OWASP Top 10 Privacy Risks
Thank you for visiting OWASP.org. We recently migrated our community to a new web platform and regretably the content for this page needed to be programmatically ported from its previous wiki page. There’s still some work to be done. The historical content can be found here.
Please visit our Page Migration Guide for more information about updating pages for the new website as well as examples of github markdown.
This is an example of a Project or Chapter Page.
Main
name = Florian Stahl |
Stefan Burgmair @</p>
Top 10 Privacy Risks
Top 10 Privacy Risks 2014
Version 1.0 of the OWASP Top 10 Privacy Risks list. Further information and related countermeasures are provided in this PDF document.
| No. | Title | Frequency | Impact | Description |
| P1 | Web Application Vulnerabilities | High | Very high | Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them. |
| P2 | Operator-sided Data Leakage | High | Very high | Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness. |
| P3 | Insufficient Data Breach Response | High | Very high | Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks. |
| P4 | Insufficient Deletion of Personal Data | Very high | High | Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request. |
| P5 | Non-transparent Policies, Terms and Conditions | Very high | High | Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers. |
| P6 | Collection of data not required for the primary purpose | Very high | High | Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent. |
| P7 | Sharing of Data with Third Party | High | High | Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons). |
| P8 | Outdated personal data | High | Very high | The use of outdated, incorrect or bogus user data. Failure to update or correct the data. |
| P9 | Missing or insufficient Session Expiration | Medium | Very high | Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness. |
| P10 | Insecure Data Transfer | Medium | Very high | Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation. |
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high
Participation and Discussion
Participate
Some ways you can help:
- Discuss with us in the mailing list or Google docs
- Tell your colleagues and friends about the project
- Provide feedback (feel free to contact us)
- Apply the results in practice to improve web application privacy
Sign up to our mailing list to stay informed.
Discussions and Documentation
To avoid overwriting issues we use Google Docs for our discussions.
Current discussions
Privacy Risk Candidate List 2019: https://docs.google.com/document/d/1eEU7TsoaPG56-zhJi4bi1SD53Jto84GQ8dDGTajL8TY/edit Method Update 2019: https://docs.google.com/document/d/1AlAg2cybvo5VX-frzF5uHeAcib3X2rTAA2p97XH8fHw/edit
Closed discussions and documents
Countermeasures document: https://docs.google.com/document/d/1GaoJDPtyXMv09wIw9xXTVPYTR_6fQROlptszPhxVc1s/edit?usp=sharing Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit Draft list: https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit Brainstorming for countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit
Survey Results
A survey was performed to determine the frequency of occurrence of privacy violations in web applications.
63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.
Here is a summary of the results or you can download the full report.
Part 1:
Q1 Do or did you work as a:
Software Developer 26.98%
Software Designer 12.70%
Legal Practitioner 4.76%
Software Project Manager 11.11%
Data Privacy Expert 33.33%
Security Expert 66.67%
Public Servant 12.70%
Other 11.11%
Q2 In total, how many years of professional experience do you have related to privacy?
Average: 6.2 years
Q3 In total, how many years of professional experience do you have related to web applications?
Average: 8.1 years
Part 2:
The following ratings are between 1 and 4.
The possible choices for answers where:
[1] Up to one out of four web applications. (0-25%)
[2] Up to ev ery second web application. (26-50%)
[3] Up to three out of four web applications. (51-75%)
[4] More than three out of four web applications. (76-100%)
[excluded] N/A
01. Collection of data not required for main purpose
Average Rating: 3.1
02. Collection of Incorrect Data
Average Rating: 2.0
03. Collection without consent
Average Rating: 3.0
04. Problems with getting Consent
Average Rating: 2.6
05. Outdated Personal Data
Average Rating: 2.6
06. Inability of users to modify stored data
Average Rating: 2.3
07. Insufficient deletion of personal data
Average Rating: 3.3
08. Unrelated use
Average Rating: 2.7
09. Data Aggregation and Profiling
Average Rating: 2.4
10. Sharing of data with third party
Average Rating: 2.8
11. Operator-sided Data Leakage
Average Rating: 2.7
12. Insecure data transfer
Average Rating: 2.3
13. Web Application Vulnerabilities
Average Rating: 2.9
14. Insufficient Data Breach Response
Average Rating: 2.6
15. Form field design issues
Average Rating: 2.2
16. Missing or Insufficient Session Expiration
Average Rating: 2.4
17. Misleading Content
Average Rating: 2.3
18. Non-transparent Policies, Terms and Conditions
Average Rating: 3.2
19. Inappropriate Policies, Terms and Conditions
Average Rating: 2.7
20. Transfer or processing through third party
Average Rating: 2.6
FAQs
Frequently Asked Questions
Why is this project only about web applications and not about any kind of software?
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user’s behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. This is why the subject is so important, especially for web applications.
Are the Top 10 Privacy Risks applicable for mobile apps as well?
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.
What is the difference between this project and the OWASP Top 10?
