This book introduces some systematic analysis and a new perspective on privacy by design, a concept first formulated by Dr. Ann Cavoukian, the former Information and Privacy Commissioner for the Canadian province of Ontario. Broadly, privacy by design holds that privacy ought to be deliberately considered and proactively built into the design of all goods and services. With the dramatic growth of technologies capable of eroding our privacy, privacy by design has emerged as a way to rein in the privacy-abusive aspects of new technologies. Hartzog's central assertion in the book is that privacy by design should be mandated and regulated by legislators.
The author first highlights the importance of design generally, though the book limits its analysis to popular consumer-facing digital products and services. Design is the “actual function, structure, and appearance of consumer-facing technologies” (p. 199). Design is “both important and difficult”, but it “reflects and protects values”, and the notion of “design neutrality” is therefore anathema, much as the notions of “technology neutrality” or “gun neutrality” might be. Design is politically charged, and therefore ought not to be ignored.
Privacy's Blueprint, the book's title, is the author's name for a design agenda for privacy law and policy that includes three parts: values, boundaries and tools. First, the author discusses the values protected by privacy by design. Next, he seeks to articulate “basic boundaries to further those values” (p. 94). And finally, he lays out specific legal tools to enforce those values.
The author seeks to identify the privacy values that are affected by design and ought to be nurtured by design, ultimately settling on three specific values: trust, obscurity and autonomy. These, we are told, foster other values like “dignity, identity, freedom, equality, and free speech”, as well as “control, intimacy … fairness, self-realization” (p. 119). Trust is composed of “discretion, honesty, protection, and loyalty” (p. 99). Obscurity, by contrast, is “the lack of any one of four factors: search visibility, unprotected access, identification, and clarity” (p. 112). Autonomy “is a near limitless concept”, but the author asserts that “autonomy is furthered as a design value when privacy law guides technologies to use signals and transaction costs to reinforce trust and obscurity” (p. 117). Each of these values is broken down, explained and illustrated by example.
The book then sets out the “boundaries for design”. This is where the author makes his most meaningful suggestion, namely that product safety and consumer protection laws are models that can inform the regulation of privacy by design. The author writes that “the main boundaries for privacy law's design agenda should focus on deception, abuse, and danger” (p. 134). There follows an interesting discussion of various privacy scams and abuses, from impersonation of Google cars, to flashlight apps that collect geolocation data, persuasion profiling and more.
Readers are then introduced to the third part of Hartzog's blueprint for privacy: the tools of privacy by design. Hartzog classifies the tools, or responses, as soft, moderate or robust. Soft responses “shape design through education and incentives” (p. 159). These include government-funded privacy by design initiatives, such as the EU Agency for Network and Information Security (ENISA) privacy by design research paper, and “bug bounty” programs, which reward people for identifying privacy flaws. Another important soft response is the establishment of industry standards. Hartzog discusses ISO 27001, NIST 800-53 and other such standards, and notes that the “downside of standards is that they can become entrenched, which causes problems if they become outdated or do not reflect the values they were designed to serve” (p. 166). He also adds that standards “are a bad fit for problems that are fundamentally nontechnical, such as people's general unease about receiving targeted advertisements. So technical standards are an important part of privacy design, but they cannot be the only or even the main approach” (pp. 166–67) – an assertion discussed further below. Moderate responses include enforcement of privacy settings as contractual terms, and application of the doctrine of unconscionability, “a concept used to render certain terms unenforceable” (p. 172). Robust responses include “tort liability for design or outright categorical prohibitions” (p. 159) enacted by legislation.
The rest of the book consists mostly of examples of how these various tools apply to a slew of different privacy abuses, such as Terms of Use tyranny (i.e. extracted consent) and overexposure (i.e. oversharing of data).
This discussion provides interesting examples of challenges to privacy and suggested solutions. For example: Google has produced a tool that blurs faces on a video before posting to YouTube. There is discussion of encryption backdoors and key escrows, which are, of course, to be avoided, as well as discussion of the risks of always-on technologies, like virtual personal assistants. The book ends with a discussion of the internet of things – in which the internet is connected to everyday objects and devices – and calls for regulation of the internet of things, such as “prerequisites and rules for connectivity or obligations that flow from connectivity”. Hartzog calls for particular attention and stricter rules to apply to the internet of things given the added vulnerabilities and risks of connected devices in the domestic setting – everything from connected refrigerators to Hello Barbie.
Overall, Hartzog has taken a fairly amorphous concept, privacy by design, and has drafted a framework for its application. This framework could be very useful to authors of standards and guidance, or even to lawmakers. There are, however, several important aspects of the book that have left this reviewer unpersuaded.
