Talk:Privacy by design

Trilogy of Applications
This section doesn't make sense. It doesn't seem to actually describe what it says it does, and in fact reads a lot like the marketing material found on Ann Cavoukian's own page. See Talk:Ann Cavoukian. I don't want to remove it, because it might actually be useful, but not in its current form. -69.196.184.175 (talk) 21:35, 24 January 2014 (UTC)

The usefulness is probably in the notion that PbD does not work if it comes down to only applying ICT measures, but that it should address comprehensive measures in a range of aspects of an organisation, product or system life cycle. But that's not what it says now. Jrest (talk) 16:06, 26 January 2014 (UTC)

Should this be three areas/spheres of application? Emergentchaos (talk) 17:16, 26 January 2014 (UTC)

If "this" refers to "organisation, product or system life cycle": I am not sure the point is to make it three of anything. In our paper we present a more generic set of Privacy Design patterns that may be the start of a more complete set: This list is not complete or definitive in any way. It just serves now to illustrate that there may be more to it then currently is described. — Preceding unsigned comment added by Jrest (talk • contribs) 20:38, 26 January 2014 (UTC)
 * privacy requirements patterns;
 * anonimization and pseudonymization;
 * hiding of personal data;
 * data minimization;
 * transparence, auditing and accounting patterns;
 * informed consent.

Bad english - 'designing so data don't need protection' s.b. doesn't not don't Sweedj (talk) 09:55, 20 April 2017 (UTC) Changed - but IMHO data is plural, so I would suggest it is changing something that was correctSjewiki22 (talk) 10:15, 20 April 2017 (UTC)

General Structure
The general structure of this article is difficult to determine because the concept has different meanings in different contexts (e.g. Canada vs USA vs EU) and because there is not even documented consensus on a greatest common denominator of the meaning. Jrest (talk) 16:06, 26 January 2014 (UTC)

Biases
Many parties -me included- may be biased because the concept is part of active research and policy development. An example of this bias is the tendency of North American legislation to let business themselves work out what this concept should mean (evolutionary approach) while EU tends to take a more regulatory approach, although this has not yet instantiated in this case. Jrest (talk) 16:06, 26 January 2014 (UTC)

Style
I have cleaned up the article to bring it in line with the Manual of Style, and specifically WP:BOLDFACE and Manual of Style/Capital letters. Ground Zero | t 12:26, 15 May 2014 (UTC)

Foundational principles
The section on the seven foundational principles is copied in whole from Ann Cavoukian's website (which is credited, although it is not made explicit that what follows is a direct copy-paste job). The amount of information is superfluous and the tone of the text is too "infomercially" for an encyclopedia. Unless someone edits this section to make in more neutral in tone (and cite it correctly if still necessary), I will delete at least the seven descriptions. Gerard RvE (talk) 12:34, 21 May 2014 (UTC)

Per WP:COPYVIO, I have removed this text and more that had been copied from privacybydesign.ca. Ground Zero | t 16:58, 24 June 2014 (UTC)

Regarding criticism
The article as is uses van Rest et al.'s criticism of privacy by design. But in fact, this article does criticise the EUs minimal definition of privacy by design and not the approach carried out by Ann Cavoukian. In fact, in their extended definition they propose to implement the seven foundational principles. Does anyone else see this contradiction? If I get some feedback, I may edit this paragraph, but I want to have at least one other opinion on that. — Preceding unsigned comment added by Kraeuterp (talk • contribs) 08:18, 9 January 2015 (UTC)

I have some comments to improve on the technical correctness of this article. The article mentions DHCP being a protocol being a good example of privacy by design. This is completely untrue. DHCP servers and protocol require and rely on the Ethernet MAC address which is provided by each client on the network. The Ethernet MAC address is an identifiable address that can be used to track each client and thus removes all possible privacy you might have expected from DHCP providing you with a dynamic IP address. In fact most DHCP servers have options that allow for the IP address assigned by be persistent across sessions (after they expire, they renew and provide the same address to the client) because some operating systems get confused and have issues with too many different addresses. IMHO as an IT expert and engineer, DHCP is a very bad example to use as privacy by design. I think you should consider removing this as an example. Thanks!

Let me provide further details... you go to the computer store to purchase a computer. That computer has a serial number on it which retailers and manufacturers record for warranty purposes. And you purchase the computer (easiest with a credit card) your name and contact details are provided automatically (or provided also through the warranty registration). You go home and plugin the computer, and if you think you are expecting privacy because you use DHCP to connect to the internet (through your ISP), you're wrong. Even if some how you escape providing your contact details at the time of purchase or warranty registration, the NSA will simply associate any LOGIN to any account that you do with your MAC address and various mappings of dynamically assigned IP addresses, you are still fully traceable on the internet from these points. The entirety of the network protocol stacks from top to bottom was not designed with privacy by design in mind, so you can not use any networking protocol as an example because it is not compliant to the requirements of privacy by design.

The Above Criticism on DHCP is non-scientific as its critique refers to persistent MAC and not DHCP itself. DHCP in itself does not require any persistent MAC, only that the device in question establish means to authenticate a session which could be based 100% on identifiers created for the session.Sjewiki22 (talk) 06:26, 7 December 2017 (UTC)

Another problem with privacy by design is that it also conflicts with security requirements. IMHO, you can not have both, either you have privacy, or you have security, but you can not fully realize both because they conflict with each other. IMHO, security is more important than privacy (even though I am personally a very huge advocate for privacy) because there are always a few bad apples out there (bad persons) who undertake causing problems for everyone. It is utopian to think that you can live without security in this world, it is just not possible. So unfortunately have to give up a bit of privacy in order to ensure security. That is just the way the world works unfortunately. Thanks!

