bgcolor=#D8D8D8>Title</td>
<td bgcolor=#D8D8D8>Frequency</td>
<td bgcolor=#D8D8D8>Impact    </td>
<td bgcolor=#D8D8D8>Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor=orange>High</td>
<td bgcolor=orange>High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Currently no ongoing discussions. Feel free to contact us for feedback and ideas.

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>Nr.</td>
<td bgcolor=#D8D8D8>Titel</td>
<td bgcolor=#D8D8D8>Häufigkeit</td>
<td bgcolor=#D8D8D8>Schaden    </td>
<td bgcolor=#D8D8D8>Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

==Japanese==
[https://speakerdeck.com/owaspjapan/introducing-owasp-top10-privacy-risks-number-owasp-night-21th Link to slidedeck]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

File:Presentation HowToBoostPrivacy IAPP Intensive 2016.pdf

2016-10-14T05:28:45Z

Florian Stahl: Presentation of the countermeasures for the OWASP Top 10 Privacy Risks at the IAPP Data Protection Intensive in London

Presentation of the countermeasures for the OWASP Top 10 Privacy Risks at the IAPP Data Protection Intensive in London

OWASP Top 10 Privacy Risks Project

2016-10-14T05:22:49Z

Florian Stahl:

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| valign="top" style="padding-left:25px;width:200px;" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [8 April 2016] Countermeasures v1.0 published
* [17-18 May 2017] Presentation at Data Protection Congress, Berlin

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://privacyassociation.org/news/a/on-how-owasp-identifies-privacy-risks-in-web-applications IAPP blogs about the project]
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. Further information and related countermeasures are provided in [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf this PDF document].

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>No.</td>
<td bgcolor=#D8D8D8>Title</td>
<td bgcolor=#D8D8D8>Frequency</td>
<td bgcolor=#D8D8D8>Impact    </td>
<td bgcolor=#D8D8D8>Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor=orange>High</td>
<td bgcolor=orange>High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Currently no ongoing discussions. Feel free to contact us for feedback and ideas.

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>Nr.</td>
<td bgcolor=#D8D8D8>Titel</td>
<td bgcolor=#D8D8D8>Häufigkeit</td>
<td bgcolor=#D8D8D8>Schaden    </td>
<td bgcolor=#D8D8D8>Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

==Japanese==
[https://speakerdeck.com/owaspjapan/introducing-owasp-top10-privacy-risks-number-owasp-night-21th Link to slidedeck]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2016-10-13T06:54:47Z

Florian Stahl: /* News & Events */

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| valign="top" style="padding-left:25px;width:200px;" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [8 April 2016] Countermeasures v1.0 published
* [20 April 2016] Presentation at IAPP Privacy Intensive, London
* [17-18 May 2017] Presentation at Data Protection Congress, Berlin

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://privacyassociation.org/news/a/on-how-owasp-identifies-privacy-risks-in-web-applications IAPP blogs about the project]
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. Further information and related countermeasures are provided in [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf this PDF document].

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>No.</td>
<td bgcolor=#D8D8D8>Title</td>
<td bgcolor=#D8D8D8>Frequency</td>
<td bgcolor=#D8D8D8>Impact    </td>
<td bgcolor=#D8D8D8>Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor=orange>High</td>
<td bgcolor=orange>High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Currently no ongoing discussions. Feel free to contact us for feedback and ideas.

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>Nr.</td>
<td bgcolor=#D8D8D8>Titel</td>
<td bgcolor=#D8D8D8>Häufigkeit</td>
<td bgcolor=#D8D8D8>Schaden    </td>
<td bgcolor=#D8D8D8>Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

==Japanese==
[https://speakerdeck.com/owaspjapan/introducing-owasp-top10-privacy-risks-number-owasp-night-21th Link to slidedeck]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2016-10-13T06:51:12Z

Florian Stahl:

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| valign="top" style="padding-left:25px;width:200px;" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [8 April 2016] Countermeasures v1.0 published
* [20 April 2016] Presentation at IAPP Privacy Intensive, London
* [17-18 May 2017] Presentation at German "Datenschutzkongress", Berlin

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://privacyassociation.org/news/a/on-how-owasp-identifies-privacy-risks-in-web-applications IAPP blogs about the project]
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. Further information and related countermeasures are provided in [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf this PDF document].

