Privacy Engineering: Shaping an Emerging Field of Research and Practice

Seda Gurses and José M. del Álamo, IEEE Security & Privacy
Addressing privacy and data protection systematically throughout the process of engineering information systems is a daunting task. Although the research community has made significant progress in theory and in labs, meltdowns in recent years suggest that we're still struggling to address systemic privacy issues. Privacy engineering, an emerging field, responds to this gap between research and practice. It's concerned with systematizing and evaluating approaches to capture and address privacy… 


Privacy Engineering Methodologies: A survey

  • Y. Al-Slais
  • Computer Science
    2020 International Conference on Innovation and Intelligence for Informatics, Computing and Technologies (3ICT)
  • 2020
A survey of academic publications discussing the current privacy engineering methodologies finds a significant increase in publications after the official implementation of GDPR and proposes a taxonomy based on the theoretical backgrounds and origin of methodology (security-based or privacy-friendly).

Strengthening Privacy by Design

This chapter closes the loop, merging the findings of the previous chapters on the legal principles, technical tools, and their interplay, in order to establish guidelines that support the development of privacy-friendly designs.

"Appropriate Technical and Organizational Measures": Identifying Privacy Engineering Approaches to Meet GDPR Requirements

It is concluded that recent privacy engineering approaches have the conceptual background to cover the GDPR, but advocate research on the integration of privacy concerns in software development processes.

Right engineering? The redesign of privacy and personal data protection

This article studies the techno-epistemic network emerging around this idea historically and empirically, and identifies tensions and limits within these design-based approaches, which can offer opportunities for learning lessons to increase the quality of privacy articulations.

Reusable Elements for the Systematic Design of Privacy-Friendly Information Systems: A Mapping Study

The most advanced research areas in privacy engineering are described and some of the gaps found are discussed, suggesting areas where researchers and funding institutions can focus their efforts.

Methods and Tools for GDPR Compliance Through Privacy and Data Protection Engineering

  • Y. Martín, A. Kung
  • Computer Science
    2018 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
  • 2018
In this position paper we posit that, for Privacy by Design to be viable, engineers must be effectively involved and endowed with methodological and technological tools closer to their mindset, and

Towards a Principled Approach for Engineering Privacy by Design

This work analyzes three privacy requirements engineering methods and derives a set of criteria that aid in identifying data-processing activities that may lead to privacy violations and harms and also aid in specifying appropriate design decisions.

A Privacy-Aware V-Model for Software Development

This paper proposes the new W-model as a privacy-aware extension of the V-model frequently used in software engineering, and introduces a cost function that assists privacy engineers in selecting the most suitable countermeasure.

A Systematic Mapping Study on Privacy by Design in Software Engineering

The findings suggest that PbD in software engineering is still an immature field and that there is a need for privacy-aware approaches for software engineering and their validation in industrial settings.

Data Protection by Design: Promises and Perils in Crossing the Rubicon Between Law and Engineering

The article presents the empirical findings of a broad consultation with people involved in the making of this network, including policy makers, regulators, entrepreneurs, ICT developers, civil rights associations, and legal practitioners, and outlines how DPbD is subject to differing, sometimes also conflicting or contradictory, expectations and requirements.

Engineering Privacy

The paper uses a three-layer model of user privacy concerns to relate them to system operations and examine their effects on user behavior, and develops guidelines for building privacy-friendly systems.

PRIPARE: Integrating Privacy Best Practices into a Privacy Engineering Methodology

This paper reviews existing best practices in the analysis and design stages of the system development lifecycle, introduces a systematic methodology for privacy engineering that merges and integrates them, leveraging their best features whilst addressing their weak points, and describes its alignment with current standardization efforts.

Privacy Principles for Sharing Cyber Security Data

Application of these principles can reduce the risk of data exposure and help manage trust requirements for data sharing, helping to meet the goal of balancing privacy, organizational risk, and the ability to better respond to security with shared information.

Bridging the Gap Between Privacy and Design

The gap between privacy and design in the context of "lateral privacy" on social networking sites (SNSs) and other platforms is explored by analyzing the privacy concerns lodged against the introduction of Facebook's News Feed in 2006. Three alternative theories of privacy are then explored that provide compelling explanations of the privacy harms exemplified in platform environments.

Addressing privacy requirements in system design: the PriS method

PriS is described, a security requirements engineering method, which incorporates privacy requirements early in the system development process and provides a holistic approach from ‘high-level’ goals to ‘privacy-compliant’ IT systems.

Extending the Power of Consent with User-Managed Access: A Standard Architecture for Asynchronous, Centralizable, Internet-Scalable Consent

  • Eve Maler
  • Computer Science
    2015 IEEE Security and Privacy Workshops
  • 2015
User-Managed Access corrects a power imbalance that favors companies over individuals, enabling privacy solutions that move beyond compliance.

Protection Goals for Privacy Engineering

Six protection goals provide a common scheme for addressing the legal, technical, economic, and societal dimensions of privacy and data protection in complex IT systems. In this paper, each of these

Reviewing for Privacy in Internet and Web Standard-Setting

  • Nick Doty
  • Computer Science
    2015 IEEE Security and Privacy Workshops
  • 2015
This paper reviews the history of considerations for security and privacy in Internet and Web standard-setting, the impact of the Snowden surveillance revelations and reactions to them, and some trends in how the work done within standard-setting organizations is reviewed.

A critical review of 10 years of Privacy Technology

The field of privacy technology was seeded by computer security and cryptography experts who rushed to apply their tools to new problems, yielding mixed results. The analysis aims to explain why some paradigms came to dominate the field, their advantages, but also their blind spots and unfulfilled promises.

Privacy by Design in Federated Identity Management

A catalog of privacy-related architectural requirements, joining up legal, business and system architecture viewpoints, and the demonstration of concrete FIM models showing how the requirements can be implemented in practice are presented.