January 23, 2024 • 54 mins
In Honor of Data Privacy Week 2024, we're publishing a special episode. Instead of interviewing a guest, Debra shares her 'Top 20 Privacy Engineering Resources' and why. Check out her favorite free privacy engineering courses, books, podcasts, creative learning platforms, privacy threat modeling frameworks, conferences, government resources, and more.
DEBRA's TOP 20 PRIVACY ENGINEERING RESOURCES (in no particular order)
- Privado's Free Course: 'Technical Privacy Masterclass'
- OpenMined's Free Course: 'Our Privacy Opportunity'
- Data Protocol's Privacy Engineering Certification Program
- The Privacy Quest Platform & Games; Bonus: The Hitchhiker's Guide to Privacy Engineering
- 'Data Privacy: a runbook for engineers by Nishant Bhajaria
- 'Privacy Engineering, a Data Flow and Ontological Approach' by Ian Oliver
- 'Practical Data Privacy: enhancing privacy and security in data' by Katharine Jarmul
- Strategic Privacy by Design, 2nd Edition by R. Jason Cronk
- 'The Privacy Engineer's Manifesto: getting from policy to code to QA to value' by Michelle Finneran-Dennedy, Jonathan Fox and Thomas R. Dennedy
- USENIX Conference on Privacy Engineering Practice and Respect (PEPR)
- IEEE's The International Workshop on Privacy Engineering (IWPE)
- Institute of Operational Privacy Design (IOPD)
- 'The Shifting Privacy Left Podcast,' produced and hosted by Debra J Farber and sponsored by Privado
- Monitaur's 'The AI Fundamentalists Podcast' hosted by Andrew Clark & Sid Mangalik
- Skyflow's 'Partially Redacted Podcast' with Sean Falconer
- The LINDDUN Privacy Threat Model Framework & LINDDUN GO Card Game
- The Privacy Library Of Threats 4 Artificial Intelligence (PLOT4ai) Framework & PLOT4ai Card Game
- The IAPP Privacy Engineering Section
- The NIST Privacy Engineering Program Collaboration Space
- The EDPS Internet Privacy Engineering Network (IPEN)
Read “Top 20 Privacy Engineering Resources” on Privado’s Blog.
Privacy assurance at the speed of product development. Get instant visibility w/ privacy code scans.
Shifting Privacy Left Media
Where privacy engineers gather, share, & learn
TRU Staffing Partners
Top privacy talent - when you need it, where you need it.
Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.
Copyright © 2022 - 2024 Principled LLC. All rights reserved.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Debra J Farber (00:00):
Hello, I am Debra J Farber.
Welcome to The Shifting PrivacyLeft Podcast, where we talk
about embedding privacy bydesign and default into the
engineering function to preventprivacy harms to humans and to
prevent dystopia.
Each week, we'll bring youunique discussions with global
privacy technologists andinnovators working at the
(00:20):
bleeding edge of privacyresearch and emerging
technologies, standards,business models and ecosystems.
Welcome everyone to ShiftingPrivacy Left.
I'm your host and residentprivacy guru, Debra J Farber.
Today, for the Special DataPrivacy Day episode, I am not
interviewing a guest, but I amsharing with you my top 20
(00:43):
privacy engineering resourcesand why I'm recommending them.
So let's dive in.
Now, why am I doing this?
Well, I'm often asked about howand where people can learn more
about privacy engineering andtechnical privacy topics, so I
recently compiled a list of myfavorite privacy engineering
resources and posted that toLinkedIn.
(01:04):
I was just shocked at how muchinterest there was in that post
and how viral it kind of wentwithin the privacy community,
and so I thought it only madesense to write an article that
gives more context as to why Irecommended each resource.
Well, I finally wrote thatarticle, which will soon be
published by Privado, and I hopeyou find it helpful and that
(01:25):
you share these resources withothers seeking to get into
privacy, and so I've now takenthat article and turned it into
a podcast, in case this is a waythat you better consume
information.
So I've organized thisinformation in groupings based
on you know, here's a bunch ofcourses, here's a bunch of
podcasts, here's a creativeprivacy engineering approaches
(01:49):
and so forth.
I guess we'll start.
It's not in an order of myfavorite ranked, but we'll start
with Privado's TechnicalPrivacy Masterclass.
1) Actually, we're startingwith 'Courses,' and the first
one in courses is TechnicalPrivacy Masterclass.
So this is with Nishant Bajariaas instructor.
(02:11):
He's the privacy engineeringmanager at Meta and author of
Data Privacy, a runbook forengineers.
He's also a provado advisor aswell.
Now, who is this technicalprivacy masterclass for?
