Guide to getting started with Web 2.

0:
aspects relating to privacy and security
in collaborative platforms

INFORMATION SECURITY OBSERVATORY

 Edition: February 2011

The "Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative
platforms" has been developed by the INTECO Information Security Observatory team:

Pablo Pérez San-José (management)

Cristina Gutiérrez Borge (coordination)

Susana de la Fuente Rodríguez

Laura García Pérez

Eduardo Álvarez Alonso

The National Institute of Communication Technologies (INTECO), public cooperation assigned to

the Ministry of Industry, Tourism and Trade through the State Department for Telecommunications
and for the Information Society, is a platform for developing the Knowledge Society through projects in
the area of innovation and technology.

The mission of INTECO is to provide value and innovation to individuals, SMEs, Public Authorities and
the information technology sector through developing projects which contribute towards increasing
confidence in our country’s Information Society services, while also promoting an international course
of participation. To do this, INTECO will develop actions in the following areas: Security Technology,
Accessibility, ICT Quality and Training.

The Information Security Observatory (http://observatorio.inteco.es) falls within INTECO’s strategic

course of action concerning Technological Security, and is a national and international icon in serving
Spanish citizens, companies and authorities in order to describe, analyse, assess and spread the
Information Society’s culture of security and trust.

This publication belongs to the National Institute of Communication Technologies (INTECO) and is under a Creative
Commons Non-commercial 2. 5 Spain Recognition license, and thus it is permitted to copy, distribute and communicate
this work publicly under the following conditions:
• Recognition: The contents of this report can be reproduced in whole or in part by third parties, by citing its origin
and making express reference to both INTECO and its website: www.inteco.es. This recognition may in no case
suggest that INTECO supports or endorses the third party's use of its work.
• Non-commercial use: The original material and derivative works can be distributed, copied and displayed while
their use is not commercial.
For any reuse or distribution, you must make the license terms of this work clear to others. Any of these conditions can be
waived if you get permission from INTECO as owner of the copyright. Nothing in this license impairs or restricts the moral
rights of INTECO. http://creativecommons.org/licenses/by-nc/2.5/es/
This document complies with the accessibility conditions of PDF (Portable Document Format). This is a structured and
labelled document provided with alternatives to all non-text element, language mark up and appropriate reading order.
For more information on preparing accessible PDF documents, you can consult the guide available in the section
Accessibility > Training > Manuals and Guides on the webpage http://www.inteco.es
Content
Content

1 WEB 2.0 ................................................................................................... 4

1.1 CONCEPT.............................................................................................................4

1.2 TYPE .....................................................................................................................5

1.3 WEB 2.0 IN FIGURES ..........................................................................................8

1.4 THE ROLE OF MOBILE TECHNOLOGIES IN THE FUTURE OF WEB 2.0......11

2 WEB 2.0 IN SOCIAL, PROFESSIONAL AND EDUCATIONAL

DEVELOPMENT .................................................................................... 12
2.1 SOCIAL ENVIRONMENT ...................................................................................12

2.2 EDUCATIONAL ENVIRONMENT.......................................................................13

2.3 PROFESSIONAL ENVIRONMENT ....................................................................14

3 RIGHTS AND FREEDOMS TO PROTECT IN WEB 2.0........................ 15

3.1 FREEDOM OF EXPRESSION ON WEB 2.0 ......................................................15

3.2 FREEDOM OF INFORMATION ON WEB 2.0 ....................................................15

3.3 INTIMACY, PRIVACY AND SELF-IMAGE ON WEB 2.0 ...................................16

3.4 DATA PROTECTION ON WEB 2.0 ....................................................................17

3.5 INTELLECTUAL PROPERTY ON WEB 2.0.......................................................17

4 RISKS IN USING WEB 2.0 .................................................................... 19

5 OBLIGATIONS AND RESPONSIBILITIES WHEN USING WEB 2.0.... 22
5.1 RESPONSIBILITIES OF DIFFERENT PLAYERS..............................................22

5.2 FAQ (FREQUENTLY ASKED QUESTIONS) .....................................................25

6 RECOMMENDATIONS FOR SAFE AND RESPONSIBLE USAGE OF

WEB 2.0 ................................................................................................. 27
6.1 GOOD PRIVACY PRACTICES ON WEB 2.0.....................................................27

6.2 GOOD SECURITY PRACTICES ON WEB 2.0...................................................29

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 3 of 31
Information Security Observatory
1. Web 2.0
1 WEB 2.0

1.1 CONCEPT

Internet has created a new scenario in which personal relationships take centre stage. The
interaction possibilities with the new tools offer access to a new audience with an interest in
sharing, expressing and communicating have formed a new model characterised by the
importance of content and user communities.

The new platforms and collaborative tools have produced a shift from Web 1.0 based on static
pages for information purposes only, without the ability to generate user participation, into a
dynamic website where there is a relationship that generates a sum of knowledge and/or
experiences. That is, Web 2.0 and Social Web are people collaborating, sharing and
participating in an open multi-directional channel that allows maximum interaction between
users and offers new possibilities for collaboration, expression and participation.

Meanwhile, there is no stopping the evolution of the Web, the emergence of new technologies
associated with the terms Web 3.0, Web 4.0 and Web 5.0 will enable the integration of network
objects, the development of sensory and emotional networks or the integration of the Semantic
Web by providing access to relevant, personalised information that will change their structure
as it is known.

