OWASP Top 10 Privacy Risks
Version 2.0 OWASP LAB
The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.
Top 10 Privacy Risks
The following table shows version 2.0 of the OWASP Top 10 Privacy Risks and compares it to the ranking of 2014.
2021 2014 Title
P1 1 Web Application Vulnerabilities
P2 2 Operator-sided Data Leakage
P3 3 Insufficient Data Breach Response
P4 New Consent on Everything
P5 5 Non-transparent Policies, Terms and Conditions
P6 4 Insufficient Deletion of User Data
P7 New Insufficient Data Quality
P8 9 Missing or Insufficient Session Expiration
P9 13 Inability of Users to Access and Modify Data
P10 6 Collection of Data Not Required for the User-Consented Purpose
Top 10 Privacy Risks
Version 2.0 of the OWASP Top 10 Privacy Risks list from 2021. Further information and related countermeasures will be provided soon.
The type shows if a risk is rather organizational, technical, or both.
Type Title Frequency Impact Description
P1 Web Application Vulnerabilities (Frequency: High; Impact: Very high)
Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
P2 Operator-sided Data Leakage (Frequency: High; Impact: Very high)
Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party, resulting in loss of data confidentiality. Introduced either by an intentional malicious breach or by an unintentional mistake, e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
P3 Insufficient Data Breach Response (Frequency: High; Impact: Very high)
Not informing the affected persons (data subjects) about a possible breach or data leak, resulting from either intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
P4 Consent on Everything (Frequency: Very high; Impact: High)
Aggregation or inappropriate use of consent to legitimate processing. Consent is “on everything” and not collected separately for each purpose (e.g. use of the website and profiling for advertising).
P5 Non-transparent Policies, Terms and Conditions (Frequency: Very high; Impact: High)
Not providing sufficient information describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily accessible and understandable for non-lawyers.
P6 Insufficient Deletion of Personal Data (Frequency: High; Impact: High)
Failure to delete personal data effectively and in a timely manner after the specified purpose ends or upon request.
P7 Insufficient Data Quality (Frequency: Medium; Impact: Very high)
The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
P8 Missing or Insufficient Session Expiration (Frequency: Medium; Impact: Very high)
Failure to effectively enforce session termination. May result in collection of additional user data without the user’s consent or awareness.
P9 Inability of Users to Access and Modify Data (Frequency: High; Impact: High)
Users do not have the ability to access, change or delete data related to them.
P10 Collection of Data Not Required for the User-Consented Purpose (Frequency: High; Impact: High)
Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Also applies to data for which the user did not provide consent.
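As an added illustration of P8 (this example is not part of the OWASP project's material), a minimal server-side session store that enforces both an idle timeout and an absolute lifetime, so that a forgotten or long-lived session cannot keep collecting data under a user's identity. The timeout values and the injectable clock are assumptions chosen for the example.

```python
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example (constructed, not taken from the OWASP list):
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity after which a session ends
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap on session age, regardless of activity


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float


class SessionStore:
    """Server-side session store that enforces idle and absolute expiration.

    The clock is injectable so the expiry logic can be exercised without sleeping.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions: dict[str, Session] = {}

    def create(self, user_id: str) -> str:
        now = self._clock()
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[token] = Session(user_id, now, now)
        return token

    def validate(self, token: str):
        """Return the user id of a live session, or None after terminating an expired one."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        idle_expired = now - session.last_seen > IDLE_TIMEOUT
        lifetime_expired = now - session.created_at > ABSOLUTE_LIFETIME
        if idle_expired or lifetime_expired:
            self.terminate(token)  # stop any further processing under this session
            return None
        session.last_seen = now  # activity extends the idle window, never the absolute cap
        return session.user_id

    def terminate(self, token: str) -> bool:
        """Explicit logout: drop server-side state so the token cannot be reused."""
        return self._sessions.pop(token, None) is not None
```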
Participate
Some ways you can help:
⦁ Discuss with us in the mailing list or Google docs
⦁ Tell your colleagues and friends about the project
⦁ Provide feedback (feel free to contact us)
⦁ Apply the results in practice to improve web application privacy
Sign up to our mailing list to stay informed.
Discussions and Documentation
To avoid overwriting issues we use Google Docs for our discussions.
Ongoing
Countermeasures v2.1
Closed discussions and documents
Calculation of the complete Privacy Risks list v2.0
Impact Rating 2020
Privacy Risk Candidate List 2020
Method Update 2019
Countermeasures v1.0
Method description
Privacy Risk list 2014
Draft list
Impact rating 2014
Calculation of the complete Privacy Risks list v1.0
Frequently Asked Questions
Why is this project only about web applications and not about any kind of software?
Web applications can easily collect data from users without their permission or without adequately informing them how their data is used. Cookies, and other trackers, enable the monitoring of user’s behaviour, and this information may be used for a variety of commercial purposes, including targeted advertising, profiling, and the sale of aggregated data. Thus, the topic is very important, especially for web applications.
Are the Top 10 Privacy Risks applicable for mobile apps as well?
Privacy risks for mobile apps are very similar. The rating might be slightly different and there might be some additional risks related to the loss of devices and the use of location data, but in general the Top 10 Privacy Risks are applicable for mobile apps as well.
What is the difference between this project and the OWASP Top 10?
There are two main differences. First, the OWASP Top 10 describes technical security risks that do not primarily affect privacy. Second, the OWASP Top 10 does not address organisational issues like privacy notices, profiling, or the sharing of data with third parties.
Why should companies and other organisations be concerned about privacy risks?
Privacy risks may have serious consequences for an organisation, such as:
⦁ perceived harm to privacy;
⦁ a failure to meet public expectations on both the use and protection of personal information;
⦁ retrospective imposition of regulatory conditions;
⦁ low adoption rates or poor participation in the scheme from both the public and partner organisations;
⦁ the costs of redesigning the system or retro-fitting solutions;
⦁ failure of a project or completed system;
⦁ withdrawal of support from key supporting organisations due to perceived privacy harms; and/or
⦁ failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
Source of privacy risks: ICO Handbook on Privacy Impact Assessment (PIA)