It looks to me like it's forprivacy engineers, for people in
DevOps, tpms and people inprivacy operations.
(02:32):
The course is completely free.
It takes about two and a halfto three hours to complete and
there is a certificate ofcompletion, so you can get a
certificate awarded if thestudent completes the course and
the quiz questions.
However, upon completion of thecourse, you will receive a
certified credential that youcan add to your LinkedIn profile
(02:53):
.
Now let me tell you a littlebit about why I recommended this
.
Nishant does an excellent job ofjust distilling down his wisdom
that he's gained from his manyyears in privacy engineering,
and this is a really engagingand strategic course.
So first he makes the case forhow privacy and security can
enable engineering and reducecosts by building a proactive
(03:17):
privacy program.
Second, nishant detailseffective approaches for
tackling common privacyengineering problems and he
gives really illustrative usecases, so for example, around
data inventory andclassification, technical
privacy reviews and privacy codescanning.
And then he lays out ways tosuccessfully build privacy tools
(03:38):
and infrastructure.
So this would be around likeDSAR and rights management,
consent management and maybeeven building a privacy center.
And then, lastly, nishantdemonstrates how to scale and
mature a technical privacyprogram.
So that would be you know whatare those KPIs and how do you
address governance, and you knowscale the program through
(04:00):
maturity.
And you know some of themodules and topics include I'll
talk about the groupings, notthe individual modules, but the
module.
Yeah, I'll talk about themodules, but not the individual
topics.
How about that?
So first you've got anintroduction to technical
privacy, then you've gotbuilding a proactive privacy
program, building privacy toolsinto infrastructure, scaling and
(04:22):
maturing a privacy program.
And then he's got a whole bonusmodule about his own story,
where Nishant talks aboutbecoming an accidental privacy
engineer, and his story is sodifferent from mine.
So you know, I love to heareverybody else's origin stories
to how they came to privacy.
2) All right, the second privacyresource that I'm going to
(04:44):
recommend to you is a course byopenmined.
org.
That's openmined dot org, andthe course I'm recommending
although they have severalcourses is our privacy
opportunity.
The instructors are AndrewTrask, who's the founder and
(05:04):
leader at OpenMind and alsosenior researcher at DeepMind
and PhD student at theUniversity of Oxford.
I have asked Andrew to be onthis podcast numerous times.
He was just in the middle ofwriting, you know, defending his
PhD and completing hisschoolwork there.
So, given that he's working onso much and has developed a
(05:25):
community of 16,000 plus, youknow, developers and data
scientists we will have him onthe show eventually, but I just
wanted to call attention to allthe great work that Andrew's
doing.
The other instructor is EmmaBlumke, phd, who is a research
manager at the Center forGovernance of AI.
So who's this course for?
(05:45):
I think it's for anyoneinterested in a holistic,
socio-technical approach totoday's privacy problems and the
key privacy enhancingtechnologies that data
scientists can leverage forsharing and using data in a
privacy preserving way isopening up the value of the data
that you have, but stillpreserving privacy.
(06:05):
Now I mentioned, this course iscompletely free and it takes
about eight hours for the onlinemodules and any additional time
if you are submitting forcertification.
So there is a certificate ofcompletion, but only if you
complete and pay for the fullcertification process.
There's no certificate ofcompletion for just completing
(06:26):
the online course modules, andthat certification is available
for free if you complete thecourse.
In addition to you know reviewand acceptance of a submitted
sample privacy productspecification that, based on
learning about privacy enhancingtechnologies and the various
approaches to data science today, you would submit a sample
(06:47):
privacy product specification.
Why am I recommending thiscourse?
Our privacy opportunity?
I've been in privacy for a longtime right, 18 years and I took
this course about a year ago.
I was blown away.
Blown away by how well theinstructors lay the case for a
socio-technical perspective forprivacy before they even get
(07:07):
into the technical weeds.
Right.
This course does an outstandingjob of detailing how privacy
infrastructure is changing, howsocieties manage information and
information flows and howbaking privacy into
infrastructure during thiscurrent period of technological
advancement presents us with theopportunity and disruption
(07:28):
within nearly every corner ofsociety.
So you'll also come away betterunderstanding the benefits of
privacy enhancing technologies,which they describe in a way
that is more impactful tosociety than your typical
privacy compliance training.
I think Andrew and Emma areincredible and they're engaging
instructors who share how andwhen each type of PET can be
(07:50):
used.
They dive into what they callstructured transparency.
They dive into input and outputprivacy and input and output
verification, and they also diveinto information flow
governance Some of their modules, just to give you a sense of
what I'm talking about.
Their modules include thefollowing Society runs on
(08:13):
information flows, informationflows within communities,
information flows within marketsand their incentives, the
limitations of information flows.