This is unfounded statements based on a false dichotomy. There is no reason in general to assume a trade-of between security (of all) and privacy (security of one). On the contrary, security of an ICT system depends on each external stakeholder being secure EVEN IF the ICT system security is circumvented. In fault-tolerant system design, you assume such deliberate or accidental failure to occur and design in order NOT to trust intended security and only rely on actual ability to revoke and recover when such failure occur.Sjewiki22 (talk) 06:31, 7 December 2017 (UTC)

Principles cannot be evaluated or enforced
This section is unprecise and as such nonenforceable lacking the necessary scientific rigor for Wikipedia. The problem clearly show itself in the examples that ALL can be characterized by obivous security vulnerabilities leaking personal data. Applying the term "Privacy by Design" is as such not scientific, but merely what looks like a product or personal "brand" for someone that wants to claim or be associated with positive terminology.

Either unambiguous clarification need to be made or the article as such should be deleted.

One could apply strict and concise validations criteria.

If Privacy can be defined as Security (absence of risk) for one Citizen, then Privacy by Design in digital terms can be defined as enabling services without creating personal data, i.e. without creating risk to the citizens of secondary use.

Such a definition would be consistent with the 2003 EU Workshop on Privacy Enhancing Technologies, where the separation between "Privacy friendly" and "Privacy Enhancing" exactly broke over the creation of personal data/transfer of control over secondary data usage. |Slide 3Sjewiki22 (talk) 10:43, 22 November 2016 (UTC)


 * Please be bold and improve the article by making the edits you feel are needed. Be sure to add references to reliable sources to support your edits. (Blogs are not generally considered to be reliable sources, though.) Thanks. Ground Zero &#124; t 13:39, 22 November 2016 (UTC)

Tried, but honestly, the entire article should be re-written focusing on clear definitions, case examples (e.g. GPS, radio broadcast, cash, etc.) and problemsolving principles and technologies instead of personal promotion and false marketing-claimsSjewiki22 (talk) 15:24, 5 December 2016 (UTC)

Note on CSD
Yes, this is a notable topic however the entire thing is written exclusively to use and promote a single author's point of view on the subject. There is no way to remove the promotionalism because nearly all of the sources are this person's work. WP:TNT J bh  Talk  15:42, 5 December 2016 (UTC)

Contested deletion
This page is not unambiguously promotional, because... (your reason here) --2620:149:6:1007:C420:3639:E0D:1582 (talk) 17:06, 5 December 2016 (UTC)

After being directed here by a google search, I found this page useful because it contains details not only about a book by Ann Cavoukian but also criticisms of it. The page is larger than the book itself because it's shedding light on an important piece of work in the privacy space, with arguments both for and against the work. Definitely not unambiguously promotional.

Privacy by design:
The statement 'may have been derived from this' seems to be contextless.Sweedj (talk) 09:46, 20 April 2017 (UTC)

Better now?Sjewiki22 (talk) 10:08, 20 April 2017 (UTC)

Article being hi-jacked by interests.
This article and term clearly is subject to attempts to capture the term for personal promotion and/or reduce the term to have no scientific meaning ("best effort" or "data protection by design").

The latest edit was a clear example of such as it introduced major changes towards the later with no justification.

I suggest a) To restructure the article so people having contributed to the field of Privacy Enhancing Technologies can be properly attributed

People like David Chaum, later e.g. Stefan Brands, Jan Camenish and even the RSA (Ron Rivest etc.) deserve a lot more credit that some DP-people trying to claim the right to capture the field without providing solutions or adding scientifically.

b) To introduce a scale to differentiate between Privacy by Design and mere Privacy Friendly or best intention This was the exact same discussion we had in 2004 as part of the EU Workshop on the same topic where interests tried to define policies by undermining terminology to not include security from citizen perspective.

Biased and legally problematic article
This article is heavily problematic. It has no clear structure; it has extremely partial views towards the particular conception of privacy by design as Privacy-enhancing technologies, which is not in line with legal nor academic consensus. Attempts to clarify legal inaccuracies in the article are being reversed by a single editor: the GDPR for example does not mention 'privacy by design' at all, but data protection by design, which is not the same as privacy enhancing technologies.

The article is regularly updated with commercial interests such as courses, and namedropping of particular individuals who are not clearly involved in the development of the concepts. At best, the vast majority of individuals named should have resources cited, not their names placed into the article.

Data protection by design is a separate area from privacy by design. There is a separate page for Privacy Enhancing Technologies which should be cited and developed in, and most PETs related areas should be developed on that page not on this one. The editor making the majority of the changes here is claiming that anything that is not "providing solutions or adding scientifically" should be excluded. This is absurd given that the law does not mandate privacy enhancing technologies, but data protection by design. It is not a correct legal readinng and is based on the editor's own normative preferences. Both mathematically and informationally theoretically private 'solutions' should be highlighted on the page as well as the approaches which are better supported by the legal text of the GDPR. Mirive (talk) 14:11, 22 April 2018 (UTC)

"Data Protection by Design" is great but about system internal security which has little or nothing to do with privacy (as control is still in the system and thus not with the citizen). The legal principle (GDPR) is mainly "Data minimization" first, then purpose specification/limitation, then informed consent. (Not incorporating claims of secondary interests overriding principles). This is not excluding anything nor is it biased. The problem here is about attempts from especially one person to claim to fame to dictate terminology (what was already a long established field) backed by interests in circumventing GDPR while corporate marketing or government propaganda able to claim "Privacy by Design". It is a simple problem of hegemony through terminology undermining the principles, i.e. to make the term without content and useless for anything than PR.

