OWASP Top 10 Privacy Risks Project

Why is this project only about web applications and not about any kind of software?

Web applications can easily collect data from users without their permission or informing them about the usage of their data. Trackers and cookies deliberately enable the monitoring of the users behaviour, often for selling those data. That is the reason why this subject is so important, especialy for web applications.

What is the difference between this project and the OWASP top 10?

There are two main differences. First, the OWASP top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP top 10 does neither regard intended parts of the software like cookies or trackers nor organisational issues like privacy agreements or profiling.

Why should companys and other organisations be concerned about privacy risks?

Privacy risks may have serious consequences for an organisation, such as:

• perceived harm to privacy;
• a failure to meet public expectations on the protection of personal information;
• retrospective imposition of regulatory conditions;
• low adoption rates or poor participation in the scheme from both the public and partner organisations;
• the costs of redesigning the system or retro-fitting solutions;
• collapse of a project or completed system;
• withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
• failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.

(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)

Volunteers

The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

• Stefan Burgmair
• R. Jason Cronk
• Edward Delaporte
• Prof. Hans-Joachim Hof
• Florian Stahl

Partners

• University of Applied Sciences Munich
• msg systems
• European Data Protection Supervisory Internet Privacy Engineering Network (IPEN)
• International Association of Privacy Professionals (IAPP)

As of February 2014, the proceeding is:

• Collection of interested participants and supporters (building a team) – until march 14
• Developing a method for identifying the risks – until mid-march 2014
• Creating a draft list of risks - until first week of april 2014
• Discussing the draft list - until end of april 2014
• Developing a rating method - until end of april 2014
• Rating the risks, creating the list of Top 10 Privacy Risks (Version 1.0) and discus the results - until end of may 2014
• Creating papers, best practices, etc. - Q3/2014
• Ongoing improvement, rerating etc. - Q3/2014

Involvement in the development and promotion of the project is actively encouraged! You do not have to be a security or privacy expert in order to contribute. Some of the ways you can help:

• Discuss with us at the Forum for Discussions and Progress
• Answer the questionnaire for identifying and rating the Top 10 privacy list (will be provided soon)
• Tell your colleagues and friends about the project
• Provide feedback and input (feel free to contact us)

Sign up to our mailing list to stay informed.

To avoid overwriting issues we will use google docs for our discussions.

Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit

Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit