Privacy By Design: Protect User Data From 'Get-Go'

International effort seeks to bake in consumer privacy options.

January 5, 2015

Ann Cavoukian


As the world becomes more interconnected through a web of mobile devices and smart software that tracks a person's every move, how that personal data is used, and how much control an individual has over it, have become important topics for government, industry, consumer, and civil liberties groups.

An international effort is developing a framework for governments and companies that bakes in privacy protection at the very beginning of a software or mobile device development effort.

Known as Privacy By Design (PBD), it is a process focused on user control and freedom of choice regarding how and when to share personal data. PBD is the brainchild of Ann Cavoukian, former Commissioner for Information and Privacy for the Canadian province of Ontario and now the executive director of Ryerson University's Privacy and Big Data Institute.


Cavoukian outlined the main goals of PBD at a recent seminar on international privacy efforts on the campus of the National Institute of Standards and Technology (NIST) in Gaithersburg, Md. Privacy is a global challenge, she said. Cavoukian rejected the notion that technological progress and privacy are inherently at odds, noting that such thinking whittles away at personal self-determination over private data. Privacy is not about secrecy, it is about personal control: how an individual wants his or her data to be used, she said.

"We have to start thinking about privacy in a bigger way," Cavoukian said. Context is key to managing privacy, she added. Citing a recent Pew Research Internet Project, "Public Perceptions and Security in the Post-Snowden Era," she noted there is widespread public concern about government surveillance and the loss of control over personal information.

Cavoukian said PBD is being adopted as an international standard and has been translated into 37 languages. Both the United Nations and the US government have said PBD is vital for maintaining personal privacy in technological applications, she noted, adding that NIST is working to apply privacy engineering and risk models for PBD standards.

The essence of PBD is proactiveness; regulatory compliance alone is unsustainable, she said. To make privacy proactive, it must be embedded into software applications as the default setting. Most current privacy options are overly complicated, which means many consumers do not use them. But privacy can be built in from the beginning, which would allow users to relax about the safety of their data. "You can offer privacy assurance from the get-go," she said.

There are nine current major application areas for PBD processes: surveillance cameras in mass transit systems, biometrics used in casinos and gaming facilities, smart meters and smart grids, mobile communications, near-field communications, RFID and sensor technologies, redesigned IP geolocation, remote healthcare, and big data and analytics.

Internationally, there are ongoing projects between the European Union and the US to bridge the gaps in how the two regions approach privacy, said Bojana Bellamy, president of the Centre for Information Policy Leadership in Washington, D.C. Major projects include work on accountability, privacy by design, and privacy principles. She noted that there is a global groundswell of accountability efforts seeking to establish legal accountability for privacy issues.

European and international groups look at privacy from a risk-management perspective, Bellamy said. These efforts examine the role of risk in data privacy and seek to develop best practices for accessing and protecting private information in online services and applications.

The federal government is already embracing some of the PBD concepts in its operations. Speaking at the NIST event, Jessica Rich, director of the Federal Trade Commission's Bureau of Consumer Protection, said private industry has to do more to make privacy policies more understandable to customers by eliminating the dense legalese they are often written in.

But the FTC is not reinventing the wheel to better protect customer privacy. Instead, Rich said, it is adapting the existing Fair Information Practice Principles. These adaptations include embracing PBD concepts, mandating easy-to-use opt-in or opt-out privacy choices for customers, and basic transparency in the form of companies providing customers with reasonable access to their data through revised privacy policies.

The FTC is actively working on a number of policies and initiatives to protect consumer data, Rich said. For example, it is looking at how many mobile applications aimed at children collect information without telling parents that data is being collected or giving them access to it. She said the FTC is currently involved in more than 50 enforcement actions against firms that failed to provide adequate security for their customers' data. Many firms still fail to provide basic data security for their customers' information, she said.
