Privacy and big data are at the forefront of many policy (and economics) discussions these days. The two are conflated and act as the central theme for public and legislative debate on new laws and policies affecting data brokers, national security organizations, foreign entities and the general public at large. One of the most interesting of these discussions, which I participated in, was the NIST sponsored “Privacy Engineering Workshop,” a forum designed to address the shortcomings in the new “Framework for Improving Critical Infrastructure” in respect to privacy. This workshop was undertaken simultaneously with the White House OSTP’s Workshops on privacy and big data across the country (I will write about these in upcoming installments). The outcome of these two efforts is to address the growing concerns around the real impacts of privacy and big data on the public and private sectors within the US, and outside.
Privacy engineering is not a new, but an evolving notion—one that portends to have great impact on how we address privacy policies and protections on an end-to-end basis by designing them in, rather than attempting to bolt them on afterwards. It is a technical level activity that has broad support by the academic, public and private sectors, given the level of participation so far.
The OASIS Privacy by Design principles are a major influence of this thinking, along with existing (and future) Federal Information Practices (or FIPPS), existing NIST Standards and Industry-driven protocols and best practices. The outcome of these endeavors will no doubt be a group of logical and architectural constructs based on well characterized use cases, which will then drive standards for the design and monitoring of privacy protections in the next generation of protocols, solutions and large systems. Although technical in nature, these engineering constructs must be applied such that no matter the policies and rules driving them they can be implemented, and then monitored, in a consistent fashion that allows for uniformity in how privacy is addressed at a systems level.
I commend this effort, as it is core to the success of any type of Universal Privacy Doctrine that might ever come about. It is also critical to everyone reaching a level of trust in the use of the cloud, internet, mobile and social media applications that we are all so desirous of taking advantage of in our daily lives, personally and commercially.
I believe that if we are ever going to see big data become that game changer we must address existing privacy before the genie is forever out of the lamp. A growing number believe that we have already sacrificed any notion of privacy, given the now frequent information leaks and hacks of personal data. To many it feels that we have no real privacy protections to stop anyone from behaving this way.
Privacy engineering offers a collaborative framework for achieving the desired outcomes; however, it must be supported by comprehensive policies and governance (for example: monitoring and enforcement). The long-standing privacy doctrine of “Notify and Consent” is no longer applicable or relevant to world we live in.
I will be speaking on “Privacy Engineering for a Software Defined Anything World” at the upcoming SDx Conference in London on May 15. Join me to dig into the pragmatics of how we can engineer privacy into the evolving software defined architectures and solutions that are being advocated for the next generation data center and cloud-based solutions.