Lockstep

Mobile: +61 (0) 414 488 851
Email: swilson@lockstep.com.au

Book Chapter: "Blending the Practices of Privacy and Information Security"

Steve had a paper published as a chapter of the book "Trans-Atlantic Data Privacy Relations as a Challenge for Democracy", Dan Svantesson & Dariusz Kloza (Eds) Intersentia, 2017

"Blending the Practices of Privacy and Information Security to Navigate Contemporary Data Protection Challenges"

Summary

The relationship between European privacy regulators and predominantly American technology businesses can appear increasingly fraught. A string of adverse and possibly counter intuitive privacy findings against digital businesses – including the “Right to be Forgotten”, and bans on biometric-powered photo tag suggestions – have left some wondering if privacy regulations and information technology are fundamentally at odds. Technologists are often confused by these findings and unsure of their role in privacy management.

Security and privacy are awkward bedfellows, usually described as distinct but overlapping fields. Privacy is frequently described as “not a technology issue” but that slogan can alienate IT practitioners. And Privacy by Design proponents like to advertise that security and privacy are a “positive sum” despite the painful truth that privacy often creates tensions with other complex system objectives like usability, cost, efficacy, revenue opportunities, and security. These competing interests should not be played down in an effort to make privacy more palatable, for conflicting requirements are the very stuff of engineering.

The practices of privacy and information security in fact have much in common. Fundamentals in security like the ‘need to know’ and the principle of Least Privilege are closely aligned to the privacy principles of Collection Limitation and Use Limitation. This paper reviews the collective attitudes of engineers to privacy, and explores how to make the topic more accessible. It should follow that difficult privacy territory like social networking and Big Data becomes clearer to non-lawyers. Transatlantic data protection challenges might then yield to privacy engineering designs that are more fundamentally compatible across the digital ethos of Silicon Valley and the privacy activism of Europe.