Privacy Mindset, Technological Mindset

Abstract

Policymakers around the world constantly search for new tools to address growing concerns as to informational privacy (data protection). One solution that has gained support in recent years among policy makers is Privacy by Design (PbD). The idea is simple: think of privacy ex ante, and embed privacy within the design of a new technological system, rather than try to fix it ex post, when it is often too late. However, PbD is yet to gain an active role in engineering practices. Thus far, there are only a few success stories. We argue that a major obstacle for PbD is the discursive and conceptual gap between law and technology. A better diagnosis of the gaps between the legal and technological perceptions of privacy is a crucial step in seeking viable solutions. We juxtapose the two fields by reading each field in terms of the other field. We reverse engineer the law, so as to expose its hidden assumptions about technology (the law’s technological mindset), and we read canonical technological texts, so as to expose their hidden assumptions about privacy (technology’s privacy mindset). Our focus is on one set of informational privacy practices: the large corporation that collects data from individual data subjects.This dual reverse engineering indicates substantial gaps between the legal perception of informational privacy, as reflected in the set of principles commonly known as Fair Information Privacy Principles (FIPPs) and the perceptions of the engineering community. While both information technology and privacy law attempt to regulate the flow of data, they do so in utterly different ways, holding different goals and applying different constraints. The gaps between law and technology point to potential avenues to save PbD.