I’ve had this podcast in the queue for a long time. Privacy has become one of those things that testers need to always have at the back of their mind when testing. Understanding Privacy is a book by Dan Solove; he was on the podcast circuit promoting it and made a number of excellent points on the subject in this interview.

  • People don’t understand the implications of giving up information
  • Because we don’t know how information might be used in the future (even the holders of the information don’t know yet), making an informed decision is really hard
  • What does privacy even mean? Usually it is a vague and amorphous concept
  • By contrast, the things that privacy is often traded off against, such as Security, are easy to define so they win out
  • Privacy isn’t one thing, but many things
  • Past attempts to define Privacy have been too broad (‘Right to be let alone’) or too narrow (‘intimate’ or ‘client confidentiality’)
  • Because of the diverse areas affected by Privacy, there is not just a single solution to it, but a basket of solutions for each problem
  • It is not about being paranoid, but about doing things with your eyes wide open
  • Unlike a car accident, the problems that Privacy issues cause might manifest many years down the road. The lack of immediacy is a key problem in education and recognition of risks
  • Most people think that because a company has a Privacy Policy it means the company won’t share your information. Umm, no.
  • Don’t think this is just a Consumer problem. It is hard to manage and build out from a developer / implementation perspective as well.
  • There are four broad categories of problems around Privacy. The idea is that with such a taxonomy you can work out which problems (and there is often more than one) need to be addressed.
    • Information Collection
      • Surveillance – watching or recording people’s activities; a problem when it inhibits them, or when what is recorded is used in an unrelated manner
      • Interrogation
    • Information Processing
      • Identification – linking people to information streams (think Gattaca)
      • Aggregation – combining bits of information to make something that is greater than the individual parts
      • Security – is the information kept securely?
      • Secondary Use – when data gathered for one purpose is used for others
      • Exclusion – denying people any knowledge of, or say in, how their data is used
    • Information Dissemination
      • Disclosure – spreading of facts
      • Breach of Confidentiality – betrayal of trust
      • Exposure – not a matter of reputation, but of deep embarrassment
      • Increased accessibility of information – obscure data being made less obscure
      • Blackmail – threatening to disclose information
      • Appropriation – using a person’s identity for someone else’s purposes
      • Distortion – spreading false or misleading information about a person
    • Invasion
      • Intrusion – spam for instance
      • Decisional Interference – outside interference in a person’s decisions about their private life
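The Identification and Aggregation items are the ones testers most often get to see in practice: a data set with the names stripped out is still identifying once it can be joined to another data set on the bits that were left in. The script below is my own added example, not something from the podcast or the book. It uses two small constructed data sets: a “de-identified” health extract and a public list that still carries names, both keyed by the same quasi-identifiers (zip code, date of birth, sex). It then measures k-anonymity, performs the linkage, and shows how coarsening the quasi-identifiers (a hypothetical `coarsen` step, my choice of mitigation) stops the unique matches.

```python
"""Aggregation / identification: re-identifying a "de-identified" data set
by joining it to a public one on shared quasi-identifiers.

Added example with constructed data; not from the podcast or the book.
"""
from collections import defaultdict

# Constructed "de-identified" health extract: names removed, but the
# quasi-identifiers (zip, dob, sex) were left in.
HEALTH = [
    {"zip": "02138", "dob": "1965-07-12", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02138", "dob": "1971-03-02", "sex": "M", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1965-07-12", "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "dob": "1980-11-30", "sex": "M", "diagnosis": "flu"},
    {"zip": "02139", "dob": "1980-11-30", "sex": "M", "diagnosis": "none"},
    {"zip": "02140", "dob": "1971-09-15", "sex": "M", "diagnosis": "asthma"},
]

# Constructed public list (think voter roll) that carries names alongside
# the same quasi-identifiers.
VOTERS = [
    {"name": "A. Lee",    "zip": "02138", "dob": "1965-07-12", "sex": "F"},
    {"name": "B. Ruiz",   "zip": "02138", "dob": "1971-03-02", "sex": "M"},
    {"name": "C. Wong",   "zip": "02139", "dob": "1965-07-12", "sex": "F"},
    {"name": "D. Ahmed",  "zip": "02139", "dob": "1980-11-30", "sex": "M"},
    {"name": "E. Novak",  "zip": "02139", "dob": "1980-11-30", "sex": "M"},
    {"name": "F. Okafor", "zip": "02140", "dob": "1971-09-15", "sex": "M"},
]

QI = ("zip", "dob", "sex")  # the quasi-identifier columns both sets share


def qi_key(row, transform=None):
    """Tuple of quasi-identifier values, optionally after a coarsening step."""
    r = transform(row) if transform else row
    return tuple(r[c] for c in QI)


def group_by_qi(rows, transform=None):
    """Equivalence classes: every row that shares the same quasi-identifiers."""
    groups = defaultdict(list)
    for row in rows:
        groups[qi_key(row, transform)].append(row)
    return groups


def k_anonymity(rows, transform=None):
    """Size of the smallest equivalence class; k == 1 means someone is unique."""
    return min(len(g) for g in group_by_qi(rows, transform).values())


def link(health, voters, transform=None):
    """Join the two sets on the quasi-identifiers.

    Returns {name: diagnosis} for every person who is unique on both sides;
    anyone who shares a class with someone else stays ambiguous."""
    h = group_by_qi(health, transform)
    v = group_by_qi(voters, transform)
    matched = {}
    for key, hrows in h.items():
        vrows = v.get(key, [])
        if len(hrows) == 1 and len(vrows) == 1:
            matched[vrows[0]["name"]] = hrows[0]["diagnosis"]
    return matched


def coarsen(row):
    """Hypothetical mitigation: generalise zip to 3 digits and dob to the year."""
    r = dict(row)
    r["zip"] = row["zip"][:3]
    r["dob"] = row["dob"][:4]
    return r


if __name__ == "__main__":
    print("k-anonymity of raw extract:", k_anonymity(HEALTH))
    print("re-identified:", link(HEALTH, VOTERS))
    print("k-anonymity after coarsening:", k_anonymity(HEALTH, coarsen))
    print("re-identified after coarsening:", link(HEALTH, VOTERS, coarsen))
```

On the raw extract four of the six people are unique on (zip, dob, sex) and get their diagnosis attached to a name; the two who share a class are protected only by each other. Coarsening the quasi-identifiers pushes every class to size two and the join yields nothing, which is the “basket of solutions” point in miniature: the security of the store was never the issue, the shape of what was released was.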