Introducing structuredtransparency.
Input privacy, output privacyinput verification, output
verification and flow governance.
The impact of structuredtransparency and create a
(08:37):
product specification, whichagain is optional and that's for
full certification, which I didnot do but I encourage others
to do.
There's also a community of,like I said, 16,000 data
scientists really in the weedsworking on implementing privacy
enhancing technologies usingPyTorch using all of the.
You know it's as deep as Icould go, talking about the
(09:01):
tools of the trade.
But there are other courses aswell.
I just have not taken themaround federated learning,
around data science, privacygenerally, because they're a
little more lab focused and alittle too technical for me.
But I encourage you to look atopenmindorg, definitely, take
our privacy opportunity and thentake a look at the other
courses.
(09:21):
I mean, there's one course Ithink it takes like 60 hours to
complete.
Again, it's also free.
So there's there's so muchthere that you can learn and
there's a community for you toplug into.
All right.
3) Number three under courses,it would be Data Protocols'
Privacy Engineering Course,their modules and certification.
So who's it for?
(09:42):
It's for privacy engineers,those in DevOps, TPMs and those
in privacy operations.
So this is an interesting modeltoo.
So data protocols privacyengineering course is free to
complete all of the coursemodules, but if you wanted an
official certification, it's$495 to you pay for a final
(10:04):
assessment and I guess that's topay for the reviewer and the
process fee and all that.
So if you wanted to attain anofficial certification of their
privacy engineering course,which I do believe they offer to
the big tech developers, and sothat's becoming a little bit of
a standardized course in the,the Metas, the Netflix, the you
(10:25):
know that that space right, thebig tech companies.
It takes about five to sixhours to complete and there's no
certificate of completion, as Imentioned, for just completing
the online course.
There is certification if youcomplete the curriculum, pass
the comprehensive final exam orfinal assessment excuse me, it's
not an exam and pay the finalassessment fee, then you'll earn
(10:46):
your data protocol privacyengineering certification and a
badge If you wanted to displayyour badge somewhere on your
personal website or whatever andyou will receive a certified
credential that you can add toyour LinkedIn profile to prove
that you completed it.
Now, why am I recommending itto you?
This course is also led byrenowned instructor Nashant
(11:08):
Bajaria.
In this course, he dives intothe basics of privacy
engineering.
You will gain the knowledge andskills that you need to protect
data privacy while designingand building products and
processes.
So these eight courses and sixhands on labs they test your
ability to design the securedata processes and also to
(11:30):
address vulnerabilities.
So data protocols mission is toeducate and engage developers
and it's designed to driveadoption, support education and
grow community.
It has a significant user baseacross the major tech companies,
as I mentioned.
So the value of its fullcertification program is
increasingly becoming anindicator of baseline privacy
(11:52):
engineering knowledge and skills.
So really urge you to check itout.
The modules, courses and labsinclude well, let's see, there's
a governance module.
It talks about dataclassification.
There's a lab, a dataclassification lab, talks about
data categorization andassociated lab, and then there's
(12:12):
a retrieval lab as well.
Then there's a systems modulewhich includes consent
management.
In addition consent managementlab, there's a security and
privacy course, a data deletioncourse and lab and a data
sharing course and lab.
And then, lastly, there's anexecution module where you learn
(12:34):
the basics of privacy tech andtechnical privacy consulting All
right out of courses.
4) This next recommendation kindof stands on its own under the
moniker of creative privacyengineering, education and
awareness.
So I've been working with afounder Mert Çan Boyer from
(12:55):
Imagine Privacy, doing businessnow as a Privacy Quest.
So Privacy Quest is a gamifiedlearning experience that was
inspired by the capture the flagor CTF style competitions that
the application securityindustry has really used to
drive awareness ofvulnerabilities and software,
(13:17):
and the founders designedprivacy quest here in that same
kind of gamified way, but tohelp non technical individuals
enter the privacy engineeringfield by providing a
comprehensive learningexperience that covers all the
necessary IT foundations.
It is expanding now to includemodules for current privacy
engineers to upskill to otherareas.
(13:37):
Privacy quest is for beginners,intermediate learners and
advanced privacy professionals.
The platform is pretty flexible, offers a variety of challenges
and competitions to suitdifferent skill levels and will
also be expanding into otheroverlapping areas soon.
Like definitely a deeper diveinto privacy and AI For privacy
(13:59):
awareness.
For data privacy day events,mayor Sean has expanded.
Well, he's created this dataprivacy day village and has an
entire storyline of the battlefor AI and there's two different
factions and you pick a faction.
That's going on right now untilFebruary 18th.