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>No.</td>
<td bgcolor=#D8D8D8>Title</td>
<td bgcolor=#D8D8D8>Frequency</td>
<td bgcolor=#D8D8D8>Impact    </td>
<td bgcolor=#D8D8D8>Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor=orange>High</td>
<td bgcolor=orange>High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Currently no ongoing discussions. Feel free to contact us for feedback and ideas.

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>Nr.</td>
<td bgcolor=#D8D8D8>Titel</td>
<td bgcolor=#D8D8D8>Häufigkeit</td>
<td bgcolor=#D8D8D8>Schaden    </td>
<td bgcolor=#D8D8D8>Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

==Japanese==
[https://speakerdeck.com/owaspjapan/introducing-owasp-top10-privacy-risks-number-owasp-night-21th Link to slidedeck]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2016-09-11T05:26:10Z

Florian Stahl: /* Translation */

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| valign="top" style="padding-left:25px;width:200px;" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [8 April 2016] Countermeasures v1.0 published
* [20 April 2016] Presentation at IAPP Privacy Intensive, London

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://privacyassociation.org/news/a/on-how-owasp-identifies-privacy-risks-in-web-applications IAPP blogs about the project]
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. Further information and related countermeasures are provided in [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf this PDF document].

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>No.</td>
<td bgcolor=#D8D8D8>Title</td>
<td bgcolor=#D8D8D8>Frequency</td>
<td bgcolor=#D8D8D8>Impact    </td>
<td bgcolor=#D8D8D8>Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor=orange>High</td>
<td bgcolor=orange>High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Currently no ongoing discussions. Feel free to contact us for feedback and ideas.

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>Nr.</td>
<td bgcolor=#D8D8D8>Titel</td>
<td bgcolor=#D8D8D8>Häufigkeit</td>
<td bgcolor=#D8D8D8>Schaden    </td>
<td bgcolor=#D8D8D8>Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

==Japanese==
[https://speakerdeck.com/owaspjapan/introducing-owasp-top10-privacy-risks-number-owasp-night-21th Link to slidedeck]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2016-04-08T02:30:56Z

Florian Stahl: /* Top 10 Privacy Risks 2014 */

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| valign="top" style="padding-left:25px;width:200px;" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [8 April 2016] Countermeasures v1.0 published
* [20 April 2016] Presentation at IAPP Privacy Intensive, London

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://privacyassociation.org/news/a/on-how-owasp-identifies-privacy-risks-in-web-applications IAPP blogs about the project]
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. Further information and related countermeasures are provided in [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf this PDF document].

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>No.</td>
<td bgcolor=#D8D8D8>Title</td>
<td bgcolor=#D8D8D8>Frequency</td>
<td bgcolor=#D8D8D8>Impact    </td>
<td bgcolor=#D8D8D8>Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor=orange>High</td>
<td bgcolor=orange>High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Currently no ongoing discussions. Feel free to contact us for feedback and ideas.

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>Nr.</td>
<td bgcolor=#D8D8D8>Titel</td>
<td bgcolor=#D8D8D8>Häufigkeit</td>
<td bgcolor=#D8D8D8>Schaden    </td>
<td bgcolor=#D8D8D8>Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2016-04-08T02:30:31Z

Florian Stahl: /* Top 10 Privacy Risks 2014 */

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| valign="top" style="padding-left:25px;width:200px;" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [8 April 2016] Countermeasures v1.0 published
* [20 April 2016] Presentation at IAPP Privacy Intensive, London

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://privacyassociation.org/news/a/on-how-owasp-identifies-privacy-risks-in-web-applications IAPP blogs about the project]
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. Further information and countermeasures are provided in [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf this PDF document].

