Privacy By Design:
Moving from Art to Practice
Designing privacy into systems at the beginning of the development process necessitates the effective
translation of privacy principles, models, and mechanisms into system requirements.
Mos T PeoPLe inVoLVeD with system development are well aware of the adage that you are bet- ter off designing in security and privacy (and pretty much
any other “nonfunctional” requirements) from the start, rather than trying to add them later. Yet, if this is the
conventional wisdom, why is the conventional outcome so frequently systems with major flaws in these areas?
Part of the problem is that while
people know how to talk about functionality, they are typically a lot less fluent in security and privacy. They may
sincerely want security and privacy, but
they seldom know how to specify what
they seek. Specifying functionality, on
the other hand, is a little more straightforward, and thus the system that previously could make only regular coffee
in addition to doing word processing
will now make espresso too. (Whether
this functionality actually meets user
needs is another matter.)
members of staff are seen demonstrating a new whole-body security scanner at manchester
airport, manchester, england, in January 2010. airline passengers bound for the united
states faced a hodgepodge of security measures across europe and airports did not appear
to be following a u.s. request for increased screening of passengers from 14 countries.
security and Privacy
PHo TogRAPH by Jon SuPER/AP PHo To
The fact that it is often not apparent
what security and privacy should look
like is indicative of some deeper issues.
Security and privacy tend to be articulated at a level of abstraction that often
makes their specific manifestations
less than obvious, to either customers
or system developers.
This is not to say the emperor has
no clothes; far from it. There are sub-
stantial bodies of knowledge for some
nonfunctional areas, including secu-
rity, but figuring out how to translate
the abstract principles, models, and
mechanisms into comprehensive spe-
cific requirements for specific systems
operating within specific contexts is
seldom straightforward. That trans-
lation process is crucial to designing
these properties into systems, but it
also tends to be the most problematic
activity and the activity for which the
least guidance is provided. The sheer
complexity of most modern systems
compounds the problem.