It's like a month long group ofactivities and events that even
(14:23):
I've been participating in aquiz night, different fireside
chats.
I mean there's a lot going on.
So I, you know, definitely urgeyou to check out privacy quest
for data privacy day events andcompetitions, but this is also a
platform year round that youcould use throughout the year
for learning.
It's for privacy and dataprotection managers, privacy
(14:44):
lawyers and privacy engineers.
Even though I've given you a lotof reasons why you should go
check it out.
I've got another set of reasonsas well.
One of the things I really loveis the use of immersive
storytelling, visual art, musicand a game of fine learning
platform.
So you'll gain all of thisinvaluable privacy and security
(15:05):
knowledge and when you'redelving into the intricacies of
privacy engineering through youknow the various quests.
You know you're going todevelop a deep understanding of
these concepts concepts likedata protection, threat modeling
, risk mitigation and encryption.
Privacy quest equips you andyour teams with practical skills
that you need to navigate thecomplex landscape of privacy and
(15:27):
security.
It provides a platform forcontinuous learning and growth,
and also you could connect withthe community of privacy
enthusiasts and professionals,showcase your experience and
position yourself as a valuableasset in the privacy and
security domain.
Companies can even leverageprivacy quest to deliver privacy
engineering education to theiremployees in a way that is
(15:48):
memorable, engaging andeffective.
Teams can even partner withprivacy quest to create, like a
privacy awareness day or week,various activities.
We've expanded this to include,like tabletop games, escape
room events and gamifiedworkshops.
So if you're thinking about howcan I gain privacy engineering
awareness and spread the messageof why it's important
(16:09):
throughout your organization andcan help use privacy quest to
do this with your workforce.
BONUS (16:14):
Now, I also want to highlight bonus material.
I didn't make this a standaloneof my top 20, you know
recommendations, because there'sjust already so much Mert Çan
has also written TheHitchhiker's Guide to Privacy
Engineering, and he created thisguide for privacy professionals
with legal backgrounds who wantto level up their knowledge of
(16:34):
technical data privacy, and withthe Hitchhiker's Guide, you can
grasp the technical mechanismsthat keep privacy intact and
then speak with credibility whenyou're working with technical
teams.
Right.
This was a creative passionproject from Mert Çan and he
really does combine his love forscience fiction and data
privacy here, and he offers up areally fun, engaging and
(16:59):
immersive privacy learningexperience for attorneys to
improve their technical skills.
It's also designed to provide apretty solid foundation in
privacy engineering principlesand practices, and it enables
privacy lawyers to betterunderstand and address the
complex privacy issues facingdigital society and thus their
organization.
(17:20):
5) All right, now let's turn tobooks - 'Data Privacy: a run
book for engineers.
' I talked about that so much onthis show, but I'm going to
give a brief rundown again.
The author again is NishantBajaria, and his book is
basically for system designers,architects and engineers that
(17:41):
work with data, especially inhighly distributed architectures
.
However, anyone should readthis book, from management to
media, to regulators toattorneys.
You know it really gives youbaseline knowledge that enables
you to offer commentary andanalysis that is rooted in
context and experience.
You know this is the first bookin the era of cloud computing
(18:03):
and identity graphs, you know,to help engineers implement
complex privacy goals like datagovernance, technical privacy
reviews, data deletion, consentmanagement and so on.
It teaches you how to navigatethe tradeoffs between strict
data security and real worldbusiness needs.
So in this practical book,you'll learn how to design and
(18:25):
implement privacy programs thatare easy to scale and automate.
This includes workablesolutions and smart repurposing
of existing security tools thathelp set and achieve your
privacy goals.
So chapters here would includeprivacy engineering, why it's
needed, how to scale it,understanding data and privacy,
(18:46):
data classification, datainventory, data sharing, the
technical privacy review, datadeletion, exporting user data
via DSARS, building a consentmanagement platform and closing
security vulnerabilities.
Then also scaling, hiring andconsidering regulations.
(19:08):
6) The second book, so the sixthresource that I am in my top 20
here is Privacy Engineering, aData Flow and Ontological
Approach by Ian Oliver, and hewrote this book for software
developers, software architects,system designers and TPMs.
So I'm recommending this bookbecause it presents an approach
(19:31):
that's based upon data flowmodeling, coupled with
standardized terminologicalframeworks, classifications and
ontologies to properly annotateand describe the flow of
information into, out of andacross these systems.
It also provides the structuresand frameworks for the
engineering process,requirements and audits, and
(19:52):
even the privacy program itself,but takes a pragmatic approach
and encourages the use andmodification of tools and
techniques presented as thelocal context and needs required
.
