The Privacy Engineer's Manifesto. Chapter 1: The Evolving Landscape of Privacy as Technology improves
Technology innovations have had an impact on privacy throughout history. The Gutenberg press marked the start of the Information Age, democratizing information access and distribution.
The Privacy Engineer’s Manifesto [1] is a great book to understand the basics of Data Privacy and also the engineering aspects of implementing privacy into software applications. This post goes over the key ideas covered in Chapter 1, titled “Technology Evolution, People and Privacy“.
In the general narrative of the text, there are short one- or two-page inserts written by eminent people in the technology field. This chapter has four such articles: 1. ‘Sacred References to Privacy’ by Jay Cline, 2. ‘My Life within the Firewall’ by Michelle Dennedy, 3. ‘IoT and Privacy’ by Tyson Macaulay and 4. ‘Privacy can’t be fixed’ by John Berard. The ideas in each of those articles could be expanded into a blog post of their own. This post covers ideas from the main narrative as well as a couple of these articles. In the future, I’ll probably just summarize the main text.
Introduction
In the ever-evolving world of technology, innovation and privacy are two sides of the same coin. As technology paves new paths, it invariably influences our perception and realization of privacy. Innovations in technology have made it easier to collect, store, and share personal information. Some innovations have improved privacy, but many have put privacy at risk.
1. Innovation and Privacy - A Short History
The late 1400s gave birth to the printing press, heralding an era where books were no longer a luxury. With this newfound accessibility, individuals embraced the concept of personal privacy – reading what they fancied, when and where they wished.
Fast forward to the early 1800s: the advent of rail travel, cost-effective paper, and soaring literacy levels triggered an explosion in documenting and sharing day-to-day experiences.
But it wasn’t until the late 1800s, with the invention of the camera, that privacy found itself under direct assault. Capturing individuals without consent led to a surge in privacy concerns. Eminent thinkers like Warren and Brandeis pinpointed photography as a potential risk in their landmark paper, ‘The Right to Privacy’.
By the 1960s, there was palpable anxiety about governments hoarding excessive personal data. This gave rise to the Fair Information Practice Principles (FIPPs), underpinning most of today’s data privacy laws. Yet, technological leaps continually challenge these laws, with enforcement proving difficult and often playing catch-up to innovation.
1.1 The Spiritual Angle: Privacy in Sacred Texts
Even before our modern conundrums, privacy was deeply embedded in cultural and religious ethos.
The biblical stories of Adam and Eve and of Noah's sons (Adam and Eve covering themselves with fig leaves, Noah’s sons covering their drunken father) highlight early instances of bodily privacy controls and social respect for privacy.
Jewish traditions, as cited in the Talmud, stress not intruding on neighbors' spaces.
The Bible and Torah urge against gossip and slander in the Book of Proverbs.
Islam, through Quranic verses, accentuates respect for individual privacy.
The Catholic church's catechism admonishes those who tarnish their neighbor's reputation.
Interestingly, the Universal Declaration of Human Rights in 1947 encapsulated a right to informational privacy, perhaps a nod to these ancient tenets.
But one thing to remember is that privacy perceptions differ globally. In certain Eastern cultures, like Japan and China, retaining personal details is sometimes deemed selfish, with unique linguistic and cultural lenses shaping their privacy perspectives.
2. The Information Age - Stages of Evolution
As mentioned earlier, the Gutenberg press marked the start of the Information Age, democratizing information access and distribution. What followed was a cascade of inventions like the telegraph, the telephone, and the ENIAC computer, each widening our data processing and transfer capabilities.
Our Information Age journey can be mapped through five stages:
Firewall Stage: Technology existed as discrete units. The Internet was mainly used by academics. Security and privacy issues were limited to physical boundaries. The Fair Information Practice Principles (FIPPs) were documented during this stage.
Net Stage: With the introduction of Mosaic (the first browser), HTML, and consumer-ready tech, the Internet became accessible to general users. This stage was marked by a perceived sense of online anonymity.
Extranet Stage: This stage was characterized by interactive portals that allowed authorized users to engage in self-service actions. It marked a change from the Internet being just a publishing medium to a sharing and collaborative one.
Access Stage: This stage saw a significant increase in sharing capabilities and ease of access to tech. Privacy concerns rose as people began to share more information in public and quasi-public domains.
Intelligence Stage: The current and future stage focuses on seamless connections, information processing, and service provisions tailored to individual needs. It emphasizes the centrality of data over tools.
2.1 IoT and Privacy
What is IoT?
The author says there are over 50 official definitions and offers this one: IoT refers to a vast web of interconnected devices, which includes gadgets that people interact with directly (e.g., smartphones, desktops, tablets), tools with limited human interfaces (e.g., medical devices, point-of-sale systems), and apparatuses observing or controlling the physical realm (e.g., sensors, smart devices). These devices mostly operate on Internet Protocol (IP) networks or are connected through gateways to IP networks.
IoT and Personal Information
Given the colossal amount of data in the IoT, it's evident that, on a broad scale, the IoT is inherently personal. If one could link identity and activity within the IoT, they could compile highly sensitive and personal profiles. However, turning IoT data into identifiable information often involves navigating a complex path, merging segregated datasets, and overcoming numerous "ifs".
PII Code of Conduct for IoT
The author proposes a PII Code of Conduct for IoT: a set of basic rules for dealing with IoT privacy, starting with a maxim.
IoT Privacy Maxim: information is personal if identity can be correlated with activity.
IoT Privacy Rule #1: PII exists if the correlation of identity to activity is viable and probable.
IoT Privacy Rule #2: PII exists if identity and activity information exists in the same repository.
IoT Privacy guideline #3: PII is not intrinsic when identity and activity artifacts are in separate repositories.
As IoT continues to grow, understanding and defining PII within it becomes crucial. Data privacy hinges on how well we can correlate identity with activity and the systems we have in place to guard this information.
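The maxim and the three rules above can be applied mechanically to a data inventory. The following is an added example (not code from the book or its authors) that models each data store by the names of the columns it holds, flags a single store as PII when identity and activity attributes are co-located (Rule #2), and, for every pair of stores, checks whether a shared column other than an activity attribute makes a join "viable and probable" (Rule #1) or whether the stores are separate with no linking key (Guideline #3). The column vocabularies, store names and sample inventory are constructed for the example.

```python
from dataclasses import dataclass
from itertools import combinations

# Constructed vocabularies (assumed for this example): which column names are
# treated as "identity" (who) and which as "activity" (what, when, where).
# In practice these come from a data inventory or classification policy.
IDENTITY_COLUMNS = frozenset({"name", "email", "phone", "account_id"})
ACTIVITY_COLUMNS = frozenset({"location", "timestamp", "heart_rate", "door_event"})


@dataclass(frozen=True)
class Repository:
    """A data store described only by its name and the columns it holds."""
    name: str
    columns: frozenset


def has_identity(repo: Repository) -> bool:
    return bool(repo.columns & IDENTITY_COLUMNS)


def has_activity(repo: Repository) -> bool:
    return bool(repo.columns & ACTIVITY_COLUMNS)


def linking_keys(a: Repository, b: Repository) -> frozenset:
    """Columns shared by both stores that could serve as a join key.

    Shared activity attributes (e.g. a timestamp) are excluded because they
    do not reliably link one record to one person; anything else shared, such
    as a device serial or an identity attribute, makes correlation viable.
    """
    return (a.columns & b.columns) - ACTIVITY_COLUMNS


def classify_single(repo: Repository) -> str:
    """Rule #2: identity and activity in the same repository means PII exists."""
    if has_identity(repo) and has_activity(repo):
        return "PII (Rule #2: identity and activity co-located)"
    if has_identity(repo):
        return "identity only"
    if has_activity(repo):
        return "activity only"
    return "neither identity nor activity"


def classify_pair(a: Repository, b: Repository) -> str:
    """Rule #1 versus Guideline #3 for two separate repositories."""
    can_profile = (has_identity(a) and has_activity(b)) or (
        has_identity(b) and has_activity(a)
    )
    if not can_profile:
        return "no identity/activity pairing"
    keys = linking_keys(a, b)
    if keys:
        return f"PII (Rule #1: correlation viable via {sorted(keys)})"
    return "not intrinsically PII (Guideline #3: separate, no linking key)"


# Constructed sample inventory: a CRM, a device telemetry store, a fitness
# app table and a building door log.
SAMPLE_REPOSITORIES = [
    Repository("crm", frozenset({"account_id", "email", "name", "device_serial"})),
    Repository("telemetry", frozenset({"device_serial", "location", "timestamp"})),
    Repository("fitness", frozenset({"name", "heart_rate", "timestamp"})),
    Repository("door_log", frozenset({"door_event", "timestamp"})),
]


def assess(repos=SAMPLE_REPOSITORIES) -> dict:
    """Return a verdict per repository and per repository pair."""
    findings = {r.name: classify_single(r) for r in repos}
    for a, b in combinations(repos, 2):
        findings[f"{a.name}+{b.name}"] = classify_pair(a, b)
    return findings


if __name__ == "__main__":
    for subject, verdict in assess().items():
        print(f"{subject:20s} {verdict}")
```

Running the block shows that the telemetry store on its own is "activity only", yet paired with the CRM it becomes PII because both carry `device_serial`; the door log, which shares nothing but a timestamp with the identity stores, stays outside the PII boundary. That is the practical content of the maxim: the verdict depends on the linkability between stores, not on any single store in isolation.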
3. The Dawn of the Personal Information Service Economy
The Information Age is witnessing the rise of “personal information services”, a novel category of services influenced by the increased ability to provide and utilize personal data.
3.1 Types of Personal Information Services:
Data Management Services: These services aim to assist individuals in protecting and managing their personal data. Examples include security tools, identity management services, “do not track” technologies and policies, and web-based cookie compliance solutions.
Value-Based Services: These services utilize personal data to deliver value, either to individuals or to businesses. Examples include personalized recommendations, device recovery, and data retrieval and hiding services.
As people share more about their preferences and community aspirations, these collective actions could shape the economy. Personal information services might emerge as crucial economic resources, influencing or gauging an economy's trajectory.
3.2 Data-Centric and Person-Centric Processing:
Definition:
Data-Centric: Prioritizes data as the primary factor in design.
Person-Centric: Focuses on the individual as a core design element.
Privacy Concerns: Combining data-centric and person-centric approaches inevitably means processing personal information, which can raise privacy issues.
Importance of Privacy Engineering:
It is essential to collect customer data and interaction details in order to determine which privacy rules apply.
The definition of personal information is evolving. Data previously regarded as impersonal or machine-related is increasingly being viewed as personal.
A successful system design ensures that the value derived from data (DV) is greater than the associated risks (DR).
Privacy engineering enhances user experience, brand perception, and customer satisfaction.
It promotes the implementation of consistent engineering principles, avoiding singular and isolated design strategies.
Conclusion
As we've journeyed from the inception of the printing press to the sprawling web of IoT, each technological stride has beckoned us to re-evaluate our understanding and preservation of privacy. Our religious and cultural traditions remind us of privacy's deep-rooted significance, and the dawn of personal information services underscores its burgeoning importance in our service-driven economies. As we navigate this Information Age, it's imperative that we not only embrace the conveniences and innovations technology offers but also remain vigilant, proactive, and informed about our privacy rights and implications. For in the balance between technology's promise and privacy's prerogative lies the path to a harmonious digital future.
References
[1]: Dennedy, M. F., Fox, J., & Finneran, T. R. (2014). The privacy engineer's manifesto: getting from policy to code to QA to value (p. 400). Springer Nature.