There are two main differences. First, the OWASP Top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 do not address software such as cookies or trackers, or organisational issues like privacy notices, profiling, or the sharing of data with third parties.
Why should companies and other organisations be concerned about privacy risks?
Privacy risks may have serious consequences for an organisation, such as:
- perceived harm to privacy;
- a failure to meet public expectations on both the use and protection of personal information;
- retrospective imposition of regulatory conditions;
- low adoption rates or poor participation in the scheme from both the public and partner organisations;
- the costs of redesigning the system or retro-fitting solutions;
- failure of a project or completed system;
- withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
- failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)
Translation
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
German
Top 10 Datenschutzrisiken
| Nr. | Titel | Häufigkeit | Schaden | Beschreibung |
| Hoch | Sehr hoch | Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen. </td>|||
| Hoch | Sehr hoch | Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness). </td>|||
| Hoch | Sehr hoch | Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen. </td>|||
| Sehr hoch | Hoch | Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht. </td>|||
| Very high | High | Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet. </td>|||
| Sehr hoch | Hoch | Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat. </td>|||
| Hoch | Hoch | Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons). </td>|||
| Hoch | Sehr hoch | Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt. </td>|||
| Mittel | Sehr hoch | Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden. </td>|||
| Mittel | Sehr hoch | Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind. </td>
Presentation
Video and presentation from it-sa Security Expo and Congress 2015
Flyer
Japanese
Acknowledgements
Volunteers
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:
- Stefan Burgmair
- R. Jason Cronk
- Edward Delaporte
- Tim Gough
- Prof. Hans-Joachim Hof
- Lukasz Olejnik
- Florian Stahl
Partners
- University of Applied Sciences Munich
- European Data Protection Supervisory’s Internet Privacy Engineering Network (IPEN)
- International Association of Privacy Professionals (IAPP)
Sponsors
Feel free to contact us in case you are also interested to support the OWASP Top 10 Privacy Risks project.
Project About
NOTOC
Category:OWASP Project Category:OWASP_Builders Category:OWASP_Defenders Category:OWASP_Document
Top 10 Privacy Risks
Version 1.0 of the OWASP Top 10 Privacy Risks list from 2014. Further information and related countermeasures are provided in this PDF document.
The type shows if a risk is rather 
organizational, 
technical, or both.
| # | Type | Title | Frequency | Impact | Description |
| P1 | |
Web Application Vulnerabilities | High | Very high | Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them. |
| P2 |
|
Operator-sided Data Leakage | High | Very high | Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness. |
| P3 |
|
Insufficient Data Breach Response | High | Very high | Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks. |
| P4 |
|
Insufficient Deletion of Personal Data | Very high | High | Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request. |
| P5 | |
Non-transparent Policies, Terms and Conditions | Very high | High | Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers. |
| P6 | |
Collection of data not required for the primary purpose | Very high | High | Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent. |
| P7 |
|
Sharing of Data with Third Party | High | High | Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons). |
| P8 |
|
Outdated personal data | High | Very high | The use of outdated, incorrect or bogus user data. Failure to update or correct the data. |
| P9 | |
Missing or insufficient Session Expiration | Medium | Very high | Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness. |
| P10 | |
Insecure Data Transfer | Medium | Very high | Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation. |
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high
Participate
Some ways you can help:
- Discuss with us in the mailing list or Google docs
- Tell your colleagues and friends about the project
- Provide feedback (feel free to contact us)
- Apply the results in practice to improve web application privacy
Sign up to our mailing list to stay informed.
Discussions and Documentation
To avoid overwriting issues we use Google Docs for our discussions.
Ongoing
Impact Rating 2020
Privacy Risk Candidate List 2019/2020
Method Update 2019
Closed discussions and documents
Countermeasures document
Method description
Privacy Risk list 2014
Draft list
Impact rating 2014
Calculation of the complete Privacy Risks list v1.0
Brainstorming for countermeasures
Volunteers
The Top 10 Privacy Risk list v1.0 was developed by a team of volunteers. The primary contributors have been:
- Stefan Burgmair
- R. Jason Cronk
- Edward Delaporte
- Tim Gough
- Prof. Hans-Joachim Hof
- Lukasz Olejnik
- Florian Stahl
Sponsors
Please contact us if you are interested to support the OWASP Top 10 Privacy Risks project. Your company logo will be displayed on the project website and you will receive an individual web-based training on the project content for free.
Currently project documentation is available in English and German. If you are interested in helping to translate to another language, please contact the project leaders.