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>No.</td>
<td bgcolor=#D8D8D8>Title</td>
<td bgcolor=#D8D8D8>Frequency</td>
<td bgcolor=#D8D8D8>Impact    </td>
<td bgcolor=#D8D8D8>Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor=orange>High</td>
<td bgcolor=orange>High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Currently no ongoing discussions. Feel free to contact us for feedback and ideas.

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>Nr.</td>
<td bgcolor=#D8D8D8>Titel</td>
<td bgcolor=#D8D8D8>Häufigkeit</td>
<td bgcolor=#D8D8D8>Schaden    </td>
<td bgcolor=#D8D8D8>Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2016-04-08T02:29:07Z

Florian Stahl: /* Quick Download */

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| valign="top" style="padding-left:25px;width:200px;" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [8 April 2016] Countermeasures v1.0 published
* [20 April 2016] Presentation at IAPP Privacy Intensive, London

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://privacyassociation.org/news/a/on-how-owasp-identifies-privacy-risks-in-web-applications IAPP blogs about the project]
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. For background information check the documents in the Participation and Discussions section.

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>No.</td>
<td bgcolor=#D8D8D8>Title</td>
<td bgcolor=#D8D8D8>Frequency</td>
<td bgcolor=#D8D8D8>Impact    </td>
<td bgcolor=#D8D8D8>Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor=orange>High</td>
<td bgcolor=orange>High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Currently no ongoing discussions. Feel free to contact us for feedback and ideas.

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>Nr.</td>
<td bgcolor=#D8D8D8>Titel</td>
<td bgcolor=#D8D8D8>Häufigkeit</td>
<td bgcolor=#D8D8D8>Schaden    </td>
<td bgcolor=#D8D8D8>Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2016-04-08T02:28:46Z

Florian Stahl: /* News & Events */

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks with Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| valign="top" style="padding-left:25px;width:200px;" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [8 April 2016] Countermeasures v1.0 published
* [20 April 2016] Presentation at IAPP Privacy Intensive, London

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://privacyassociation.org/news/a/on-how-owasp-identifies-privacy-risks-in-web-applications IAPP blogs about the project]
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. For background information check the documents in the Participation and Discussions section.

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>No.</td>
<td bgcolor=#D8D8D8>Title</td>
<td bgcolor=#D8D8D8>Frequency</td>
<td bgcolor=#D8D8D8>Impact    </td>
<td bgcolor=#D8D8D8>Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor=orange>High</td>
<td bgcolor=orange>High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Currently no ongoing discussions. Feel free to contact us for feedback and ideas.

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>Nr.</td>
<td bgcolor=#D8D8D8>Titel</td>
<td bgcolor=#D8D8D8>Häufigkeit</td>
<td bgcolor=#D8D8D8>Schaden    </td>
<td bgcolor=#D8D8D8>Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2016-04-08T02:28:10Z

Florian Stahl: /* Top 10 Privacy Risks 2014 */

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks with Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| valign="top" style="padding-left:25px;width:200px;" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [18 March 2016] Presentation at BeNeLux OWASP Day
* [8 April 2016] Countermeasures v1.0 published
* [20 April 2016] Presentation at IAPP Privacy Intensive, London

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://privacyassociation.org/news/a/on-how-owasp-identifies-privacy-risks-in-web-applications IAPP blogs about the project]
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. For background information check the documents in the Participation and Discussions section.

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>No.</td>
<td bgcolor=#D8D8D8>Title</td>
<td bgcolor=#D8D8D8>Frequency</td>
<td bgcolor=#D8D8D8>Impact    </td>
<td bgcolor=#D8D8D8>Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor=orange>High</td>
<td bgcolor=orange>High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Currently no ongoing discussions. Feel free to contact us for feedback and ideas.

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>Nr.</td>
<td bgcolor=#D8D8D8>Titel</td>
<td bgcolor=#D8D8D8>Häufigkeit</td>
<td bgcolor=#D8D8D8>Schaden    </td>
<td bgcolor=#D8D8D8>Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2016-04-08T02:27:35Z

Florian Stahl: /* News & Events */

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks 2014==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks with Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| valign="top" style="padding-left:25px;width:200px;" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [18 March 2016] Presentation at BeNeLux OWASP Day
* [8 April 2016] Countermeasures v1.0 published
* [20 April 2016] Presentation at IAPP Privacy Intensive, London

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://privacyassociation.org/news/a/on-how-owasp-identifies-privacy-risks-in-web-applications IAPP blogs about the project]
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. For background information check the documents in the Participation and Discussions section.

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>No.</td>
<td bgcolor=#D8D8D8>Title</td>
<td bgcolor=#D8D8D8>Frequency</td>
<td bgcolor=#D8D8D8>Impact    </td>
<td bgcolor=#D8D8D8>Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor=orange>High</td>
<td bgcolor=orange>High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Currently no ongoing discussions. Feel free to contact us for feedback and ideas.

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>Nr.</td>
<td bgcolor=#D8D8D8>Titel</td>
<td bgcolor=#D8D8D8>Häufigkeit</td>
<td bgcolor=#D8D8D8>Schaden    </td>
<td bgcolor=#D8D8D8>Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2016-04-08T02:26:58Z

Florian Stahl: /* Quick Download */

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks 2014==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf Top 10 Privacy Risks with Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| valign="top" style="padding-left:25px;width:200px;" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [18 March 2016] Presentation at BeNeLux OWASP Day
* [20 April 2016] Presentation at IAPP Privacy Intensive, London

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://privacyassociation.org/news/a/on-how-owasp-identifies-privacy-risks-in-web-applications IAPP blogs about the project]
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. For background information check the documents in the Participation and Discussions section.

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>No.</td>
<td bgcolor=#D8D8D8>Title</td>
<td bgcolor=#D8D8D8>Frequency</td>
<td bgcolor=#D8D8D8>Impact    </td>
<td bgcolor=#D8D8D8>Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor=orange>High</td>
<td bgcolor=orange>High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Currently no ongoing discussions. Feel free to contact us for feedback and ideas.

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>Nr.</td>
<td bgcolor=#D8D8D8>Titel</td>
<td bgcolor=#D8D8D8>Häufigkeit</td>
<td bgcolor=#D8D8D8>Schaden    </td>
<td bgcolor=#D8D8D8>Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2016-04-08T02:26:15Z

Florian Stahl: /* Quick Download */

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks 2014==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf OWASP Top 10 Privacy Risks with Countermeasures v1.0 (PDF)]
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| valign="top" style="padding-left:25px;width:200px;" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [18 March 2016] Presentation at BeNeLux OWASP Day
* [20 April 2016] Presentation at IAPP Privacy Intensive, London

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://privacyassociation.org/news/a/on-how-owasp-identifies-privacy-risks-in-web-applications IAPP blogs about the project]
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. For background information check the documents in the Participation and Discussions section.

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>No.</td>
<td bgcolor=#D8D8D8>Title</td>
<td bgcolor=#D8D8D8>Frequency</td>
<td bgcolor=#D8D8D8>Impact    </td>
<td bgcolor=#D8D8D8>Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor=orange>High</td>
<td bgcolor=orange>High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Currently no ongoing discussions. Feel free to contact us for feedback and ideas.

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>Nr.</td>
<td bgcolor=#D8D8D8>Titel</td>
<td bgcolor=#D8D8D8>Häufigkeit</td>
<td bgcolor=#D8D8D8>Schaden    </td>
<td bgcolor=#D8D8D8>Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2016-04-08T02:25:58Z

Florian Stahl: /* Quick Download */

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks 2014==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/0/0a/OWASP_Top_10_Privacy_Countermeasures_v1.0.pdf OWASP Top 10 Privacy Risks with Countermeasures v1.0 (PDF)
* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| valign="top" style="padding-left:25px;width:200px;" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [18 March 2016] Presentation at BeNeLux OWASP Day
* [20 April 2016] Presentation at IAPP Privacy Intensive, London

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://privacyassociation.org/news/a/on-how-owasp-identifies-privacy-risks-in-web-applications IAPP blogs about the project]
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. For background information check the documents in the Participation and Discussions section.

