Invading Privacy (at scale)

I had a wonderful time at the recent IAPP Global Privacy Summit, reconnecting with old friends, connecting in person with virtual friends and meeting many new ones for the first time. Some of my favorite activities included sharing my knowledge and expertise through a talk on privacy risk I gave with Nakia Grayson (NIST), Laurens Sion (KU Leuven) and Janelle Hsia (Privacy SWAN) and the many networking opportunities to learn what people are working on in the privacy professional community. I was also extremely happy to promote the second edition of my book, Strategic Privacy by Design, which has been significantly expanded and modified in the three years since the original publications (privacy is definitely an evolving field).

During one of the networking events, one person inquired about my methodology for threat modeling privacy, noting the new chapter in my book. I was excited to explain, but as I began, this person expressed concern that the method “didn’t scale.” Caught off guard, I inarticulately noted that if you want to do threat modeling, you actually have to do threat modeling; there isn’t a short-cut. There is no easy button. While there are certainly efforts you can undertake to streamline the process, scaling, in the way this person envisioned, can often lead to mediocrity in results. No one would claim that a meal at a fast-food restaurant has the quality one would find in a Michelin-starred restaurant. This isn’t to say that an award-winning chef cannot have an efficient and streamlined process, but they will never produce food at the scale of a major chain while maintaining the quality needed to keep their star rating. The chef can source quality ingredients across all their dishes, but each recipe must account for the nuances of mixing flavors and cooking methods. Sampling and taste testing ensure quality before the dish goes out the kitchen door (contrast this with chains that fire employees for sampling the food). Similarly, one can streamline threat modeling by recognizing similarities in threat scenarios and not repeating the same analysis for every product or service (a chef can know how much salt is too much), but the uniqueness of each context deserves some review and introspection, something that can be done through privacy threat modeling.

In systems engineering, there is the concept of non-functional requirements, often referred to as quality attributes. Sometimes these are mistaken as not being true requirements because they may get prioritized against each other, with lower-priority “requirements” pushed to future sprints. These are qualities like accessibility, safety, usability, improvability, portability and, important for our purposes, privacy. As with burgers at a fast-food restaurant, if you’re producing new products or services at a rapid pace, some quality attributes may not get the attention they need. Organizations will prioritize what’s important to them, whether that’s taste, safety, usability, or privacy. If an organization favors scalability or profitability above privacy, then privacy may not get the attention we, as privacy professionals, believe it deserves.

Woodrow Hartzog, in his wonderful book Privacy’s Blueprint, says that one way to deter or reduce privacy violations is to increase transaction costs. In other words, increase the cost of invading someone’s privacy. The best illustrative example I have for this is the Telemarketing Sales Rule, under the TCFPA, which prohibits robocalls. The rule increases transaction costs by requiring a live agent for telephone solicitations and prevents telemarketers from invading people’s privacy cheaply and at scale through automated calls and messages. We can view the design process in a similar vein. If you’re producing new products or services, or even features of products and services, on an assembly line, increasing the organization’s costs through threat modeling and risk analysis might be a good thing.

The moral of the story is, if you’re invading people’s privacy at scale, perhaps you should pump the brakes a little, slow down and be considerate of what you’re doing.

Dr. RICKY JHA - FIP, AIGP

A COMPLIANCE & TRUST WRANGLER

2 years

NFR is not equal to non-relevant.. agile is also to a great extent responsible for this leech, with minimum documentation and more focus on speed to market.. I have seen some best practices for NFR and FR CBA going down the drain.. a great reading R. Jason RJ.

Katharina Koerner

AI Governance I Digital Consulting I Trace3 : All Possibilities Live in Technology: Innovating with risk-managed AI: Strategies to Advance Business Goals through AI Governance, Privacy & Security

2 years

Like your explanation of non-functional requirements / quality attributes like accessibility, safety, usability, improvability, portability and, important for our purposes, privacy.
