In today's internet age, with the gap between the digital and physical worlds closing, it is essential to safeguard our digital identities in order to protect our physical identities.
This requires us to be more proactive and take our security and privacy into our own hands instead of merely relying on others to solve the problem for us.
The large technology companies constantly change their privacy settings and terms and conditions to make the most of the data they collect, while staying within the guidelines set by the law. Most of us might not be comfortable with the personal data these companies collect and share, even though we gave our consent when we blindly accepted those terms and conditions.
Just as we protect our physical privacy by setting up gates, walls or fences around our houses, the need of the hour is not merely to talk about digital privacy policies and their implications, but to take our online privacy into our own hands by granting only the specific information we feel comfortable sharing with the applications we use.
According to Wikipedia, Internet privacy is a subset of data privacy that involves the right or mandate of personal privacy concerning the storing, repurposing, provision to third parties, and displaying of information pertaining to oneself via the Internet. Privacy can entail preserving both the Personally Identifiable Information (PII), data that can be used to uniquely identify the individual, like their age, physical address, GPS tracking data, etc., as well as Non-Personally Identifiable Information (non-PII), data such as the person’s behaviour on a website. Thus, we need to ensure correct internet privacy practices to safeguard our digital identities.
In order to create secure next-generation products, we need to be Privacy Doers and build privacy into the entire design. An up-and-coming approach called 'Privacy by Design' does exactly this: it makes privacy a priority that is incorporated into the whole design of technology and systems by default, alongside the other purposes the system is being built to serve.
Principles of Privacy by Design
Since privacy shouldn't be an afterthought to a product, the Privacy by Design approach treats privacy as a feature rather than a part of the product, by making privacy an integral part of an organisation's priorities, objectives, designs and operations.
There are seven principles of Privacy by Design:
- Proactive, not Reactive; Preventive, not Remedial: Anticipating and preventing privacy breaches before they occur.
- Privacy as the Default: Laying down systems which automatically preserve the user's privacy by default, instead of requiring the user to take their security into their own hands.
- Privacy Embedded into Design: Integrating privacy holistically and creatively into the design of the system, without diminishing the functionality of the system.
- Full Functionality: Positive-Sum, not Zero-Sum: Accommodating both privacy and functionality in the system without having to make a trade-off between the two. If the system requires compromises, it has to be made more effective or user-friendly instead.
- End-to-End Security: Lifecycle Protection: Ensuring the privacy of the information over the whole lifecycle of the data, that is, from the moment the information enters the system, through the period it is retained safely in the system, to the end when it has to be destroyed properly.
- Visibility and Transparency: Being accountable for the user's privacy and enabling them to see how their information is stored and processed by the system. This builds greater user trust in the organisation's systems.
- Respect for User Privacy: Preserving the user's private information instead of letting it fall into the wrong hands or sharing it with other systems or unauthorised third-party applications.
Naturally, Privacy by Design works best if it is incorporated throughout the system design process, since it becomes more and more difficult and time-consuming to retrofit afterwards.
How to be a Privacy Doer?
Most organisations aim to collect as much data as possible from their users and believe that privacy policies and security compliance requirements are too stringent, because they get in the way of extracting meaningful insights from the large flows of data they receive. However, there are three things Privacy Doers can do to enjoy a rich flow of data while safeguarding the user's privacy.
Building a first-party tracker for the product: Products should aim to store and process user data on the organisation's own servers, so that the organisation keeps full control over the security of the data. However, due to financial constraints, it might not always be feasible to host data in-house. In those scenarios, instead of handing user data to a third-party application to store and process, the organisation should partner with a third-party tracking vendor whose software the organisation itself deploys and owns, so it retains control over the tracking of user actions without compromising on tracking capabilities. Moreover, if user data does need to be shared with third-party applications, this can be done by taking the user's consent and forwarding only the data they have authorised, without adding multiple screens to track and authorise the sharing of user data.
Creating different data layers: Organisations aim to collect as much data on their user base as possible to analyse and understand their target audience better. However, not all of the data should be accessible to everyone since this could lead to privacy breaches. There should be a layered approach for every team or individual to collect, store and access the data according to the organisational standards.
The most popular layering approach is a three-layer approach, where each additional layer offers a more refined extraction of the user data. In the three-layer approach, the first layer is the raw data layer, also called the data lake, where all the user data is dumped. Since all of the user data is available here, only data engineers should have access to this layer. To retrieve specific data from the data lake, this layer should expose APIs that extract only the specific data requested, together with tracking that logs who accessed the data and when.
The second layer should use an automatic ETL (extract, transform, load) data integration process to pull in only the data that is required. To ensure the confidentiality of this data, identifying information such as user name, user ID, age, address, etc. should be encrypted. Data in the second layer can thus be used to analyse user behaviour without compromising user confidentiality. Lastly, the third layer is where data dashboards and reports are made accessible to individuals in an anonymised and aggregated form.
Sharing only what is needed: Many products share user information with other third-party applications. However, doing so not only increases the chances of a privacy breach but also slows down the application, since each user action triggers multiple events. Instead, products should trigger user events only after taking the user's consent, and store the resulting data on their own servers. They can then transmit as many events as needed from their own server to third-party servers in encrypted form, further reducing the risk of privacy breaches.
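The three data layers and the consent-gated sharing described above, as an added Python example that is not part of the original article. The event schema, role names, consent records and the secret key are all constructed for illustration; in place of encryption, the second layer uses keyed-hash pseudonymisation so that analysts can still group events per user without seeing the identifier, and the third layer suppresses small aggregate buckets before they reach a dashboard.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timezone

# Layer 1, the data lake: constructed sample events with a hypothetical schema.
RAW_EVENTS = [
    {"user_id": "u-1001", "name": "Alice", "age": 34, "address": "1 Main St", "page": "/pricing", "country": "DE"},
    {"user_id": "u-1002", "name": "Bob", "age": 29, "address": "2 High St", "page": "/pricing", "country": "FR"},
    {"user_id": "u-1001", "name": "Alice", "age": 34, "address": "1 Main St", "page": "/signup", "country": "DE"},
]
PII_FIELDS = ("user_id", "name", "age", "address")
PSEUDONYM_KEY = b"placeholder-secret-rotate-in-production"  # constructed, not a real key
ACCESS_LOG = []  # who read the raw layer, why, and when
CONSENT = {"u-1001": {"analytics_partner"}, "u-1002": set()}  # constructed consent records


def read_raw(role, reason):
    """Layer 1 API: only data engineers may read the lake, and every read is logged."""
    if role != "data_engineer":
        raise PermissionError(f"role '{role}' may not access the raw layer")
    ACCESS_LOG.append({"role": role, "reason": reason, "at": datetime.now(timezone.utc).isoformat()})
    return RAW_EVENTS


def pseudonymise(value):
    """Keyed hash (HMAC-SHA256) of an identifier: stable per user, not reversible without the key."""
    return hmac.new(PSEUDONYM_KEY, str(value).encode(), hashlib.sha256).hexdigest()[:16]


def etl_layer(raw):
    """Layer 2: keep only the behavioural fields and replace the identifier with a pseudonym."""
    rows = []
    for event in raw:
        row = {k: v for k, v in event.items() if k not in PII_FIELDS}
        row["user_token"] = pseudonymise(event["user_id"])
        rows.append(row)
    return rows


def report_layer(etl_rows, k_min=2):
    """Layer 3: aggregated page counts; buckets with fewer than k_min events are suppressed."""
    counts = defaultdict(int)
    for row in etl_rows:
        counts[row["page"]] += 1
    return {page: n for page, n in counts.items() if n >= k_min}


def share_with_partner(raw, partner, allowed_fields=("page", "country")):
    """Forward only events of users who consented to this partner, minimised to allowed_fields."""
    return [{k: ev[k] for k in allowed_fields} for ev in raw if partner in CONSENT.get(ev["user_id"], set())]
```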
In conclusion, while businesses are obsessed with gaining as much useful information as possible to meet their strategy and goals, care should be taken to keep internet user privacy the utmost goal. Products should explicitly inform users what data they collect, how they process it and what information they share with other third-party applications, and should only do so once they have the users' consent. In short, stop being a privacy talker and start being a privacy doer!
To learn more about Coding Ninjas, visit the website.
By Saarthak Jain