About Blogory.org Privacy Policy and Security Risk

Blogory's Privacy Policy and Security Risks Read More

Privacy Policy and Security Risk


 

  1. Introduction
  2. Privacy Definition
  3. PrivaCV Privacy Policy
  4. PrivaCV Groups
  5. Emails
  6. Recruiting
  7. Cookies 
  8. Logging
  9. Security
    1. Spoofing Attacks
    2. Man-in-the-Middle Attacks
    3. Physical World Attacks
  10. Applicable Law
  11. Address
  12. Conclusion

1. Introduction

I, Christopher Lozinski, am committed to providing privacy for your professinal information on PrivaCV.com. I wrote this web page to explain how I define privacy, and what are the threats and risks to your professinal privacy if you use this website. 

2. Privacy Definition

"Privacy is having control over who gets to see what." Rick Falkvinge, Swedish Pirate Party Founder.  A privacy policy lays out who can see your information. Security is a measure of how robust is a particular implementation of a privacy policy.  

Privacy is also about how your information is used.   

3. PrivaCV Privacy Policy

At PrivaCV, you get tp decide who can see what.  You can even decide whether  or not to allow PrivaCV recruiters, to see different parts of your infomation.  

As a candidate you control which group of people have access to your resume, contact information and questionaire.  As someone who is hiring, you get to control who has access to the job description, your contact information, and what I call Hiring Manager information.  If you post your resume or job, you will see exactly what information is collected.  I also collect the date that your information was posted or edited.  I am not quite sure yet who will get to see that.  I am also required to keep web server logs for six months.  In the future this site will also support references, comments and other content types.  

How will your information be used?  The web site will show it to peole in groups that you have authorized.  Of course once someone sees your information, I have no control over how they use it.  If you give me access to your informion,  I will use it to help find you a better job, or a good candidate.  The server will use this informiaiotn to send you emails, as described below in the section on emails. Your information will also be used to respoind to court orders or administrative actions. 

That is it.  Your informaitn will never be used for any other purposes.  If this privacy policy changes, you will be notified by email, and you will have the ability to delete your data or change the privacy settings. 

4, PrivaCVGroups

So waht are the groups that can access your information?  PrivaCV has seven (7) categories of users. Candidate are people looking for work.  They will post their resume, contact info and answers to questions online.  Hiring managers are those who are trying to hire these people.  Recruiters are people who make their money placing people.  PrivaCV recruiters, are people who work for PrivaCV.com.  That is currently just me.  3rd Party recruiters work for other companies.  Public includes everyone.   System Administrator are the people who run the site, currently also just me.   

5. Emails

The privaCV servers will be sending out emails to users.    If you are a candidate, then you will receive emails valid for people with your skill sets, and citizenship.   Eventually you will  be able to choose to see only job announcements from a particular group, or for particular locations.   Most people found the old specialtyjobmarkets.com job announcements to be quite low noise.  PrivaCV job announcements will soon have an even better signal-to-noise ratio. 

PrivaCV may send emails with resumes to people who post job announcements. Everyone registered may receive emails from the system administrator about certain events: when you register,  the privacy policy changes, something affects your account, you lose your password and presumably in a few other situations to be added here as the need arises.

Of course if hiring managers do not give me access to their job postings, then I cannot proof read them, and so  I cannot email them out to candidates.  

6. Recruitimg

While I do not sell your informaiton, I do need to make money.   I place people.  If you are kind enough to allow PriaCV staff (me) access to your information, I may use that information to find you a better job or a good candidate.  Placing people would include introducing candidates and jobs to each other.   Sometimes I will first communicate with the candidate about the job, sometimes with the hiring manager first about the candidate, but that only happens if  both parties choose to give me access to their information.  

7. Cookies

PrivaCV uses session cookies on this website to authenticate you. Session cookies expire when you close your browser. 

8. Logging

The european data retention directive requires me to keep web server logs for six months.     The PrivaCV applications log the date you posted information, and the date you edited your information.   The ISP that runs the email servers is required to keep copies for six months.  

 

9. Security

 How secure is this PrivaCV policy?    Security is a measure of how robust is a particular implementation of a privacy policy. Since I do not want to facilitate attacks, I am not at liberty to discuss specific security practices.     I do expect security to improve rapidly here, as the software evolves and I learn what the attacks are.   Security is best understood based on possible attacks.  What groups are likely to attck the privacy policy, and how robust is the policy against such attacks.  

9a Spoofing Attacks. 

From Wikipedia: " In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage."  I exoect that the primary security problem will be people spoofing me.  People who belong to one group, prentending to be part of another group, in order to get access to your PrivaCV information.  The data in this database will soon be hugely valuable, and there are parties out there whose profession is to get access to such information.  PrivaCV will be a serious target for spoofing attacks.  

9b. Man-in-the-Middle Attacks. 

From Wikipeidia: In computer security, a  man-in-the-middle attack...  is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other." Maybe you went to a search engine to find this website. You entered a search term. There is now a permanent record of that search on their servers. You clicked on some links. There is also a permanent record of your interest in those sites. Or maybe a friend recommended this website, and sent you a message. If you did not use encryption, there is likely to be a copy of that message on someone else's servers. If you sent it internationally, there may be multiple copies of that message. In any case, you clicked over to this website. That required a call on DNS servers, to look up the IP address for this domain name. So your dns query may be stored. Then your browser visits our website. The ISPs along the way may have a record that you visited this site and how long you spent here. Currently they are also able to get a copy of the informaton that you transmit to this site. All of this information is potentially sold and resold. You have limited ability to delete it, track it or control its use.  These are all man-in-the-middle attacks on your privacy. 
I am much more concerned about spoofing attacks than man-in-the-middle attacks.   Almost none of the registered users of this website have the technical ability to perform man-in-the-middle attacks.   And the groups that have that ability, the internet providers, I do not believe are interested in spamming you about your resume or job description.  Eventually I intent to implement https, but for now I am much more focussed on the inevitable spoofing attacks.  

 

9c. Physical World Attacks

Another important part of security is physical security. How does the system respond to attacks in the physical world. The servers are on a VPS at an ISP. Probably okay, but if I receive a court or administrative order, or some big netherworld spy agency, or Mafia group leans on me to hand over your information, I will do so.  But physical world attacks are very low on my list of concerns.  

10. Applicable Law

I am a  US and Polish citizen ang a Polish resident.  My server is running in the US, my email server is in Canada, and the candidate and hiring managers may be anywhere in the world.  As a Polish resident I am subject to the Europen Privacy Directive and the European Data Retention Directive  as implemented in Polish law.   As a US citizen, and with servers in the US, I am subject to barely existing US privacy laws, and to National Security Letters. To date I have not received a National Security Letter.  

11. Address

You can reach me at:

Christopher Lozinski
Krolewska 51
30-081 Krakow
POLAND

12. Conclusion.  

This is clearly a unique privacy and security policy, but then what PrivaCV is trying to do is very unique.  While increasingly sites are trying to provide privacy, providing the right mix of privacy and publicity is a challenge.   Indeed the dominant internet business model is that companies can do what they please with your information.   I am also pleasantly surprised at how much attention this privacy policy is receiving.  A lot of people have read it. Your comments are most welcome. 




Powered by Zopache, Grok, Zope and ZODB