Illustration 1: Evolution of means of social communication 1

1
Available at: http://www.attentionscan.com/2009/07/social-media-timeline.html

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 4 of 31
Information Security Observatory
While the Information Society assists new achievements in Web 2.0, there are new challenges
in security and user privacy.

Thus the need to effectively protect citizens in using such tools requires both a new level of
awareness of them concerning the risks in using such media, as well as a better understanding
of rules and effectively exercising the rights guaranteed to them.

Internet users are concerned about the security and privacy of their information online,
especially in social networks: users are increasingly restricting access to their profile to only
friends or acquaintances (66.2% in the third quarter of 2010 compared to 60.6% in the same
period in 2009) 2 .

To that end, this Guide provides a set of guidelines for the reader that facilitate their approach
to Web 2.0, the risks that may arise and obligations of different participants in this
multidirectional "game" to ensure users’ full enjoyment in the digital collaboration experience.

1.2 TYPE

The possibilities of Web 2.0 are almost unlimited; although the approach provided herein is
based on the concept of interactive collaboration that is common to different types of platforms.
Between the diversity of tools that arise daily in Web 2.0, social networks, blogs, wikis and
syndication tools are the most important among Internet users 3 .

1.2.1 Social networks

Social networks are virtual spaces where each user has a public profile that reflects personal
details, status and information about oneself. In turn it has tools to interact with and meet other
users, for example by creating interest groups.

Social networks emerged in the mid 90's; although 2003 saw them take off, with the creation of
MySpace (a portal that was mainly focused on bands and fans) and Facebook (a social
network created in the beginning for college students and now exceeds 600 million users 4 ).

Other leading social networks in Spain today are Tuenti, Windows Live Messenger or Linkedin
and Xing in the professional field 5 .

2
Data taken from the study on information security and e-Trust in Spanish households (3rd quarter 2010)
http://www.inteco.es/Seguridad/Observatorio/Estudios_e_Informes/Estudios_e_Informes_1/Estudio_hogares_3T2010
3
Source: http://www.focus.com/fyi/other/boom-social-sites/
4
Information taken from:
http://www.facebooknoticias.com/2011/01/09/facebook-empieza-2011-con-600-millones-de-usuarios-registrados/
5
Source: http://www.iabspain.biz/General/Informe_Redes_Sociales_IAB_nov_09.pdf

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 5 of 31
Information Security Observatory
To learn more about security and privacy in social networks,
please consult the Observatory’s specific publications on
INTECO Information Security 6 .

1.2.2 Blogs
A blog is a website where the author posts entries on topics of
interest or as a personal blog, and these are stored
chronologically. It also enables comments (posts) to be added
by readers, becoming an interactive tool that are true opinion
forums.

The importance of the blogging community, the “blogosphere”, is

increasing at a social, cultural and political level. Complete
independence to write means comments are a live indication of
what is really concerning society.

Posts usually contain text, but as a result of podcasting

(incorporation of multimedia files to posts), images, sound and
video can also be included. Currently there are variants of the
original concept of a blog, including photoblogs and videoblogs.

The evolution of this model gives way to microblogging. The

best example of this phenomenon is Twitter, created in 2006
and by 2010 it had surpassed the number of Myspace visits 7 .
Answering the question "What is happening?" by using less than
140 characters has become the new phenomenon of social
Web. The recent addition of new functionality allows the
evolution of microblogging. An example of which is Foursquare,
incorporating geopositioning and social games.

1.2.3 Wikis
A wiki is a website that allows its participants to change or edit
its content, making the actual page an easy and accessible
platform so the various users can contribute content in an online
document. Thus, the portal is growing thanks to the work of a
community of individuals with a common interest.

6
Available at: http://www.inteco.es/Seguridad/Observatorio
7
Available at: http://blogs.wsj.com/digits/2010/09/28/tweet-this-milestone-twitter-passes-myspace/?mod=rss_WSJBlog&mod=

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 6 of 31
Information Security Observatory
The first wiki was created in 1995 by Ward Cunningham, an encyclopaedia of programming
that, over time, became a portal on extreme programming 8 .

The best example of this model of communication on the Web is the Wikipedia, a compendium
of human knowledge in a permanent process of construction, with editions in 271 languages
and in which hundreds of thousands of users are involved on a daily basis.

1.2.4 Forums
Forums are included among the collaborative tools. These usually exist in addition to a website
allowing users to discuss and share relevant information with respect to the website’s topic, in
a free and informal way, creating a community with a common interest. There are also
specialised forums on specific individual or general topics.

Forums are emerging as an evolution of BBS 9 (Bulletin Board System) and Usenet 10 news
systems and are one of the first systems to enable user participation on the Web. While still
used by millions of people, their use has been declining over recent years in favour of more
advanced systems such as social networks and these are being used as complementary tools
in them.

1.2.5 Syndication of content

RSS (Really Simple Syndication) is a format allowing news and other content for web sites or
blogs for which there is a special interest (which are called feeds) to be gathered in an
automated way in a program called RSS reader or adder and view them quickly.

These programs display the content in different ways, indicating the headlines already read,
and provide a notice when the websites you have added have
been updated.

1.2.6 Bookmarking
Bookmarking also helps you organise your favourite websites by
tagging portals and news through relevant keywords, called
tags.

Users can see how many people have used a tag and find all
the resources that have been assigned. They can also find out
who created each reference and access other references to the creator.