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>No.</td>
<td bgcolor=#D8D8D8>Title</td>
<td bgcolor=#D8D8D8>Frequency</td>
<td bgcolor=#D8D8D8>Impact    </td>
<td bgcolor=#D8D8D8>Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor=orange>High</td>
<td bgcolor=orange>High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Currently no ongoing discussions. Feel free to contact us for feedback and ideas.

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>Nr.</td>
<td bgcolor=#D8D8D8>Titel</td>
<td bgcolor=#D8D8D8>Häufigkeit</td>
<td bgcolor=#D8D8D8>Schaden    </td>
<td bgcolor=#D8D8D8>Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

File:OWASP Top 10 Privacy Countermeasures v1.0.pdf

2016-04-08T02:23:34Z

Florian Stahl: OWASP Top 10 Privacy Risks including countermeasures.

OWASP Top 10 Privacy Risks including countermeasures.

OWASP Top 10 Privacy Risks Project

2016-04-08T02:19:42Z

Florian Stahl: /* Current discussions */

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks 2014==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing Countermeasures in Google Docs (working draft version)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| valign="top" style="padding-left:25px;width:200px;" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [18 March 2016] Presentation at BeNeLux OWASP Day
* [20 April 2016] Presentation at IAPP Privacy Intensive, London

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://privacyassociation.org/news/a/on-how-owasp-identifies-privacy-risks-in-web-applications IAPP blogs about the project]
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. For background information check the documents in the Participation and Discussions section.

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>No.</td>
<td bgcolor=#D8D8D8>Title</td>
<td bgcolor=#D8D8D8>Frequency</td>
<td bgcolor=#D8D8D8>Impact    </td>
<td bgcolor=#D8D8D8>Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor=orange>High</td>
<td bgcolor=orange>High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Currently no ongoing discussions. Feel free to contact us for feedback and ideas.

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>Nr.</td>
<td bgcolor=#D8D8D8>Titel</td>
<td bgcolor=#D8D8D8>Häufigkeit</td>
<td bgcolor=#D8D8D8>Schaden    </td>
<td bgcolor=#D8D8D8>Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2016-04-08T02:19:21Z

Florian Stahl: /* Participation and Discussion */

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks 2014==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing Countermeasures in Google Docs (working draft version)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| valign="top" style="padding-left:25px;width:200px;" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [18 March 2016] Presentation at BeNeLux OWASP Day
* [20 April 2016] Presentation at IAPP Privacy Intensive, London

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://privacyassociation.org/news/a/on-how-owasp-identifies-privacy-risks-in-web-applications IAPP blogs about the project]
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. For background information check the documents in the Participation and Discussions section.

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>No.</td>
<td bgcolor=#D8D8D8>Title</td>
<td bgcolor=#D8D8D8>Frequency</td>
<td bgcolor=#D8D8D8>Impact    </td>
<td bgcolor=#D8D8D8>Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor=orange>High</td>
<td bgcolor=orange>High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Currently no discussions ongoing. Feel free to contact us for feedback and ideas.

===Closed discussions and documents===
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing
Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>Nr.</td>
<td bgcolor=#D8D8D8>Titel</td>
<td bgcolor=#D8D8D8>Häufigkeit</td>
<td bgcolor=#D8D8D8>Schaden    </td>
<td bgcolor=#D8D8D8>Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2016-01-26T06:42:02Z

Florian Stahl: /* News & Events */

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks 2014==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing Countermeasures in Google Docs (working draft version)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| valign="top" style="padding-left:25px;width:200px;" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [1 July 2015] German Translation available
* [18 March 2016] Presentation at BeNeLux OWASP Day
* [20 April 2016] Presentation at IAPP Privacy Intensive, London

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://privacyassociation.org/news/a/on-how-owasp-identifies-privacy-risks-in-web-applications IAPP blogs about the project]
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. For background information check the documents in the Participation and Discussions section.

