Nishant Bhajaria - Data Privacy: A runbook for engineers

I met Nishant while I was leading the product and engineering team at Netflix, where I had been since the beginning of the company. The team was about 500 strong, and while we had had early brushes with security challenges, we had not tackled privacy in a significant way until we faced blowback from the Netflix Prize, and then GDPR and CCPA in quick succession. We were building out the team, the philosophy, and the deliverables at the same time, and Nishant was a key part of that teamsomeone who spoke both engineering and privacy, who understood the pragmatics, the needs of the business, the limits on engineering effort, and the commitments we had made (and needed to make) to our customers and how to fulfill them.

For the Netflix Prize, 20062009, we wanted to publish a large dataset of 100M ratings from 500k users (e.g. user N liked title T with 4 stars) and offer a $1M prize for the team who could best build a prediction engine to predict ratings on a test set held back from the competitors. Obviously we needed to anonymize the dataset, but James Bennett, who ran the prize effort for me, also took a sophisticated approach of randomizing a percentage of the ratings so they could not be matched to other public sources. However, Arvind Narayanan and Vitaly Shmatikov at the University of Texas at Austin wrote a paper showing that statistical re-identification techniques could match ratings to IMDB and expose the identities of several individualsa possibility we hadnt sufficiently thought through. This was a wakeup call for me.

Around this time, there were an escalating series of breaches at various other companies, disclosing personal information including names, addresses, SSNs, credit cards, etc. It was easy to view these as security problems, but in many cases, the breach was less a penetration of defenses, but was by or through an insider, or an accident. As we studied how to avoid being hit ourselves, it became clearer and clearer that while we needed to have strong security measures, it would also be necessary to design our IT systems to limit and segregate personal information so that accidents were unlikely, insiders had less chance (and more incentive) to avoid a leak, and hackers would have to work much harder to put the pieces together.

Then came the GDPR regulation, as a harbinger of many new privacy regulations that are still rolling out as I write this in 2021. GDPR (and later CCPA) added the new consideration that individuals should have the right to know what data was collected, to be able to see that data, to fix it if incorrect, and to delete it if they wished. This further reinforced the need to design our systems with privacy in mind, to make all these things easier to accomplish.

For Netflix, this meant segregating our personally identifying information in tokenized data stores, ensuring that all references were indirect, and adding policies, controls, and auditing around access to those stores. Accomplishing this on a system running at scale, without impacting performance, was a significant challenge, and one in which Nishant was a key leader. It made me wish that we had planned more for this when starting out, and that we didnt have to build it after the factand I started to think and communicate about principles of design for privacy with my team.

This book takes that thinking further and deeper. It is written for professionals in technology companies facing the same challenges that we faced then, but in an ever more stringent and demanding environment when privacy matters more to individuals and thus regulators, when more data is stored and more breaches and disclosures happen all the time, when technology platforms are less monolithic and more bolted together from various partnerships and services, and public opinion about technology companies has turned increasingly negative on their use and abuse of private data.

Your digital exhaust can be incredibly valuable, and can be used to pay for services and products which are offered for free (or to boost revenue for products sold for a fee). Free (or reduced cost) has always been an attractive model to consumers, but now people are becoming more savvy and demanding about what is done with their data, and companies are being more aggressive about deriving maximum value from that data to pay for ever richer and more interesting products.

But your private information linked to behavior is increasingly used in services or systems that are unavoidable: from government services, health, banking, travel infrastructure, to third party infrastructure like ratings agencies. These systems, being non-optional, have an even bigger responsibility to use your personal information safely, since you cant vote with your feet and avoid companies that abuse your trust.