8
Extreme Programming (XP) is a software design methodology, based on simplicity and agility.
9
A Bulletin Board System or BBS is software for computer networks that allows users to connect to the system (via Internet or
through a telephone line) and using a terminal program (or telnet if via the Internet), to perform functions such as downloading
software and data, reading news and exchanging messages with other users.
10
Usenet is an acronym for Users Network, consisting of a comprehensive system of online discussion networks evolving UUCP
(UNIX-to-UNIX Copy Protocol) through which users can read or send messages (called articles) to different newsgroups sorted
hierarchically.

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 7 of 31
Information Security Observatory
Thus, the user community creates a unique structure of keywords over time to define
resources, something that has been called 'folksonomy'.

Sites like del.icio.us and Digg let you share your favourite links with friends and followers, by
featuring items that seem interesting to other users to cast their vote on what has been shared.
Some social networks include this tool to give functionality to its service.

1.2.7 Tools
In addition to the main platforms described, there are many tools that focus on content
generation. Two of the most representative examples are YouTube and Flickr, with which users
can upload, share and view videos and photos.

In addition, users can find communities specialising in music (iTunes, Spotify, Last.fm), video
(Vimeo, Dailymotion), virtual worlds (Second Life), games (World of Warcraft), office
applications (Google docs, Office Live) or live broadcasts (Justin.tv).

Illustration 2: An interconnected network

1.3 WEB 2.0 IN FIGURES

The current situation is marked by the rapid and steady increase in overall numbers, driven by
the popularity of platforms and capabilities provided by new technologies. Here are the strokes
to paint a picture on the use of Web 2.0 by Internet users worldwide. 11

11
The data shown in this chapter have been taken from: Blogs and Microblogs the 2.0 environment – March 2010. Esic, unless
another source is explicitly indicated, recorded in the corresponding footnote.

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 8 of 31
Information Security Observatory
On the Internet...

• The number of Internet users exceeded billion in 2010 12 .

• 225 million new users in 2010, of which 162 million belong to users in developing
countries.

Chart 1: Web users (Millions of users)

63.2 21.3
110.9

204.7

825.1

266.2

475.1

Asia Europe North America Latin America África Middle East Oceania

Source: Internetworldstats 13

On blogs…

• 133

• 120,000

• 1,500,000

• 77% of internet users say they read blogs every day.

12
Source: The world in 2010: facts and figures from the Information Technology and Communications - International
Telecommunications Union (ITU) Available at: http://www.itu.int/ITU-D/ict/material/FactsFigures2010.pdf
13
Available at: http://www.internetworldstats.com/stats.htm

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 9 of 31
Information Security Observatory
 Chart 2: Distribution of blog users by age

60%
53.3%

50%

40%

30%

20.2% 19.4%
20%

10% 7.1%

0%
Under 20 Between 21 and 35 Between 36 and 50 Over 51

Age of blog users

Source: Technorati 14

On microblogging…

• 150,000,000

• 70 million tweets (comments) daily 15

.

• 800 tweets per second.

On social networks…

• 8 in 10 Internet users are members of a social network.

• 600,000,000 Facebook users. 16

• 260,000,000,000 visits per month to this social network.

• Over 6,000,000 visits per minute.

14
Available at: http://images.vizworld.com/wp-content/uploads/2010/07/the-internet.jpg
15
Information taken from: http://www.slideshare.net/raffikrikorian/twitter-by-the-numbers?from=ss_embed
16
Source: ComScore, WSJ Available at: http://technorati.com/state-of-the-blogosphere/

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 10 of 31
Information Security Observatory
On other 2.0 tools…

• Over Foursquare users.

• 2,000,000 videos played per day in Youtube 17

.

• Every minute hours of video are uploaded to Youtube 18 .

As also threats on Web 2.0...

• Approximately 1 in 4communications suspected of being fraudulent in the Internet

target social networks 19 .

• Facebook has become the fourth most spoofed website worldwide 20

.

1.4 THE ROLE OF MOBILE TECHNOLOGIES IN THE FUTURE OF WEB 2.0

The various Web 2.0 platforms and tools are committed to integrating mobile technologies and
spreading a new model of connecting to the Internet.

This model will allow the number of hits and page updates, profiles and user input in Web 2.0
to reach levels close to real time, changing the current media landscape. In turn, the
interoperability between different platforms and the rise and development of tools will allow
users to completely do without local applications in favour of both mobile applications as well
as cloud computing.

Therefore, the emergence of new mobile devices with more functionality and the creation of
platforms such as Android, iOS, Windows Phone 7 or WebOS form the basis for using these
channels from anywhere with a simple Internet connection.

17
Data from the Website-monitoring.com 10/05/2010. Available at: http://www.cleancutmedia.com/wp-
content/uploads/2010/05/youtube-infographic-statistics.jpg
18
Available at: http://youtube-espanol.blogspot.com/2010/03/lo-logramos-un-dia-de-video-por-minuto.html
19
According data from the Anti-Phishing Working Group (APWG) for the first quarter of 2010 and included in the Study on Internet
fraud 2nd quarter of 2010, available at:
http://www.inteco.es/Seguridad/Observatorio/Estudios_e_Informes/Estudios_e_Informes_1/estudio_fraude_2T2010
20
Source: http://www.bitdefender.es/NW1659-es--Facebook-se-convierte-en-la-cuarta-empresa-m%C3%A1s-suplantada-en-los-
ataques-de-phishing.html

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 11 of 31
Information Security Observatory
 Web 2.0 in social, professional and
2. educational development

2 WEB 2.0 IN SOCIAL, PROFESSIONAL AND EDUCATIONAL DEVELOPMENT

2.1 SOCIAL ENVIRONMENT

Insofar as the use of Web 2.0 has been expanded, new citizens have opportunities for
participating in a social context:

• The user feels useful and integrated into a group that communicates with you and you
share hobbies and interests.