It is fair to separate between the process of designing (designing privacy best effort and methodologies to do so) and a state of design (Privacy by Design), but not to claim that claiming to follow some process steps automatically incorporate state-of-the-art and certainly not as a assurance reaching a state where control do not transfer from citizen to a system.Sjewiki22 (talk) 05:27, 25 April 2018 (UTC)

Proposed rewrite
The article should be about the subject Privacy by Design, which is referenced as a fundamental part of data protection. It is not just about GDPR since Privacy by design was created in Canada, was adopted globally, is in use in the USA, and strongly influenced GDPR. It is not just about Privacy Enhancing Technologies, whilst the initial impetus was a study of PET, it quickly moved into something fundamentally different as a set of principles for data protection and the idea that it is possible to have Privacy, Security and Usability in the same solution and that all of these aspects are important.

In the war between the different agendas in this article, the result is a number of things like the reference to Kim Cameron's seven "Laws of Identity" which have nothing to do with the principles of Privacy by design apart from the number 7.

Please add your thoughts, Regards RonaldDuncan (talk) 17:43, 25 April 2018 (UTC)

Ronald. It is a fallacy to claim that to have "Privacy, Security and Usablity in the same solution" require or can even be achieved when control is to be in the solution and not with the citizen in question. Problem was that the DPA's have only been working with lightweight solutions and therefore apply weak definitions that goes nowhere towards ensuring privacy (or security for all or usability for users). We can discuss whether asymmetric encryption, blinded encryption, onion routing or digital cash was the first publications of Privacy by Design. But these were invented and implemented somewhere between 5 and 15 years BEFORE the DPAs got involved that now for mere personal marketing (supported by the main interests in data abuse) claim the right to define terms so no privacy is ensured. The functional covering term to use for such purposes is "Data protection by Design".Sjewiki22 (talk) 17:40, 27 April 2018 (UTC)

Sjewiki22. My suggestion is that you create an article on Privacy enhancing technologies, and that we put the PET information into that article, and we have this article focused on "Privacy by Design" in its data protection sense. Most of the references to "Privacy by Design" I have found point to it coming from the Data Protection Officers rather than the technology community, and that it is the background to the GDPR "Data protection by design"/"Privacy by design". Clearly there are different view points as to if "Privacy, Security and Usability" can be achieved or not with out PET and if it has to be citizen centric or solution centric with auditing of the solution. Currently the regulatory framework is solution centric with legal redress for solutions that fail to meed the legislation. I think it is important that this article better reflects the status now that the DPAs have got involved and created a global legislative framework. RonaldDuncan (talk) 09:14, 6 May 2018 (UTC)

RonaldDuncan. Pointless suggestion. You have no "Privacy by Design" without "Privacy Enhancing Technologies" - it simply makes no sense as PETs are the only substance to the design issue. DPAs are not contributing to the issue, they borrow it and may best case be attributed the term itself (but not the content, see the 1995 report). The core of the issue is the interests in NOT making "Privacy by Design" in any measurable way but merely talk of intentions or "best effort" with no consequences. It does makes sense to separate between the individual tool and the whole system - i.e. you can have lots of privacy enhancing technologies involved, but in the end, it only takes one identifier to reverse the design 100% in a privacy invasive model Sjewiki22 (talk) 15:04, 14 May 2018 (UTC)

You seem to be forgetting that GDPR didn't really change anything. It ads aspects including bigger fines and enforce responsibility on the data controller etc., but the principles are unchanged. GDPR, HIPPA or whatever regulation you point to - neither of these "define" Privacy by Design (or Security by Design for that sake) as the term only makes sense as in "data that need no protection as privacy is ensured by design" which of course require citizen being in unconditional control, i.e. when the control is not in the system regardless of policies, agreements or legal restrictions.Sjewiki22 (talk) 15:04, 14 May 2018 (UTC)

If DPAs want a term for policy/regulatory-only privacy (does not make sense IMHO - tried and failed many times, i.e. P3P, sticky policies, self-regulation etc) then the term should be "Privacy by Regulation" or "Privacy by Policy", i.e. not a security technically related "design"Sjewiki22 (talk) 15:15, 14 May 2018 (UTC)

Sjewiki22. I would like to proceed with the rewrite, I happy to create it in my sandbox along with a draft article on PET. You have further edited the article to remove any reference to the Data Protection Office/Information Commissioners Office origin of the term. Since it is a term that is widely used in Data Protection law, I think that your view point that the term is wrong is not helpful. The term may be wrong, but it is the one used by DPOs/DPAs in their area of expertise. RonaldDuncan (talk) 16:22, 1 June 2018 (UTC)

RonaldDuncan First, I have NOT removed the reference to the 1995 workshop report nor have I removed the fluffy reformulation of the "7 laws of Identity". Second. I do, however, not accept the wrongful notion that some DPA have the right to define (and erode) such a basic term 15 years after. Just as I strongly reject your notion (an the many other interests) to separate the term from its origin in Privacy Enhancing Technologies and basic security.Sjewiki22 (talk) 12:12, 3 June 2018 (UTC)

Privacy by design Re-Write
I see the proposal to rewrite the article, which I both welcome and have suggested myself. I think we would all benefit from this.

