Sarah Spiekermann and Lorrie Faith Cranor, in their work “Engineering Privacy”, state that software engineers carry a major responsibility for developing privacy-friendly systems “because they are the ones devising the technical architecture and creating the code”. They present a three-layer model of user privacy concerns and a responsibility framework. Based on this model they elaborate a set of guidelines, categorising them as “privacy-by-policy” and “privacy-by-architecture”.
Three-Layer Privacy Responsibility Framework
The authors distinguish three spheres of privacy: the User Sphere (confined to the user’s own environment, i.e. laptop, mobile phone, integrated systems, etc.), the Recipient Sphere (the company-centric sphere comprising its back-end infrastructure) and the Joint Sphere (companies that host users’ information, such as email or Facebook). For each of these privacy layers, the following table describes where the data is stored, what the engineer’s responsibility is and which engineering issues they need to address.
| Privacy Spheres | Where Data is Stored | Engineer’s Responsibility | Engineering Issues |
|---|---|---|---|
| User Sphere | Users’ desktop personal computers, laptops, mobile phones, RFID chips | | |
| Joint Sphere | Web service provider’s servers and databases | | |
| Recipient Sphere | Any data recipients: servers and databases of network providers, service providers or other parties with whom the data recipient shares data | | |
Framework for Privacy-Friendly System Design
Spiekermann and Cranor propose a framework for developing privacy-friendly systems. Privacy stages are ranked from lowest to highest according to the degree of identifiability of a user (identified, pseudonymous, anonymous). Where the user is fully identified, privacy has to be provided by policy, while where users are pseudonymous or anonymous, privacy can also be provided by architecture. The following table matches these attributes with the characteristics of the corresponding systems.
| Privacy Stage | Identifiability | Approach to Privacy Protection | Linkability of Data to Personal Identifiers | System Characteristics |
|---|---|---|---|---|
| 0 | identified | privacy by policy (notice and choice) | linked | |
| 1 | pseudonymous | privacy by policy (notice and choice) | linkable with reasonable & automatable effort | |
| 2 | pseudonymous | privacy by architecture | not linkable with reasonable effort | |
| 3 | anonymous | privacy by architecture | unlinkable | |
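As an added illustration of the linkability column above (example code written for this summary, not from Spiekermann and Cranor’s paper), each function below emits a record at one privacy stage, and `relink` models what an observer with or without the pseudonym key can tie back to a person. The key, identifiers and events are constructed sample values.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed demo key; in practice held only by the data controller.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"


def stage0_identified(user_id, event):
    """Stage 0: record carries the real identifier; protection rests on policy alone."""
    return {"user": user_id, "event": event}


def stage1_pseudonymous(user_id, event, key=PSEUDONYM_KEY):
    """Stage 1: keyed pseudonym; relinkable with reasonable, automatable effort by the key holder."""
    digest = hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()
    return {"user": digest[:16], "event": event}


def stage2_session_scoped(event, session_token=None):
    """Stage 2: fresh random token per session; no key exists to reverse it, and
    one person's records are not linkable across sessions with reasonable effort."""
    return {"user": session_token or secrets.token_hex(8), "event": event}


def stage3_anonymous(events):
    """Stage 3: only aggregate counts leave the user sphere; no per-person row exists."""
    return dict(Counter(events))


def relink(records, candidate_ids, key=None):
    """Identifiers an observer holding `key` (or none) can tie to the records.
    Identified rows match directly, pseudonymous rows only via the key, tokens never."""
    pseudonyms = {}
    if key is not None:
        pseudonyms = {hmac.new(key, c.encode(), hashlib.sha256).hexdigest()[:16]: c
                      for c in candidate_ids}
    linked = set()
    for r in records:
        if r["user"] in candidate_ids:
            linked.add(r["user"])
        elif r["user"] in pseudonyms:
            linked.add(pseudonyms[r["user"]])
    return linked


def linkable_across_sessions(records):
    """True when two records share a 'user' value, i.e. the same person can be tracked."""
    return len({r["user"] for r in records}) < len(records)
```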
References:
S. Spiekermann and L. F. Cranor, “Engineering privacy,” IEEE Transactions on Software Engineering, vol. 35, no. 1, pp. 67–82, 2009.