Lockstep

Mobile: +61 (0) 414 488 851
Email: swilson@lockstep.com.au

"Seeing privacy through the engineer’s eyes"

An invited paper submitted to Privacy Policy Reporter, 2015 (in press).

Abstract

For all the talk of Privacy by Design, there is a gap separating the worlds of privacy law and systems design. Security and privacy are awkward bedfellows; they are distinct, yet many confuse secrecy with privacy, and in turn, IT professionals are liable to hobble their privacy thinking. Privacy and IT practices in fact share a number of traits. If these were better appreciated, we should be able to more firmly locate technological accountability for privacy within the organisation, and we should see more effective interdisciplinary collaboration on privacy.

Introduction

There appears to be a systematic shortfall in the understanding that technologists as a class have of data privacy. IT professionals may receive privacy training, but as soon as they hear the oft-repeated slogan “Privacy is not a Technology Issue” they tend to switch off.

My privacy career was born out of information security. Some 13 years ago I was doing a big security review at a utility company. Part of their policy document suite was a privacy statement on the company’s website. It contained the usual clauses, like ‘We collect the following information about you [the customer]’ and ‘If you desire a copy of the information we have about you, please contact the Privacy Officer.’ From what I had seen of the customer management system, it was going to be hard for this company to collate all personal information for a given individual. I took the statement to the chief IT architect who confirmed it could not be done. So whoever wrote the privacy policy had bound the company to at least one fiction, without ever consulting with IT.

In the aftermath of this experience, it seemed vital to research what other implications for IT lay unseen in the privacy regime. The starting point was a review of Australia’s privacy principles from the engineer’s perspective, leading to a paper that exposed how big a technology issue privacy really is (Wilson, 2003). Since then, we’ve seen Big Data and the Internet of Things emerge to challenge many of our informal notions about privacy and our regulatory privacy protections. And the terms “Privacy by Design” and “privacy engineering” have entered the mainstream. Privacy is becoming an ever more urgent concern, yet the gap between privacy law and IT practice remains wide and under-appreciated.

This paper looks at the fundamental privacy misconceptions carried by many engineers, and explores some common ground between security and privacy practices, to help bring these fields closer together.