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>No.</td>
<td bgcolor=#D8D8D8>Title</td>
<td bgcolor=#D8D8D8>Frequency</td>
<td bgcolor=#D8D8D8>Impact    </td>
<td bgcolor=#D8D8D8>Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor=orange>High</td>
<td bgcolor=orange>High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Countermeasures draft document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing

===Closed discussions and documents===
Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>Nr.</td>
<td bgcolor=#D8D8D8>Titel</td>
<td bgcolor=#D8D8D8>Häufigkeit</td>
<td bgcolor=#D8D8D8>Schaden    </td>
<td bgcolor=#D8D8D8>Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2016-01-26T06:39:05Z

Florian Stahl:

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks 2014==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing Countermeasures in Google Docs (working draft version)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| valign="top" style="padding-left:25px;width:200px;" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [21 May 2015] Presentation at AppSecEU, Amsterdam
* [1 July 2015] German Translation available
* [18 March 2016] Presentation at BeNeLux OWASP Day
* [20 April 2016] Presentation at IAPP Privacy Intensive, London

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://privacyassociation.org/news/a/on-how-owasp-identifies-privacy-risks-in-web-applications IAPP blogs about the project]
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. For background information check the documents in the Participation and Discussions section.

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>No.</td>
<td bgcolor=#D8D8D8>Title</td>
<td bgcolor=#D8D8D8>Frequency</td>
<td bgcolor=#D8D8D8>Impact    </td>
<td bgcolor=#D8D8D8>Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor=orange>High</td>
<td bgcolor=orange>High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Countermeasures draft document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing

===Closed discussions and documents===
Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>Nr.</td>
<td bgcolor=#D8D8D8>Titel</td>
<td bgcolor=#D8D8D8>Häufigkeit</td>
<td bgcolor=#D8D8D8>Schaden    </td>
<td bgcolor=#D8D8D8>Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2016-01-22T12:02:21Z

Florian Stahl:

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks 2014==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing Countermeasures in Google Docs (working draft version)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| valign="top" style="padding-left:25px;width:200px;" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [21 May 2015] Presentation at AppSecEU, Amsterdam
* [1 July 2015] German Translation available
* [21 October 2015] Presentation at (ISC)² EMEA Congress, Munich
* [20 April 2016] Presentation at IAPP Privacy Intensive, London

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://privacyassociation.org/news/a/on-how-owasp-identifies-privacy-risks-in-web-applications IAPP blogs about the project]
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. For background information check the documents in the Participation and Discussions section.

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>No.</td>
<td bgcolor=#D8D8D8>Title</td>
<td bgcolor=#D8D8D8>Frequency</td>
<td bgcolor=#D8D8D8>Impact    </td>
<td bgcolor=#D8D8D8>Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor=orange>High</td>
<td bgcolor=orange>High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Countermeasures draft document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing

===Closed discussions and documents===
Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>Nr.</td>
<td bgcolor=#D8D8D8>Titel</td>
<td bgcolor=#D8D8D8>Häufigkeit</td>
<td bgcolor=#D8D8D8>Schaden    </td>
<td bgcolor=#D8D8D8>Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Top 10 Privacy Risks Project

2016-01-14T09:53:18Z

Florian Stahl: /* Participation and Discussion */

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==The project in a nutshell==

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.

==Top 10 Privacy Risks 2014==

:P1    Web Application Vulnerabilities
:P2    Operator-sided Data Leakage
:P3    Insufficient Data Breach Response
:P4    Insufficient Deletion of personal data
:P5    Non-transparent Policies, Terms and Conditions
:P6    Collection of data not required for the primary purpose
:P7    Sharing of data with third party
:P8    Outdated personal data
:P9    Missing or Insufficient Session Expiration
:P10  Insecure Data Transfer
Further information is provided in the Top 10 Privacy Risks tab.