• People become active explorers of knowledge, according to their interest, enthusiasm

and willingness to learn, increasing their search, analysis and decision-making ability.

• The importance of personal and professional recommendations increases, providing, in

addition to unlimited information, a voice, a platform and access to a global market.

Web 2.0 makes an amalgam of tools available to the individual that extends the opportunities
of contacting with others.

• Applications to create and maintain personal website such as social networks or blogs
through participating in collaborative sites such as wikis.

• Applications for posting and spreading information: videos with YouTube, pictures with
Flickr, presentations with SlideShare.

• Applications for searching and accessing updated information: Google, Bing,

GoogleReader, Google News, Twitter, specialised search engines...

• Other online applications such as calendars, geolocation tools, shared virtual books,
news, office online, tele-training platforms, digital whiteboards, etc.

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 12 of 31
Information Security Observatory
All are tools that allow interaction and communication between people who could not otherwise
do so, encouraging cooperation and allowing a group to be created based on the successive
individual contributions.

2.2 EDUCATIONAL ENVIRONMENT

Web 2.0 offers a new perspective to educators, teachers and researchers of teaching and
education, as the tools provided act as a complement to the comprehensive education of
students. 21

By creating participatory and collaborative environments:

• Online spaces for storing, classifying, posting and/or spreading text and audiovisual
content are enabled, which students can access.

• Digital skills are developed and improved, from searching and selecting information and
its process to making it knowledge until its publication and transmission by various
means.

• Environments for developing networks of centres and teachers are provided to reflect
on educational issues, help, develop and share resources.

• New tools are appearing such as eBooks or tablets, which enable integration between
the teacher and student in real time.

From the student’s standpoint, using the possibilities offered by so-called Web 2.0 allows the
individual to use a new set of tools and functionality that can support their education, taking into
account that the student, especially considering children, is a true digital city, seeing ICT as
part of their daily life.

Educational platforms are online tools allowing teachers to work together in all subjects and
be able to structure lessons in collaborative working groups among their students and among
researchers.

Different categories or methods of using these media can be distinguished in different training
situations:

21
This paragraph is based on the following sources:
- Orihuela, José Luis. Review of the Blogs Revolution. When Blogs became people’s means of communication. Universidad Oberta
de Catalunya.
- Blogs and Wikis for teaching. Training trainers There is talent 2009.
- VV.AA. Wikis and teaching Innovation Journal of Distance Education.

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 13 of 31
Information Security Observatory
 • Systems for managing teaching resources: The teacher presents, in addition to
classroom sessions, a series of activities the student must develop using the media’s
resources.

• Teacher blogs: groups of teachers who share teaching experiences, strategies and
resources.

• Class or tutor diaries: where the evolution of a group of students, the degree of
achieving the set objectives, methodological issues or behavioural aspects and
attitudes concerning the students are narrated chronologically.

• Individual workbooks: These are the author‘s dynamic pages. They will replace jotters
in the school environment, providing the incentive to be visited on the Internet and
enriched by the contributions of other students and teachers.

2.3 PROFESSIONAL ENVIRONMENT

The majority of blogs, wikis, forums and other collaborative platforms found on the Web are
personal, although there is a growing trend in companies to use them for business purposes.

Thus, they are platforms for internal use, from which companies share knowledge within the
organisation and with partners, and external platforms that serve as a marketing tool as well
as creating and maintaining customer relationships. In both cases, the role of management is
essential to promote using these channels in an open and multidirectional way in order to
enhance their effectiveness.

The new scenario of the social web is a new reality affecting companies as a whole by
providing them with a number of advantages. The main ones are the possibility to create better
channels for idea sharing, easy access, fast and direct access to experts (both internal and
external) and lower communication and operational costs 22 .

Other advantages are the ability to share all information via web platforms, the immediate
propagation of content and information, continuous innovation that occurs in the network and
access at all times to information from anywhere using mobile devices.

22
Available at:
http://www.mckinseyquarterly.com/Business_Technology/BT_Strategy/How_companies_are_benefiting_from_Web_20_McKinsey_
Global_Survey_Results_2432?pagenum=2#1

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 14 of 31
Information Security Observatory
 3. Rights and freedoms to Project in Web 2.0
3 RIGHTS AND FREEDOMS TO PROTECT IN WEB 2.0

Web 2.0 allows citizens to create an impartial and diverse source, but the anonymity it provides
is often used inappropriately, pushing the boundaries of individual rights at the expense of the
rights of others.

The various legal interests in digital 2.0 communications will now be discussed in depth, giving
examples that facilitate the reader's understanding as far as possible 23 .

3.1 FREEDOM OF EXPRESSION ON WEB 2.0

The principal law allowing expression in both the Internet

and outside it is freedom of expression, included in the
Spanish Constitution in Article 20 that allows thoughts,
ideas and opinions to be freely expressed and spread
through words, in writing or any other means of
reproduction and freely communicate or receive truthful
information by any media.

This law entitles citizens to carry out participatory work on the various platforms.

Anyone can participate in forums, blogs, wikis and social networks, but its participants should
maintain respect for the other participants and to others, not without a certain dose of common
sense.

3.2 FREEDOM OF INFORMATION ON WEB 2.0

Related to freedom of expression, a second right, freedom of information, stands out.

