Engineering Privacy on the Scaffolds: An Existentialist Examination of Privacy by Design

Psaty, Kristen

doi:10.1007/978-3-319-91029-1_20

Kristen Psaty⁸

Part of the book series: Philosophy of Engineering and Technology ((POET,volume 31))

529 Accesses
3 Altmetric

Abstract

What is digital privacy and who in society should be responsible for protecting it? This paper considers the challenges in defining digital privacy as well as the newest movement in privacy law and regulation, the concept of “privacy by design,” which calls upon engineers to integrate privacy into technology throughout the construction process. This paper seeks to advance two objectives. First, it turns the focus of inquiry to the experience and decision-making process of the engineer. Through a combination of contemporary technological thought, an existential philosophical lens, and an informed legal perspective, this paper seeks to understand the relationship between the computer engineer, the user, and privacy. Second, this paper hopes to add to the philosophical debate surrounding the contours of privacy as it relates to the engineer’s role in forging it. This analysis seeks to reveal, in part, the nature of privacy and the necessary conditions for its implementation in technology.

Foreword

All ideas and points of view belong to me, and are no way representative of any of my employers.

In dedication to the future.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 109.00; Price excludes VAT (USA)

Softcover Book: USD 139.99; Price excludes VAT (USA)

Hardcover Book: USD 139.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

1.
The IAB provides long-range technical direction for Internet development, a direct evolution of the Interne Configuration Control Board (ICCB), created by the 1979 program manager of DARPA during early development of the Internet.
2.
The concept of privacy by design has its roots in the publication of a report on “Privacy Enhancing Technologies” in a joint effort by the Information and Privacy Commissioner of Ontario, Canada and the Dutch Data Protection Authority in 1995.
Privacy by design is built on 7 Foundational Principles: 1. Proactive not Reactive; Preventative not Remedial; 2. Privacy as the Default Setting; 3. Privacy Embedded into Design; 4. Full Functionality: Positive-Sum, not Zero-Sum; 5. End-to-End Security – Full Lifecycle Protection; 6. Visibility and Transparency – Keep it Open; 7. Respect for User Privacy – Keep it User-Centric.
3.
The operationalization of privacy still rests on the premise that privacy can be engineered. As some critics have asserted, not every privacy threat posed by disruptive technology is compatible with being designed or engineered away.
4.
Carnegie Mellon University has implemented a Master of Science in Information Technology (MSIT) in Privacy engineering. The program is the first of its kind and aims to integrate privacy perspectives spanning product design, software development, cyber security, human computer interaction, as well as business and legal considerations.
5.
Examples of corporations implicated in privacy actions abound. One example can be found in the 2016 Federal Trade Commission settlement with Vulcun under privacy related charges that it unfairly replaced a popular web browser game with a program that installed applications on consumers’ mobile devices without their permission.
6.
For example, in the American personal health information sector the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule, 45 CFR §§ 164.400–414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. A breach under the HIPAA Rules is defined as, “…the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” (See 45 C.F.R. 164.402).
“Access” to the personal information is broadly construed to encompass situations where electronic protected health information (ePHI) could have only have potentially been viewed. This example is described in regulatory guidance as a breach in incidents where ePHI is encrypted as the result of a ransomware attack, unless the covered entity can overcome the presumption by demonstrating that there is a “…low probability that the PHI has been compromised.” The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400–414.
7.
Perhaps this is part of the contour of what is private, that which triggers this shift in self-observation.