This discussion is old going all the way back to e.g. the 2003 EU Workshop on Privacy Enhancing Technologies where the scientific community across the Atlantic reacted strongly in opposition to commercial attempts to undermine terminology leading to the use of "Privacy friendly" for non-complete technologies without invalidating solutions actually ensuring citizen control.

It is vital to not allow erosion of rights through fluffy definitions, or using terms covering both good and bad at the same time allowing for invasive structures claiming to be good (as e.g. Facebook have been doing with "Privacy by Design" while retaining corporate control over data or claims of "Data Anonymization" or "Differential Privacy").

In this, it is important to distinguish clearly between the many efforts in the design process (e.g. "privacy engineering") and a categorization of outcome.

There is no assurance what-so-ever that a certain process will lead to a solution that ensures Privacy by Design just as technological or other changes may erode the security of what was previous fairly considered "Privacy by Design". Therefore the label of "Privacy by Design" on a particular solution has to be dynamic and subject to - in principle - continuous evaluation.

In this I recommend the EU approach of NOT trying to define or require "Privacy by Design" per see beyond "data minimization" according to state-of-the-art.

The legal definition in EU is essentially whether or nor data is subject to legal restrictions, i.e. "Identified or identifiable" maintaining a close linkage to scientific reality as security and thereby control is a fluid question.

We could benefit from a categorization covering some of the greyzone issues (e.g. related to accountability as one of the main parameters in a multi-dimensional problem), but I presently do not see a legitimate source of such a scale.

In short, I would be part of the large professional scientific community that would reject strongly to allowing a fluffy definition to provide data controllers (whether government or private) a free "get out of jail card" for back-doors or reducing the term to non-consequential marketing or propaganda use.Sjewiki22 (talk) 12:12, 3 June 2018 (UTC)

As a cautionary comment. I would perhaps suggest that someone with close ties to CloudBuy indicate commercial interest in the topic with main agenda of a rewrite so as to justify a corporate use of personal data. The linkage between Privacy by Design and cloud is addressed including how to create isolated processes in cloud in a 2011 report from the Danish It and Telecoms Agency. . Building profiles or "digital twins" as the presently business hype term outside citizen control clearly is not compatible with the term "Privacy by Design". Sjewiki22 (talk) 12:35, 3 June 2018 (UTC) I am happy to create a draft rewrite in my sandbox. Regarding the potential conflict of interest with CloudBuy, we have been through a lot of work proving to our customers that we are GDPR compliant, and thus I have a lot of practical experience of implementing cloud systems whilst maintaining compliance with regulation in a heavily audited environment. Privacy by Design is an area that I have been familiar with for a long period, since we have been operating for 20 years and security and privacy engineering have been important aspects of our platform. I do not see a conflict with my work since the article is about the concept of privacy by design and its regulatory meaning as opposed to any particular implementation.RonaldDuncan (talk) 13:44, 5 June 2018 (UTC)
 * I have completed the rewrite in my sandbox. I went back to an earlier version of the page as a starting point using https://en.wikipedia.org/w/index.php?title=Privacy_by_design&oldid=774733466 as edited by Psheld (talk | contribs) at 10:16, 10 April 2017 (→‎Global adoption: prev. link to the PDF of the 2010 resolution was dead. Updated.).  I have taken the COI, tone, and expert subject templates off the page.  You can look at the history of the changes from the starting point through to the current version in my sandbox. https://en.wikipedia.org/wiki/User:RonaldDuncan/sandbox  It is a significantly larger article, so please tidy up my mistakes and ensure that any major changes have supporting references :) RonaldDuncan (talk) 17:40, 16 July 2018 (UTC)
 * Hi I went back to the 10 April 2017 version to start the rewrite, so you have made some changes to the article in the last 15 months since my starting point. Please have a look at the new article and put back any changes you think are relevant.  I am sure there are plenty of typo's that need correcting, but I wanted to get the process started so I have published the new version :) RonaldDuncan (talk) 17:53, 16 July 2018 (UTC)

This is a perverted manipulation. Please undo anything you did since July 16th and avoid making changes until the draft in your sandbox has been discussed as agreed. This version is not representing science but only a very narrow and special interest-focussed perspective while editing out all prior foundational work or sources not benefiting one agenda - CC                      Sjewiki22 (talk) 09:14, 19 July 2018 (UTC)
 * Thanks for your feedback on the rewrite. I tried to find articles and references that supported your point of view that the 7 principles came from Kim Cameron's 7 laws of Identity rather than Ann Cavoukian, if I had found any I would have put in a section about disputed origins for the Foundational principles.  Wikipedia is not about original research, it is about writing in a neutral point of view with authoritative references to back up any statements.  I tried to carry out the rewrite a number of times and the more I researched the topic and the more papers I found they all referred back to the joint paper between Ontario IPC and the Dutch DPA in 1995 on Privacy enhancing technologies followed by Ann Cavoukian publishing the framework in 2009 and the the International Assembly of Privacy Commissioners and Data Protection Authorities adopting it in 2010.  There are over 500 academic papers that reference Ann Cavoukian's paper.  Plus the documents from the EU in the form of ENISA and the EDPS.  It is now an important topic since it is part of GDPR which has transformed the data protection landscape.  This was why I went back to a version of the article prior to your edit where you added in Kim Cameron's 7 laws of Identity as the origin of the principles.  One of the reasons for multiple editors is that people bring different opinions and points of view.  The thing that unities us is that the articles have to be backed up by authoritative references, please add improvements backed up by authoritative references.RonaldDuncan (talk) 21:59, 19 July 2018 (UTC)

You searched for sources that confirmed your view and interest only - ignoring facts and all the links provided deleting anything (eg Danish eGov work on Privacy by Design and Security by Design and Rethinking PKI - building in Privacy) but the self-promotional bullshit. Ann Cavokian and Borking did not invent Privacy by Design, they just labeled what was already an established field but - respect - was among the most active in trying to talk it into the legal political space and 15 years later added a fluffy minor rewrite of a already fluffy "7 laws of identity".

