Privacy by Design References

-
(This was written and first published elsewhere in June 2020)

Below are some resources that have been useful as I've been exploring the relationship between privacy by design and engineering.
  • CNIL GDPR Guide for Developers
    • GDPR or not, this guide is a great stepwise process to keep an eye on privacy issues throughout the SDLC.
  • Putting the D into PbD: Turning Privacy Law into Design Solutions
    • This fun webinar during Privacy Awareness Week in May 2020 featured a role playing exercise to highlight the disconnect that lawyers and engineers often experience with respect to privacy engineering. Many of its lessons really resonated with experiences I've had. With an engineering hat on, answers seem like a simple binary solution. On the privacy side, however, it's one of the fuzzier areas of law. What to do?
    • Many of the examples in the webinar focused on clarifying shared language in context. For example, "sensitive data", "encrypted" or "personal information" are likely to have nuanced definitions across jurisdictions. Similarly, consent is not a magic wand to fix all of your potential legal or regulatory issues. (And might have a precise definition that only a lawyer could love.)
    • Another great idea reviewed was taking the classic (and still very useful) CIA security triad and expanding with a few privacy categories to ensure that privacy issues are included in risk assessments and threat models.
    • There are some great materials on the Salinger Privacy blog as well, check them out!
  • How to operationalize privacy by design
    • This IAPP article highlighted important communication considerations in implementing an organization-wide or product-specific privacy program. The importance of C-level support and early communication, getting involved in the right meetings early in projects, and trying to automate processes are among the recommendations here.
    • The need to constantly reevaluate your approach and integrate continuous learnings from various sources really resonated for me. Not only does guidance change -- hello, CCPA and maybe soon, CPRA -- but project needs rapidly shift. Whether checklists and guidance, code reviews, or advising on the privacy tradeoffs of new features, there's a lot for privacy pros to keep up with.

Popular posts from this blog

Thinking About BIPA and Machine Learning

-
One article that really caught my attention recently discussed the use of Creative Commons-licensed images from Flickr as part of the MegaFace dataset for training facial recognition algorithms. Despite its aggressive (but not untrue) title, it highlights the many sides of the questions we the people and we the companies building products with these technologies face confront. Focusing on the licensing, Flickr truly expanded the available commons of openly-licensed images by allowing its community to choose Creative Commons (CC) licenses. Interestingly, the latest version of the most permissive CC license expressly does not license "publicity, privacy, and/or other similar personality rights", yet the licensor agrees not to assert such rights to the extent necessary to support the rest of the license. However, previous versions of this or other CC licenses probably apply to many photos in the data set, and not all of the other licenses contain this language. For the Cre
Read more

Changing PDF Metadata with Python

-
While updating a pdf recently, I noticed some metadata I wanted to change and a few annotations that were hidden from view but still in the file. However, the "Get Info" pane in Preview on OS X doesn't provide a metadata editor, nor does its Export function, so it seemed like a good opportunity to learn a bit more about the PDF standard and Python packages for getting the job done. Adobe Acrobat or other GUI's would've been much faster, but I'll likely need to do this programmatically again at some point like those of you who might've found this post by looking on your favorite privacy-preserving search engine for "change pdf metadata in python". So here we go. Before starting, I hopped into a new folder and created a git repository with a first commit of my original pdf in case anything went wrong. Then I ran conda create --name pdf --python=3.8.1 and conda activate pdf to set up an Anaconda virtual Environment named pdf to keep my work is
Read more

A New Serverless Look

-
(Update 3/20/2024: If it ain't broke, do the classic developer thing and rebuild it! I've taken the site described below offline, and moved its posts here.) Until recently, I had no reason to build anything elaborate with a serverless architecture. Yet it's everywhere now! There's  Amplify , Netflify , JAM , SAM , lambdas , workers and more to learn about.
Read more