== Contact us ==

{{Template:Contact
| name = Florian Stahl
| email = florian.stahl@owasp.org
| username = Florian_Stahl
}} 
Stefan Burgmair [mailto:Stefan.Burgmair@owasp.org @]

== Quick Download ==

* [https://www.owasp.org/images/d/df/OWASP_Top10PrivacyRisks_20150529.pptx Top 10 Privacy Risks Presentation (PPTX)]
* [https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing Countermeasures in Google Docs (working draft version)]
* [https://www.owasp.org/images/6/6f/OWASPTop10PrivacyRisks_20141209.pdf Results presentation at German OWASP Day 2014]
* [https://www.owasp.org/images/c/c3/Top10PrivacyRisks_IAPP_Summit_2015.pdf Presentation from IAPP Global Privacy Summit 2015]

==Licensing==
OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Download Infographic version ==
[[File:Top_10_Risks.png | 200px]]

| valign="top" style="padding-left:25px;width:200px;" |

== News & Events ==
* [20 Feb 2014] Project Start
* [21 Sep 2014] Top 10 Privacy Risks v1.0 published
* [5 Mar 2015] Presentation at IAPP Global Privacy Summit, Washington DC
* [21 May 2015] Presentation at AppSecEU, Amsterdam
* [1 July 2015] German Translation available
* [21 October 2015] Presentation at (ISC)² EMEA Congress, Munich

== External Links ==
[http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf OECD Privacy Guidelines]
[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN Internet Privacy Engineering Network - IPEN] 
[https://www.youtube.com/watch?v=mO7bjmUAq-Q Video from IPEN workshop at Berlin state parliament] 
[https://www.youtube.com/watch?v=6SEdnWlSZyk Video from panel discussion at CPDP 2015 in Brussels] 
[https://privacyassociation.org/news/a/on-how-owasp-identifies-privacy-risks-in-web-applications IAPP blogs about the project]
[https://www.youtube.com/watch?v=WXSZiWNyPZA Video from presentation at AppSec EU 2015]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=Top 10 Privacy Risks=

==Top 10 Privacy Risks 2014==

Version 1.0 of the OWASP Top 10 Privacy Risks list. For background information check the documents in the Participation and Discussions section.

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>No.</td>
<td bgcolor=#D8D8D8>Title</td>
<td bgcolor=#D8D8D8>Frequency</td>
<td bgcolor=#D8D8D8>Impact    </td>
<td bgcolor=#D8D8D8>Description</td>

</tr>
<tr>
<td>P1</td>
<td>Web Application Vulnerabilities</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
</td>
</tr>
<tr>
<td>P2</td>
<td>Operator-sided Data Leakage</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
</td>
</tr>
<tr>
<td>P3</td>
<td>Insufficient Data Breach Response</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
</td>
</tr>
<tr>
<td>P4</td>
<td>Insufficient Deletion of Personal Data</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
</td>
</tr>
<tr>
<td>P5</td>
<td>Non-transparent Policies, Terms and Conditions</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
</td>
</tr>
<tr>
<td>P6</td>
<td>Collection of data not required for the primary purpose</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
</td>
</tr>
<tr>
<td>P7</td>
<td>Sharing of Data with Third Party</td>
<td bgcolor=orange>High</td>
<td bgcolor=orange>High</td>
<td>Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Outdated personal data</td>
<td bgcolor=orange>High</td>
<td bgcolor=red>Very high</td>
<td>The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
</td>
</tr>
<tr>
<td>P9</td>
<td>Missing or insufficient Session Expiration</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
</td>
</tr>
<tr>
<td>P10</td>
<td>Insecure Data Transfer</td>
<td bgcolor=yellow>Medium</td>
<td bgcolor=red>Very high</td>
<td>Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.</td>
</tr>
</table>
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

= Participation and Discussion =

==Participate==

Some ways you can help:
* Discuss with us in the mailing list or Google docs
* Tell your colleagues and friends about the project
* Provide feedback (feel free to contact us)
* Apply the results in practice to improve web application privacy

Sign up to our [https://lists.owasp.org/mailman/listinfo/owasp_top_10_privacy_risks_project mailing list] to stay informed.