References

Carnegie Mellon University. (2017) Master of science in information technology in privacy engineering. http://privacy.cs.cmu.edu/. Accessed 1 Feb 2017.
Cavoukian, A. (2010). Privacy by design resolution. Resource document. 32nd international conference of data protection and privacy comissioners. https://www.ipc.on.ca/site_documents/pbd-resolution.pdf. Accessed 15 Oct 2016.
Clark, K. (2015). The EU safe harbor agreement is dead, here’s what to do about it. Resource document. Forbes. http://www.forbes.com/sites/riskmap/2015/10/27/the-eu-safe-harbor-agreement-is-dead-heres-what-to-do-about-it/#5401f2971719. Accessed 15 Oct 2016.
Cook, T. (2016). A message to our customers. http://www.apple.com/customer-letter/. Accessed 15 Oct 2016.
Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., Morris, J., Hansen, M., & Smith, R. (2013). Privacy considerations for internet protocols: RFC 6973. Resource document. Datatracker. https://datatracker.ietf.org/doc/rfc6973/?include_text=1. Accessed 15 Oct 2016.
Federal Trade Commission. (2016). Tech company settles FTC charges it unfairly installed apps on android mobile devices without users’ permission. https://www.ftc.gov/news-events/press-releases/2016/02/tech-company-settles-ftc-charges-it-unfairly-installed-apps. Accessed 1 Feb 2017.
Hustinx, P. (2010). Privacy by design: Delivering the promises. Resource document. Identity in the information society. https://www.ipc.on.ca/english/privacy/introduction-to-pbd/. Accessed 15 Oct 2016.
IAB. (2016). Internet architecture board. https://www.iab.org/. Accessed 15 Oct 2016.
Jefferson, T., & Tompkinson, H. (1816). Quotations on the Jefferson memorial. Resource document. Library of Congress. https://www.monticello.org/site/jefferson/quotations-jefferson-memorial. Accessed 15 Oct 2016.
Klitou, D. (2014). A solution, but not a panacea for defending privacy: The challenges, criticism and limitations of privacy by design. Resource document. Lecture notes in computer science. http://download.springer.com/static/pdf/612/chp%253A10.1007%252F978-3-642-54069-1_6.pdf?originUrl=http%3A%2F%2Flink.springer.com%2Fchapter%2F10.1007%2F978-3-642-54069-1_6&token2=exp=1463269172~acl=%2Fstatic%2Fpdf%2F612%2Fchp%25253A10.1007%25252F978-3-642-54069-1_6.pdf%3ForiginUrl%3Dhttp%253A%252F%252Flink.springer.com%252Fchapter%252F10.1007%252F978-3-642-54069-1_6*~hmac=569e0d4e52675a460416e634350c55b969018b5d631fcfd520dd5c5eee358c1f. Accessed 15 Oct 2016.
Lomas, N. (2017). Trump order strips privacy rights from non-U.S. Citizens, could Nix EU-US data flows. Tech Crunch. https://techcrunch.com/2017/01/26/trump-order-strips-privacy-rights-from-non-u-s-citizens-could-nix-eu-us-data-flows/. Accessed 1 Feb 2017.
Perez-Pena, R., & Schmidt, M. S. (2015). F.B.I. treating San Bernadino attack as terrorism case. Resource document. New York Times. http://www.nytimes.com/2015/12/05/us/tashfeen-malik-islamic-state.html?_r=0. Accessed 15 Oct 2016.
Rubin, J., Queally, J., & Paresh, D. (2017). FBI unlocks San Bernardino shooter’s iPhone and ends legal battle with Apple, for now. Los Angeles Times. http://www.latimes.com/local/lanow/la-me-ln-fbi-drops-fight-to-force-apple-to-unlock-san-bernardino-terrorist-iphone-20160328-story.html. Accessed 1 Feb 2017.
Sartre, J. P. (1992a). Being and nothingness: A phenomenological essay on ontology (Barnes, H. E., Trans.). New York: Washington Square Press, p. 343.
Google Scholar
Sartre, J. P. (1992b). Being and nothingness: A phenomenological essay on ontology (Barnes, H. E., Trans.). New York: Washington Square Press, p. 350–357.
Google Scholar
Sartre, J. P. (1992c). Being and nothingness: A phenomenological essay on ontology (Barnes, H. E., Trans.). New York: Washington Square Press, p. 340.
Google Scholar
Sartre, J. P. (1992d). Being and nothingness: A phenomenological essay on ontology (Barnes, H. E., Trans.). New York: Washington Square Press, p. 354.
Google Scholar
Sartre, J. P. (1992e). Being and nothingness: A phenomenological essay on ontology (Barnes, H. E., Trans.). New York: Washington Square Press, p. 302.
Google Scholar
Sartre, J. P. (1992f). Being and nothingness: A phenomenological essay on ontology (Barnes, H. E., Trans.). New York: Washington Square Press, p. 303.
Google Scholar
Sartre, J. P. (1992g). Being and nothingness: A phenomenological essay on ontology (Barnes, H. E., Trans.). New York: Washington Square Press, p. 347.
Google Scholar
Scott, M. (2015). Data transfer pact between U.S. and Europe is ruled invalid. Resource document. New York Times. http://www.nytimes.com/2015/10/07/technology/european-union-us-data-collection.html?_r=0. Accessed 15 Oct 2016.
The International Trade Administration, U.S. Department of Commerce. (2016). Privacy shield framework, “Privacy shield overview”. https://www.privacyshield.gov/Program-Overview. Accessed 1 Feb 2017.
The White House Office of the Press Secretary. (2017). Executive order: Enhancing public safety in the interior of the United States. https://www.whitehouse.gov/the-press-office/2017/01/25/presidential-executive-order-enhancing-public-safety-interior-united. Accessed 1 Feb 2017.
U.S. Department of Health & Human Services. (2016). Fact sheet: Ransomware and HIPPA. https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf. Accessed 1 Feb 2017.

Download references

Acknowledgments

Thank you to the gamut of engineers interviewed in the process of writing this piece. Special thanks to George Jakobsche for sparking my love of technology law, to Greg Pemberton for stoking it, to Santa Clara University School of Law High Technology Law Institute for fostering it, and to my readers Karl Bozicevic, Kyle Psaty, Celine Purcell, Evan Selinger and Andrew Watts. Deep and humble thanks to Jill Gordon, Lydia Moland, Valiere Dionne, and the Colby College Philosophy Department.

Author information

Authors and Affiliations

Privacy and Public Policy, Facebook, Menlo Park, CA, USA
Kristen Psaty

Authors

Kristen Psaty
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

Friedrich-Alexander-Universität Erlangen-Nürnberg, Nürnberg, Germany
Albrecht Fritzsche
Friedrich-Alexander-Universität Erlangen-Nürnberg, Nürnberg, Germany
Sascha Julian Oks

Rights and permissions

Reprints and permissions

Copyright information

About this chapter

Cite this chapter

Psaty, K. (2018). Engineering Privacy on the Scaffolds: An Existentialist Examination of Privacy by Design. In: Fritzsche, A., Oks, S. (eds) The Future of Engineering. Philosophy of Engineering and Technology, vol 31. Springer, Cham. https://doi.org/10.1007/978-3-319-91029-1_20

Download citation

DOI: https://doi.org/10.1007/978-3-319-91029-1_20
Published: 03 July 2018
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-91028-4
Online ISBN: 978-3-319-91029-1
eBook Packages: Religion and PhilosophyPhilosophy and Religion (R0)

Publish with us

Policies and ethics