Last week
, the National Institute of Standards and Technology (NIST) hosted a
workshop
to discuss and develop the concept of privacy engineering. This novel workshop brought together speakers from both the public and the private sector. Although a great deal was covered, three topics recurred throughout the workshop and appeared to be of special interest to NIST:
  • the lack of technical standards concerning privacy,
  • the role engineers can play in protecting privacy
  • and the role NIST should play in the privacy field going forward.
Of note, there is a lack of clear standards that exist for regulating privacy. Central to this discussion was the more abstract nature of Fair Information Practice Principles compared to the straightforward, technical standards that NIST incorporated into the
Preliminary Cybersecurity Framework
. Speakers and attendees disagreed about whether it was necessary to view privacy as principle-based and cybsersecurity as standards-based, but NIST was clearly interested in the possibility of bridging the gap to some extent.


NIST officials acknowledged they had not yet done much to standardize privacy engineering and risk management models, and that process-oriented principles have not achieved consistent and measurable results in privacy protection. Given these concerns, it is fair to speculate that NIST is exploring how to better account for privacy in Section 4.9 of the Framework—although that goal was expressly dismissed during the workshop.


The second recurring topic was the role of engineers—and engineering—in protecting individual privacy and insulating organizations from liability. On this point, there was general consensus that engineers currently play a key role in ensuring that privacy is adequately safeguarded and will only become more vital as both systems and risks become more complex.
Jonathan Fox
(author of
The Privacy Engineer’s Manifesto
along with the delightful
Michelle Dennedy
and Thomas Finneran) posited that innovation emphasizing privacy as part of the product life cycle is the way of the future.
Speakers and attendees disagreed about whether it was necessary to view privacy as principle-based and cybsersecurity as standards-based, but NIST was clearly interested in the possibility of bridging the gap to some extent.

Privacy experts and professionals—including one of the authors of this blog!—stressed the importance of organizational structure that emphasizes privacy, the value of developing a “culture of privacy” that raises every employee’s awareness of privacy issues and generally explained how to establish a privacy-protective environment. Individuals  in technical fields generally agreed, but noted the difficulties of training engineers to account for abstract privacy principles, as well as the responsibility of privacy experts to become more knowledgeable about technical issues. As David Hoffman clearly noted in our joint panel, “you can’t code ‘reasonable’”—which is frequently engineers’ initial reaction to privacy and its concept of a “reasonable consumer.”

Throughout the workshop, the role that NIST should play in the privacy field was the subtext of many discussions. NIST recently entered the privacy world with Appendix J of its Special Publication 800-53 in May 2013—after two and a half years of public comments on its efficacy with regard to FISMA compliance. I (Mary Ellen) may be biased, since one of my DHS colleagues labored on this for years as part of an inter-agency team, but I think Appendix J is an important milestone in the development of privacy and security integration.

With that said, should Appendix J translate to the private sector, or should NIST take a wider view of privacy engineering? Furthermore, should NIST and the Federal Trade Commission intersect on privacy standards? If so, how? These are open questions for now, but the workshop began to address some of them.

We think, ultimately, the workshop was a success, bringing the most pressing issues and concerns related to privacy engineering to the forefront and finding some unexpected points of consensus. Additionally, it provided a rare opportunity for individuals from both technical and policy backgrounds representing the public and private spheres to directly engage about issues significant to the future of privacy integration and development.

ADVERTISEMENT

RadarFirst's 2025 Privacy Incident Management Benchmarking Report