However it differs from the previous one as it has some objective criteria:

• The information must be accurate, i.e., requiring the existence of a basis in objective
and real facts.

23
In writing this chapter, we have relied upon the following documents:
- Spanish Data Protection Authority (2010) "Study on the privacy of personal data and the security of
http://www.agpd.es/portalwebAGPD/canaldocumentacion/publicaciones/common/Estudios/est_inteco_redesso_022009.pdf
- Law on the Web (2009) "Legal Guide for bloggers and podcasters"
http://www.derechoenred.com/blog/documentos/GUIA_LEGAL_BLOGGERS_POCASTERS.pdf
- Mata, Miguel Angel (2009) “Freedom of expression online”
http://www.miguelangelmata.com/2009/10/23/libertad-de-expresion-en-internet/
- Maeztu, David (2008) "Newspapers and Blogs: Legal issues, differences, similarities and jurisprudential treatment in Spain."
http://derechoynormas.blogspot.com/2008/04/prensa-y-blogs-aspectos-legales.html
- Maeztu, David (2006) “Legal obligations of blogs (I): Tax obligations”
http://derechoynormas.blogspot.com/2006/12/obligaciones-jurdicas-de-los-blogs-i.html

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 15 of 31
Information Security Observatory
 • The information must have public relevance, with facts affecting private parties in daily
events or activities lacking such relevance.

These elements are the key in differentiating participation in Web 2.0 with the traditional press,
given the possibility of finding references to people from a nearby environment on which
comments and opinion are not always going to be covered by freedom of information.

Commenting on the intimacies of a "close" person that does not have the character of a public
figure would not be covered under the protection of freedom of information act and in light of
comments made, could push the limits of the right to freedom of expression.

3.3 INTIMACY, PRIVACY AND SELF-IMAGE ON WEB 2.0

The right to reputation, self-image and personal privacy is enshrined in the Spanish
Constitution (Article 18), and developed in Organic Law 1/1982,
Civil Protection of the Right to reputation, personal and family
privacy and self-image.

This is one of the main rights that may get damaged while
participating in Web 2.0 platforms, as it implies interference in
the personal sphere of the individual concerned through
comments, information or opinions that represent libel or slander, such as:

• Disclosing facts concerning the private life of a person or family that affect their
reputation and good name, as well as disclosing or posting the contents of letters,
memoranda or other intimate personal writings.

• Capturing, reproducing or posting photographs or films of a person in places or times in

their private lives or outside of them, except in cases provided for in the law itself.

• Using the name, voice or image of a person for advertising or commercial purposes.

• Attributing events or stating value judgments through actions or expressions that in any
way impair the dignity of another person or damage their reputation.

Furthermore, the area of individual privacy highlights the secrecy of communications, which
means that any private communication is protected by law That is to say, intercepting
messages of others or using devices to listen, transmit, record or reproduce these
communications is a legal offense, punishable by a fine.

Identity supplanting in profiles and pages of Web 2.0 is frequent. The malicious user is logged
on as another user and posts comments, photos, and so on that are fake. This activity is
typified by the Spanish Penal Code.

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 16 of 31
Information Security Observatory
3.4 DATA PROTECTION ON WEB 2.0

The right to data protection is a fundamental right, which is derived directly from the Spanish
Constitution of 1978 (Article 18.4) in line with European standards. Organic Law 15/1999 of 13
December on the Protection of Personal Data (LOPD) develops this right depth.

Insofar as each Internet user can play a leading role, edit his personal page, participate in
wikis, create his website or maintain his blog, this assumes a legal liability.

Respecting the data protection rights of others involved 24 :

• Do not post information that does not meet the requirements relating to truth, public
interest and respect for the dignity of people, particularly youth and children.

• Do not spread rumours or unsubstantiated information.

• Correct or remove information if requested by the person affected.

• Never post information that puts your family at risk and especially children, friends,
neighbours, etc.

• Be particularly careful about posting information on places where you or a third party is
at any time, as it could pose a serious risk to your integrity.

• Do not record or post pictures, videos or any other record without the consent of those
affected.

• In the case of children under 14, the Data Protection Act requires parents or guardians
to give consent to their data being processed.

Sometimes, the platforms have all or part of the user profile in a public format by default, so
any user can access the personal information of others without the real owner of the data
having to give his consent.

3.5 INTELLECTUAL PROPERTY ON WEB 2.0

Intellectual property is the right people have to their own creations or works, as acknowledged
by Royal Decree 10/1996 of 12 April by approving the Law on Intellectual Property.

In the Web 2.0 context, in collaborative platforms users can use:

24
Source: AEPD Internet Guide recommendations. Available at:
http://www.agpd.es/portalwebAGPD/canaldocumentacion/publicaciones/common/pdfs/guia_recomendaciones_internet_052009.pd
f

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 17 of 31
Information Security Observatory
 • Any work they have created (provided they have not relinquished their rights of
exploitation to others).

• Works with permission of its owners of rights, either directly or

through any of the currently existing licenses (Creative
Commons, GPL, etc.)

• Works fallen into the public domain 25 .

• Works permanently displayed in public (posters, sculptures,

etc.)

• Talks or lectures given in public with an informative purpose (and not merely
commercial.)

• Work on current issues, as described above.

Therefore, under this law, the following may NOT be used on 2.0 platforms:

• Works and loans protected by intellectual property unless they meet one of the
exceptions mentioned above.

