Privacy and security by design for product management

Anticipate and prevent breaches from occurring.

Recognise the value and benefits of proactively adopting strong and consistent privacy and security practices for your product. Ask yourself whether your product could withstand the risks that privacy by chance or privacy by disaster would bring.

Further reading illustrating proactive rather than reactive product management:

• A privacy policy is not enough.
• Privacy by Design: Essential for organizational accountability and strong business practices

The product should provide privacy assurance, giving the user the maximum privacy by default. A user should not have to take actions to protect their privacy within your product.

Default product settings should be privacy preserving. Encourage the product team to think beyond the default settings or preferences that users control to the overall system defaults.

When designing a new product, or feature, it should always maximise privacy, beginning with no personal data collection, unless and until a specified purpose is defined.

Data minimisation is the first line of defence. The collection, use or disclosure of aggregated, de-identified personal data also raises privacy issues. We often apply paper world requirements to a digital world. Online systems actually require less data because of their computational capabilities.

Personal data that is not collected, retained or disclosed needs no securing.

Further reading illustrating privacy as the default setting:

• Location based services: Redesigning IP Geolocation
• De-Identification of Health Data: Dispelling the myths surrounding de-identification
• Privacy-enhanced biometric identifiers: Biometric encryption
• Distributed information privacy architecture: The Ontario Smart Grid Case Study

Privacy and security should not be an add-on, after thought or after-breach consideration. When it comes to product design and development, it should be rolled into the core functionality.

Poster: 7 Laws of Identity by Kim Cameron

Development and design should be approached in a holistic, integrative and creative way, moving away from a reactive model to a proactive one.

It is essential that all interests and objectives, including privacy, are documented, and that desired functions are articulated and metrics agreed upon and applied. Reject trade-offs in favour of finding a solution that enables multi-functionality.

Privacy expertise must be available and engaged throughout all phases of the workflow, not purely at development or design stage, bringing an appreciation of client expectations.

As a product manager, consider the following.

During design and development, could we:

• Design reporting features that allow users to be notified of how personal data is being collected by our application, and whether any exceptions to their privacy preferences have occurred;
• Provide simple, easy to understand user interfaces for privacy controls;
• Use privacy-protective default settings;
• Ensure end-to-end protection of personal data;
• Not require social media registration to access the app;
• Not enable sharing by default;
• Include an option to show users their personal data;
• Unbundle or separate consent;
• Include better user-management features:
• Minimise your application’s access to device data; and
• Integrate privacy by design into the development cycle.

As a product team, could we:

• Find ways to educate users about the risks associated with personal data;
• Conduct annual assessments of privacy and security by design in our product.
• Conduct annual reviews of the privacy policy for the product.
• Revisit contact forms, sign-up pages and customer-service entry points.
• Enable the regular deletion of data created through these processes.

At the end of engagement and mothballing, could we:

• Remind users to review and refresh their privacy settings;
• Ensure the contracted retention details are adhered to;
• Allow users to download and delete old data;
• Delete the data of users who have closed their accounts; and
• Delete all user data when the app’s life comes to an end.

Further reading illustrating privacy embedded in design:

• Anticipating unintended consequences of networked systems: Wifi Positioning systems
• Embedding privacy into big data methods: PbD in the age of big data
• Embedding privacy into mobile technologies and ecosystems: The roadmap for PbD in mobile communications.
• The Laws of Identity

Ensure that legitimate interests and objectives are accommodated in a positive-sum, ‘win-win’ way. Do not resort to zero-sum where unnecessary trade-offs to privacy are made in the product.

In a zero-sum view, in order to enjoy privacy, we must give up other functionalities that we value, such as security, safety, system efficiency, flow of information, or business interests. This is an outdated, yet mainstream, way of thinking.

Respecting people’s privacy should never present a barrier to delivering a service. Products should be built with privacy in mind, providing a double-enabling outcome (positive-sum).

Security is key to privacy. There should be full lifecycle management of information so that personal data is properly secured and not retained for longer than necessary. We are responsible for the security of personal data stored by our product throughout the data’s entire lifecycle (at rest, in transit, and while in use).

Security, of course, is not just about encryption or destruction of data but covers a wide area, outside of product management and development. Product managers should be aware of which providers are being used for their products and how they stack up security and privacy wise.

DevOps should assess third party cloud providers on:

• How proven their security stack is. Are they running different patch levels on different hardware?
• How large they are. How resilient or redundant are they? What is their recovery time objective?
• The speed and agility at which they work. How quickly do they adapt to security issues today? Which peer groups do they work with for security information gathering?

For developers and designers, security should be a core principle when designing the product or feature. Before any code is written, the design should get a security review. Code written by the product developers should be peer reviewed for security and least privilege (ie. minimising access)

When relying on third party code, such as open source components, make use of an inventory and vulnerability checking tool such as OWASP Dependency Check.

Static code analysis (SCA) is a quick and automatic check, without having to execute the code. It works to discover issues that are hard to discover manually.

• Resource: List of Open Source static code analysis security tools

Secure destruction of personal data, is also part of secure data handling. We need to follow responsible, secure procedures for destruction of personal data once a decision is made not to retain the data.

Further reading illustrating embedding of end-to-end security:

• Cloud computing environment: Modelling cloud computing architecture without compromising privacy
• Protecting sensitive data by default in high availability environments: Encryption by default and circles of trust

Stakeholders must be assured that the privacy and security promises and objectives for the product are transparent and independently verifiable.

Visibility and transparency are essential to establishing accountability - not only for individuals but also for business partners and other stakeholders. It is increasingly in the interests of everyone, from developers and system architects to organisational leadership, to be transparent and accountable when it comes to privacy.

The implementation of privacy by design opens up a stream of dialogue between organisations and the end-users they serve. Effective communication with users is the essential link between implementing strong privacy practices and fostering the consumer confidence and trust that leads to sustainable competitive advantage.

Users need to be advised in a timely, actionable, simple manner of any important system privacy attributes, including which privacy policies apply and who is responsible for them.

The product should keep the interests of the individual uppermost by offering strong privacy defaults, appropriate notice and user-friendly options.

Respecting the user means that when designing or deploying a platform or product, an individual’s privacy and user interests are accommodated.  The product needs to anticipate the user’s privacy perceptions, needs, requirements and default settings.

On the operational side, the product needs to assure transparency, attain informed user consent, and provide rights of access and correction. Users expect privacy preferences and settings to be clear, to function across the platform and to persist over time. These should cascade to third parties utilised (ie. cloud providers, etc).

Empowering users to play active roles in the management of their personal data may be the single most effective check against misuse and abuse of personal data. As such, this principle has important links to the field of user interface design. The user interface should allow maximum user control over personal data and its processing by others.

Further reading on user-centric approach to privacy:

• The implications of an open world: Privacy and government 2.0
• Building privacy into user interface design: Emerging design criteria
• Identity metasystem
• Engineering personal control of online data: Emerging personal data ecosystem