The only really well-defined definition of privacy across legal, technical and other fields is the definition of whether GDPR protection apply - "if data is NOT identified or identifiable" - then you can say with certainty it is Privacy by Design. And that is exactly GDPR points towards with e.g. "data minimization according to state of the art" - despite all the legal loopholes in GDPR to handle rights and obligations when privacy is not designed in from the start - so it is not even an issue of conflict between technical and legal fields.

There is only one acceptable action - revert to the neutral pre-july 16 version and then lets redo the article. IMHO this is bordering fraud from interest groups that want to circumvent regulation and principles. Sjewiki22 (talk) 09:14, 20 July 2018 (UTC)
 * You reference the Danish eGov work on Privacy by Design and Security by Design The section 4 on Privacy by design starts "The above-mentioned objectives and principles for the security model are compliant with the concept of Privacy-by-Design (PbD) 2, which e.g. is described by the Canadian Information and Privacy Commissioner Ann Cavoukian in the 1990s." This is typical of the literature it all refers back to the Cavoukian model.  This article then extends it to security by design and provides technical ways of implementing privacy by design.  I think a summary of the article should be added to either the Criticism and Recommendations section or implementation section.
 * The book on digital certificates has a quote from Ann Cavoukian
 * "In his new book, Rethinking Public Key Infrastructures and Digital Certificates, Stefan Brands pioneers an innovative new way to introduce privacy into two of today's hottest technologies—public key infrastructures and smartcards. Brands' book goes well beyond just making the case for privacy by providing the essential algorithms and protocols needed to introduce a new standard of privacy in technology. This is a must read for anyone involved in introducing PKI or smartcards into their organization.
 * Ann Cavoukian, Ph.D.
 * Information and Privacy Commissioner of Ontario" This is one of 3 quotes in the praise section of the book. My assumption is that he is being praised for putting Privacy into practice and that this would be a good reference in the implementation section.  My issue with your previous edits was that you removed all reference to Ann Cavoukian, and changed the origin to "7 laws on identity" my conclusion is that you have some issue with Ann Cavokian and Borking and changed the article to your view point.  Unfortunately I could not find any evidence in the literature that your view point is valid. RonaldDuncan (talk) 10:07, 20 July 2018 (UTC)

I have no problem to acknowledge the origin of the term "Privacy by Design" to the 1995 report and I have no stake in that question.

The problem is that creating a label do not provide the right to dictate scientific content. Both "privacy" and "design" was prior to this which the report also clearly states. Creating a term does not get to redefine neither - especially not 15 years after and especially not reducing it some a mere intentional issue without any useful metrics or definitions as to outcome of the process.

If so, the term becomes useless as anything including the worst violations can claim "Privacy by Design" as claim of best effort is all it takes. You often see e.g. Google, Facebook, NSA and even EU member state bureaucracies claiming "privacy by design" even though it is utterly absurd.

This problem on terminology hegemony between DP bureaucrats (and the both commercial, bureaucracy and "national security" interests behind them) and hardcore privacy/anonymity design scientists and civil liberties is not new. I refer to e.g. the 2003 EU Workshop on clarifications and the Danish eGov report "New Digital Security Models" as an operational attempt to reconcile the differences.

You do not get to hide this as "criticism" to a useless and pointless description.

Privacy by Design ends where data becomes "Identified or identifiable" - whether this is a right and whether there are greyzones or reasons to relax the requirements refering to the richer concept of multi-party Security by Design should not be used for terminology obfuscation as it prevents creation of meaning and debate.

Conflict of Interest
A conflict of interest tag was added by. It needs to be debated here. could you state what the conflict of interest is since you added the tag RonaldDuncan (talk) 22:11, 19 July 2018 (UTC)

You clearly represent a commercial interest in avoiding clear definitions of Privacy by Design as your income originate from server-side control of personal/customer data (CloudBuy), i.e. in inherent conflict with the very purpose of Privacy by Design. All have some bias, but this conflict of interest is obvious in the rewrite despite prior warning as to the issue and an explicit agreement to do the editions on another page instead of merely applying your view as you did. Sjewiki22 (talk) 09:50, 20 July 2018 (UTC)


 * Thanks, I wanted to understand your view on this. I and my company have no commercial interest in "privacy by design".
 * My company cloudBuy has an interest in protecting personal data and have been doing so since the 90's. We do not gain income from "server-side control of personal/customer data" it is the reverse.  This is a legislative cost that we have to bear along with the potential reputation and financial damage if we have an issue with customers data.  Our field is B2B ecommerce and a lot of our work is Government buyers with private suppliers, who require that we are fully compliant with legislation like GDPR.  One of our key systems is PhbChoices.co.uk this allows private individuals with long term conditions to manage their budgets and care.  Clearly we have done a lot of work to try and protect these peoples information, and as we all know internet security is difficult.
 * Personally I have a major problem with GDPR and "privacy by design" because these are both vague and not specific but require "best practice". I much prefer standards such as Payment Card Industry/Data Security Standard since there are very clear detailed requirements and a corresponding through audit along with regular improvements to the standard as the state of the art changes.  There is currently no assessment for either GDPR or "privacy by design".  Our approach was to add the legislation to our ISO 27001 system and update the system to reflect the legislative requirements.  Since we were already compliant with the previous data protection act there were a number of changes but most of these were already best practice.
 * I do not see any conflict between my role as CIO of cloudBuy or my role as Chairman of cloudBuy and "privacy by design" it is something that we implement into our systems and are audited on, but it is not some thing that we are selling. I do not believe we make any reference to "privacy by design" on any of our websites.  I hope this is clear. RonaldDuncan (talk) 10:40, 20 July 2018 (UTC)

@ I do not know if you are faking it for selfish reasons or simply have no idea what you are talking about. We are in the areas of Greys Law so I will assume lack of knowledge but insist on the principles be uphold.