German
Top 10 Datenschutzrisiken
Der Typ gibt an, ob ein Risiko eher organisatorisch, technisch oder beides ist.
| # | Typ | Titel | Häufigkeit | Schaden | Beschreibung |
| P1 | |
Schwachstellen in Web-Anwendungen | Hoch | Sehr hoch | Schwachstellen sind ein zentrales Problem in jedem System, mit dem sensible Nutzerdaten erhoben, verarbeitet und genutzt werden. Bestehen Fehler im Design oder in der Implementierung der Applikation, werden Probleme nicht entdeckt oder Sicherheitspatches nicht unverzüglich eingespielt, führt dies mit hoher Wahrscheinlichkeit zu einer Verletzung des Persönlichkeitsrechts. Dieses Risiko wird bereits in anderen Projekten behandelt, wie der OWASP Top 10 Liste der häufigsten Sicherheitsrisiken für Webanwendungen. |
| P2 |
|
Datenabfluss beim Betreiber | Hoch | Sehr hoch | Wird die unerwünschte Preisgabe personenbezogener oder personenbeziehbarer Daten an nicht autorisierte Personen nicht wirksam verhindert, ist dies ein Verlust der Vertraulichkeit. Ursachen sind entweder ein vorsätzlich durchgeführter Datenabzug oder unbeabsichtigte Fehler wie beispielsweise unzureichendes Zugriffsmanagement, unsichere Datenablage, Datendopplung oder fehlendes Problembewusstsein (Awareness). |
| P3 |
|
Unzureichende Reaktion bei einer Datenpanne | Hoch | Sehr hoch | Betroffene werden nicht über mögliche Pannen oder Datenlecks benachrichtigt, die durch Angriffe oder unbeabsichtigte Ereignisse entstehen. Angemessene Abhilfemaßnahmen zum Schließen der Lücken und Beseitigung der Ursache fehlen. |
| P4 |
|
Unzureichende Löschung personen-bezogener Daten | Sehr hoch | Hoch | Personenbezogene Daten werden nicht termingerecht oder nicht effektiv nach Zweckablauf bzw. aufgrund einer Löschanfrage gelöscht. |
| P5 | |
Intransparente Nutzungs-bedingungen | Sehr hoch | Hoch | Informationen zur Datenverarbeitung wie Erhebung, Speicherung und Nutzung personenbezogener Daten sind unzureichend. Diese Informationen sind nicht leicht zugänglich oder für juristische Laien nicht verständlich aufbereitet. |
| P6 | |
Sammeln von Daten, die über den eigentlichen Zweck hinaus gehen | Sehr hoch | Hoch | Es werden Beschreibungsdaten, demographische Daten oder sonstige personenbezogene Daten gesammelt, die nicht für den vereinbarten Zweck der Anwendung benötigt werden. Ebenso werden Daten gesammelt, für deren Erhebung der Nutzer keine Einverständniserklärung abgegeben hat. |
| P7 |
|
Weitergabe von Daten an Dritte | Hoch | Hoch | Personenbezogene Daten werden ohne Einverständnis des Nutzers an Dritte weiter gegeben bzw. diesen zur Verfügung gestellt. Die Weitergabe von Daten und Erkenntnissen erfolgt entweder direkt oder auf Anfrage, gegen Zahlung oder auch durch unsachgemäßen Einsatz von Diensten Dritter wie beispielsweise Widgets für Webseiten (z.B. Landkarten, Buttons von sozialen Netzwerken), Analysetools oder Web Bugs (z.B. Beacons). |
| P8 |
|
Veraltete personen-bezogene Daten | Hoch | Sehr hoch | Es werden veraltete, inkorrekte oder gefälschte personenbezogene Daten genutzt. Datenaktualisierungen oder -korrekturen finden nicht in ausreichendem Maße statt. |
| P9 | |
Fehlendes oder unzureichendes Session-Ende | Mittel | Sehr hoch | Unzureichendes Beenden von Sessions. Dies kann dazu führen, dass zusätzliche Nutzerdaten ohne Einverständnis oder Wissen des Nutzers gesammelt werden. |
| P10 | |
Unsichere Datenüber-tragung | Mittel | Sehr hoch | Die Datenübermittlung erfolgt nicht auf verschlüsselten und sicheren Kanälen, so dass ein unautorisierter Zugriff nicht verhindert wird. Mechanismen zum Verringern der Angriffsfläche, werden nicht umgesetzt. Hierzu gehört es zu verhindern, dass durch das Verhalten der Webanwendung Rückschlüsse auf Nutzerdaten möglich sind. |
Flyer
Japanese
Frequently Asked Questions
Why is this project only about web applications and not about any kind of software?
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user’s behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. Thus, the topic is very important, especially for web applications.
Are the Top 10 Privacy Risks applicable for mobile apps as well?
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.
What is the difference between this project and the OWASP Top 10?
There are two main differences. First, the OWASP Top 10 describes technical security risks that are not primarily affecting privacy. Second, the OWASP Top 10 do not address organisational issues like privacy notices, profiling, or the sharing of data with third parties.
Why should companies and other organisations be concerned about privacy risks?
Privacy risks may have serious consequences for an organisation, such as:
- perceived harm to privacy;
- a failure to meet public expectations on both the use and protection of personal information;
- retrospective imposition of regulatory conditions;
- low adoption rates or poor participation in the scheme from both the public and partner organisations;
- the costs of redesigning the system or retro-fitting solutions;
- failure of a project or completed system;
- withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
- failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
Source of privacy risks: ICO Handbook on Privacy Impact Assessment (PIA)