This blog post is the first of a series of posts that aims at shedding some light on the terminological thicket of privacy engineering. The series primarily aims at illustrating the goals and functions of privacy engineering and how they can be implemented through different technologies. To inform this discussion, it will (if only briefly) also touch on the theoretical underpinnings of privacy and privacy engineering.
Every now and then people ask me what this “privacy engineering” thing I keep talking about actually is and what it is good for. Well, this looks like a very simple question and, sure, there are several readily available answers to it. However, there are widely different conceptions of what the discipline is or should be about. Which of those is the “right” one or useful for the task at hand depends on many factors such as the applicable regulatory framework, the context in which the designed system will be used or the background of the involved personnel.
So, let’s start at the beginning:
What is privacy engineering?
On the surface, this question is easy to answer – just have a look at the available definitions and choose the one you deem best. For example, you could use one of these:
| Source | Definition |
|---|---|
| NISTIR 8062 | “A specialty discipline of systems engineering focused on achieving freedom from conditions that can create problems for individuals with unacceptable consequences that arise from the system as it processes PII” |
| ISO/IEC 27550 | “Privacy engineering deals with the integration of privacy concerns into engineering practices for systems and software engineering life cycle processes.” |
| Dennedy et al. | “engineering data governance for personal information into the design and implementation of routines, systems, and products that process personal information” |
| Cavoukian et al. | “the discipline of understanding how to include privacy as non-functional requirement in system engineering” |
| Gürses & del Alamo | “Privacy engineering is an emerging research framework that focuses on designing, implementing, adapting, and evaluating theories, methods, techniques, and tools to systematically capture and address privacy issues in the development of sociotechnical systems.” |
While these definitions focus on different aspects of privacy engineering, they are still similar in that they relate to systems engineering and the privacy-by-design paradigm. However, many of them are rife with terminology that is vague, starting with the term “privacy” that might mean very different things to different people. Indeed, the notion that privacy is a multi-faceted concept is so commonplace that it borders on cliché.
So, what exactly is privacy, what is privacy-by-design and when is a system privacy-preserving? The answer to the latter question obviously depends on the answer to the first. However, one can also very well argue that a precise definition of privacy might not be the most important thing when it comes to protecting privacy. Rather, it might be more fruitful to ask what privacy is for. As I want to focus on the practical aspects of privacy engineering, I won’t go into that discussion here and refer you to Woodrow Hartzog, who just recently covered that topic.
The next post in this series will present three highly influential notions of privacy to lay the foundation for a discussion of their impact on privacy engineering practice and how they are reflected in different approaches towards privacy-by-design and the selection of technical (and organizational) measures for data protection.