I will repeat - "Privacy by Design" ends where data become "identified or identifiable" - no more to say, never has been. At this point GDPR is not vague and neither was EU regulation in 1995 as this is unchanged and based on science on when data needs regulatory protection as the citizen loose control.

Ann Cavoukian do not get to define privacy even despite the large interest group that like her fluffy and non-consequential non-definition that merely talk about intent but providing no measures or useful definitions on outcome.

This security principle (do no evil/harm as in DO NOT CREATE personal data in the first place) can be used for standardization but isn't as the wolves define standards to control the prey and when we apply Privacy by Design within existing standards, they are changed to eliminate individual control for no other reason than commercial control (e.g. ISO 18000 NFC blocking for open security in RFID e.g. ISO 14443) and lock-in.

You do not solve this problem by stashing garbage rhetoric on top of it or adding your own analysis of sources as "criticism" to an already defunct description. And this has nothing to do with "data protection" as that only cover digital spaces that are not "Privacy by Design". The article is pure bullshit as-is covering only an attempt for personal self-promotion which suits all the ones that do not want privacy for selfish interests.

The point about moving from Privacy by Design (unconditional individual control) to Security by Design is that security is a multi-stakeholder issue and we need mechanism to deal with contradictional interests. The reference to the danish eGov report document how many such apparent contradictions are typically flawed assumptions in themselves that can be resolved through redesign, e.g. solving the apparent trade-off problem om progressive taxation and transaction anonymity.

In some cases, you need to relax on the strict Privacy by Design requirement (even remaining the normative goal) e.g. the issue of Conditional Identification as post-transaction accountability involves mechanisms that are subject to thirdparty control (e.g. a judge) as necessary to reconcile stakeholder security requirements.

Point is we can do almost all transaction anonymously but in order to enforce e.g. taxation or accountability some greyzone relaxation is needed according to state-of-the-art. Whenever we can do this even better, regulation at least in EU say we must do so.

So - politely - revert to the pre-July 16 neutral version where Ann Cavoukians contribution was recogniced but the nonsense do not get to dictate what privacy is nor undermine what is today raised to the highest-order normative design goal in all ICT design. As stated prior to your editions, the article are in need of rewrite and clarification, but not reverting to the self-promotional non-scientific version it was.

"Privacy by Design" ends when data becomes "identified or identifiable" - it did so in 1995 and it still does today and there is a large field of scholars have done tremendous work over the last 4-5 decades on the complex problems that some lightweight bureaucrats or data abusers do not get to ignore or overrule. I assume you "protect" customer data, but it has nothing to do with "Privacy by Design" - if so, the data needed no protection on behalf of customers. Sjewiki22 (talk) 11:54, 20 July 2018 (UTC)
 * @ OK, so my reading of the above is that I personally do not have a conflict of interest, but I am an incompetent/malicious in my editing of the article vs your view point :)
 * It is clear that you have very strong views on this topic. I think we both agree that Privacy by Design would benefit from a robust technical implementation framework, which could be tested and validated rather than assertions.  Unfortunately GDPR does not provide this framework and the implementations whilst moving in this direction are not there yet.  There are a number of recommendations and guidelines from various agencies that can be used as a rule book, however GDPR is outside the topic of this article, or your point on conflict of interest.
 * Can we close the conflict of interest tag? RonaldDuncan (talk) 13:32, 20 July 2018 (UTC)

Absolutely not. First you need to undo your damage Sjewiki22 (talk) 16:32, 20 July 2018 (UTC)
 * @ This is not the purpose of a conflict of interest tag. Bulling an editor to conform to your point of view by saying they have a conflict of interest is not the purpose of the tag it is to flag up people that have a conflict of interest. e.g. I clearly have a conflict of interest about the cloudBuy wikipedia page since I work for the company and about the Ronald Duncan page since it is about me. I have edited both pages in the past and people have kindly explained the correct way to get a page updated where you have a conflict of interest. RonaldDuncan (talk) 17:04, 20 July 2018 (UTC)
 * @ I think that you have a conflict of interest in this page, whilst going through your various messages to me etc.  I came across the deleted section in your talk page https://en.wikipedia.org/w/index.php?title=User_talk:Sjewiki22&oldid=842772990 where another editor  suggested that you have a conflict of interest.  There are two relevant sections that you deleted in the talk page Draft:Digital Renaissance this looks like it was the first article that you created in draft format, and was subsequently deleted.  The comments by  on your talk page are copied below for ease.

[COMMENTS REMOVED ~ Rob 13 Talk 22:57, 29 July 2018 (UTC)]

Deleted section regarding Sjewiki22 after clarification below that assertion was correct that Sjewiki22 is an expert with a strong point of view on privacy by design RonaldDuncan (talk) 10:10, 22 July 2018 (UTC)

Ad hominem and privacy violations are (especially in this context) not the way to go. I haven't rejected but this is not about me and I do not try to take credit beyond exemplifying. I stepped down from editing, the second Viper suggested there might be an issue.

