One of the readers of C# Design and Development took me to task some time ago for not discussion the matter of security in my book. He has been the only reader to ever ask me about the issue of privacy, so I didn’t think too much about it at the time. When I wrote the book, I thought it far more important to discuss security—keeping the data, application, and user safe. In fact, the book makes security part of an application triad the developer must consider during the design process. My thinking at the time was that privacy is a matter settled by management as part of a policy that is often implemented outside the developer’s control. To a certain extent that perception is still valid, but I’ve since learned that the developer does bear some responsibility toward the user when it comes to privacy.
A recent ComputerWorld article has made me think yet again about the whole issue of privacy. In this case, OnStar is collecting absolutely every last bit of information they can about you, without your permission, and selling it to anyone with a few pennies to spend. (A later article says that OnStar is reversing course on this decision.) They do tell you about spying on you, but you’ll only find this information if you read through the legalese contained in the Terms & Conditions. However, there are some people who don’t think you have any right to privacy in the first place. Industry leaders that include Facebook chief Executive, Mark Zuckerberg, Google chief, Eric Schmidt, Sun Microsystems chief, Scott McNealy, and Oracle chief, Larry Ellison would prefer you not to have any privacy whatsoever. They’d simply love to dig into every aspect of your life. The use of newer technologies, such as super cookies, have also proven that companies have a strong desire to invade your privacy.
So, the developer is faced with a number of questions when it comes to privacy. The most important of which is whether privacy is a right. According to the ComputerWorld article, the senate has finally woken up and decided that perhaps privacy is a matter they really should consider, especially when it comes to such brazen violations such as the one by OnStar. There is some validity to the belief that the Constitution and Bill of Rights offers at least some protection of privacy. Some laws, such as the Health Insurance Portability and Accountability Act (HIPAA) add additional rights. However, I imagine that we’ll experience years of delays, political wrangling, and legal interpretation before those rights are specifically spelled out in a way that developers (and others) can understand.
Assuming that a certain level of privacy is a right and that it’s legally protected, the developer still has a host of questions to answer. Here are some of the things you should think about as a developer when designing an application.
- What is the company policy regarding privacy?
- How does an application specifically guard or expose a user’s privacy?
- When does a user’s right to privacy override the desire of management to invade it?
- Which rights does a user forfeit as a member of an organization?
- Is privacy configurable as an opt in or an opt out selection?
- Precisely what information does the company collect?
- Precisely what information does the company actually need to conduct business?
If the developer of the OnStar system had included a simple switch for turning the device off (disallowing any eavesdropping of any sort), the whole issue discussed in the ComputerWorld article would be moot. Unfortunately, no one thought to include such a switch, despite the fact that it would have been an obvious design addition. Of course, we don’t need to look specifically at OnStar as a bad example of privacy thwarted. Many applications today include a “call home” feature and won’t even work if you don’t have an Internet connection. In short, someone somewhere is spying on you constantly.
When you look for privacy-related design information for the developer online or in books, you find it mysteriously missing. The reader who called my book into question was right to do so. I hope that this small article has at least started you thinking about privacy and overcomes the omission in my book. Future posts will fill in some additional gaps, but I’d like to hear your perspective on the issue of privacy first. What questions do you have about privacy? How would you design an application that protects user privacy while meeting organizational needs for information? Let me know at John@JohnMuellerBooks.com.