The first is the author's treatment of the EU's General Data Protection Regulation (GDPR). The book was published in 2018, but apparently it was being prepared in early 2016 (p. 87). The author was clearly aware of the final version of the GDPR (it is quoted, for example, in n. 97 on p. 54 and in n. 9 on p. 63) and of its privacy by design provision. Moreover, the Commission's 2012 proposal for the GDPR also contained a privacy by design provision. The author categorises Article 25 of the GDPR as a “progressive new law”, and quotes from Article 25(2), which concerns data protection by default (“Privacy by Default”). As far as this reviewer could discern, any direct discussion of Article 25(1), the paragraph that actually imposes the obligation of data protection by design, is lacking, despite the fact that it is undoubtedly the most important legislative provision on privacy by design. How a book about privacy by design can ignore the most important regulatory provision on the topic is baffling.
Additionally, relying on Recital 40 of the GDPR, the author writes that: “‘Consent’ is the linchpin of the EU's entire General Data Protection Regulation. It legitimizes most kinds of data collection, use and disclosure” (p. 63). That Recital does in fact appear to ascribe more importance to consent than to the other legal bases for processing personal data. But consent is not the linchpin of the entire GDPR, though it may be of other data-protection laws, such as Canada's PIPEDA (as the author indicates). Consent is only one of several alternative lawful bases for processing, as is clear from the language of Article 6(1) of the GDPR.
The author repeats this canard, calling GDPR a “consent regime”, which, again, is erroneous. Perhaps the author sought to belittle the importance of GDPR in general, and downplay its Article 25(1) in particular, since this provision actually legislates privacy by design, making this book's call for legislators to legislate privacy by design somewhat moot. It would have been much more forceful had the author included a thorough analysis of the GDPR's treatment of privacy by design, and of other privacy by design models, so that the book would build on, rather than sidestep, existing knowledge in this space.
The lack of nuance with respect to the EU's data-protection law also manifests elsewhere. The author builds a case for a “design gap” and explains that EU privacy law is complex and overwhelming. The author writes: “countries within the European Union (EU) commonly view privacy issues with two distinct lenses: human rights and data protection. Values like dignity are elevated over notions of seclusion and freedom” (pp. 58–59). Such general assertions may leave the impression that EU law is complex and overwhelming, but they may equally suggest a lack of familiarity with EU law.
Likewise, the author asserts that “virtually every privacy and data protection regime in the world seems to embrace the three basic ethics [of] … following the FIPs” – fair information practices – “not lying, and not harming” (p. 59). However, to this reviewer's knowledge that statement does not reflect reality. The Advisory Committee on Automated Personal Data Systems, whose 1973 report to the Secretary of the US Department of Health, Education and Welfare first set out the fair information practices, itself cited the Hessen Data Protection Act of 1970 and the Swedish Data Protection Act of 1973. Thus the first state and national data-protection acts influenced the fair information practices, rather than the other way around.
Similarly, Cavoukian initially wrote of privacy by design principles as affirming the fair information practices. Hartzog rips into the fair information practices as “the blueprint for the threats of the 1970s, when only governments and the largest corporations could collect data” (p. 61), suggesting wryly that lawmakers have tended to think that the “answer to every privacy problem is simply to ‘FIP harder’” (p. 61). As with Hartzog's omission to contend with the GDPR directly, so too with the implied criticism of Cavoukian; it would have been interesting and useful to understand precisely where Hartzog differs from Cavoukian's opinion.
Another and more important point on which this reviewer is unpersuaded is the author's assertion that privacy by design ought to be micro-managed by legislators and courts. Hartzog writes: “Usually, lawmakers can most effectively fill privacy's design gap by articulating design boundaries in the form of flexible standards for companies” (p. 121). Later he proposes the application of authorisation and certification schemes, but even then he assumes they are to be administered by lawmakers. For example, he proposes that “regulatory regimes could come right out and say … ‘all [internet of things] devices should certify compliance with ISO 27001,’ the international data security standard” (p. 191). The GDPR has indeed legislated privacy by design. But the free market seems to be driving significant adoption of ISO 27001, as well as of privacy seals, and Article 42(1) of the GDPR requires EU member states (together with the supervisory authorities, the European Data Protection Board and the Commission) to encourage the “establishment of data protection certification mechanisms and of data protection seals and marks”. Privacy's Blueprint might conceivably form the basis of a privacy by design seal. As to the need for moderate and robust responses, these are specifically included in the new wave of privacy regulation across the world – including the EU, Switzerland, Brazil, Australia and others, each of which already mandates privacy by design. So Hartzog's hope that legislators would take privacy by design seriously was already a reality before the ink was dry on the book, complete with soft, moderate and robust responses. Legislators are taking privacy by design very seriously; the suggestion that they are best placed to dictate precisely how privacy by design is to be implemented, however, is dubious. The call for legislation of the minutiae of privacy by design is not compelling.
Despite lacking rigour in some respects, this book makes an important contribution to privacy by design, adding an analytical layer that reinforces the need for privacy by design and the ways in which this important principle can be implemented. Privacy's Blueprint ought to be of value to privacy enthusiasts, practitioners advising product developers and to independent certification bodies as they develop their privacy by design seals and certifications. Hopefully this book will contribute to the further development of privacy by design and help advance methodologies which can subsequently be applied in practice.