This article is published in the March 2015 issue.

Privacy by Design Workshop: Concepts and Connections

The following guest blog post is contributed by Ph.D. students Nick Doty and Richmond Wong working with Deirdre Mulligan from the University of California Berkeley School of Information.

For years, lawmakers, advocates and engineers have touted the potential benefits of Privacy by Design, of integrating privacy throughout the technical design process rather than an after-the-fact. Nonetheless, we still struggle with how to practice Privacy by Design, whether it’s how to conceptualize privacy, how to build privacy in the engineering process, how to present those privacy designs to users or how to incentivize practice of and compliance with Privacy by Design.

In order to identify a shared research vision to support these different facets of the practice of Privacy by Design, the Computing Community Consortium (CCC) is sponsoring a series of four workshops over this year. We kicked off the series this past week with the first workshop held in stormy Berkeley, California.

A group of over 40 collaborators represented various parts of industry, academia, government and civil society: from health care to social networking to telecommunications, from philosophy to law to computer science, from national intelligence services to state pension authorities to consumer advocates.

Based on a series of case studies of privacy complaints arising in different sectors, groups analyzed: the applicability of existing privacy frameworks such as the Fair Information Practice Principles; taxonomies of privacy harms and justifications; and new concepts or “properties” of privacy. The group struggled with the “essentially contested” concept of privacy and how nonetheless different concepts or analytical tools can help us identify and address privacy concerns.

The workshop also heard “reports from the field” on those who have implemented — or are struggling to improve — privacy programs in the wild: at large tech companies, Internet standard-setting bodies or government agencies. Often highlighted were disciplinary differences: both in the different ways that academics (lawyers versus computer scientists, say) approach the concept of privacy and its practice and in the effective organization of multi-functional teams within companies. We heard frequently that attendees had met new people and been challenged by new ideas. We hope those connections will contribute to productive workshops to come.

Reflecting over the two days and looking forward, participants discussed how to engage with the complexity of conceptualizing privacy, and how to bring in expertise from other relevant perspectives such as economics, sociology, and science & technology studies. We identified a desire to bridge the technical and social research cultures, and to bridge the research work creating new privacy tools and the adoption of those tools in the practice of Privacy by Design.

Organization is in progress for a workshop in May to discuss privacy from the perspective of design, hosted at Georgia Tech. In the fall, we will gather software engineers at Carnegie Mellon to discuss their development practices in depth. Finally, to wrap up the series, an east coast event will provide a discussion for policymakers and regulators to discuss how to catalyze Privacy by Design.

Presentations, introductions of the participants, reports from our brainstorming sessions and collected scholarly references are all available on the workshop series homepage. We will invite some participants to blog about their individual experiences here and a more detailed workshop report will follow.