Experts explore the future of Privacy by Design
By Mathew J. Schwartz
Can privacy be built into websites or smartphone apps, akin to the manner in which developers set up a backend database or ensure that their application code remains clean and secure against potential attacks?
That's one provocative question posed by a recently released paper co-authored by Ira Rubinstein, a senior fellow and adjunct professor at New York University Law School, and Nathan Good, principal and chief scientist of Good Research. Titled "Privacy By Design: A Counterfactual Analysis Of Google And Facebook Privacy Incidents," the paper recently received the IAPP Privacy Law Scholars Award.
The paper reviews 10 recent privacy incidents involving Facebook and Google, and asks if "privacy engineering and usability principles" could have prevented them. In particular, could engineering "fair information practice" principles have been used in advance of the incidents to have removed the privacy problems entirely? Likewise, from a usability standpoint, could the relevant interfaces have been designed to provide the "just-in-time" context that a user needed to make an informed privacy decision?
To learn more about the possibilities and challenges associated with Privacy by Design in advance of a related talk at the IAPP's Navigate 2012 executive forum in Mountain View, CA, I spoke with Rubinstein and Good by phone.
The Privacy Advisor: What drove you to explore the concept of Privacy by Design?
Rubinstein: The starting point is the fact that so many regulators are bringing attention to Privacy by Design as a regulatory tool. It's long been pushed by Ontario Privacy Commissioner Ann Cavoukian in Canada, but lately the FTC has begun to emphasize design, and to make Privacy by Design—or something very much like it—part of their recent consent decrees with Facebook and Google. It's also gotten a lot of attention from European regulators, particularly in the new regulation that would replace the European Data Protection Directive.
But exactly what does Privacy by Design mean? Regulators talk about it a lot in general terms, without going into detail and without giving developers guidelines that would allow them to take actionable steps. The developer needs to know what the requirements for this software are, and what specific features might help meet those requirements. Unless Privacy by Design can be expressed in those requirements, it doesn't add up to anything for the developer; it's too abstract and vague.
The Privacy Advisor: In your review of the Google and Facebook privacy incidents, were there any surprises?
Rubinstein: We looked at 10 privacy incidents, and half could be traced to a delay in releasing new privacy features, which suggests that the companies either knew—or quickly determined—what they needed to do. But the reason for the resulting delay wasn't that clear.
Now, that's a really interesting fact, and it suggests that privacy still isn't being given the priority it needs. That finding also very clearly reinforces the basic mantra of Privacy by Design, which is build it in at the outset instead of adding it in later. In those cases, if they'd built in the feature at the outset, they clearly would have avoided the privacy incident.
The Privacy Advisor: Are privacy sanctions against well-known sites leading to an increase in people's privacy awareness?
Good: When you talk to different people about privacy, they all understand that there are tradeoffs—they understand that if they're going to be on Facebook, it's going to be doing stuff with their data. But people get complacent; they say there's not a whole lot I can do about it, so I'll just use my little service the way that I use it.
But when they are given the opportunity, it's surprising how much people do use controls. There was a study we just recently did with some students at UC Berkeley, where we were looking at the iPhone and (apps' access to people's locations). We assumed that everyone would have one or the other—all on or all off—but it turned out that a lot of people did (curate) their location data. They said it didn’t make sense for this app to have location data, but it did make sense for this other app, for example with Maps.
Now, this is still being teased out, but if they're given controls in a meaningful way, they'll use it. It's just a question of building the right methodology.
The Privacy Advisor: How can businesses better empower users with these types of "just in time" controls, so they can make more well-informed privacy decisions?
Good: My rallying cry would be, "Lawyers, hug your usability expert!" These people have a lot of experience and knowledge of the user experience domain. They have a lot to offer, and to my knowledge, they haven't been a big part of the privacy design process. And we've already seen the companies that we talked about in the paper applying usability and user experience resources to the privacy problem.
Rubinstein: Privacy should be designed with the same usability expertise that companies bring to any other aspect of a feature or service. That said—and this is no longer the rallying cry of things—there's some tension here, because companies may fear that if they make their privacy features too effective, it may undermine the amount of personal data they can collect and use. And that goes to much bigger questions of business models and how to adjust business models so users can control their data.
Editor's Note: Adjunct NYU Law Professor Ira Rubinstein and Nathan Good, principal of Good Research, will lead "The Future of Privacy by Design," a discussion of existing practices aimed at clearly identifying what Privacy by Design is, whether it works and how organizations can use it effectively. The session is part of the IAPP's upcoming Navigate executive forum, held in conjunction with the 2012 Privacy Academy in San Jose, CA.
Mathew Schwartz reports on information security and privacy issues for InformationWeek, The Privacy Advisor and Inside 1 to 1: Privacy.