Whenever you want to use some work (texts, photographs, videos, etc.) on the Internet, you
should go to the legal notice of the page where you found the content and see if it allows it to
be reproduced.

25
This usually occurs 70 years after the death of the author and 50 years from publication (for sound recordings or audiovisual
content).

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 18 of 31
Information Security Observatory
4. Risks in using Web 2.0
4 RISKS IN USING WEB 2.0

Having the materials to be protected is necessary to understand that there are a number of
risks and it is important to be able to adopt measures to ensure security and privacy and
therefore, fully enjoy the 2.0 environment.

• Risks of libel or slander.

• Risks in communications.

• Risks against privacy.

• Risks against intellectual property.

Among the existing risks in collaborative communications, the technological component

plays a fundamental role. The current capacity of malware or malicious code to exploit
vulnerabilities and security flaws in collaborative platforms multiply the potential impact of their
attacks on profile information and in the user hardware and software:

• Infection and/or alteration of hardware, applications and programs, of both the user
and his network of contacts.

• Stealing personal information such as usernames and passwords, photos, hobbies,

card numbers ... information that can be used for profit or publicity.

• User's identity supplanting, by creating fake accounts on behalf of other users, or

stealing access data to profiles in order to replace the actual user.

Here are some of the techniques used to carry out attacks on security and privacy in
collaborative platforms.

• Social Spammer and Scammer. Using these platforms gives the opportunity to send
unwanted e-mails, whether the purpose is purely advertising (spam) and if it involves
fraud or undue profit (scam).

• Tabnabbing. This technique is based on making the most of the tab browsing system.
When the user goes from one tab to another, the one which remains in the background
becomes a page to access services and platforms (such as Gmail, YouTube,
Facebook, etc.) The user, not noticing, enters his details to access these services, and
is, therefore, providing this information to the owner of the spoof page.

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 19 of 31
Information Security Observatory
 Illustration 5: Example of tabnabbing

• Pharming. This software attack consists of amending or replacing the file of the domain
name server by changing the IP address of the legitimate address of the Web 2.0
platform. When writing the name of the platform in the address bar, the browser
automatically redirects the user to another IP address, which houses a spoof website.
When trying to access the service, the user is providing his access details to the
cyberattacker.

Both phishing and pharming are heavily exploited by criminals to collection the personal
details of Internet users, as well as sensitive data or that relating to economic aspects
(credit cards, PIN of users, etc.)

• Clickjacking. In this case, by clicking on “I like it” (buttons to share views on content),
phrases are updated in the user's status that are redirected to spam sites or malware.
Messages related to fraudulent websites can also be found, such as the following
example in Twitter:

Illustration 4: Example of clickjaking in Twitter

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 20 of 31
Information Security Observatory
 In this regard, Twitter is expanding the use of shortening URLs (given the limitations of
characters per message) that link to malicious websites.

• Worms. Worms are one of the threats with the greatest impact because they have
different variants designed for Web 2.0 platforms, as is the case of the Koobface worm
and its variants for major social networks. This type of malware uses compromised user
accounts to propagate by placing infected links in those that easily tap the victim user's
contacts.

• Installing and using cookies 26 without the user knowing. Another risk associated
with the user participating in platforms lies in the possibility that the site uses cookies to
allow the platform to know the user's activity within it. Through these tools, you can see
the place where the user is gaining access, the connection time, the device from which
he is gaining access (fixed or mobile), the operating system used, the most visited
places within a website, the number of clicks, and lots of data regarding the
development of the user's life on the Web.

26
A cookie is a piece of information that is stored in the hard drive of a visitor of a website through his browser, upon the request of
the server’s website.

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 21 of 31
Information Security Observatory
 Obligations and responsabilities when
5. using Web 2.0

5 OBLIGATIONS AND RESPONSIBILITIES WHEN USING WEB 2.0

The evolution of the Web has allowed a shift from a model in which the Internet user was in a
passive role as a mere reader to playing an active and leading role.

In Web 2.0, it is not necessary to have expert knowledge of applications and services, as they
are designed to be easy and intuitive. Simply register to access a set of programs and services
to participate in the new platforms and maintain real-time interaction with other users on the
Web

This activity will identify various roles: users, administrators, moderators and service providers.
Act 34/2002 of 11 July, on services of the information society and e-commerce (LSSICE)
identifies the different players in this activity and establishes the civil liability regime they are
subject to.

5.1 RESPONSIBILITIES OF DIFFERENT PLAYERS

5.1.1 Users
Who they are:

Web 2.0 users are those Internet users who participate in it, either by editing and posting
comments, uploading videos, pictures, etc. or commenting on what others have posted. In
short, anyone browsing actively platforms that makes up this social universe.

Registering any tool or platform as a user implies adherence to conditions set by the service
provider.

Obligations:

Users can upload all types of content to your site, but always with a responsible use of freedom
of expression.

The following exceed the user's roles and are therefore unlawful conduct:

• Committing the crime of libel or slander when you make a false accusation of a crime to
someone else or show expressions that violate the right to reputation, self-image and
personal privacy.

• Engaging in breaching the Intellectual Property Act (copyright) to publish any

copyrighted work that does not have the owner’s express permission or not making
proper use of the right to quote, either on texts (articles, books, notes, etc.), or
multimedia content (music, audio, video, software, etc.)

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 22 of 31
Information Security Observatory
 • Violating trademark or design rights, trade secrets or breaching industry rights
(patents).

• Attacking against data protection rights by publishing privacy information of third parties
(publishing a personal e-mail).