But you, dear Sir, did not and continued despite the warning - so I kindly reiterate to undo your damage including the above.

The issue here is about erosion of terminology, attempt to hi-jack a generic and additional which I will refrain from adding here.

This is about the fact that "Privacy by Design" is not a framework and - if so - it is certainly not invented by AC but by others before her and after.

It s not a trademark to be owned (and if so actually Nokia tried to), but a generic as in ensuring privacy by design as opposed to "by law (what you are allowed to)", "by self-regulation (moral/self-interest)/policy (promise)/agreement (contract)/.. (or whatever).

Relabeling privacy design as "Privacy by Design" does not give you the right to define privacy, design or how privacy is designed - especially not after it is raised to a principle (not by GDPR as GDPR do not mention the term "Privacy by Design", but by European Human Rights Convention).

I do not want to criticize AC as I recognize her long work as a Privacy Commissioner and one that zealously been advocating for privacy and also the view that privacy is about design. She is free to promote some guidelines and as Commissioner probably even obligated to do so.

Nor should we chastise those that work for "data protection" to defend citizen against misuse of their data after they have lost control. But they have a post-collection perspective ignoring that at that point privacy is already violated.

So I am fine by giving AC the credit of promoting a set of guidelines as one approach. Not to give her the credit and especially not to implicitly redefining Privacy as mere "data protection" Sjewiki22 (talk) 09:56, 21 July 2018 (UTC)
 * @ OK, I think I understand, you are a professional in this area with a strong point of view that you feel passionately about and wikipedia rules prevent you from directly editing the article. I have been trying to improve the article and would like to make it a better article.  It is not my article or your article any editor can edit the article.  The idea is that we collaborate to make it better. The best way to improve the article in your position is to put information in the talk page with suggested improvements backed by authoritative references.RonaldDuncan (talk) 10:20, 22 July 2018 (UTC)
 * ~ I have been trying to with the best of intentions with both regulation and reports as the authoritative references. Any issues that could have been considered COI is unintentional and I only react because people insist on doing wrong. You need to understand that Privacy by Design is not what AC tried to claim in 2009 (the join report in 1995 was a lot better on the main issues) and it is doing severe realworld damage. I merely ask the article to respect the difference between a generic Privacy (by design) (as opposed to e.g. Privacy by policy) and an attempt to reduce a serious scientific field to some fluffy "framework" for personal gain. You cannot have a secondary source on a generic or a scientific field under constant change the same way. In comparison - what if someone use "Democracy by Design" to define democracy to what they have in China or some stateless anarchy?

Especially, you should see the 2011 report as a response that 1) AC was wrong in 2009 as you - even in cloud - do NOT have to rely on "2) accountable business" or other organizational dependencies that can be overridden (which is in itself incompatible with "by design") and 2) Yes, we need in some situation to go beyond the Privacy by Design main goal of anonymity in transactions as the citizen may have conflicting security interest with e.g. providers need for accountability (as anonymity is inherently non-ability to hold you accountable even if all other parties work together) which is defined as Security by Design (as security is a multi-stakeholder issue whereas privacy is security from the citizen perspective only). Collecting data for profiling, marketing etc. is an interest, not a legitimate requirement for the transactionSjewiki22 (talk) 11:19, 22 July 2018 (UTC)
 * @ Do you agree with removing the COI template from the article? RonaldDuncan (talk) 11:46, 22 July 2018 (UTC)
 * The issue is not resolved.I do not know how this works except that I cannot do the editions to the present article which is clearly wrong as it only reflect Ann Cavoukians personal view from 2009 in direct clash with the 1995 report and existing regulation (at least in EU). I thought we agreed to finalize this in the sandbox before transferring it. Instead you re-introduced the problems even when you, on your own admission, yourself have an interest in the definition ("audited"). We can have a telco?Sjewiki22 (talk) 15:28, 22 July 2018 (UTC)

I have taken off the COI from the article. has suggested changes to the article and put in an appeal at the top of the talk page for other editors to get involved. My view is that I have performed clean up on the article after the various edits by Sjewiki22, posted the resulting cleaned up article, and a number of other editors have tidied up the results. RonaldDuncan (talk) 10:34, 23 July 2018 (UTC)

Would someone neutral from Wikipedia please step in here
As a professional in the field, it has been suggested that I should not engage in edition, so I won't.

Privacy and Anonymity is a well-established field with scholars working in the area for many decades

Referring to the 1995 report - the issue is "the path to anonymity" and on-route "minimization", i.e. the GOAL is NOT to "manage data", but to eliminate personal data or "preserve anonymity". This principle was built into the 1995 EU Data protection regulation defining restrictions on all data that are "identified or identifiable" and further emphasized in GDPR update of same article 25 "Data minimization according to state-of-the-art".

In 2009 (almost 15 years after), AC without substantiation tries to steal the agenda claiming personal ownership while publishing a set of guidelines which she blatantly calls a "Framework". Said guidelines contains nothing on anonymity or data minimization, but simple represent some overall statements that are not measurable or in any way represent a scientific framework.

Further - her unsubstantiated claim is that privacy CANNOT be designed so she try to reduce privacy to something handled by "2) accountable business" which reduces the step as a unilateral attack on privacy per see trying to give up on the root principles which "Privacy by Design" is about, see i.e. the report of 1995.

