Salinger Privacy


What technology designers need to know to understand privacy

July 10, 2017, Stephen Wilson


Privacy is contentious today.  Some say the information age has brought real changes to privacy norms.  With so much private data leaking through breaches, accidents and digital business practices, it’s often said that ‘the genie is out of the bottle’.  Many think privacy has become hopeless.  Yet in Europe and many jurisdictions, privacy rights have been strongly and freshly enforced, and for the very latest digital processes.

For technology designers and security pros coming to grips with privacy, the place to start is the concept of ‘personal information’ – also known as ‘personal data’ in the EU, or PII in the US.  The threshold for data counting as personal information is low: any data about a person whose identity is readily apparent constitutes personal information in most places, regardless of where it came from, or who might be said to ‘own’ it. This is not obvious to engineers without legal training, who may form a more casual understanding of what ‘private’ means.  So it seems paradoxical to them that the words ‘public’ and ‘private’ don’t even figure at all in laws like Australia’s Privacy Act!

There is a cynical myth that ‘Technology outpaces the Law’. In practice, it is the law that challenges technology, not the other way around!  The grandiose claim that the ‘law cannot keep up with technology’ is often a rhetorical device used to embolden developers and entrepreneurs.  New technologies can make it easier to break old laws, but the legal principles in most cases still stand.  If privacy is the fundamental right to be let alone, then there is nothing intrinsic to technology that supersedes that right.  It turns out that technology-neutral privacy laws framed over 30 years ago are powerful against very modern trespasses, like wi-fi snooping by Google, over-zealous use of biometrics by Facebook, and intrusive search results extracted from our deep dark pasts by the all-seeing Google. So technology really only outpaces policing.

One of the leading efforts to inculcate privacy into engineering practice has been the ‘Privacy by Design’ movement (PbD), started in the 1990s by Ontario privacy commissioner Dr Ann Cavoukian.  PbD seeks to embed privacy ‘into the design specifications of technologies, business practices, and physical infrastructures’. As such it is basically the same good idea as building in security, or building in quality, because to retrofit these things too late leads to higher costs and disappointing outcomes.

In my view, the problem with the Privacy by Design manifesto is its idealism.  Privacy is actually full of contradictions and competing interests, and we need to be more mature about this.

Just look at the cornerstone privacy principles.  Collection Limitation, for example, can contradict the security instinct to retain as much data as possible, in case it proves useful one day.  Disclosure Limitation can conflict with usability, because it means PII may be siloed and less freely available to other applications.  And above all, Use Limitation can restrict revenue opportunities in all the raw material digital systems can gather.  Businesses today accumulate masses of personal information (sometimes inadvertently, sometimes by design) as a by-product of online transactions; real privacy means resisting the temptation to exploit it (as Apple promises to). Privacy at its heart is about restraint. Privacy is less about what you do with personal information than what you don’t do with it.

PbD naively asserts that privacy can be maximised along with security and other system objectives, as a “positive sum” game.  But it is better that engineers be aware of the trade-offs that privacy can entail, and that they be equipped to deal with the real-world compromises privacy requires, just as they do with other design requirements.  Privacy can take its place in engineering along with all the other real-world considerations that need to be carefully weighed, including cost, usability, efficiency, profitability, and security.

 

This is an edited extract from a chapter Stephen contributed to Darek Kloza and Dan Svantesson’s new book Trans-Atlantic Data Privacy Relations as a Challenge for Democracy?

Previously published on the Constellation Research blog.  Minor revisions made for a primarily Australian audience.

Photograph (c) Shutterstock