• Committing child porn crimes by posting any representation of a child under eighteen
years of age devoted to sexually explicit activities or any representation of their genitals
for predominantly sexual purposes.

Responsibilities:

The responsibility shall always be with the person committing the crime. However, such
responsibility can be extended to others due to a lack of properly monitoring the platform as
discussed below.

For example, posting a video of another person, who has not given their express consent to
such disclosure or even for this video to be recorded, is an attack on their reputation and
privacy.

5.1.2 Administrators and moderators

Who they are:

• The administrators (may or may not be the owners of the site), are responsible for
managing the site, and have the necessary options to edit and delete content. They can
act as moderators in the absence of these.

• Moderators control the tone and content of the information written on the platform,
trying to maintain a cordial and pleasant environment for all users. To do this, they can
modify or delete comments made by others, temporarily remove a message, or close
and delete threads, and other mechanisms designated by the platform.

Obligations:

They are obliged to ensure the proper use of the platform so that crimes are not committed in
it. Spanish law requires the existence of content moderation, as even when the comment is
anonymous, the administrator is still responsible for it.

Responsibilities:

Their responsibilities are derived from management duties as well as control and monitoring
ones. They may act a priori or also after a comment has been posted.

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 23 of 31
Information Security Observatory
The Spanish law provides two ways to enforce such liability, subsidiary and cascading liability
according to Article 30 of the Criminal Code, when the media were considered as traditional
media, or, when they were not, responsibility as necessary cooperator according to Article 28
of the Code.

It is good practice for the administrator of a forum to include a publishing policy on its website
to prevent posts by users as well as providing the possibility for other users to report these
situations and a more effective control can later be carried out.

5.1.3 Companies providing intermediary services on the Internet

Who they are:

They are web hosting service providers, 2.0 web services, data hosting services, access
providers, telecommunications operators.

Obligations:

• Informing customers about key data such as service providers (ID and email address),
services provided and the terms of the provision, data protection policy and technical
means to increase user safety

• Cooperating with public bodies to carry out tasks that cannot be done without their help.

Responsibilities:

• They are responsible for the content if they have actual knowledge that the activity or
information to which they refer is unlawful or harms property or rights of a third party
liable for damages.

• They are responsible for the personal data used in the profile search engines or
customised advertising campaigns.

When creating a blog or personal site, any individual may choose to use existing tools or pages
on the Web and offer this service (for example, Wordpress or Myspace), or they can go to a
hosting company and create a custom domain. In both cases, companies offering services fall
into this category.

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 24 of 31
Information Security Observatory
5.2 FAQ (FREQUENTLY ASKED QUESTIONS)

If you create a custom domain to host a personal website where other users can
comment, are you responsible for the comments posted by these other users?

Until you identify the true author of the comment, case law can apply cascading responsibility
to the owner of the personal website. In this respect, whether or not advertising is included on
the page (and thus generating a profit) determines the owner’s responsibility:

• If it has advertising: the owner is considered to be the service provider and has limited
liability to the provisions of article 16 of the LSSICE (Law of Information Society
Services and Electronic Commerce).

• If it does not have advertising: the Criminal Code is applied to assign the owner’s
responsibility, it can be considered as traditional media or a necessary cooperator.

Illustration 5: Outline of the responsibility of the owner of a Web 2.0 website

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 25 of 31
Information Security Observatory
Can you ask the owner of the site to identify the author of the comments?

If a reader identifies an incorrect or defamatory comment against him on a website, he may ask
the site’s owner to identify the author of the comment through the data available to them,
usually the IP address.

According to the criteria of the Spanish Data Protection Authority, it is currently considered that
the IP address is personal data so it will only be communicated when required by the courts.
Therefore, it is recommended to keep this information in such a way that it cannot be destroyed
and be able to provide it to the court if required.

Can I demand a correction or reply by the author of the comment in the case of an attack
against my reputation, self-image and personal privacy?

Yes, you may demand that the author and in ascending order, the site’s owner, remedy the
damage done to the affected party.

The right to rectification covers individuals for incorrect and incomplete information and
provides that the correction must be addressed to the director of the medium or the site’s
owner. The right of reply covers erroneous opinions, although it is not formally embodied in the
Spanish system.

Can you close a personal website if it breaches a right?

In Article 20.5, the EC prohibits seizing publications, recordings and other media if this is not
done under court order. However, the Bill of Sustainable Economy, in the process of approval
in the Senate 27 , amends the current judicial proceeding in its second final provision.

This Act establishes a Commission on Intellectual Property, in cases where it considers there is
a breach of intellectual property rights; it may ask the judge for the service provider to provide
the data for a particular customer to be identified. The Commission may also issue resolutions
to close posts with the authorisation of a judge being required to implement these resolutions.

27
As of date of publication of this guide

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 26 of 31
Information Security Observatory
 Recommendation for safe and responsible
6. usage of Web 2.0

6 RECOMMENDATIONS FOR SAFE AND RESPONSIBLE USAGE OF WEB 2.0

6.1 GOOD PRIVACY PRACTICES ON WEB 2.0

Having seen the potential risks of Web 2.0, a set of privacy guidelines, aimed at each group
involved will now be provided.

6.1.1 Users
In Web 2.0 users must comply with privacy rules, concerning their own data, as well as if what
they publish is from a third party.

• Users must protect their information. It is therefore

necessary to read the privacy policy, setting limits
on who can or cannot access the information
published.