Chapters include case studies,privacy, engineering process
structure, data flow modeling,security and information type
classifications, additionalclassification structures,
(20:16):
requirements, risk andassessment, notice and consent,
privacy enhancing techniques,auditing and inspection,
developing a privacy program andconclusions.
7) My seventh recommendation andanother book is Catherine
Jarmul's Practical Data PrivacyEnhancing Privacy and Security
(20:39):
and Data.
Catherine Jarmul is theprincipal data scientist at
ThoughtWorks.
She's a previous guest on myshow and I've been using her
book ever since I got it, eversince it was published.
I think I even have a preprint,I think, because it is so
helpful for data scientists andprivacy enhancing technology
enthusiasts.
So this is the first book I'veseen that is really addressing
(21:04):
the overlap of privacy in datascience and it gets really
technical.
So some of that technical stuff, lab stuff, is where I stop and
some of the others on this callwill listen.
But I love how Catherinebalances a deep technical
perspective with really plainlanguage overviews of the latest
privacy technology approachesand architectures and she really
(21:25):
talks about it in the datascience workflows and machine
learning workflows.
Her book serves as an essentialguide that will give you a
fundamental understanding ofmodern privacy building blocks
like differential privacy,federated learning and encrypted
computation.
She shares like really solidadvice and best practices for
integrating breakthrough privacyenhancing technologies into
(21:47):
production systems.
So chapters here include datagovernance and simple privacy
approaches, anonymization,building privacy into data
pipelines, privacy attacks,especially of the models, and
the training, data privacy awaremachine learning and data
science.
I'm giving an entire talk forData Privacy Day that's based on
(22:11):
chapter five of her privacyaware machine learning and data
science Just great stuff.
Also includes federatedlearning and data science,
encrypted computation,navigating the legal side of
privacy, privacy and practicalconsiderations, faqs and their
(22:31):
answers and then a fun lastchapter go forth and engineer
privacy.
8) My eighth resource and nextbook is Strategic Privacy by
Design, the second edition by RJason Cronk.
He's the owner of For Right WebServices also enter privacy
(22:52):
consulting group.
He's also on the board andhelped bring to life the IOPD,
the Institute of OperationalPrivacy by Design, and he wrote
this book for operationalprivacy managers and privacy
engineers.
In fact, this is one of theofficial textbooks published by
the IOPP for studying for theirCertified Information Privacy
(23:14):
Technologist Certification, theCIPT.
I really love how this bookfocuses on how to build and
implement better processes,products and services that
consider individuals' privacyinterests as a design
requirement.
It is about how to build thingsthat people can trust.
Jason has over 100 additionalpages in his second edition of
(23:36):
Strategic Privacy by Design, soI really urge you to get a copy
of the newer book.
He really refines his thinkingover time of having deployed his
framework to many organizations.
He was able to then providedozens of illustrative examples,
a new chapter on threatmodeling for privacy, and then
he's added a glossary and modelanswers to the numerous
(23:57):
exercises that he's listedthroughout the book.
Chapters in his book includeintro what is privacy by design?
Building blocks, so really thistalks about the different
actors and their roles.
What are potential privacyharms and moral consequences?
There's also physical, mentaland other tangible consequences
(24:19):
that we don't normally thinkabout, if we're just thinking
about data privacy.
So he adds those in as well.
He talks about controls andthen has this ongoing example
and exercise around creating aapplication for reporting
potholes, so he'll call that thepothole application example.
Then this next chapter isaround modeling, so threats,
(24:42):
interactions and relationships,risk analysis, mitigating risks,
and then again using thepothole application example and
exercises to demonstrate what hemeans by modeling.
Chapters on designing forprivacy, design methodology,
pothole application example andexercises.
And then there's a glossary andthis includes categories of
(25:05):
personal information, riskterminology, hierarchy of
controls and then Dan Solov'staxonomy of privacy harms.
And then he's got someappendices he's added this year
or to the second edition aroundprivacy engineering, privacy
enhancing technologies andprivacy at scale.
He's got one on quantifyingrisks, another on the model
(25:27):
answers to his exercises and hekind of does a crosswalk and
maps to the CIPT body ofknowledge which, again, this
book is one of the officialtextbooks for the CIPT.
9) I would be remiss if I didn'talso include, as my ninth
resource and next book, 'ThePrivacy Engineer's Manifesto:
(25:49):
getting from policy to code toQA to value.
' This book is by one of myheroes, Michelle
Finneran-Dennedy, CEO of PrivacyCode, as well as Jonathan Fox,
Director of Strategy andPlanning at the Office of the
CPO at Cisco, as well as ThomasR Finneran (that's Michelle
Dennedy's father, who hasrecently passed, but an amazing
(26:12):
engineer).
