- Privacy Definition
- PrivaCV Groups
- Applicable Law
I, Christopher Lozinski, am committed to providing privacy for your professional information on PrivaCV.com. I wrote this web page to explain how I define privacy, and what are the threats and risks to your professional privacy if you use this website.
2. Privacy Definition
Privacy is also about how your information is used.
At PrivaCV, you get to decide who can see what. You can even decide whether or not to allow PrivaCV recruiters to see different parts of your information.
As a candidate you control which group of people have access to your resume, contact information and questionnaire. As someone who is hiring, you get to control who has access to the job description, your contact information, and what I call Hiring Manager information. If you post your resume or job, you will see exactly what information is collected. I also collect the date that your information was posted or edited. I am not quite sure yet who will get to see that. I am also required to keep web server logs for six months. In the future this site will also support references, comments and other content types.
How will your information be used? The web site will show it to people in groups that you have authorized. Of course, once someone sees your information, I have no control over how they use it. If you give me access to your information, I will use it to help find you a better job, or a good candidate. The server will use this information to send you emails, as described below in the section on emails. Your information will also be used to respond to court orders or administrative actions.
So what are the groups that can access your information? PrivaCV has seven (7) categories of users. Candidates are people looking for work. They will post their resume, contact info and answers to questions online. Hiring managers are those who are trying to hire these people. Recruiters are people who make their money placing people. PrivaCV recruiters are people who work for PrivaCV.com. That is currently just me. 3rd Party recruiters work for other companies. Public includes everyone. System Administrators are the people who run the site, currently also just me.
The PrivaCV servers will be sending out emails to users. If you are a candidate, then you will receive emails valid for people with your skill sets, and citizenship. Eventually you will be able to choose to see only job announcements from a particular group, or for particular locations. Most people found the old specialtyjobmarkets.com job announcements to be quite low noise. PrivaCV job announcements will soon have an even better signal-to-noise ratio.
Of course if hiring managers do not give me access to their job postings, then I cannot proofread them, and so I cannot email them out to candidates.
While I do not sell your information, I do need to make money. I place people. If you are kind enough to allow PrivaCV staff (me) access to your information, I may use that information to find you a better job or a good candidate. Placing people would include introducing candidates and jobs to each other. Sometimes I will first communicate with the candidate about the job, sometimes with the hiring manager first about the candidate, but that only happens if both parties choose to give me access to their information.
PrivaCV uses session cookies on this website to authenticate you. Session cookies expire when you close your browser.
The European Data Retention Directive requires me to keep web server logs for six months. The PrivaCV applications log the date you posted information, and the date you edited your information. The ISP that runs the email servers is required to keep copies for six months.
9a. Spoofing Attacks.
From Wikipedia: "In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage." I expect that the primary security problem will be people spoofing me. People who belong to one group, pretending to be part of another group, in order to get access to your PrivaCV information. The data in this database will soon be hugely valuable, and there are parties out there whose profession is to get access to such information. PrivaCV will be a serious target for spoofing attacks.
9b. Man-in-the-Middle Attacks.
From Wikipedia: "In computer security, a man-in-the-middle attack... is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other." Maybe you went to a search engine to find this website. You entered a search term. There is now a permanent record of that search on their servers. You clicked on some links. There is also a permanent record of your interest in those sites. Or maybe a friend recommended this website, and sent you a message. If you did not use encryption, there is likely to be a copy of that message on someone else's servers. If you sent it internationally, there may be multiple copies of that message. In any case, you clicked over to this website. That required a call on DNS servers, to look up the IP address for this domain name. So your DNS query may be stored. Then your browser visits our website. The ISPs along the way may have a record that you visited this site and how long you spent here. Currently they are also able to get a copy of the information that you transmit to this site. All of this information is potentially sold and resold. You have limited ability to delete it, track it or control its use. These are all man-in-the-middle attacks on your privacy.
I am much more concerned about spoofing attacks than man-in-the-middle attacks. Almost none of the registered users of this website have the technical ability to perform man-in-the-middle attacks. And the groups that have that ability, the internet providers, I do not believe are interested in spamming you about your resume or job description. Eventually I intend to implement HTTPS, but for now I am much more focussed on the inevitable spoofing attacks.
9c. Physical World Attacks
Another important part of security is physical security. How does the system respond to attacks in the physical world? The servers are on a VPS at an ISP. Probably okay, but if I receive a court or administrative order, or some big netherworld spy agency, or Mafia group leans on me to hand over your information, I will do so. But physical world attacks are very low on my list of concerns.
10. Applicable Law
I am a US and Polish citizen and a Polish resident. My server is running in the US, my email server is in Canada, and the candidate and hiring managers may be anywhere in the world. As a Polish resident I am subject to the European Privacy Directive and the European Data Retention Directive as implemented in Polish law. As a US citizen, and with servers in the US, I am subject to barely existing US privacy laws, and to National Security Letters. To date I have not received a National Security Letter.
You can reach me at: