Request For Research Presentations For the PrivacyCon Conference #11

Submission Number:
Ari Waldman
New York
Initiative Name:
Request For Research Presentations For the PrivacyCon Conference
In "Privacy on the Ground", the law and information scholars Kenneth Bamberger and Deirdre Mulligan showed that empowered chief privacy officers (CPOs) are pushing their companies to take consumer privacy seriously, integrating privacy into the designs of new technologies. But their work was just the beginning of a larger research agenda. CPOs may set policies at the top, but they alone cannot embed robust privacy norms into the corporate ethos, practice, and routine. As such, if we want the mobile apps, websites, robots, and smart devices we use to respect our privacy, we need to institutionalize privacy throughout the corporations that make them. In particular, privacy must be a priority among those actually doing the work of design on the ground, namely, engineers, computer programmers, and other technologists. This project presents the initial findings from an ethnographic study of how, if at all, technologists doing the work of technology product design think about privacy, integrate privacy into their work, and consider user needs in the design process. It also looks at how attorneys at private firms draft privacy notices for their clients and interact with designers. Based on these findings, I present a narrative running in parallel to the one described by Bamberger and Mulligan. This alternative account, where privacy is narrow, limited, and barely factoring into design, may help explain why so many products seem to ignore our privacy expectations. I then propose a framework for understanding how factors both exogenous (theory and law) and endogenous (corporate structure and individual cognitive frames and experience) to the corporation prevent the CPOs' robust privacy norms from diffusing throughout technology companies and the industry as a whole.
This framework also helps suggest how specific reforms at every level (theory, law, organization, and individual experience) can create incentives for companies to take privacy seriously, enhance organizational learning, and eliminate the cognitive biases that lead to discrimination in design. This project speaks directly to a number of goals of this conference, but it primarily touches on the incentives for manufacturers and software developers to implement privacy and security by design in their goods or services. This project identifies the barriers to implementing privacy by design, including those forces that eliminate or erode the incentives for companies to take privacy seriously. My research is unique in that no other scholar has done an extensive ethnographic study of how, if at all, engineers integrate privacy into their work. My research also includes quantitative assessments of user preferences, engineering education, and other metrics. This paper recently won the 2017 Best Paper Award, sponsored by the International Association of Privacy Professionals, at the Privacy Law Scholars Conference.