So this book is for privacymanagers, privacy engineers and
their managers, CPOs, DPOs andIT management.
You know, this seminal work inprivacy engineering really
provides a systematicengineering approach to develop
privacy policies that are basedon enterprise goals and
(26:34):
appropriate governmentregulations.
Privacy procedures, standards,guidelines, best practices,
privacy rules and privacymechanisms can then be designed
and implemented according to asystems engineering set of
methodologies, models andpatterns that are well known and
well regarded, but are alsopresented in a creative way.
I have it on good knowledgethat there's a second edition of
(26:56):
this book in the works, so youmight want to wait before
running out and getting a copy.
This is the book that prettymuch inspired me to focus on
this idea of privacy engineering.
It's been out about I don'tknow close to 10 years now, and
it really got me thinking abouthow do we close the gap between
legal and engineering, and itwas really important to me on my
(27:17):
own privacy journey, so I urgeyou to check it out as well.
Here chapters include, you know, part one is getting your head
around privacy.
Part two is the privacyengineering process.
Part three is organizing forthe privacy information age and
part four is where do we go fromhere, kind of presenting a
vision of the future and how toprepare technologically for it.
(27:39):
All right, we're almost at thehalfway mark.
10) Number 10, we're startingwith the privacy engineering
focus conferences that are myfavorite.
So number 10, PrivacyEngineering Practice and Respect
Conference, otherwise known asPEPR.
This is put on by thenon-profit engineering org
USENIX.
So what is it?
(28:01):
PEPR is focused on designingand building products and
systems with privacy and respectfor their users and the
societies in which they operate,with the goal to improve the
state of the art and practice ofbuilding for privacy and
respect and to foster a deeplyknowledgeable community of both
privacy practitioners andresearchers that collaboratively
(28:21):
work towards that goal.
The 2024 USENIX conference onprivacy engineering, practice
and respect will take place atHyatt Regency, Santa Clara, on
June 3rd and 4th in 2024.
So you know, view the call forparticipation, get your
submissions in.
(28:41):
Submissions are due Monday,february 12th 2024, and I really
urge you to attend.
This really is the preeminentprivacy conference for privacy
engineers and technologists.
The PEPR conference is now myabsolute favorite annual
conference, and because I lovethis community so much, I
decided to join the PEPRconference programming committee
(29:03):
.
I'm really excited about that.
Just to show you how much Ilove this conference.
Here's a short example to showI'm not exaggerating I am
getting married this MemorialDay weekend.
Okay, it's a long time coming.
Covid actually canceled ouroriginal plans but we're finally
getting married Memorial Dayweekend and I let my fiancée\
know that we need to postponeour honeymoon by a week so that
(29:26):
I can ensure that I make it downto the Bay Area to attend PEPR
first.
So I'm not exaggerating when Isay how much I enjoy this event
that I am, you know, one of themost important days of people's
lives, right, you know I'mmaking room for PEPR.
And then USENIX also makes forthe perfect conference venue, as
it's a nonprofit engineeringorganization that's committed to
education, and the founders ofthe conference are really two
(29:49):
stalwarts in the field ProfessorLorrie Cranor and Lea Kissner.
PEPR features a two day lineupof talks and panels from leaders
across privacy engineering.
It's basically a show and tellof privacy engineering
practitioners, where we can gaininsights from the lessons
learned of others and networkwith this real small but growing
(30:09):
community.
So last year there were about150 to 200 privacy engineers in
attendance and you know, most ofthe feedback from others was
how much we all felt invigoratedby our discussions with one
another and how it felt like alove bubble of sorts.
If you'd seen our posts onLinkedIn, it was just everyone
just just professing our lovefor this conference because of
(30:30):
how it made us feel.
You know, it might get a littletoo large in the future.
I do anticipate in the futurethere'll be thousands of people
and maybe they'll feeloverwhelming, but for now you'd
be plugging into a really youknow, warm, welcoming, nurturing
community and it just feelsit's just wonderful.
So if you're a privacy engineer, this is the one conference
(30:50):
that I would be sure not to miss.
11) All right, next up, number11 top privacy engineering
resource, is the InternationalWorkshop on Privacy Engineering,
or the IWPE.
The organization that hoststhis is the IEEE, and the
workshop takes place annuallyduring the IEEE European
(31:15):
Symposium on Security andPrivacy.
This is a forum for concreteproposals for models, methods,
techniques and tools thatsupport data protection.
Engineers and organizations inthis endeavor are few and in
need of immediate attention.
So to cover this gap, thetopics at the conference focus
(31:35):
on all the aspects of privacyengineering, ranging from its
theoretical foundations,engineering approaches and
support infrastructures to itspractical application projects
of different scale.
