Friday, March 23, 2018

Privacy is not dead, but does need reinforcement

The sky is falling... is the general feeling in the Privacy community.. Businesses are out to take your Privacy from you... There is no privacy left.... Give up...

I am a Privacy advocate. I sometimes give myself the title "CyberPrivacy" specifically because I do focus on  Electronic Information Privacy and not physical privacy. I am very angry at the Privacy failures.  I just have a more pragmatic perspective. A perspective from experience. A perspective that is grounded in both 
  • Occam's razor - The most simple solution is the best.
  • Hanlon's Razor - Never attribute to malice that which is adequately explained by stupidity.

Privacy is not on the top 5 things to do, and therefore not done... 

Anyone who has ever worked on some kind of an application, will recognize that all the outstanding things to work on (the backlog) get prioritized. The priority is very simply based on how important that outstanding issue is to the overall functionality. Most weighted in priority are those things that are differentiators from your competitor, those things that the most people are asking for.  Of the resulting prioritized list, the team will be focused on the top 5, sometimes just the top one... 

This is especially true in "Agile", where there is a unrelenting focus on "Minimally Viable Product", and "Continuous Deployment". Agile is very quick to get features into the customer hands, but really slow at getting the foundational capabilities into the product. Things like Performance, Modularity, Robustness, Security, and Privacy... 

Privacy-By-Design still takes effort

Privacy-By-Design is a fantastic approach. I have promoted it in many ways. Privacy-By-Design is a process that one would use when designing a system so that one includes privacy into the design. When done this way, the overall energy it to implement is minimized. When done this way, the overall design has a 'privacy' feature. But it does require that someone decide to use Privacy-By-Design, which does require that someone decide Privacy is worth acting upon. 

Although Privacy is a great feature, it is a dangerous feature

Another reason Privacy doesn't get into the top 5 priorities is because it is a double edged sward. That is to say that it might be a fantastic feature, but if anything goes wrong it becomes your most damaging failure.

If you market your product/service/software as "Privacy Protecting", then you better do a perfect job. Given that Privacy has some Principles that are very deterministic. Some Principles are a bit harder, like Consent and Transparency. However there are some Privacy Principles that are risk based; De-Identification, and Security. That is to say that there is always some risk that private data will escape containment. You design to keep it as well contained as possible, but accidents happen. Most accidents happen because of human error, but not exclusively.

Facebook as exemplar

The Facebook case around Cambridge Analytica is a good exemplar... Facebook ignored privacy for a long time, never a business priority. Things are changing in the market where privacy might be able to break into top 5 priorities. But I'm not sure. The threat of penalty upon privacy failure is far harder to justify as a priority, over a positive money flow caused by some business action. Even when both are equal dollars. Business leadership is mildly smart, but investors are dumb and focus only on actual dollars. So potential loss due to unlikely privacy issue simply doesn't factor into the picture.

Many people expected this of Facebook, and are less outraged. I have always figured everything I have given Facebook is public. So to me, this incident was not shocking. Made me angry, yes.

Apple is not without scars

Apple, who everyone likes to think is a perfect company, is not without privacy scars. Easiest case for me to point at is their failure around their De-Identification mechanism "Differential Privacy", fails. A fantastic capability, and I think well done. But as I stated above, some of these things fall into a 'risk' classification where all one can do is lower the risk as much as possible.


Business is not fundamentally the issue. Businesses are not out to hurt you. Businesses are being pushed to deliver products faster, focus on flashy features. The reason, Consumers demand it and will leave your product for a more flashy product. Stupid society plus capitalism are the problem. 

 In the EU the population seems to be smarter about this. GDPR might save us all. 

I continue to fight. I continue to develop standards. I continue to blog. I continue to be selective about what I do as a consumer. I educate everyone I can. I don't worry about those that don't want to be educated. Privacy is not dead, but it does need reinforcement.

No comments:

Post a Comment