Technologists hired to help regulators

As technology advances, so must privacy regulators’ knowledge and understanding of such technologies. Without understanding how various technologies function, it is difficult to determine whether privacy is protected within those functions and equally as difficult to investigate resulting breaches. In this vein, some regulators have begun hiring technologists on staff.

The U.S. Federal Trade Commission (FTC) hired its first chief technologist in November of last year to advise the agency about evolving technology and policy issues. The UK Information Commissioner’s Office (ICO) is in the process of doing the same and is working to establish a reference panel to aid with technology concerns.

The FTC’s chief technologist, Edward Felten, began his post in January. He was formerly a professor of computer science and public affairs and was the founding director of the Center for Information Technology Policy at Princeton University. At the FTC, he serves as an internal technology consultant within the agency and an ambassador to the technology community, helping build ties and foster flows of information in both directions, thereby assisting the technology community to better understand the FTC and vice versa. He will find the various ways that a chief technologist can be most helpful to the agency, since the position is new. He will also advise the chairman and the commissioners about policy issues as they relate to technology on consumer protection, privacy and competition.

While he won’t assist the agency with its investigations, “primarily because there are other people on staff who are qualified to do that,” Felten says, he’ll be available to consult with agency staff about the investigations.

Felten will also work on the FTC’s recently released Internet privacy

, analyzing the feasibility of its proposed do-not-track (DNT) mechanism. Felten says he’s “convinced that a reasonable DNT system is technologically feasible,” and points to companies such as Microsoft, Mozilla and Google’s recent announcements that they will

do-not-track mechanisms as evidence that he’s not alone.

Felten says that besides his work on DNT, his goals for 2011 include looking at cybersecurity and the FTC’s role in protecting consumers in that regard as well as responding to technology-related issues that arise.

“I think it’s clear that privacy is going to be a significant issue in the upcoming year,” he says.

Meanwhile, the UK ICO’s Deputy Commissioner and Director of Data Protection, David Smith, says that hiring a technologist has been something the ICO has been looking at for some time now as technology becomes increasingly important in the way that personal information is processed.

“It’s harder and harder for the data protection expert, who maybe doesn’t have technological expertise,” Smith says. “There’s been lots of attention on security breaches where you look at whether the security side of an organization is adequate. When you get to the technical side, you need a level of expertise to have readily available in the office.”

Smith says online activities such as deep packet inspection and behavioral advertising are examples of why the ICO needs a technologist to understand the extent to which those mechanisms are processing personal data and whether those mechanisms fall within the legislation the ICO regulates.

The technologist will have various job responsibilities, including representing the ICO to the

’s technology subgroup. The technologist will also advise staff on new forms of technology, such as facial recognition, and may also assist the ICO on investigations involving security measures at particular organizations, for example. The technologist may also be involved in assessing whether monetary penalties will be applied and determining whether an organization took reasonable steps to comply with data protection laws.

Smith adds that he hopes the ICO’s technologist will play a role in training the nontechnical staff.

The ICO is also working to recruit an external technology reference panel that will comprise experts from various professional bodies, such as the British Computer Society, that could act as a sounding board to help the ICO understand new forms of technology and those on the horizon. The in-house technologist would act as the link between the ICO and the panel and would be someone with a broad spectrum of knowledge capable of communicating with the board and of acquiring additional knowledge when needed.

Smith says he expects that firms will continue to hire technologists in the future but that privacy professionals will also need to increasingly understand technology themselves to the extent possible, including deep packet inspection and other techniques.

“They need expert advice they can call on when their own knowledge and understanding reaches its limits,” he says. “Everybody needs to know a bit more. But you also need the expertise.”