So this is a broaderperspective than the USENIX
Pepper Conference, which favorspractical approaches over
discussions of theoreticalfoundations.
(31:57):
The 2024 conference will takeplace on July 8th in Vienna,
austria.
There's a call for submission,so submit your lightning talk
proposal or panel discussion byApril 15.
This conference is for privacyengineers and while I have not
personally attended thisconference, I know many who have
and had a great time speakingat and attending this event,
(32:19):
while it's pretty heavy onparticipants from academia.
Organizers have opened up anindustry talk track to invite
practitioners to share theirexperience, lessons learned or
challenges faced with a wideraudience.
So I invite you to help makethis conference great.
12) Okay, so next up, we've gota non-profit organization that
(32:40):
I'm recommending that you followand engage, so this is my
number 12 on my top 20 list theInstitute of Operational Privacy
Design, or IOPD.
The mission of the IOPD is todefine and drive the adoption of
privacy design standards toprovide accountability and
(33:00):
public recognition for goodprivacy practices.
It's for operational privacymanagers and privacy engineers
and anybody who wants to getmore involved in understanding
how to design privacy into yourproducts and services.
So until now, implementingprivacy by design in default has
been kind of squishy, hard todefine, kind of difficult to
(33:20):
implement.
And the IOPD has changed thisparadigm by developing the
industry's first standard for arepeatable and comprehensive
process by which a company canreduce its privacy risks, and
they call this the IOPD processdesign standard, so the process
design standard.
By adopting it, organizationswill be able to reduce the
(33:40):
complexity of the overall designprocess and create significant
efficiencies that reduce costwhile increasing consumer trust.
This standard covers the designprocess by which an
organization designs itsproducts, services or even other
business processes.
The goal of this standard is toensure privacy is a forethought
in the design.
(34:00):
Now the second standard whichwe'll be working on this year
yes, I'm participating in IOPD,I'm on a subcommittee on risk
controls.
We're working on an assurancestandard which will cover the
end result the product, theservice or the business,
ensuring that it does in factreduce privacy risks to an
acceptable level.
So, in theory, any product,service or business process
(34:23):
designed and developed using thedesign standard should result
in meeting the subsequentstandard, though the latter will
have more rigorous risktolerances included.
Organizations that meet therequirements of the privacy by
design assurance standard areable to display then a IOPD
privacy seal for their product,their service or business
(34:44):
process, and then from membersof the IOPD.
The organization hosts monthlydiscussions with movers and
shakers in the privacyengineering space, and it's
called privacy, engineering andtechnology education discussion,
or, for short, PETed.
13) Okay on to podcasts, fornumber 13, I would be remiss to
(35:10):
not include the Shifting PrivacyLeft podcast, with me as host
and sponsored by Privado.
What is it?
Well, you kind of know thatshifting privacy left features
lively discussions on the needfor organizations to embed
privacy by design into the UX/UI, architecture, engineering,
devops and the overall productdevelopment processes before
(35:34):
coder products are ever shipped.
Each week, we publish a newepisode that features interviews
with privacy engineers,technologists, researchers,
ethicists, innovators, marketmakers and industry thought
leaders.
We dive deeply into thissubject and unpack the existing
elements of emergingtechnologies and tech stacks
(35:55):
that are driving privacyinnovation, strategies and
tactics that win trust, privacypitfalls to avoid and privacy
tech issues ripped from theheadlines, and then some other
juicy topics of interest.
I crafted this show for privacyengineers.
That is the community that I amthinking about when I put these
shows together and othertechnologists.
(36:15):
Of course, anyone can listen toit, but expect that there'll be
technical content.
The reason I'm recommending myown podcast is I really enjoy
producing and hosting ShiftingPrivacy Left and I think my
passion for privacy engineeringand privacy tech and building
community comes through mydesire to inspire others.
(36:35):
We go deeper into technicalprivacy topics across guests
with various backgrounds andinterests, sometimes diving into
implementation and tech stacks,while making sure to also look
at problems holistically.
Recently, I'm really proud thatthe show has won the Privacy
Podcast People Choices Awards.
(36:56):
We won in three categoriesSecond place for Best Privacy
Podcast, first place for BestNewcomer and second place for
Best Interviewer.
From the feedback that I'vereceived, people really seem to
like my authenticity, practicalperspectives and provocative
questions that nudge theaudience to think differently
(37:16):
and creatively.
14) Next up on podcasts is TheAI Fundamentalists.
We've got hosts Andrew Clarkhe's the co-founder and CTO at
Monitaur, an AI governancecompany, and Sid Mangalik,
research scientist at Monitaurand computer science PhD
candidate at Stony BrookUniversity.
