ASU: A Privacy by Design hotbed

A unique new privacy think tank has entered the arena—but few outside the southwestern United States may know about it. The Privacy by Design Research Lab is starting its second year of operations at the W. P. Carey School of Business at Arizona State University. Marilyn Prosch, an associate professor in the business school, runs the virtual lab. Ontario Information and Privacy Commissioner Ann Cavoukian serves as its executive director. The lab is a case study in how much opportunity still exists to shape the relatively young privacy profession.

“Our research lab…will establish a virtual environment to work with industry leaders to create guidelines for businesses worldwide to use to effectively protect personal data,” announced Julie Smith David at the lab’s launch. Smith David is director of ASU’s Center for Advancing Business through Information Technology and cofounder of the lab with Prosch.

The idea to start a privacy think tank with a pragmatic focus dawned on Prosch gradually. With a background in both accounting and information systems dating back before the Internet era, Prosch has long been interested in questions of how best to implement privacy.

In 2002, when the American Institute of CPAs (AICPA) and the Canadian Institute of Chartered Accountants (CICA) formed a Privacy Task Force, Prosch signed on as the representative for academia. The task force produced the AICPA/CICA Privacy Framework in December 2003. Prosch said their goal was to identify accountant-like criteria that could be measured for any information system processing personal data. The framework in turn evolved into the Generally Accepted Privacy Principles that privacy professionals now use for conducting assessments.

It was during those task force meetings that Prosch became acquainted with Cavoukian.

"I met Commissioner Cavoukian about the time her book

was released in 2002,” Prosch told

“I knew that her philosophy was a natural concept to be taught in business school classes, and we quickly began to work together on researching how businesses can benefit from incorporating good privacy practices into their value chain."

The commissioner, herself, was at the time in the process of formalizing her “privacy by design” principles. Cavoukian had been making regular trips to Arizona, so working with ASU’s business school was a natural fit, Prosch said.

At about the same time the idea for the Privacy by Design Research Lab was coming together, its financial means were also materializing. In 2008, TRUSTe was in the process of selling its assets in order to convert to a for-profit corporation. The results of those proceeds financed the 2009 establishment of The Privacy Projects (TPP), a nonprofit think tank run by former Microsoft CPO and current head of Corporate Privacy Group Richard Purcell. TPP funded the the ASU lab with seed money and a grant for its first research project.

caught up with Purcell, who explained TPP’s purpose in funding the new think tank.

“The Privacy Projects focuses on evidence-based advancements in privacy and data protection,” he said. “At the time, as now, Privacy by Design needed real-world development and application.”

“We were pleased to support Doctors Prosch and Smith David in their efforts to develop a vision and process for implementing the underlying principles into software, services and hardware realities,” Purcell added.

Today, the lab conducts three types of activities: research; cross-department information sharing, and industry outreach.

Prosch says the lab’s research is initially focused on designing and redesigning information systems with privacy in mind.

"The first projects funded resulted in a

as well as providing a Practical Guidance for Mobile Technologies,” Prosch said.

“In the Nokia case study, we illustrated how privacy could be protected in a traffic-flow model using mobile devices, how the value chain was positively impacted and how the seven Privacy by Design principles were met,” she added.

“In the case of the practical guidance for mobile technologies,” she continued, “10 experts from industry participated in a Delphi study. They identified and ranked 14 challenges for the mobile industry, along with 73 corresponding potential solutions."

Prosch’s efforts at ASU also involve educating other departments about privacy fundamentals. She had noticed a gap in how privacy was taught in universities. During the dot-com boom of the late 1990s, many business schools offered e-commerce courses that touched on data security. But in the aftermath of the dot-com bust, instruction in data privacy became almost the exclusive domain of law schools. As a result, few of industry’s future CIOs or CFOs were learning about the topic.

To change that dynamic at ASU, Prosch first makes sure that business students get privacy. She teaches accounting and information systems students about data quality and liability. Outside of the business school, Prosch hosts meetings with ASU faculty to explore how privacy topics might be woven into their own curricula.

Another unique aspect of Prosch’s privacy lab is involvement with local industry. Once a month, Prosch hosts local CIOs and CISOs to discuss case studies involving privacy implementation.

The ASU privacy lab has taken a novel approach in its name. Where others, such as the Center for Democracy and Technology and Future of Privacy Forum, bear more general and timeless concepts in their names, the ASU lab has banked its brand on a narrower and relatively new body of thought.

What is privacy by design? At its core, it’s the notion that privacy is less costly and more effective to implement in the design phase of new products and services rather than after they’re launched. Mobile and online technologies—where personal data can be most easily captured and shared in non-transparent ways—have come under the most scrutiny lately for not vetting potential privacy compromises in the design phase.

For her part, Cavoukian has been the leading champion of the concept, articulating seven principles that she proposes are instrumental for getting organizations to view privacy as a net benefit for their stakeholders. The idea gained momentum in 2010 at the 32nd International Conference of Data Protection and Privacy Commissioners, which dedicated a resolution to the concept. Soon after, the U.S. Federal Trade Commission lauded the concept in its landmark privacy framework paper released in December 2010. Several sessions at the IAPP Academy in Dallas in September addressed topic, and conferees mentioned that it was on their 2012 corporate agendas.

Despite its growing popularity, the concept is not without critics, who say the literature written to date on the topic doesn’t constitute a formal methodology and that none of the seven principles by itself is a new innovation.

Ira Rubinstein, adjunct professor and senior fellow at New York University, has been studying privacy by design for ways to test whether it adds monetary value, one of its central claims. He sees PBD at an early crossroads.

"The privacy community is familiar with the core techniques of privacy by design, such as data minimization, anonymization, privacy-friendly defaults and better interfaces that help users become more aware of the benefits and risks of data sharing,” Rubinstein told

.

“We don't need new techniques so much as more effective ways of ensuring that companies learn these techniques and make them part of their development process,” he explained.

“In particular, we need to adopt a flexible regulatory framework. It should avoid technology mandates in favor of incentives that reward companies that step up to privacy by design and treat laggards more harshly," Rubinstein added.

What does the future hold for the Privacy by Design Research Lab? Prosch wants it to become a leading think tank for advancing privacy in business and business schools. Whether the public stock of its “Privacy by Design” moniker rises or falls will also factor into the lab’s level of success.