Abstract
“Privacy by default” is being discussed as one important principle for ICT system design. This principle has been taken up as “data protection by default” in the proposal for a European Data Protection Regulation published in 2012. However, it is debated what this principle should mean in practice. In this text, we analyze the relation to “security by default” and “privacy by design” and discuss different possible interpretations of the “data protection by default” principle. After presenting general considerations on how to choose and implement appropriate default settings, we exemplarily describe recommendations for typical identity-related application scenarios such as social network sites, user tracking on the web and user-controlled management of one’s identities. Both the general and the scenario-based elaborations provide guidance for developers as well as evaluators.
Chapter PDF
Similar content being viewed by others
Keywords
References
32nd International Conference of Data Protection and Privacy Commissioners: Privacy by Design Resolution. Proposed by Cavoukian, A., approved in October 2010, Jerusalem, Israel (2010), http://www.ipc.on.ca/site_documents/pbd-resolution.pdf
European Commission: Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). COM (2012) 11 final, Brussels, January 25(2012), http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf
Hansen, M., Probst, T.: Datenschutzgütesiegel aus technischer Sicht: Bewertungskriterien des schleswig-holsteinischen Datenschutzgütesiegels. In: Bäumler, H., von Mutius, A. (eds.) Datenschutz als Wettbewerbsvorteil – Privacy sells: Mit modernen Datenschutzkomponenten Erfolg beim Kunden, pp. 163–179. Vieweg, Wiesbaden (2002)
European Privacy Seal, https://www.european-privacy-seal.eu/
Nielsen, J.: The Power of Defaults. Jakob Nielsen’s Alertbox (September 26, 2005), http://www.useit.com/alertbox/defaults.html
Kesan, J.P., Shah, R.C.: Setting Software Defaults: Perspectives from Law, Computer Science and Behavioral Economics. U Illinois Law & Economics Research Paper No. LE06-012. Notre Dame Law Review 82, 583–634 (2006)
Bureau Européen des Unions de Consommateurs (BEUC): EU General Data Protection Framework – BEUC answer to the consultation (December 31, 2009), http://www.beuc.org/custom/2010-00021-01-E.pdf
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Official Journal L 281, 0031–0050 (November 23, 1995)
European Data Protection Supervisor: Opinion of the European Data Protection Supervisor on the data protection reform package (March 7, 2012), http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2012/12-03-07_EDPS_Reform_package_EN.pdf
Albrecht, J.P.: Draft Report on the proposal for a regulation of the European Parliament and of the Council on the protection of individual with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (COM (2012)0011 – C7-0025/2012 – 2012/0011(COD)), Committee on Civil Liberties, Justice and Home Affairs (Decmber 17, 2012), http://www.europarl.europa.eu/sides/getDoc.do?language=EN&reference=PE501.927
Cavoukian, A.: Privacy by Design: The 7 Foundational Principles (August 2009), http://www.privacybydesign.ca/content/uploads/2009/08/7foundationalprinciples.pdf (revised January 2011)
Reding, V.: Your data, your rights: Safeguarding your privacy in a connected world. Privacy Platform The Review of the EU Data Protection Framework, Brussels (March 16, 2011), Reference: SPEECH/11/183, http://europa.eu/rapid/press-release_SPEECH-11-183_en.htm
Altheim, M.: The Review of the EU Data Protection Framework v. The State of Online Consumer Privacy in the US. Blog entry (March 17, 2011), http://ediscoverymap.com/2011/03/the-review-of-the-eu-data-protection-framework-v-the-state-of-online-consumer-privacy-in-the-us/
Scarfone, K., Hoffman, P.: Guidelines on Firewalls and Firewall Policy. Recommendations of the National Institute of Standards and Technology. Special Publication 800-41, Revision 1 (September 2009), http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf
Lipner, S., Howard, M.: The Trustworthy Computing Security Development Lifecycle. MSDN, Security Engineering and Communications, Security Business and Technology Unit, Microsoft Corporation (March 2005), http://msdn.microsoft.com/en-us/library/ms995349.aspx
Soghoian, C.: Not an option: time for companies to embrace security by default. Ars Technica. (August 9, 2011), http://arstechnica.com/tech-policy/2011/08/not-an-option-time-for-companies-to-embrace-security-by-default/
Iachello, G., Hong, J.: End-User Privacy in Human-Computer Interaction. Found. Trends Hum.-Comput. Interact. 1(1), 1–137 (2007)
Microsoft: Privacy by Default (March 2012), http://download.microsoft.com/download/B/8/2/B8282D75-433C-4B7E-B0A0-FFA413E20060/privacy_by_default.pdf
Liu, Y., Gummadi, K.P., Krishnamurthy, B., Mislove, A.: Analyzing Facebook Privacy Settings: User Expectations vs. Reality. In: Proceedings of the 2011 ACM SIGCOMM Conference on Internet Measurement Conference, IMC 2011, pp. 61–70. ACM, New York (2011)
Madejski, M., Johnson, M., Bellovin, S.M.: The Failure of Online Social Network Privacy Settings. Tech Report CUCS-010-11, Columbia University (2011)
Rubinstein, I.S., Good, N.: Privacy by Design: A Counterfactual Analysis of Google and Facebook Privacy Incidents. New York University Public Law and Legal Theory Working Papers, Paper 347 (2012), http://lsr.nellco.org/nyu_plltwp/347
Niemann, F., Scholz, P.: Privacy by Design und Privacy by Default – Wege zu einem funktionierenden Datenschutz in Sozialen Netzwerken. In: Peters, F., Kersten, H., Wolfenstetter, K.-D. (eds.) Innovativer Datenschutz, pp. 109–145. Duncker & Humblot, Berlin (2012)
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), Official Journal L 201, 0037–0047 (July 31, 2009); amended in 2009 by the Directive 2009/136/EC (November 25, 2009)
Fielding, R.T., Singer, D. (eds.): Tracking Preference Expression (DNT). W3C Working Draft 02 October 2012 (2012), http://www.w3.org/TR/tracking-dnt/
European Commission, Director-General (Robert Madelin): Letter to World Wide Web Consortium Tracking Protection Working Group. Ref. Ares (2012)743354 (June 21, 2012), http://lists.w3.org/Archives/Public/public-tracking/2012Jun/att-0604/Letter_to_W3C_Tracking_Protection_Working_Group.210612.pdf
Hansen, M.: User-controlled identity management: the key to the future of privacy? International Journal of Intellectual Property Management (IJIPM) 2(4), 325–344 (2008)
Zwingelberg, H., Hansen, M.: Privacy Protection Goals and Their Implications for eID Systems. In: Camenisch, J., Crispo, B., Fischer-Hübner, S., Leenes, R., Russello, G. (eds.) Privacy and Identity 2011. IFIP AICT, vol. 375, pp. 245–260. Springer, Heidelberg (2012)
ABC4Trust – Attribute-based Credentials for Trust, FP7 ICT Integrated Project, https://abc4trust.eu/
Acquisti, A., John, L., Loewenstein, G.: What is privacy worth? In: Workshop on Information Systems and Economics, WISE (2009), http://www.heinz.cmu.edu/~acquisti/papers/acquisti-ISR-worth.pdf
Schmitt, L.: Privacy as default. Privacy by default! Konzept für Privatsphäre im Ubiquitous Computing. Diploma Thesis, Köln International School of Design (June 2006), http://lutzschmitt.com/pub/Lutz_Schmitt-Privacy_as_default_Privacy_by_default.pdf
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 IFIP International Federation for Information Processing
About this paper
Cite this paper
Hansen, M. (2013). Data Protection by Default in Identity-Related Applications. In: Fischer-Hübner, S., de Leeuw, E., Mitchell, C. (eds) Policies and Research in Identity Management. IDMAN 2013. IFIP Advances in Information and Communication Technology, vol 396. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-37282-7_2
Download citation
DOI: https://doi.org/10.1007/978-3-642-37282-7_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-37281-0
Online ISBN: 978-3-642-37282-7
eBook Packages: Computer ScienceComputer Science (R0)