Privacy Engineering: The Hero We Need (An Origin Story)

Arjun Dutt
Towards Application Data Monitoring
6 min read · May 28, 2020

Much like the character arc in a WWE storyline, the perception of data (particularly customer data) has fallen from that of a champion to downright villainy in the last two decades.

“Data is the new oil” has been the refrain since Clive Humby coined the phrase in 2006. A decade later in 2016, data gained notoriety as the “new asbestos.”

Several world-changing companies have been built on extracting value from data — you don’t need me to list these. But with the passage of time, and the stumbles of some of these companies, the hidden dangers of data collection and use have been revealed. The scale of data processed and the complexity of underlying systems have reached unprecedented levels. Traditional privacy and compliance management approaches are lacking scalable tools to grapple with these extraordinary circumstances. And just like a great WWE narrative evolution, the world needs a new hero.

Cue the entrance of… the privacy engineer!

But what is this hero supposed to be able to do, anyway?

Powers

Privacy engineering is tricky to pin down. Since it typically requires cross-functional knowledge, it can be highly context-dependent. With a backdrop of technological and legal sea changes, the field itself has had to go through multiple evolutions.

Carnegie Mellon computer science professors Cranor and Sadeh described privacy engineers back in 2013 as “technologists responsible for ensuring that privacy is an integral part of the design process.” Privacy engineering crosses multiple disciplines and multiple issues: technical issues such as cybersecurity and data analytics, complex legal and compliance issues, business issues, and even ethics. These are no one-dimensional heroes. They have to be able to walk through walls, see around corners, and have deep compassion for both internal teams and end users. They are here today and deploy different strengths in different situations.

Manifestations

So how do we recognize these heroes among us? In 2018, Facebook revealed that it had created a 300-person team focused on building privacy products. Uber has been working on better privacy features since at least 2017. Google opened a whole center in Munich last year, growing their privacy engineering team to over 200. In fact, many of the tech giants have been building up their privacy engineering teams steadily in recent years. In tandem, a broad phalanx of startups tackling various privacy challenges has emerged.

These teams work on diverse problems ranging from the clear-cut to the convoluted — from password and cookie management to clearing a user’s entire history of interactions. Europe’s GDPR all but requires privacy engineering, calling in direct, strong language for its requirements to be built into products, and California’s CCPA is similar in many respects. If federal regulation in the US is next, as many expect, virtually every company will start getting its privacy engineering act together, particularly as it reinvents its business model in response to digitization. Even if the drumbeat of regulation stops with California’s law, we will likely see product standards strive to meet CCPA requirements, similar to the nationwide impact we’ve seen from California’s regulations on auto emissions standards.

In January 2020, the National Institute of Standards and Technology (NIST) released a Privacy Framework, beginning the formation of guidelines as more companies prioritize data privacy and protecting user data. NIST articulates that some cybersecurity risks are relevant in the world of data privacy, but at the same time, many privacy risks are very distinct. This framing starts to express why the privacy engineer faces a unique and significant set of challenges.

Challenges

Similar to cybersecurity, privacy is a tricky field in which to operate. In a sense, it is only the failures that are noticed, comparable to the plight of many beleaguered fictional superheroes. But privacy engineers know that their mission is critical and achieving “check-the-box” compliance is decidedly insufficient.

Today, product development moves at a breakneck speed. In the last two decades, we’ve gone from a waterfall model of software development with bi-annual code releases, to a CI/CD model with hundreds of releases every day. It’s no wonder that data went from being “the new oil” to “the new asbestos.” Privacy engineers are building important features to minimize negative consequences of moving so fast — from unified services that locate and remove user data when required, to ensuring that users understand what they are consenting to as they go through a product’s onboarding flow.

Clearly, the work of privacy engineers is easier said than done. The challenges include:

  1. The fact that privacy engineers are often retrofitting privacy features into a system that was built when data privacy was far from top-of-mind.
  2. The unfortunate truth that the business value of building privacy features isn’t always clear to those who haven’t lived through an incident or breach (even if they are being told about the importance by legal or compliance teams).
  3. The need to balance the tremendous market and competitive pressure to move fast and drive productivity with the goal of respecting customer data privacy requirements.
  4. The fact that as systems have become increasingly distributed, there is more replication of data and polyglot tribal knowledge. Simply figuring out where user data lives and how it is handled can be a herculean task.

Opportunities

The challenges may be significant but it is absolutely worth persevering. Privacy engineers can add tremendous value and will be the ones to create the technology that prevents data “oil spills.” They have the skills and the mandate to prevent massive data privacy setbacks for a company or even an entire industry.

Privacy engineers can identify and neutralize the risk from mishandled data, at the source. The whole idea of privacy-by-design encourages all engineers to think about the privacy implications of the data they’re using, the features they’re building, and end user trust. Beyond consent gathering and settings management features, there is very interesting work being done on this front ranging from creating guardrails that prevent inadvertent coding errors to automated code reviews for compliance.

User data retention and deletion functionality is another crucial capability that privacy engineers are building. Most companies’ technology stacks are highly individualized as they make architectural choices to fit their business needs. This is just as true for cloud-native companies as it is for those at various stages of modernization. Privacy engineers are the ones who have the vision and skills to cut across organizational silos and balance priorities ranging from data-science goals to retention policies.

While the above opportunities focus on prevention, we believe that a focus on detection and response is equally critical to the long-term health of a company’s privacy objectives. A key capability that we have strong conviction about is continuous, comprehensive visibility into company data. Privacy engineers are taking this on through an exhaustive inventory of their systems and data — articulating the various tiers of data by risk, classifying data as it enters their systems, and tracing it as it traverses different applications and data stores and circulates to third parties.
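The classify-on-ingress, tier-by-risk and trace-to-third-parties loop described above, as an added Python sketch that is not Layer 9’s product or code; the PII patterns, system names and sample records are constructed for illustration:

```python
import re
from collections import defaultdict

# Constructed field-level classifiers: category -> (regex, risk tier; 3 = highest).
PII_PATTERNS = {
    "ssn":   (re.compile(r"^\d{3}-\d{2}-\d{4}$"), 3),
    "email": (re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"), 2),
    "phone": (re.compile(r"^\+?\d[\d\- ]{7,}\d$"), 2),
}

def classify(record):
    """Return {field: (category, tier)} for string fields that look like PII."""
    tags = {}
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        for category, (pattern, tier) in PII_PATTERNS.items():
            if pattern.match(value.strip()):
                tags[key] = (category, tier)
                break
    return tags

class DataInventory:
    """Records every hop a classified field takes between systems (constructed)."""
    def __init__(self, third_parties):
        self.third_parties = set(third_parties)
        self.flows = defaultdict(set)  # destination -> {(field, category, tier, source)}

    def observe(self, record, source, destination):
        """Call at each boundary a record crosses; returns the PII tags found."""
        tags = classify(record)
        for fld, (cat, tier) in tags.items():
            self.flows[destination].add((fld, cat, tier, source))
        return tags

    def max_tier(self, system):
        """Highest-risk tier of data known to land in a given system."""
        return max((t for _, _, t, _ in self.flows.get(system, ())), default=0)

    def third_party_exposure(self):
        """PII categories that reach any third party: the view a reviewer wants."""
        return {dest: sorted({c for _, c, _, _ in flows})
                for dest, flows in self.flows.items() if dest in self.third_parties}

def demo():
    # Constructed sample flow: a signup event lands in the warehouse, and only the
    # email address is later forwarded to an outside email vendor.
    inv = DataInventory(third_parties={"email-vendor"})
    signup = {"user": "alice", "email": "alice@example.com", "ssn": "123-45-6789"}
    inv.observe(signup, "web-app", "warehouse")
    inv.observe({"email": signup["email"]}, "warehouse", "email-vendor")
    return inv
```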

From One, To Many

If this were a WWE event, a single hero would emerge who had all the powers to address the challenges and capitalize on the opportunities, putting our modern “asbestos” on the ropes. However, in the real world, we need a nuanced, multi-faceted, and disciplined team of dedicated engineers with a variety of skills to actualize these powers (did someone say Justice League?). At Layer 9, we’re focusing on helping to develop a visibility and detection capability for the privacy engineering community. Our contribution to the hero’s tool belt is Application Data Monitoring (ADM), which aims to provide observability, change monitoring, benchmarking, and insight generation for a company’s data in motion.

We’d love to find ways to join forces with others in the community and take on the enormous challenge of protecting data privacy. If your team is working on one of the many dimensions of the privacy engineering problem, we’d love to hear from you. Drop us a note at Layer 9, or follow us on social media — @layer9ai and LinkedIn — and read our other articles on our Medium publication.

Arjun Dutt

Co-founder and CEO of Layer 9, the Application Data Monitoring company.