Engineering Privacy by Design
Authors
Abstract
The design and implementation of privacy requirements in systems is a difficult problem and requires the translation of complex social, legal and ethical concerns into systems requirements. The concept of “privacy by design” has been proposed to serve as a guideline on how to address these concerns. “Privacy by design” consists of a number of principles that can be applied from the onset of systems development to mitigate privacy concerns and achieve data protection compliance. However, these principles remain vague and leave many open questions about their application when engineering systems. In this paper we show how departing from data minimization is a necessary and foundational first step to engineer systems in line with the principles of privacy by design. We first discuss what data minimization can mean from a security engineering perspective. We then present a summary of two case studies in which privacy is achieved by minimizing different types of data, according to the purpose of each application. First, we present a privacy-preserving ePetition system, in which users’ privacy is guaranteed by hiding their identity from the provider while revealing their votes. Secondly, we study a road tolling system, in which users have to be identified for billing reasons and data minimization is applied to protect further sensitive information (in this case location information). The case studies make evident that the application of data minimization does not necessarily imply anonymity, but may also be achieved by means of concealing information related to identifiable individuals. In fact, different kinds of data minimization are possible, and each system requires careful crafting of the data minimization best suited for its purpose. Most importantly, the two case studies underline that the interpretation of privacy by design principles requires specific engineering expertise, contextual analysis, and a balancing of multilateral security and privacy interests.
They show that privacy by design is a productive space in which there is no single way of solving the problems. Based on our analysis of the two case studies, we argue that engineering systems according to the privacy by design principles requires the development of generalizable methodologies that build upon the principle of data minimization. However, the complexity of this engineering task demands caution against reducing such methodologies to “privacy by design checklists” that can easily be ticked off for compliance reasons while not mitigating some of the risks that privacy by design is meant to address.
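The road tolling case above is the "identified user, concealed location" kind of data minimization. The following added example (not the paper's protocol, and not code from the authors) contrasts a naive design that ships the whole location trace to the provider with a minimized design in which the on-board unit computes the fee locally and sends only the user's identity, the total, and hash commitments that let the provider spot-check a single segment without learning the rest. The price table, trace, and key are constructed sample values.

```python
import hashlib
import hmac

# Constructed price table: toll in cents per km for each road segment (hypothetical)
PRICE_CENTS_PER_KM = {"A1": 10, "A2": 25, "R3": 5}

# Constructed trace recorded by the on-board unit: (segment, km driven)
TRACE = [("A1", 12), ("A2", 4), ("A1", 3), ("R3", 20)]


def naive_report(user_id, trace):
    """Non-minimized design: the full location trace leaves the vehicle."""
    return {"user": user_id, "trace": list(trace)}


def segment_fees(trace):
    """Per-segment fees computed locally, so the provider never needs the trace."""
    return [(seg, km, km * PRICE_CENTS_PER_KM[seg]) for seg, km in trace]


def nonce_for(key, index):
    # Per-segment nonce derived from the OBU key; revealing one nonce reveals neither
    # the key nor the nonces of other segments.
    return hmac.new(key, str(index).encode(), hashlib.sha256).digest()


def commit(nonce, index, seg, km, fee):
    """Hash commitment to one segment's (segment, km, fee) triple."""
    return hashlib.sha256(nonce + f"|{index}|{seg}|{km}|{fee}".encode()).hexdigest()


def minimized_report(user_id, trace, key):
    """Minimized design: identity and total are revealed, locations are concealed."""
    fees = segment_fees(trace)
    total = sum(fee for _, _, fee in fees)
    commitments = [commit(nonce_for(key, i), i, s, km, f) for i, (s, km, f) in enumerate(fees)]
    return {"user": user_id, "total": total, "commitments": commitments}


def open_segment(trace, key, index):
    """Opening for a provider spot check: discloses only the challenged segment."""
    seg, km, fee = segment_fees(trace)[index]
    return {"index": index, "segment": seg, "km": km, "fee": fee, "nonce": nonce_for(key, index)}


def verify_opening(report, opening):
    """Provider side: the opening must match the commitment and the public price table."""
    i = opening["index"]
    expected = commit(opening["nonce"], i, opening["segment"], opening["km"], opening["fee"])
    priced_ok = opening["fee"] == opening["km"] * PRICE_CENTS_PER_KM[opening["segment"]]
    return hmac.compare_digest(expected, report["commitments"][i]) and priced_ok
```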
Similar references
Towards a Principled Approach for Engineering Privacy by Design
Privacy by Design has emerged as a proactive, integrative, and creative approach for embedding privacy requirements into the early stages of the design of information and communication technologies, business practices, and physical designs and infrastructures. Yet, Privacy by Design is no ‘silver bullet’. Challenges involved in engineering Privacy by Design include a lack of holistic, systemati...
A Metamodel for Privacy Engineering Methods
Engineering privacy in information systems requires systematic methods to capture and address privacy issues throughout the development process. However, the diversity of both privacy and engineering approaches, together with the specific context and scope of each project, have spawned a plethora of privacy engineering methods. Method engineering can help to cope with this landscape, as it allo...
Game-Based Cryptanalysis of a Lightweight CRC-Based Authentication Protocol for EPC Tags
The term "Internet of Things (IoT)" expresses a huge network of smart and connected objects which can interact with other devices without our interposition. Radio frequency identification (RFID) is a great technology and an interesting candidate to provide communications for IoT networks, but numerous security and privacy issues need to be considered. In this paper, we analyze the security and ...
SIED, a Data Privacy Engineering Framework
While a number of data privacy techniques have been proposed in the recent years, a few frameworks have been suggested for the implementation of the data privacy process. Most of the proposed approaches are tailored towards implementing a specific data privacy algorithm but not the overall data privacy engineering and design process. Therefore, as a contribution, this study proposes SIED (Speci...
Privacy Requirement Engineering Based on Modified Evidence Combination Approach
A major challenge in the field of software engineering is to make users trust the software that they use in their everyday professional or recreational activities. Trusting software depends on various elements, one of which is the protection of user privacy. Protecting privacy can be defined as the right to determine when, how and to what extent information about them is communicated to other...