Tutorial 1

Date/Time: Tuesday, October 16th, 2012 2:00pm - 5:00pm
Duration: 3 hours
Title: The State and Evolution of Privacy by Design

Presenter: Stuart S. Shapiro, The MITRE Corporation


“Privacy by design” (PbD) is both replete with and bereft of meaning. It is replete with meaning in the sense that it represents a distinct philosophical movement and a shift away from the dominant legal-oriented approach to privacy and toward an approach that is more proactive, technical, and embedded. On the other hand, it is largely bereft of meaning in the sense that it lacks anything resembling a coherent body of knowledge consisting of organized systematic techniques for carrying it out. From conceptual and theoretical standpoints, PbD is an undeniable phenomenon. However, the extent to which it “has legs” depends on substantively addressing this gap. In part, this gap reflects a failure to appropriately leverage and organize existing ideas and methods, but it also reflects the need to develop new methods capable of addressing the complexities and scales of new socio-technical systems and their implications for privacy. This 3-hour tutorial aims to survey the state of PbD and what will be required to move it into the realm of actionable, structured, and comprehensive techniques.

The tutorial will begin by discussing conceptions of privacy, particularly informational privacy, and recent approaches to framing it. It will then consider the origins and gross characteristics of PbD, contrasting it with the approaches it seeks to complement, if not replace. This will be followed by examination of some representative case studies of PbD “in action,” highlighting both instances and absences of useful applied methods and characteristics. This will lead into a more systematic review and evaluation of both theoretical foundations and practical methods, including relevant work that has not been explicitly slotted under the PbD rubric. Finally, potential ways of addressing identified deficiencies in both foundations and methods will be considered. In particular, the possibility of a more capable privacy risk management framework serving as a basis for structuring and deploying PbD will be discussed.


Stuart S. Shapiro is a Principal Information Privacy and Security Engineer at the MITRE Corporation. He has led multiple projects in the area of enterprise privacy-enhancing technologies (ePETs) and delivered the keynote presentation at the 2008 Privacy Enhancing Technologies Symposium. In addition to ePETs, his current interests include methodologies for privacy risk management and privacy engineering. Prior to joining MITRE, he was Director of Privacy at CareInsite, an e-health company, where his responsibilities included both policy and technical issues revolving around privacy and security. He has also held academic positions at multiple institutions and has taught courses on the history, politics, and ethics of information and communication technologies. His professional affiliations include the IAPP, the Advisory Board of the Ponemon Institute’s Responsible Information Management Council, and the ACM U.S. Public Policy Council (USACM), where he currently chairs the Security and Privacy Committee.

Last modified: 2012-09-06 11:43:24 EDT