Though the privacy engineering field is relatively new, at least one school has been at the forefront of this nascent profession. Carnegie Mellon University launched its MSIT-Privacy Engineering Program in 2013. It remains the only privacy engineering-focused master’s program in the country. As industry demand for privacy professionals with technical skills accelerates, it is worth taking a deeper look at the program and how it prepares new professionals for this burgeoning field.
CMU’s MSIT-PE program website describes the degree as one “designed specifically for computer scientists and engineers who want to make [a] meaningful impact as privacy engineers or technical privacy managers.” CMU is the number one-ranked computer science school in the country, according to U.S. News and World Report, and employs numerous privacy scholars, so is well-placed to craft such a curriculum.
“The goal of the program is to graduate students who are well prepared for privacy engineering jobs,” Cranor said. “That was the premise when we started the program. That led to the next question - what do privacy engineers need to know how to do? We did spend a lot of time talking with companies that were hiring privacy engineers to find out what they were looking for. I think that gave us some basic ideas for our curriculum. But, the role of privacy engineers is evolving over time, so our curriculum also evolves with it.”
Until recently, “privacy engineers” were rarely found outside the biggest tech companies. But, according to Cranor, that is changing quickly. “We are seeing all sorts of companies that are hiring privacy engineers,” she said. “Privacy lawyers don’t get them everything that they need. They are interested in going beyond the idea of legal compliance. They want to build products and services with privacy built in, and they need people with technical expertise that also understand privacy in order to do that.”
And many of those hiring are looking to CMU to find a workforce with the skills to accomplish that.
Carnegie Mellon is one of several universities participating in the IAPP’s Privacy Pathways program, which aims to build on privacy curricula in universities to launch students into privacy-related careers. IAPP CEO Trevor Hughes, CIPP, has followed CMU’s work closely since the inception of its MSIT-PE program. "We are seeing a huge need in industry for technical professionals with an understanding of the legal and policy context underpinning privacy,” he said. “Going forward, we expect to see an even greater demand for privacy professionals with an interdisciplinary education, combining privacy law, tech and design elements. CMU is making great strides toward meeting that need.”
CMU’s 12-month curriculum combines courses in technology with law and policy as well as usability and human factors. To graduate, students must also complete a privacy-by-design practicum project, where they work in teams with an outside company to tackle a real-world privacy challenge. In one past project, students worked with a social media company to design prototypes of user interfaces to help address the privacy concerns of elderly users. In another, students explored different means of communicating about privacy and gaining consent from drivers of vehicles deploying software collecting personal data.
Cranor believes these projects are useful for both the students and the companies. “It is great to be able to tackle a real-world problem, not just something their professors made up, but a real problem that a company has and learn about the kind of real-world constraints that companies actually face in addressing these privacy challenges.”
In addition to working directly with companies employing privacy engineers during their time at CMU, students can participate in faculty research. Cranor says a number of students take advantage of this every semester.
Where do CMU’s MSIT-PE graduates end up? Many, though certainly not all, find their way to Silicon Valley.
James Arps, a current student in the program, who has seen strong interest in MSIT-PE graduates from potential employers, commented on his own career search and the leg up that CMU provided. “In addition to sending out applications, I was also fortunate enough to receive interview opportunities from CMU's strong network of privacy-focused alumni,” he said. “The employers I spoke with are interested in candidates who are not only familiar with privacy-by-design principles and the current legislative environment, but who are also passionate about user advocacy and have effective communication skills. CMU’s privacy engineering program helped me develop those qualities through a healthy mix of topical lectures and portfolio-worthy class projects which challenged me to think critically about real issues facing industry professionals today.”
Cranor says CMU graduates take on many different types of privacy engineering roles. Some “are assisting with legal privacy compliance efforts;” others “are on product development teams,” she said. “We have some, particularly in big companies, who are building privacy tools that can be used by developers who are not experts in privacy in order to build [it] in throughout the products and services offered by their company.”
Lea Kissner, chief privacy officer at Humu, spoke to the need for privacy engineers in industry.
"The demand for privacy engineers massively outstrips supply,” said Kissner. “I get asked where to hire good privacy engineers at least once a week." In her previous position at Google, Kissner hired numerous graduates of CMU's privacy engineering program. "They've been excellent, with a good grounding in both the needs of users and the technical chops to make that happen," Kissner said.
CMU’s program has started small, but Cranor hopes to see it grow in the coming years. The challenge, she says, is getting enough qualified applicants. CMU looks for students with strong technical skills and an interest in privacy. Previous job experience is not needed, though some students have come to the program as mid-career professionals looking for a change.
She is also working with her colleagues to explore other non-classroom-based means of offering education in privacy engineering. “We have had quite a few inquiries from companies that would like their employees to be educated, but don’t want to send them to Pittsburgh for a year. So, they have asked us if we could put together some sort of certificate or exec ed program that we could provide training either with some of our faculty coming in person for a week or so or recording some lectures that their employees could watch online.”
Cranor said that they are currently exploring options and would love to hear from companies that would be interested in this.
Top photo: Lorrie Cranor