Privacy engineering is a growing field, and organizations are taking notice. Last year, the IAPP started the Privacy Engineering Section and hosted two forums (our coverage of those events can be found here and here), and will do so again May 1 for the upcoming Global Privacy Summit 2019 in Washington. Now, it is the U.S. National Institute of Standards and Technology’s turn to bring attention to privacy engineering, and it has given privacy practitioners the ability to join in, as well.
NIST has launched its Privacy Engineering Collaboration Space, an online open-sourced venue where privacy practitioners can make contributions to the field.
“One of the many things we hear is folks are looking for privacy solutions to implement in their organizations, and sometimes either the exact solution they are looking for may not exist, or they don’t know where to find it,” NIST Privacy Risk Strategist Kaitlin Boeckl said. “We wanted to create a space that would bring practitioners together to bring awareness to tools that are out there.”
For the debut of the space, NIST asks privacy practitioners to focus on privacy risk management and de-identification. The agency directs participants toward its GitHub repository, where they can contribute tools, use cases and feedback. Within the repository, NIST provides templates for practitioners to fill out depending on their contribution. Practitioners who offer up a tool can either send a link to their solution or drop the source code right in GitHub.
All the solutions and use cases are examined by moderators. Boeckl looks over privacy risk management entries, while University of Vermont Assistant Professors Joseph Near and David Darais cover de-identification. The moderators judge the submissions based on a strict set of operating rules. NIST states it will reject submissions that promote pay-for services and products, include personally identifiable information, contain vulgar content, or are factually inaccurate.
With privacy risk management, Boeckl said NIST wants to help make those processes easier and more accessible, and it is taking a similar approach to de-identification.
“We picked de-identification in part because we felt there were some tools in this space, and we do hope that over time, more organizations will put in use cases, whether it’s to describe a need that they have, or to explain how they might have used a particular tool and then describe what are the benefits and limitations might be so that they can provide education and awareness to the broader community,” Lefkovitz said.
It is an approach Kuma Executive VP and Partner Jenn Behrens, CIPP/G, CIPP/US, CIPM, FIP, believes fits in with current trends in privacy.
“As a consultancy that works with a lot of different types of organizations, risk management is where it's at. Everyone wants to manage their risk and they want to it in a risk-informed manner so they can have effective decision making. Those tools have been widely available in security, but not privacy,” Behrens said. “In the last nine months, I’ve been hearing a lot more requests for de-identification. A few years ago, this would have missed the mark. I think now it’s right on the mark cusp of that wave.”
Behrens said Kuma plans to participate in the space, citing her company’s previous efforts in the privacy engineering space. She believes the privacy industry is a welcoming one and advises anyone who thinks about participating in the space to jump in, as the field can always use fresh perspectives.
“We want to make sure that we contribute what we can to support this effort so that others can apply the discipline of privacy engineering as well,” Behrens said. “It’s really needed in the market and certainly NIST has some great leadership in the area.”
While the collaboration space has only been officially open for a couple of days, NIST conducted a soft launch in February and sent out emails to parties it believed would be interested. The agency received a submission from Google researchers who contributed a tool to train machine-learning models with differential privacy, a framework designed to help create differentially private programs, and tool to help with the de-identification of location data.
The agency went on the road to promote the collaboration space by conducting a pair of demos at this year’s RSA Conference. Boeckl went over the basics of the space and gave examples of contributions to the audience, which consists primarily of cybersecurity professionals from both the public and private sector. Boeckl said the stakeholders at the conference told her the engineering space is a much-needed resource.
“One great thing to see was that the cybersecurity professionals at the demos did not brush aside privacy considerations,” Boeckl said via email. “They discussed the importance of de-identification techniques, and were eager to discuss the space with the privacy counterparts at their organizations.”
NIST plans to host more demos and presentations as the space grows, and while the agency is primarily focused on de-identification and privacy risk management, participants can offer feedback on future topics they would like to see.
The space may be in its infancy, but the agency has high hopes for it as it helps to shine a spotlight on the burgeoning field of privacy engineering.
“We named it the collaboration space because we really wanted to build a community,” Lefkovitz said. “We hear about these challenges and we wanted to take those challenges from an isolated discussion to a community discussion on how we can really improve upon privacy solutions and move the field forward.”
If you want to comment on this post, you need to login.