The Architecture of Privacy
by Courtney Bowman, Ari Gesher, John K. Grant, and Daniel Slate
Copyright 2015 Ari Gesher, Courtney Bowman, Daniel Slate and John Grant. All rights reserved.
Printed in the United States of America.
Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.
O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://safaribooksonline.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.
- Editors: Elissa Lerner, Heather Scherer, and Mike Loukides
- Production Editor: Colleen Lobner
- Copyeditor: Christina Edwards
- Proofreader: Gillian McGarvey
- Indexer: WordCo Indexing Services
- Interior Designer: David Futato
- Cover Designer: Ellie Volckhausen
- Illustrator: Rebecca Demarest
- September 2015: First Edition
Revision History for the First Edition
- 2015-08-26: First Release
See http://oreilly.com/catalog/errata.csp?isbn=9781491904015 for release details.
The O'Reilly logo is a registered trademark of O'Reilly Media, Inc. The Architecture of Privacy, the cover image of a six-banded armadillo, and related trade dress are trademarks of O'Reilly Media, Inc.
While the publisher and the authors have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the authors disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.
978-1-491-90401-5
[LSI]
Foreword
When I was an undergraduate majoring in computer science a few decades ago, books published by O'Reilly and Associates possessed talismanic power to me. As it happened, some of the earliest O'Reilly books were being published during my freshman year, and their mix of great writing, beautiful production value, and hyper-specificity were tailor-made for a young geek learning about Unix, perl, and the Internet for the first time. My dorm room bookshelves were lined with a rainbow of brightly colored book spines. Across my desk roamed a veritable menagerie of cover illustrations, from camels to grasshoppers, from crabs to crowned pigeons. I read every line of Dale Dougherty's book, and Cricket Liu's book; the tattered pages of my copy of Larry Wall's Perl Programming began to fall apart in my hands. I even splurged (well, my parents did) and bought the entire set of pricey X Window System guides, although I confess that I didn't read most of those.
I tell you this history to come clean: I gladly would've written a Foreword to contribute text to an O'Reilly book to honor my twenty-year-old self's obsession even if that book was just average. What a happy moment it is for me, then, to be able to contribute front matter to an O'Reilly book that is much more than just average. You hold in your hands (or view on your screen) a fantastic contribution to the burgeoning literature of privacy engineering.
Privacy requires a dialogue between two types of people: those who speak policy and those who speak engineering. The most important word of that sentence, and the part that many people fail to understand, is dialogue. In many other spaces where tech touches policy, these two tribes stand across a chasm, reacting to one another but not conversing with one another. Thus, in modern digital copyright policy, creators create, technologists protect and circumvent, and lawyers create laws and spur lawsuits reacting to these actions. In telecommunications policy, engineers engineer and lawyers react and respond.
And even in a field that many people (including many experts) mistakenly think relates closely to privacy, information security, the dialogue is hardly essential. Security folks traffic in the impossible and possible: this crypto works or it is broken. The benchmarks for victory and defeat are entirely internal to the discipline. And the law and policy folks sit on the sidelines and react and respond.
Privacy doesn't work this way. A privacy engineer, at least a good one, cannot live in ignorance of law and policy because the ideas of victory and defeat for privacy cannot be subjected to correctness proofs and measurements of algorithmic complexity. Engineers can tell you how to dial down or dial up a particular information flow, but it requires a source external and foreign to the engineer's core training (maybe the law department, public relations, the shareholders, or the engineer's moral compass) to determine right and wrong, acceptable risk or not, privacy violation or not.
As only one example, take the topics of data anonymization and re-identification, topics central to work I have done. This much we now know: data can either be useful or perfectly anonymous but never both. I said this once, and much ink has been spilled trying to prove me wrong. I'm not wrong, but at the same time, I am not being very interesting when I say it. Of course scrubbed data can be unscrubbed. You would be foolish indeed (or worse, trying to sell anonymization consulting services) to fail to realize that modern improvements in data processing, auxiliary data, and storage could lead to any other result. But recognizing this boring truth is far from knowing what to do about it. The lesson of powerful re-identification isn't that we take our ball and go home. But it is just as unacceptable to continue to act as nothing has changed.
You cannot solve the re-identification problem without lawyers who understand tech and techies who understand policy. (I try to be both, as I went to law school a few years after obtaining that CS degree and now teach law.) It might be enough to delete eighteen identifiers or it might not. It might be enough to encrypt the data and leave the key with Joan in the front office, or it might not. Maybe you can distribute the data to a trusted third party, or maybe you shouldn't. It's nuance and hard choices and a dialogue between engineers and lawyers all the way down. We need to train a new breed of privacy engineer, and it starts with creating a literature elaborating this new discipline.
This bringing together of engineering and law means that it takes an exceptional group of people to come together to write a proper book on this topic. Luckily for you, and for the privacy community as a whole, the authors of this book compose such a group. They include top-notch engineers and good lawyers. But more importantly, they include people steeped in the weird mental gymnastics, arcane training, and time spent in rooms in Silicon Valley and state and national capitals required to be called privacy experts.
It is even luckier for you that they happen also to be extremely engaging writers. This is a very well-produced and organized book. It has the virtues of clarity and modesty, two virtues often lacking in books written by engineers. I call the book modest, because it recognizes that this field is new and that we don't really even yet understand what we mean when we call somebody a privacy engineer.
I'm not sure I'm ready to call this book a classic or a new entrant into the canon. I think time will tell, and I hope I am invited back to update this Foreword for the second edition, when I can trot out those labels, if they stick. But this seems to me at least to be a very useful book, one that fills a gaping hole in the current literature. I'll happily place my copy of this book on my shelf. I have a particular spot in mind where I think it will fit in well.