Privacy and Data Protection

What you can do to protect your data as a developer

Daan
Sep 30
Image by Darwin Laganzon via Pixabay

As a developer, you not only have to make sure you're building the right functionality for your application, but also that you meet its non-functional requirements. Applications have to be secure, scale quickly, respond fast, and stay up when the load peaks. In the era we live in, privacy and data protection inevitably belong on that list of requirements as well.

If you're really lucky as a developer, your company has hired a privacy engineer who does the privacy and data protection work for you. Most of the time, though, you have to do it yourself. Understanding good privacy practices is a tool every engineer should have in their toolbelt.

Privacy engineering is an emerging discipline within, at least, the software or information systems domain which aims to provide methodologies, tools, and techniques such that the engineered systems provide acceptable levels of privacy.

Source: Wikipedia

In this article, I will show you how to handle privacy and data protection from a developer's perspective. Before we start with that, I'll give you a brief introduction to how the privacy landscape has changed over the years.


The Changing Privacy Landscape

But data collection can also be less visible.

Data brokers specialize in creating in-depth profiles of individuals for advertisers. A profile can contain data like sexuality, browsing history, political affiliation, and even medical records.

This poses challenges for human rights. One challenge relates to the way companies use our data. The internet’s business model depends on people sharing their data in exchange for access to content, services, and social media platforms. While you might not pay anything upfront to go on social media platforms, they still make money from you by selling your personal information to advertisers. By clicking on “I agree” in the terms of service, users technically consent to this model. But as we all know, the biggest lie on the internet is: “I understood the terms of service”. No one really knows what they’re signing up to and this creates opportunities for misuse.

With the changing privacy landscape, the list of tasks for developers has grown. Data from millions of users has been stolen, and every now and then a data breach makes the news. As a developer, it's your task to prevent this from happening, and that requires concrete measures.


Be Transparent About Data

Let's take a health app as an example. A user might be happy for their smartwatch to collect data like their heartbeat and location. They are probably happy to share that information to learn more about their physical well-being. However, if that data were sold to a running shoe company without their explicit consent, they probably wouldn't be OK with that.

In Europe, companies have to comply with the General Data Protection Regulation (GDPR). This regulation was introduced on the 25th of May 2018. Every company, regardless of sector, has to comply with the GDPR if it collects data about its employees, customers, or other persons from the European Union. This includes audio and video as well as text.

The GDPR gives individuals more privacy rights and is meant to better protect people's data, not only in their role as consumers but also in their roles as citizens and employees.

In the US, this works a little differently: privacy is regulated per sector. The health care sector, for example, has the Health Insurance Portability and Accountability Act (HIPAA), whose confidentiality rules companies in that sector need to comply with.

HIPAA consists of five sections, also known as titles. Titles I and II are the most important. Title I is about health care access, portability, and renewability. From a developer's perspective, Title II is the most interesting: it deals with preventing health care fraud and abuse, administrative simplification, and medical liability reform, and it is the title that covers the protection of data.

One of the rules in this title is the Privacy Rule. For the most part it looks like the GDPR rules: it gives individuals the right to request their own information and to have inaccuracies corrected, for example.


Give the User Control Over Their Data

Let your users select their preferences, so they can choose whether they want to share certain information or not. Take a profile page, for example. Some users want their date of birth to be visible for everyone. Other people only want it to be visible to their friends. Give users control over their data and respect their preferences!
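As an added example (not code from the original article), the snippet below shows one way to enforce per-field visibility preferences when rendering a profile for a viewer. The profile shape, the three visibility levels, and the field names are assumptions for the demo; the point is that the owner's preference is checked on every field, the default is to hide, and a preference update rejects values outside the known set.

```javascript
// Added example: enforce a user's own visibility preferences per profile field.
// Visibility levels, field names and the profile shape are assumptions for the demo.

const VISIBILITY = ['public', 'friends', 'private'];

// Constructed sample profile: the owner decides per field who may see it.
const sampleProfile = {
  id: 'u1',
  friends: ['u2'],
  fields: {
    displayName: { value: 'Daan', visibility: 'public' },
    dateOfBirth: { value: '1990-01-01', visibility: 'friends' },
    email: { value: 'daan@example.org', visibility: 'private' },
  },
};

// Work out how the viewer relates to the profile owner.
function relation(profile, viewerId) {
  if (viewerId === profile.id) return 'owner';
  if (profile.friends.includes(viewerId)) return 'friend';
  return 'stranger';
}

// Return only the fields the viewer is allowed to see. Default-deny: a field
// with an unknown visibility value is shown to nobody except the owner.
function renderProfile(profile, viewerId) {
  const rel = relation(profile, viewerId);
  const out = {};
  for (const [name, field] of Object.entries(profile.fields)) {
    const allowed =
      rel === 'owner' ||
      field.visibility === 'public' ||
      (field.visibility === 'friends' && rel === 'friend');
    if (allowed) out[name] = field.value;
  }
  return out;
}

// Update a preference, rejecting unknown fields and unknown visibility values
// so a malformed client request cannot silently widen exposure.
function setVisibility(profile, fieldName, visibility) {
  if (!VISIBILITY.includes(visibility)) {
    throw new Error('unknown visibility: ' + visibility);
  }
  if (!Object.prototype.hasOwnProperty.call(profile.fields, fieldName)) {
    throw new Error('unknown field: ' + fieldName);
  }
  profile.fields[fieldName].visibility = visibility;
}

// Usage: renderProfile(sampleProfile, 'u3') gives a stranger only displayName.
```

The decision is made server-side when the response is built, not in the client, so a user who changes their date of birth to "friends only" is protected regardless of which client renders the page.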


How to Protect Your Data

Treat sensitive information differently

Cross-environment data

If your company has to comply with the GDPR (General Data Protection Regulation), it is not allowed to use production data in any environment other than the production environment.

Encrypt backups

You should make backups frequently enough to ensure that you can restore your application without significant data loss. The more important your application is, the more redundancy should be built into your backup storage approach.

Restrict access

You also want to make sure that you restrict access to all of your website's environments. You don't want some random person to accidentally stumble upon the test or acceptance environment because someone misconfigured the robots.txt file. Something as simple as this is considered a data breach.

Restricting access can be done very easily with HTTP Basic Authentication. This requires a user to enter a username and password before the website can be visited, which keeps your data away from random visitors.

Keep software packages and libraries up to date

If you are using third-party software such as a CMS like WordPress, you should take this very seriously. Don't postpone applying security patches. Because third-party software is so widely used, hackers write exploits for known vulnerabilities and go looking for applications that are still vulnerable. Most third-party projects have a mailing list or RSS feed announcing security issues; take advantage of it.

Other popular tools developers use to manage their software dependencies are Composer, npm, and Yarn. A security vulnerability appearing in a package you depend on but aren't paying any attention to is one of the easiest ways to get caught out. Make sure you keep your dependencies up to date.

Only collect data that you need

Once you start collecting data, it is good practice to periodically evaluate the data you've collected. If data is being collected that isn't used, delete it.

Better Programming

Advice for programmers.

Thanks to Zack Shapiro


Written by

Daan

Backend developer from The Netherlands. Crypto enthusiast.
