Good morning everyone. Thank you for showing up this early already. Who here is interested in their privacy? Raise your hand. Good. And who here is an engineer? Even better. Jaap-Henk is going to talk to us about privacy design strategies, so this is just the talk for you. Jaap-Henk is an associate professor at the University of Nijmegen, he's the scientific director of the Privacy and Identity Lab, and he's a regular columnist for the financial newspaper, and he's going to talk to us about privacy design strategies. Oh, before I forget, after the talk there will be a meet-up in Pi where we can do some more questions and discussions and everything, so please join us there after the talk. Jaap-Henk.

I'm going to talk about privacy design strategies, and it's always a pleasure to be introduced by somebody from the Netherlands who knows how to pronounce both my name and the name of my university, because that's like a mess. Today I'm going to talk about eight privacy design strategies. It's sort of like a concept that we developed at the University of Nijmegen, the Radboud University, in order to make privacy by design more concrete: in essence, trying to translate soft legal norms into something that engineers are more comfortable working with, and therefore trying to make systems more privacy-friendly. This is pretty much all that Jeroen already said. My research topic is quite broad. I do everything ranging from the more information-science, privacy-by-design, fuzzy, soft kind of stuff that I'm talking about here, all the way down to designing cryptographic protocols. I don't do real crypto primitives, I leave that to mathematicians, but everything beyond that I like to apply and do cool stuff with. I'm also the scientific director of the Privacy and Identity Lab.
Just to mention, this is like a virtual collaboration between our university, Radboud University of Nijmegen, where the computer scientists are; the legal people from TILT, the Tilburg Institute for Law, Technology and Society, and those are lawyers that actually understand technology, they even make their own cool gadgets, which I always find very surprising; and there's people from TNO, which are more the social scientists. And this is all because we think that privacy is a topic that is multidisciplinary, that needs to be addressed from all these different perspectives. And I blog about all these things, the URL is down there.

What is privacy about? Privacy is about protecting personal data. Okay, but what does that mean? Well, interestingly enough, if you look at the development of privacy protection and the understanding of what privacy means, you see that this basically walks along with developments in technology. So 100 years ago, maybe even more already, this whole idea of the right to be left alone, let alone actually, was formulated in the US. And why was that? Well, you know, back in those days printing became cheaper, local newspapers were appearing, and at the same time there were developments in photography that made sure that ordinary people could walk around with cameras and make pictures of people walking around in public. And then those pictures, you know, happened to be printed in the local press. And certain people didn't like that, and they felt that their privacy in public was invaded by these developments. Later on, in the 60s, with the advancements of computing and the advancements of database technology, you see the frame shifting, and you see that people talk about privacy more in terms of, like, getting and giving control: how to make sure that we control our own personal data.
The whole idea of informational self-determination came to the forefront, and if you look at the legal protection of privacy in Europe, at least, this is pretty much still framed in that perspective. The whole idea of control is, I think, central to that thing. More recent developments are thinking more about privacy as a mechanism that allows you to separate contexts. The whole idea being that something that is said here is not necessarily something that should be shared somewhere else, and something that you share with your partner is not something that you want to share at work, or the other way around. So all these different contexts, and there can be many, should be somehow separated, and you want to make sure that information doesn't flow just like that from one context to the other.

Okay, so that is like the conceptualization of privacy. If you look at, you know, the more legal way this is protected, at least in the European Union, you have the General Data Protection Regulation that's going into force in a year now. And then if you look at what the legal definition of personal data is, then actually personal data is a lot. So it's not only information that directly identifies a person, but actually all information that is either directly or indirectly linked to a natural person. And this already leads to a lot of confusion, especially for people designing systems, because I still meet a lot of people when I talk about privacy by design that say, you know, I'm not collecting personal information because it's not directly linked to a natural person. So things like a license plate or the MAC address of your network adapter, there's still people that don't consider that personal data, personal information. Whereas according to the legal interpretation it should be interpreted as personal information, personal data, and therefore should be protected. And there's many more.
Secondly, there is confusion, or at least when you think about privacy by design, and I'm going to talk about that later on a bit more, you should realize that there's really different kinds of personal data out there. And this distinction I think is pretty useful. First of all, and this is something that many people, also ordinary people using systems like Twitter or social networks like Facebook or Google or whatever, are aware of: the volunteered data, the data that you explicitly share with other people when asked about it. If you fill in a form, you as an ordinary user, and of course I know most of you are more technically savvy than the average person, most people will know that when they enter that information, that information is actually shared with the other party. The other party is aware of that information. So you volunteer that.

But there's a second class of information that is really, really important. And that's the observed data. That's all the information that is also collected by all these service providers that people are not necessarily aware is collected. And that information is like, that's a broad spectrum of kinds of data. It starts with logging all kinds of stuff, like logging the IP addresses of people that accessed your web page, for instance. It can be the location that is tracked when you use your mobile phone. It can even go as far as tracking mouse movements on your screen when you're visiting a website, just because the designer of the website wants to know whether the placement of a certain button on the website is the most effective place to put it. And so on, and so on. This kind of tracking happens all the time, and very few people are aware of that happening. And that is problematic. And of course, then there's the third class, and that's all the information that you can derive from the second two classes of data. You know, that observed data, we call it metadata.
And why is that so important? Who knows who this is? Yeah. Richelieu, yeah. What was Richelieu famous for? I think he's famous for many things, but I'm looking for a specific answer, so maybe this is not a good question. There's one quote by him saying something along the lines of: give me a letter of five sentences of any innocent man, and I will find something in that letter to have him hanged. Which I think still applies today, and actually those five sentences you just collect in a second. Going back to the metadata, why do I think that this is so important? Actually, it's not about the letters, but it's about the fact that metadata is behavioral data. It's about the data of our behavior, the things that we do. And I think this is also grounded by research in psychology that, instead of listening to what people say or reading what people write, if you actually look at what people do, this is a much stronger indicator of what they really want, what their real desires are, than if you only listen to what they say or read what they write. So those behavioral data, those metadata, I think are much more sensitive even than the volunteered data.

Okay. And what does this whole swath of data basically lead to? Well, first of all, government surveillance. Again, a little quiz. The image on the left, is that real or fake? Is that a real logo or was that made up? Hands up for real. Hands up for fake. Yeah, I thought everybody knew this. The other one on the right, is that a real logo or is it fake? Real, anybody? Fake, anybody? There's a few that still don't know this. The one on the right is indeed real. Nothing is beyond our reach. The motto of a small part of the NSA, the National Security Agency. We know all this because of the Snowden revelations, but it's wrong to think that this is the only thing happening, that it's only the Americans doing this.
I mean, it's not only the American secret service that is doing it, the GCHQ is doing it, the Dutch are doing it, the Germans are doing it, but it's also not only the secret services that are doing it. Basically, part of the business of government is to know a lot about the citizens, which is fine up to a certain point. But in certain cases it gets extreme. Just one example that struck me at least, in the Netherlands, is, for instance, the tax authorities. In the Netherlands, the tax authorities collect a lot of data in order to combat tax fraud. One thing they did, or actually two things they did, was to go after people having so-called employer-provided cars. Lease car. How do you say that in English? I don't know. It's basically a car you get from your employer to do your work. In order to make sure that this is not considered income, you actually have to use it only for your work, and you're not supposed to use it for private use. Of course, how can you detect this? You can just say, I have this car, I only use it for work, I never use it for anything personal. So the tax authorities were like, we know a way to verify this. How? They basically asked the parking companies that operate big parking places in the Netherlands for all the license plates of all the cars that park there on Saturdays or Sundays. Basically, the idea being, well, if you park your car in the city on a Saturday, then that's probably not for work use. This is for private use. Another thing they did was actually drive around the parking spaces at IKEA and other big shopping malls with a camera, with automatic number plate recognition, and see if the number plates matched a list of cars that were registered as being employer work cars not used for private use. So the kind of surveillance in government is, like, extensive. It's not only the secret services, it's also the government at large.
And of course, it's not only government surveillance, it's also business surveillance, and the whole idea here being that many of these so-called free services that we are being offered are actually not so much free. Well, for us, they're free, but that's because we are not the customer, we are actually the product being sold, pretty much the same way as the piggy in the piggy farm, that is also not the customer of the piggy farm, but the product of the piggy farm. And all these technical developments, the computing, databases, then the internet, now mobile phones, smartphones, the fact that you have them always with you, they basically make them the Stasi agent in your own personal pocket. So that means that if people want to, and the technology is out there to do that, they can collect a lot of information about you.

And with this whole thing of the internet of things, I really like this very, it's quite an old mock-up of the internet of things, if Google would develop a search engine for the internet of things. Looking at the decoration of this Firefox browser, I think it's pretty, pretty old. But I still like it, it's a very good image, namely the idea being that you could actually search for the keys of your house using Google. And then Google would basically say, if you can read it, it's on the top of the fridge, right where you left them, dipshit. Would be very useful for me. I sometimes lose my keys or anything else, that would be great. But depending on the things that you're looking for and depending on the place where you left them, you may not want other people to search for them and know where you left them. So this creates all kinds of problems. These kinds of problems are both individual problems and societal problems. A lack of privacy creates individual problems, but it also creates societal problems.
Of course, the individual problems are, you know, related to this whole idea of personal security, the fact that you want to be safe from invasion, the fact that you want to protect yourself both against this, you know, almighty government and a very almighty business that knows more about you than you know about the business or the government, in the end to restore this power balance. But I also think that privacy is not only a personal value, it's also a societal value. You need to be able to think in private about new things. You need to be able to think about things that your government may not actually like. And all these things are needed to protect democracy and, you know, things like all kinds of gay rights, lesbian rights, those kinds of things. I mean, those things were developed back in the days that, you know, government and society at large were not really open to those kinds of ideas. If you would not have had any privacy and all your thoughts would be, like, basically out there straight away, then the question is whether those rights would have developed the way they're developing now.

So all these developments, all these technical developments, make people more transparent, predictable and hence vulnerable, and this is a problem for each of us, both personally and as a society at large. Therefore we need to protect privacy, and one way to do that is to do privacy by design. Now the subtitle of this talk was something along the lines of "sometimes good enough is good enough", and in a way, you know, the perfect should not be the enemy of the good. Especially from a technical perspective, we often think that the only way to protect privacy is to do it in an absolute sense. This whole idea of privacy by design is not going to contribute to that. So if that's what you want, you're out of luck.
I think my main message here is that, even though this is not going to create the best possible solution, and maybe sometimes you can get pretty close, at least by doing something like privacy by design we get closer to a good solution and offer at least a reasonable amount of protection, instead of trying to go for the absolute goal of total privacy, which in the end I think not everybody will want. If we only look at the discussion about things like the crypto wars and the access to encrypted communication, you see a lot of pushback from all kinds of, you know, stakeholders in society that want different kinds of things. So we have to find a way to find, like, a good spot where we still design systems that are privacy-friendly enough, and this is what privacy by design can do.

What is the idea? Privacy by design is basically a concept that says that privacy is a design requirement just like any other design requirement, any other system design requirement, and that you have to think about it and apply it throughout the system development process. Why? Well, in a sense it's the same as in security. If you think about privacy later on in the process, it's much harder to protect it. So the only way to make sure that privacy is protected in any reasonable sense, in any proper sense, is to actually think about privacy requirements and take them into account all the way through the whole system development process. And in that sense privacy is a quality attribute, just like performance is or security is. And as a remark, privacy by design in that sense is a process, meaning that it's not something like, okay, I'm just gonna do it at the start and that's it. No, it's something that you continuously do and apply. Why would you do that? Well, I mean, in this group I think the arguments I gave in the last couple of slides are convincing enough.
In many cases, though, companies have other kinds of interests, and some of them are more, like, business oriented. So for them, for instance, one of the reasons to apply privacy by design is just to reduce business risks. It reduces risks associated with having too much personal data. A data leak could lead to reputation loss. It could even lead to financial loss, and basically, by the whole adage "if you don't have it, you cannot lose it", this already protects you from these kinds of damages. It also, I think, enables businesses, pretty much in the sense that security by design has enabled all kinds of business, for instance in the sphere of internet banking, where now everybody does it online, whereas 10, 20 years ago everybody still did it by paper. Why can you do that? That's because the systems to do it were designed more or less securely (we can argue about that) from the start. Similarly, I think that by doing privacy by design we can do stuff, for instance in the health sphere, quantified self, all those kinds of things, in a much more responsible way, and also in a way that more people actually trust those services and will actually trust to use those devices, which means that that enables a business that otherwise would not be a business at all. So it's also a business enabler.

Finally, if that didn't convince the companies, we can always use the very, very big, big stick, namely the General Data Protection Regulation, that comes into real force next year in May and which has the possibility to impose fines up to 2 or 3% of the annual turnover worldwide of a company. So this is huge. Four? It's even four. They changed it over the years. Four. Four, even better.
So this stick, and, you know, in a way I don't really like it, but this is the stick that really makes it a top priority in companies. Because of this we are actually talking to companies trying to do privacy by design, talking to banks, talking to energy suppliers, all kinds of companies, because now they need to do it. Now it's something that the board decides about. Great. So we've finally convinced companies and organizations to do privacy by design, but there's a big, big gap: how to do it. And why is that gap so big? And this is where I want to, you know, dwell a little bit, because you guys are the engineers, mostly, according to the small quiz Jeroen did. I think there are many misconceptions among engineers about how the world works, so to speak. And one of them is the fact that engineers, I'm not going to say "we" because I'm not sure whether I'm still an engineer or whatever, think in zeros and ones. Think in black and white. Whereas most of, at least the lawyers, but also most of society, thinks in what I sort of like jokingly call 50 shades of grey. Ask a lawyer about something and it's like, it depends. For lawyers and other people that makes total sense, but for a computer scientist, and I've been there, I know it, it's like, what? How can I design something around "it depends", right? This is hard, so what do you do? We teach courses in our university called Law and Cyberspace, where we actually spend quite some time showing our students that the world is not as black and white as they initially think it is. And that's an important lesson for them, because that actually helps them to talk to lawyers, to business people, to in the end engage in a conversation that actually will move the situation forward. So this is, I think, the most important thing, if only to realize that the other side doesn't quite see it the way you think it should be. Second misconception.
And this is also, in a way, the way I phrased it a few slides ago: it really was about bad business, bad government doing surveillance, collecting all this data. In terms of the law, those companies and governments are called data controllers, and the law has all kinds of requirements imposed on those data controllers to protect our data. And therefore it's also called data protection. It's not something like a "you shall not collect data" law, it's a data protection law. It's about the data controller having to protect your data. An engineer typically sees the data controller, the government or the business, as the evil guy doing all kinds of bad stuff with the data. So that doesn't really square very nicely with this concept of doing data protection from the legal perspective. So that's also problematic, because that really is a different viewpoint. If you view the data controller as the adversary, then the whole concept of what the GDPR thinks is privacy by design will just fall apart, because the premise is basically that the data controller will collect the data and has a purpose to collect the data in the first place.

And really related to that is the whole thing that for many people, especially engineers, privacy means data minimization. Now I do agree that data minimization is a very, very good tactic, a way to protect privacy. But it's not the only one. There are many other ways to protect privacy, and if you look at the way that the law, the General Data Protection Regulation, is set up, there are all kinds of other things associated with privacy protection, for instance data subject access rights and those kinds of things, that you really need to implement if you want to do privacy, if you want to protect privacy. So privacy is not only providing minimization. It's a good way, but it's not the only way. And this is already shown.
The final thing, and then I will go to the whole idea of the privacy design strategies to make this more concrete: the problem is that for many people, and again engineers, if you talk about data processing, and this is the general construct in the General Data Protection Regulation, to an engineer data processing is really about doing something with the data, it's like computing with the data. If you look at the law, if you look at the legal interpretation of what data processing is, it is way more. Not only operating on it, but it's also storing, retaining, collecting, sharing, changing. Basically, data processing is anything that happens to, or that you can do to, the data. So it's much broader. Again, something that you as an engineer should be aware of.

Okay. But those misconceptions, at least put them in your minds for a little bit, and you can think about them and we can talk about them during the meeting of the workshop. Let's go back to the whole idea of this privacy by design, because I said privacy by design is applying privacy throughout the software development life cycle, all the way when you design a system.
Now the problem is that if you look at this, and this is a very classic, almost waterfall kind of software development life cycle, and I know systems are not developed like this, they never were developed like this, they will never be developed like this, but still you can sort of separate these kinds of phases. You know, first, when you build, you start with an idea. You start basically with a few guys from business, let's take the business perspective, a few guys from business saying, look, we have this great idea for a new service, and they start talking, like, what should it do, what should the possibilities be. So this is the concept development phase. Then there is the analysis phase: okay, suppose you want to do this, how could we do that, what are the consequences, what kind of technology do we need. And then you start designing it, then you start implementing it, you test it and you evaluate, and then at some point you figure out there's something wrong with the concept, you change it a little bit, and then you have this cycle. Great.

Now if you look at privacy by design, and privacy in general, if you look at technology, things that we know, things that we can apply, we have things like privacy-enhancing technologies. Great stuff, but it's only applicable during the implementation phase. It's useless in the concept phase. We have things like design patterns, and things like privacy design patterns are starting to emerge. We're actually, as a group with a few others, working on a repository for that, so if you're interested, come talk to me, to make privacy design patterns that can be applied during the design phase. But what was missing up till now was something that would help engineers, and also people from more the business perspective, to talk about the concepts and to analyze those concepts in terms of the privacy consequences that those concepts and designs have. And this is where the privacy design strategies come in, and what they really try to do is map fuzzy legal concepts to concrete data
protection goals to help control data processing. And there are eight of them. I'm going to show how we came up with them, because that is sort of like a fun story. I'm doing okay on time, that's okay.

The whole idea is basically saying, look, if you're at a very high level of abstraction and look at a system, an information processing system, what is that in essence? Well, almost always a database. Information comes in, it's stored, you do stuff with it, but it's the storing and processing of that information, that data, that is relevant here. Okay, so if that is what a system is, how could you protect privacy there? So here you see this, this is the database, the database table, and we have individuals, data subjects, and we have attributes, information about those individuals. How could you protect privacy in this case? How could you make the system more privacy-friendly? Let's see if this works.

Well, one of the things you can do is minimize. So instead of collecting information about everybody, you collect information about only those people that you're interested in. Of course you can do that at the level of individuals, you can also do that at the level of attributes. Instead of collecting all the information about everybody, you can just collect some information, only the relevant information. So minimization, and I already said that before, is an important strategy. It works, but it's not the only one.

What else can we do? Well, we can separate. Instead of having one big database for all the stuff that we do, we store the data in several databases. And of course the hidden assumption here is that we do not give everybody access to all the databases: only those people that are associated with one application have access to one database, only people associated with another application have access to another database. And there's a different interpretation of separation that we will come to later on.

What else can we do, still looking, still in this database frame? Well, instead of, you know, collecting stuff in a lot of detail, we
can abstract data, both again in terms of individuals and attributes. Instead of collecting information about everybody here in this tent, I could also say, you know, I'm only interested in the fact that you were in this tent, so I want information about people in this tent, and I'm not interested in information on each of you individually. Another thing, and then you apply it to attributes, would be something like: I'm not interested in your birth date, but I'm only interested in your age, I'm only interested in whether you're over 18 or whatever, or over 65, et cetera. And finally, something else you can do is you can hide the data. You can both protect it, encrypt it, and you can even try to hide the metadata, make it unlinkable.

So those, that was basically the way that we started thinking about, you know, if we look at the database, how can we protect privacy in an information system if we look at it as a database. Slightly updating the graphics here, this is basically the same picture. You see minimize, you see separate, you see abstract, you see hide, but you see also something else. You see four more strategies. There are two strategies that are basically oriented toward the data subject, and those are very, very important strategies, because the law explicitly provides for them. They basically require you to have data subject access rights and also information rights. So you should be transparent about the processing, you should inform your data subjects about the processing, and you should give them control. People should be able to review their information, they should even be able to ask to remove certain information, think about the right to be forgotten for instance. So those things need to be implemented as well. And then at the bottom, this is more towards the data controller, and of course the data protection authorities themselves: the data controller needs to enforce a privacy policy, and also, something that is relatively new in the GDPR, is the requirement to actually
demonstrate that you're doing everything you can, or at least enough, to be able to show that you protect the privacy of your customers.

So here I'll go into a little bit more detail into what these eight design strategies actually mean and give some examples, and then we'll wrap up. So minimize was the first. The definition is a bit long-winded, but in essence it boils down to: process only that information that is absolutely required for the goal that you're trying to pursue. But there are different ways that you can do that. So one thing that you can do is a kind of blacklisting. You basically say, okay, I'm going to exclude certain information. I know I'm not interested in, whatever, the country that you're from or your gender, I don't need to record that, I'm going to blacklist that. There's another way that you can do it: you can basically say, I can select. This is the opposite, this is basically a whitelisting, basically saying, okay, I know which information I'm going to use, so that's why I'm going to collect that information and nothing else. It depends on the application which one works better. Also what you can do is at some point strip information that you no longer need. So you may need certain information during the order process, but as soon as the order is shipped you can maybe throw away a lot of the information. And in the end there's of course the whole thing that at some point you don't need any personal information about one of your customers anymore, and then you have to destroy it. And how do you do that securely, especially if it's stored on backup? It's a challenge, but you have to think about those things. An example is "select before you collect", and all the kinds of minimization strategies that you can think of.

Separate. This is really, like the definition says, preventing the correlation as much as possible of individual data items, to make sure that they cannot be connected with each other and build a much larger, much more precise picture of certain individuals.
Now of course one way to do that is to distribute the databases and store information in different databases. But there's also a different way to look at this, and that's basically saying: instead of doing centralized processing, do distributed processing. Don't have a central server, but do processing at the edge, in the smartphones or tablets of the users. And you see examples emerging. So for instance, I sort of like the example of the facial recognition built in in recent versions of iOS, where your photo album can actually scan your pictures and try to recognize faces, and then it will collect, like, albums of the pictures that person is in. Now traditionally you would have needed to send all the pictures to a central server and then analyze them centrally and send back the metadata, but what actually happens is that all the analysis is done locally on your phone. No pictures are sent to a central server. So this is a nice example.

Another example that is more like a dream than a reality, although there are a few proofs of concept out there, is this whole idea of a peer-to-peer social network. I mean, if the whole idea of a social network is to share profiles with a few other people, then what's the point of having a centralized social network? You could do that in a total peer-to-peer fashion, and maybe even in a way where your own local profile and whatever you want to share with others is on your own smartphone, which is connected to the internet anyway, all the time, mostly. And if you don't want your profile to be seen, you can actually switch it off. And then there's, like, a directory that knows that you want to have access to your personal data, that you can provide in this way, which is much more controlled. And there's no central component anymore, no Mark Zuckerberg that knows everything about everybody.

Abstract, that's the third strategy. I already gave this example, and, like, instead of collecting information about individuals you can group that. You can also,
instead of having like very specific information about individuals have more coarse-grained information instead of recording the the birth date, the age all that kind of stuff this is for instance a strategy that has been successfully applied in a smart grid there was several years ago in the Netherlands there was the idea to introduce smart meters to measure energy consumption in every household in the Netherlands and there was quite a strong opposition against that why? I'm afraid that the energy the network operators or the energy suppliers would actually read out your energy consumption in real time and researchers all over the world show that if you can read out the energy consumption in real time you can deduce all kind of stuff even up to the point that you can see what kind of TV programs you're watching so this in the end can be quite sensitive information so what was in the end decided that the network operators and the smart meters should not provide that information in real time at least not in a sub-second kind of like resolution so like the course resolution that at least the network operator can get data is in 15 minutes intervals but they only are allowed to access that in case of network management but normally speaking your energy consumption is only read out after three months and then of course the information content it's aggregated so total consumption is much less much less privacy invasive hiding that's a complex beast hiding is preventing exposure as much as possible of your personal information by through all kinds of means and there's really a lot of different means because it's both about protecting the data itself so the volunteer data think about things like encryption database access control but there's also the whole concept of hiding the metadata and then you come into the realms of Tor and mixed networks to try to hide the fact that certain people are communicating with other people this is really really hard to do in a certain 
cases maybe even impossible but it's still important to mention that these kind of things this whole idea of unlinkability is also something to think about when you're building a system those four strategies are the data processing the data oriented strategies there's also four more processing oriented strategies and that I will talk about now one of them is Inform and Inform is an interesting beast it's something that basically says that you have to provide as much information as possible about the processing of the personal information to a data subject and you have as a data subject you have the right to that information I guess the situation is getting better these days but at some point bits of freedom who was the national Dutch organization to defend digital rights on the internet and beyond I guess they made something called the privacy inzaghe machine basically a machine a tool that would allow you to do data subject access requests more easily and in essence what it did it was just generate letters that you could then send to the companies asking for you know basically asking them what kind of information do you collect about me what do you use it for who did you share it with and at some point the tool was online and we decided to try it out with a few students this was five years ago I think and the results were hilarious back then two examples who knows Albert Heijn it's a big grocery store here in the Netherlands they have this bonus card a loyalty card and this collects information about your shopping behavior so one of the students had this card and basically sent a subject data subject access request to Albert Heijn asking okay what kind of information do you have about me it took a little while and then he got back a screenshot of a database and we were not entirely sure but it looked like a screenshot from a personnel database and the screenshot said that he was not in the database which was right because he was not working for Albert Heijn but 
that was not really what he was asking for okay the other example is even worse one student had a contract with a mobile phone operator you know so he asked about that information this was before the time that you would have like my T-Mobile my Vodafone my KPN kind of environment where you can basically access all kinds of information so he sent that letter and at some point he got a call from the help desk of the mobile phone operator that he was you know had a contract with and the person at the other end said all the rent said you know do you really want this do you really want me to provide that information because I've been you know I'm working on this for four hours it's gonna take at least four more hours it's like it's a mess yeah that's right it was a mess totally why was it a mess because none of those companies back then thought about this strategy they were not aware at all that they had to implement ways to allow their customers to get you know access to the data okay having transparency about the processing is one thing but if you want to have control about the processing you also have to provide ways to give people control so you have to implement meaningful forms of consent you actually have to provide ways to choose about the kind of processing and choosing does not mean you either provide me the information then you get access and if you don't provide me the information you get nothing I mean you really want to have at least the basic service that is accessible to everybody even those that do not want to share all kinds of personal information with you finally then the last two you're already standing there like there's like maybe 5 or 10 minutes something like that right then there's the whole thing of having a privacy policy and enforcing the privacy policy that privacy policy is something much more internal to the company and it's really important to make sure that everybody understands what the privacy policy is that like the board agrees what 
the privacy policy is and that also that the board provides all kind of resources and means to make sure that the privacy policy can actually be implemented but it's one thing to say that you have a privacy policy but if nothing happens or nothing can be done according to the privacy policy because the resources are not available then nothing is going to happen so this is also really really important and finally demonstration you have to be able to demonstrate to the data protection authorities that you are actually you know applying privacy by design and in general protecting the privacy of your customers for instance by doing logging and having a privacy management system and this is the summary of those eight privacy design strategies concluding remarks before we go to questions and before the tent breaks down because it's starting to leak here I talked about privacy by design there's really there are limits to privacy by design in many many ways actually I mean privacy itself is very fragile so if you design a system then the whole privacy may just fall apart completely from an engineering perspective this is really a tough challenge it's hard to define what the level of privacy is if you build a system how privacy friendly is it I don't know it's really hard to measure this how do you compare this and of course there are all kinds of implementation obstacles like how to actually build these things both from an organizational perspective and how to convince people to do it in a certain way incentives and effective deterrence mechanisms are needed I think the GDPR is a good step in the right direction but I still think that the big elephant in the room is the business models of the big companies out there if we don't really do something against those business models then the incentive to do privacy and privacy by design is not going to be big enough that's really a problem better understanding of privacy by design is a process and to integrate that into the way 
systems are developed within companies and organizations is really something that people are only now starting to think about and this is messy, this is hard so if people have ideas basically these topics are things that I want to discuss in the meetup that basically follows right after this we will get wet but then we will meet up in Pi and then talk about this doing well I think is good enough further information 2% there's lots more thank you for your attention thank you very much as he mentioned we have a meetup later after this talk in the Pi tent in the workshop tent for now we still have some time for questions so if anybody has a question please line up at one of the microphones can I see somebody walking up please thanks for the talk closer to the microphone thanks for the talk about 2 years ago you wrote an article about identification pimps is this a new philosophy of doing well is good enough or don't make the perfect the enemy of the good enough yeah I think I know what you are talking about many people don't know the context I try to explain this briefly in the Netherlands they are designing a new system for electronic identity management and actually what they want to do is to provide people in the Netherlands citizens of the Netherlands with electronic identity which is so government has been thinking about this for a long time and in the end because of all kinds of pressure from market forces they ended up with a system and I didn't call them that but my professor called it then basically made a system where the identity provider gets to see everything you do and this meant that my professor basically said that this system was providing for identification pimps to be implemented in the Netherlands so there will be organizations the pimps that will know everything about whatever you do online this is not good enough but you know for discussion basically what I just said when is good enough how do you measure privacy my current thinking about this is 
that if there is like clearly practical applicable approaches that work in practice that do better than what you do in the same you you you then that's good enough so I think a lot of things that can be done and this just shows like how soft this field really is things like benchmarking need to be done here you really have to be able to compare how you're doing compared to other people in the same business and then basically say okay if you're doing good you're good enough but that also means that doing good enough maybe be doing very bad in five years time because like the competition basically stepped up their efforts and now you're lagging behind which I think is a good thing thanks for your question we still have more time for questions very nice presentation indeed when we look at privacy by design GDPR is very welcoming of technology evolutions and of course we are waiting for the data protection impact assessment opinion of the article 29 working party the final one so the way it looks there will be a need to do data protection impact assessments for high risk applications and there will be a requirement to review and update these data protection impact assessments and of course for the high risk that will go to the respective data protection authority that will provide input and guidance where do you see with ten months to go us standing when it comes to comparability of these documents because in essence that should be a benchmark then on how people think about privacy by design yeah I think that there's a very very interesting question and I think the situation is quite problematic to be honest indeed what you would want is actually that the privacy impact assessments sort of like provides an output a description that you then can feed into your design process in order to end up with a system that is more privacy friendly than what you started with this is not how it works in practice I have a PhD student who did the research in that he presented the 
paper on that recently he basically interviewed different companies in different sectors in industry about how they do privacy impact assessments and most of them what they do is they first build the system then do the privacy impact assessment and then based on the privacy impact assessment you see okay what kind of like small mitigation steps can I do to remove some residual risks well that was not of course the idea of doing a privacy impact assessment let's see how that is going to happen in the coming months, years but the thing is and this is also very interesting we are all now focusing on the GDPR like okay so now there's this gold standard that all these companies have to meet well we already had a privacy regulation a privacy law in Europe since 1996 and materially the differences between those two laws are not very big so basically everybody who is running now has been in violation for at least 10 years we have time for one more question if not please thank you and let's meet in pie in 10 minutes to talk about this more for those who are interested thanks
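The smart-meter coarse-graining the talk describes under the abstraction strategy (15-minute intervals instead of real-time readings, a period total for billing), as an added example that is not part of the original talk. The per-second readings, the 2000 W appliance signature and the 500 W step threshold are constructed assumptions, not data from the Dutch smart-grid decision.

```python
"""Added example (not from the talk): the 'abstract' strategy on smart-meter data.
A constructed per-second consumption series exposes appliance switch events;
averaging into 15-minute buckets, or summing into one period total, removes
that signal while keeping what the operator or supplier actually needs."""

SECONDS_PER_INTERVAL = 15 * 60  # the 15-minute resolution the talk mentions


def constructed_readings(hours: int = 1, base_w: float = 200.0) -> list[float]:
    """Constructed sample: a flat base load plus a 2000 W appliance (think of a
    kettle) switched on for 90 s at the 10-minute and 40-minute marks."""
    readings = [base_w] * (hours * 3600)
    for start in (600, 2400):
        for t in range(start, start + 90):
            readings[t] += 2000.0
    return readings


def switch_events(readings: list[float], jump_w: float = 500.0) -> int:
    """Count large steps between consecutive samples. At fine resolution every
    appliance switch-on and switch-off shows up as such a step; that is the
    inference channel the coarser data is meant to close."""
    return sum(1 for a, b in zip(readings, readings[1:]) if abs(b - a) >= jump_w)


def aggregate(readings: list[float], seconds: int) -> list[float]:
    """Average consecutive samples into buckets of `seconds` (900 s = 15 min).
    The last bucket may be shorter if the series does not divide evenly."""
    return [sum(readings[i:i + seconds]) / len(readings[i:i + seconds])
            for i in range(0, len(readings), seconds)]


def period_total_kwh(readings: list[float]) -> float:
    """The single number a supplier needs for billing: energy over the period."""
    return sum(readings) / 3600.0 / 1000.0  # W*s -> Wh -> kWh


if __name__ == "__main__":
    fine = constructed_readings()
    coarse = aggregate(fine, SECONDS_PER_INTERVAL)
    print("switch events visible at 1 s resolution:", switch_events(fine))
    print("switch events visible at 15 min resolution:", switch_events(coarse))
    print("period total for billing (kWh):", period_total_kwh(fine))
```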