==Discussions and Documentation==

To avoid overwriting issues we use Google Docs for our discussions.

===Current discussions===
Countermeasures draft document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing

===Closed discussions and documents===
Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
 Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
 Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
 Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
 Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
 Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit

==Survey Results==

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf download the full report].

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

=FAQs=

==Frequently Asked Questions==

===Why is this project only about web applications and not about any kind of software?===
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user's behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.

===Are the Top 10 Privacy Risks applicable for mobile apps as well?===
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.

===What is the difference between this project and the OWASP Top 10?===
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.

===Why should companies and other organisations be concerned about privacy risks?===
Privacy risks may have serious consequences for an organisation, such as:
* perceived harm to privacy;
* a failure to meet public expectations on both the use and protection of personal information;
* retrospective imposition of regulatory conditions;
* low adoption rates or poor participation in the scheme from both the public and partner organisations;
* the costs of redesigning the system or retro-fitting solutions;
* failure of a project or completed system;
* withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
* failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

= Translation =
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
==German==
===Top 10 Datenschutzrisiken===

<table border="1" style="background-color:#FFFFFF;border-collapse:collapse;border:1px solid #000000;color:#000000;width:100%" cellpadding="3" cellspacing="3">
<tr>
<td bgcolor=#D8D8D8>Nr.</td>
<td bgcolor=#D8D8D8>Titel</td>
<td bgcolor=#D8D8D8>Häufigkeit</td>
<td bgcolor=#D8D8D8>Schaden    </td>
<td bgcolor=#D8D8D8>Beschreibung</td>

</tr>
<tr>
<td>P1</td>
<td>Schwachstellen in Webanwendungen</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen.
</td>
</tr>
<tr>
<td>P2</td>
<td>Datenabfluss beim Betreiber</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness).</td>
</tr>
<tr>
<td>P3</td>
<td>Unzureichende Reaktion bei einer Datenpanne</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen.</td>
</tr>
<tr>
<td>P4</td>
<td>Unzureichende Löschung personenbezogener Daten</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht.</td>
</tr>
<tr>
<td>P5</td>
<td>Intransparente Nutzungsbedingungen</td>
<td bgcolor=red>Very high</td>
<td bgcolor=orange>High</td>
<td>Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet.
</td>
</tr>
<tr>
<td>P6</td>
<td>Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen</td>
<td bgcolor=red>Sehr hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat.
</td>
</tr>
<tr>
<td>P7</td>
<td>Weitergabe von Daten an Dritte</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=orange>Hoch</td>
<td>Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons).
</td>
</tr>
<tr>
<td>P8</td>
<td>Veraltete personenbezogene Daten</td>
<td bgcolor=orange>Hoch</td>
<td bgcolor=red>Sehr hoch</td>
<td>Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt.
</td>
</tr>
<tr>
<td>P9</td>
<td>Fehlendes oder unzureichendes Session-Ende</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden.
</td>
</tr>
<tr>
<td>P10</td>
<td>Unsichere Datenübertragung</td>
<td bgcolor=yellow>Mittel</td>
<td bgcolor=red>Sehr hoch</td>
<td>Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind.
</td>
</tr>
</table>
===Presentation===
[https://www.it-sa.de/de/events/2/2015-10-06/forum-rot-management/11939/#12089 Video and presentation] from it-sa Security Expo and Congress 2015

===Flyer===
[[File:Top_10_Privacy_Risks_German.png | 200px]]

= Acknowledgements =
==Volunteers==
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

* Stefan Burgmair
* R. Jason Cronk
* Edward Delaporte
* Tim Gough
* Prof. Hans-Joachim Hof
* Lukasz Olejnik
* Florian Stahl

==Partners==
* [http://www.cs.hm.edu/en/home/index.en.html University of Applied Sciences Munich]
* [https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)]
* [http://privacyassociation.org/ International Association of Privacy Professionals (IAPP)]

==Sponsors==
* [http://www.msg-systems.com/ msg systems]

Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.

=Project About=
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]