• A good practice is to resort to the use of

pseudonyms and personal nicknames; therefore,
letting you to have a "digital identity".

• You should not publish excessive information about your personal or family life, i.e.,
information you would not communicate to people not close to you.

• You should pay particular attention when publishing audiovisual content and graphics,
especially if they are images relating to others.

• Before publishing a photo, it is advisable to consider whether it is appropriate to post or

whether such action could have consequences, involving people at work, school,
university or in your close or personal environment.

• If want to use or reproduce any work on the Web (graphic or not), you should look at
the legal notice on the website where you are and view the conditions of reproducing it.

• Go to the Spanish Data Protection Authority, AEPD (www.agpd.es), to exercise your

rights granted by the Data Protection Act regarding personal data protection. You can
download a template of a claim form at the AEPD website.

6.1.2 Administrators and moderators

In this group, the privacy guidelines relate to protecting users’ personal data and information,
as well as by adhering to the law the users of the platform they operate.

• As set out in the Data Protection Act, any person seeking personal information (related
to search engines, profiles, etc.) must fulfil some obligations and deal with the

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 27 of 31
Information Security Observatory
 consequences of such processing. Among other things, it should have person
designated to performing data processing:

o The file must be entered in the AEPD Registry and the files adapted to current
legislation (Data Protection Act and Regulation).

o It is obliged to inform users about the site’s Privacy Policy, as well as the
purpose for which personal data are being collected, the person in charge of
process the data and the rights available to the user.

o It must seek the consent of the party concerned in order to transmit their
information.

o It allows users to exercise their rights of access, rectification, cancellation and

opposition.

• It is important to effectively carry out monitoring and control on the participants and their
information. If there are any incorrect or illicit comments or information, mediate the
discussion and/or delete comments.

• Technological measures must be implemented to ascertain the age of users, such as:
using certificates recognising electronic signatures or applications that detect the type
of site visited and the services in most demand.

• There is a duty to cooperate with national Security Forces to identify users who commit
illicit acts.

6.1.3 Companies providing intermediary services to the information society

Information entered by users on the Web is stored by information society intermediary service
providers (search engines, registration forms, use of cross-data, etc.) Actions relating to
privacy should be directed to properly processing the personal data of users of the platforms.

• As in the case of the Administrators, to meet the obligations under the Data Protection
Act in relation to processing personal data.

• In addition, the law prohibits sending "marketing communications" by e-mail or any

other means of electronic communication "that has not been previously requested or
expressly authorised by the recipients."

• Do not retain personal data in an excessive amount or without just cause, unless this is
being done to cooperate with national Security Forces.

• Finally, information should be provided to users about the potential liability they may
incur for breaching intellectual property rights.

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 28 of 31
Information Security Observatory
6.2 GOOD SECURITY PRACTICES ON WEB 2.0

Security threats on Web 2.0 have a higher growth potential than other media due to its network
structure. Therefore, all parties involved must follow safety guidelines.

6.2.1 Users
Users are most harmed by malware attacks, which can affect both the information in
collaborative platforms, as well as their own computers and devices. To avoid this, we
recommend:

• Keeping both the operating system and any applications you have installed in your
computer updated. This is essential given that an updated browser has blocking filters
against new threats and unwanted intrusions.

• Using passwords to access different profiles.

• Checking the legitimacy of the websites you want to access, monitoring the URLs in the
browser window.

• When browsing, you should only download files or applications from trusted sources, to
prevent malicious code or malware. You are also recommended to analyse downloaded
items with an antivirus before running them.

6.2.2 Administrators and moderators

These players on Web 2.0 platforms are recommended to do the following:

• Have internal tools aimed at reducing cases of identity supplanting within the Web,
allowing the legitimate owners of the service to be able to authenticate their true
identity, to thus recover and block the person illegitimately accessing the other’s profile.

• Integrate systems to detect the level of security of the passwords chosen by users at
the time of registration, indicating whether or not it is secure and informing them of the
recommended minimum requirements.

6.2.3 Companies providing intermediary services to the information society

Service providers of the information society related to collaborative platforms should take into
account that these services are based on large databases with personal data of users that use
them. For this reason, they must:

• Guarantee that the Web is safe from attacks by third parties and that it prevents, or at
least reduces, the possibility of their success.

• It is vital that the platform correctly chooses an Internet Service Provider (ISP) that has
a high level of security.

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 29 of 31
Information Security Observatory
 In this respect, it is recommended that the ISP always ensure, at least the following
aspects:

o Services provided by the ISP to this type of platform will focus on secure
servers, backup centres, secure access, etc.

o Tools to detect prevent and block malicious code must be used in servers and
within the application. In this respect, encouraging strategic agreements with
security companies is recommended.

o Using security applications aimed at ensuring, or where appropriate, minimising

the possibility of receiving unwanted commercial messages through the platform
(spam/scam).

o In turn they must report on existing tools for filtering and restricting access to
certain content and services on the Internet that is unwanted or potentially
harmful to children and young people.

Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 30 of 31
Information Security Observatory
 Web http://observatorio.inteco.es

Information Security Observatory Scribd Channel:

http://www.scribd.com/ObservaINTECO

Information Security Observatory Twitter Channel:

http://twitter.com/ObservaINTECO

Information Security Observatory Blog:

http://www.inteco.es/blog/Seguridad/Observatorio/BlogSeguridad/

observatorio@inteco.es

www.inteco.es
Guide to getting started with Web 2.0: aspects relating to privacy and security in collaborative platforms Page 31 of 31
Information Security Observatory