In short

I ask of the community to avoid this systemic misinformation and especially

a) To NOT acknowledge AC claim of origin.

"Privacy by design" is a generic with many authors, some mentioned in the 1995 report. I claim no such authorship and is fine with reference that the 1995 workshop was probably the first time the explicit term was used but privacy design predates this and privacy by design is a generic based on science, not a trademark to be owned and used for personal or corporate profit.

b) To NOT accept ACs 2009 version or set of guidelines as the or even a framework for "Privacy by Design". The fact that the "foundational principles" somehow got referenced in the 2010 DP conference do not raise them and especially not the reduction of "privacy" to "data protection" to science, principle or law.

c) To start this article by

- a goals definition respecting both the science, the original 1995 goals and existing regulation. Privacy by Design can never be reduced to something about "data protection" as that imply we are already beyond inherent privacy assurance "by design" and deep into weaker structures such as "by law, "by policy", "by agreement" or otherwise.

The 1995 is very clear on this and repeatedly talk about designing to preserve anonymity and if not possible to minimize personal data collection and pseudonymise actively (to split the real identity from the pseudonymous identity - NOT to to de-identify afterwards).

- emphasize Privacy Enhancing Technologies as the core of all Privacy by Design But with reference to GDPR "state-of-the-art" also respect that this is work in progress which has since the 1995 report (and the today rather funny "Identity Protector") progressed enormously in many aspects. E.g. TOR has raised the bar on "anonymity", similar the existing of production mature blinded cryptographic libraries etc.

The actual technologies should be covered elsewhere, but examples of state-of-the-art is relevant in this article.

d) But also recognize the efforts by the DPs to promote focus on technical design over "by regulation".

In this, AC and Borking should both be recommended as some of the early adopters. I have no agenda attacking or criticizing anyone personal, but they do not get to raise their personal biased opinion to science.

And mention the 2009 as a set of progressive guidelines mainly focusing on the corporate internal efforts that deserves special mentioning but NOT a definition of or a framework for "Privacy by Design" as that is better left to scientific reality and state-of-the-art.

In short - I ask of Wikipedia community to not be used for shameless self-promotion in a way that distort scientific reality and try to reduce the fundamental right to privacy to something about "data protection"

I will be happy to assist but the process since july 16th has been hostage taking ignoring all objections. Sjewiki22 (talk) 09:54, 22 July 2018 (UTC)


 * I'm pretty new to Wikipedia, but I have a couple of suggestions for directly improving the article, as well as a point that may help you two see eye-to-eye.
 * SJ believes, among other things, that the article gives AC too much credit, that her conception of PbD is flawed, and that criticisms to it are under-represented. I think an appropriate way to resolve this would be to do what many articles dealing with questionable premises do: put a brief (I repeat: brief) summary of criticisms in the article lead. Another thing that may help communicate to the audience hat AC doesn't own the concept of PbD or privacy generally is to add a paragraph on previously developed privacy paradigms to the "History and background" section.
 * I would also like to point out that, while AC's paper has been cited 500 times, that doesn't necessarily mean she holds the dominant view of PbD. The initial paper in which Christopher Boorse describes his account of health has been cited over 1,300 times, but many of those citations are made with the purpose of criticizing or refuting his ideas, not supporting them. That said, such a person is still very significant to the subject, especially if their ideas are still widely in use in some form or another.
 * I'm going to make some minor edits to this page, but I won't make any of the changes listed above until I get some feedback from you two. I hope this helps. Matthew V. Milone (talk) 13:47, 24 July 2018 (UTC)

Thanks Matthew, I had a long phone call with Sjewiki22 yesterday, and explained that we need evidence in the form of reliable references. Sjewiki22 is going to get some suggestions for Generic "Privacy by Design" as opposed to AC "Privacy by Design" and how it is being implemented in the state of the art. There is also another section about future improvements at the bottom of the article :). Look forward to your contributions.  RonaldDuncan (talk) 15:47, 24 July 2018 (UTC)
 * That sounds good. Should this section be moved to the bottom of the article to comply with the chronological convention that talk pages follow? Also, since you didn't object (and I really doubt SJ would), I'll add a brief summary of criticisms to the lead. I don't have the expertise to add the information on previously developed/alternate privacy paradigms, though. Matthew V. Milone (talk) 15:58, 24 July 2018 (UTC)
 * Moved section to chronological position RonaldDuncan (talk) 20:27, 25 July 2018 (UTC)

Future Improvements
Hopefully another editor will come into this discussion. However, they may not want to get involved. In the meantime, I am very happy to work with you on some content about the generic meaning of Privacy by Design vs the "Privacy by Design" PbD of AC and your "Security by Design" SbD that you created as an extension. My view on your SbD is that it is interesting, but has not been widely adopted vs PbD which has been. There is a lot that could be improved in the article and your input will be helpful. The key thing is that any info in the article must be well referenced, for the AC PbD there are over 500 papers in google scholar that reference it so it is easy to find references. The challenge is that in 500 references it is easy to paint a picture that is very biased and so there needs to be balance if there are multiple points of view. I have sent you an email so we can have a conference call, and hopefully discuss and summarise here rather than debating in multiple sections in this talk page. RonaldDuncan (talk) 10:45, 23 July 2018 (UTC)

Merger proposal
This page has no Spanish version, but theres is one: Q110101609 at [] I propose merging it into this one. — Preceding unsigned comment added by 2A02:8071:884:B420:0:0:0:EC9C (talk) 20:44, 7 June 2023 (UTC)