Privacy is an important feature in today’s software, and DevOps teams should be focused on it.
Privacy by Design, Privacy Enhancing Technology and Privacy by Default are all terms associated with privacy and software.
What do they mean, and how do they affect DevOps?
In my last blog post, I explained the meaning of Privacy by Design. In this post, I’ll discuss Privacy by Default and explain what it has to do with DevOps.
Privacy by Default and Privacy by Design
As I explained in my first blog, Privacy by Design is an approach to systems engineering which takes privacy into account throughout the whole engineering process.
So every new product developed should take Privacy by Design Principles into account.
On the other hand, Privacy by Default is more Ops-oriented.
It requires IT Operations to configure the privacy settings for its customers’ software in the strictest mode. To put it another way, no manual change to the privacy settings should be required on the part of the user.
This also implies that the user's consent must be obtained before personally identifiable information (PII) is shared with third parties (online, for instance).
So, Privacy by Default is an important part of the application of Privacy by Design in DevOps.
I will illustrate this with an example.
Privacy by Default: The social network example
Online social networks like Facebook are one of the best examples to illustrate Privacy by Default.
Imagine you have a social network account and you want to use one of its services.
The social network and its services say they are compliant with the Privacy by Default Principles.
To function correctly, the service only needs your name and email address.
It is not necessary for the service to publish your age, friends, location, etc. without your consent. If the service is compliant with the Privacy by Default Principle, it will only share your name and email address. All other PII will not be shared without the user’s consent.
If the social network service does share this PII, it is a serious breach of the Privacy by Default Principle, and it is not compliant with the Privacy by Default or Privacy by Design Principles.
To ensure this breach never takes place, the DevOps team should make sure that, in the service's software, only the client's name and email address are accessible to third parties. This should be a distinct user story, so every member of the DevOps team is aware of it before going live.
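One way to make that user story testable is an automated check that a brand-new account, with no consent given and no settings touched, exposes nothing beyond the attributes the service needs. The code below is an added example written for this post, not code from the original article or from any social network; the profile, the two sharing policies and the function names are constructed for illustration. It puts the weak "share unless the user opts out" model beside the Privacy by Default "share only the required fields unless the user opts in" model and reports which attributes a fresh account would leak under each.

```python
"""Data-minimisation check for a Privacy by Default user story (added example)."""
from dataclasses import dataclass

# Constructed sample profile; the values are made up for this example.
PROFILE = {
    "name": "Alex Example",
    "email": "alex@example.invalid",
    "age": 34,
    "location": "Berlin",
    "friends": ["pat.example", "sam.example"],
}

# The only attributes the service needs to function (from the blog's example).
REQUIRED = frozenset({"name", "email"})


@dataclass(frozen=True)
class SharingPolicy:
    """Which profile attributes may be exported to a third party.

    share_unless_opted_out=True is the weak ("opt-out") model: every attribute
    is shared until the user switches it off.  False is Privacy by Default:
    nothing beyond `required` leaves the system until the user opts in.
    """
    share_unless_opted_out: bool
    required: frozenset = REQUIRED


OPT_OUT_POLICY = SharingPolicy(share_unless_opted_out=True)       # weak setting
PRIVACY_BY_DEFAULT = SharingPolicy(share_unless_opted_out=False)  # strict setting


def exported_attributes(profile, policy, consents=frozenset(), opt_outs=frozenset()):
    """Return the subset of `profile` a third party would receive under `policy`."""
    if policy.share_unless_opted_out:
        # Weak model: everything goes out unless the user has opted out of it.
        allowed = set(profile) - set(opt_outs)
    else:
        # Privacy by Default: only required fields plus explicitly consented ones.
        allowed = set(policy.required) | set(consents)
    return {k: v for k, v in profile.items() if k in allowed}


def default_overexposure(profile, policy):
    """Attributes a brand-new account (no consent, no opt-outs) would leak beyond the required set.

    An empty list is the acceptance criterion for the user story: the default
    configuration must not share any PII the service does not need.
    """
    exposed = set(exported_attributes(profile, policy))
    return sorted(exposed - set(policy.required))


if __name__ == "__main__":
    for label, policy in (("opt-out", OPT_OUT_POLICY), ("privacy-by-default", PRIVACY_BY_DEFAULT)):
        print(f"{label}: fresh account over-exposes {default_overexposure(PROFILE, policy)}")
```

Running the module prints that the opt-out policy over-exposes age, friends and location for a fresh account while the Privacy by Default policy over-exposes nothing; `default_overexposure` returning an empty list is the check to put in the pipeline before the service goes live, and `exported_attributes` with a `consents` argument shows how an attribute only becomes shareable after the user has opted in.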
Conclusion
Privacy by Default is an important part of Privacy by Design.
It requires the DevOps team to configure the privacy settings for its customers’ software in the strictest mode.
It also implies the user has to be asked for consent if the software wants to share data with third parties.
If this is not the case, the software is not compliant with the Privacy by Default Principle (and therefore, neither with the Privacy by Design Principle).