So Monitaur is obviously thesponsor of The AI
(37:40):
Fundamentalists and it's apodcast about the fundamentals
of safe and resilient modelingsystems behind the AI that
impacts our lives and ourbusinesses.
It's really for data scientists, ai system designers and
privacy engineers.
Again, I like this podcastbecause it talks about the
technical and about differentapproaches where there might be
(38:02):
problems with some of theapproaches.
So when I was seekingbite-sized podcasts for learning
more about AI myself, I cameacross this podcast pretty much
in its infancy I think it waslike the third or fourth episode
ever and after listening tojust one episode on some of the
drawbacks to using syntheticdata and AI and some of the few
use cases that it's really goodand some of the use cases that
(38:25):
actually aren't so great, I wasreally hooked.
Andrew and Sid are expert datascientists.
They're also pretty riveting inand compelling in their
discussions and they have a veryclear and practical
communication style that reallyresonated with me and cuts
through the marketing fluff thatmany AI-focused companies put
out there.
So while their podcast issquarely one about AI, I felt
(38:49):
that I needed to include a nodto their content here, as they
often discuss the overlappingissues of privacy and AI on
their show, and their podcasthas truly rounded out my
understanding of thatintersection.
15) The next podcast is number15 on my list is Partially
Redacted with host Sean Falconer, the head of marketing at
(39:11):
Skyflow.
This is a privacy engineeringfocused podcast show produced
and hosted by Skyflow, and it'sfor privacy engineers and
technologists.
Partially Redacted, focuses itsepisodes on a variety of topics
around privacy engineering.
The interviews, half of whichare with Skyflow employees and
half from outside guests, arereally packed with information
(39:33):
and novel insights for a privacyengineering audience.
I haven't listened to too manyepisodes, so I you know I can't
say too much about it, but Ireally like the focus of the
content and you should check itout.
16) Then, my next category isthreat modeling frameworks and
(39:53):
card games - probably somethingyou might not have expected, and
I'm hoping that this ispointing people to new resources
they never even considered.
You may have heard aboutLINDDUN, which is a recognized
privacy threat modelingframework.
There's also a card game thatgoes with it, linden Go, which
I'll talk about in a moment.
(40:13):
LINDDUN is a recognized privacythreat modeling framework
developed by privacy experts atKU Leuven.
It offers mature support toidentify and mitigate privacy
threats early in the developmentlifecycle, and when you adopt
Linden, you can therefore helpbuild privacy into the system's
core.
It's intended for privacyengineers, security analysts and
(40:35):
operational privacy managers,and the reason I'm recommending
it is well.
Privacy is increasinglyimportant, yet often
misunderstood.
I really like how Lindencategorizes by privacy threat
type, like linking, identifying,non-repudiation, detecting data
, disclosure, unawareness andnon-compliance.
(40:55):
Those are the different privacythreat types.
What's great about Linden isthat you can apply it to an
actual software system for athorough investigation, and when
you adopt Linden throughout thesoftware design phase, you then
can uncover and fix relevantprivacy gaps.
The creators have also includedopen-sourced resources like
privacy threat types, threattrees and methods, and so, for
(41:19):
those who learn by doing, youcan even buy the Linden Go card
game.
It's got 33 threat cards thathighlight the most common
privacy threats and systemhotspots, and then this game
transforms the privacyassessment process into an
engaging collaborativeexperience with your team.
It's designed for structuredbrainstorming with a diverse
team, and Linden Go requiresonly the card deck and a system
(41:41):
sketch to kickstart your journey.
17) Now Now Now Now number 17is kind of a little bit of an
extension of Linden, but appliedto AI, so that's the Privacy
Library of Threats forArtificial Intelligence,
shortened as PLOT the number 4AI, so it's the PLOT 4ai
framework, and it also includesa Plot 4ai card game.
(42:04):
The creator of Plot 4ai isIsabel Barbara.
She's the founder at Rhite, aconsulting firm in the AI
privacy space, and Plot 4 AI isa library that contains 86
threats related to AI andmachine learning.
These threats have beenclassified into eight categories
(42:26):
, and there's also a Plot 4aigame to help AI teams with
threat modeling for privacy, andeven a free self-assessment
tool for your AI project.
There's also a paper that sheco-authored called Threat
Modeling Generative AI Systemsthat you can refer to, where the
authors use Plot 4ai to createan open-source library of
(42:47):
potential threats for generativeAI systems.
Plot 4ai is for data scientists,privacy and data protection
managers, privacy engineers,security analysts and AI
governance managers.
I really like that.
Isabel created Plot 4 AI basedoff of the Linden Threat Model
Framework, though catalogingthreats mapped to AI
(43:08):
specifically rather than tosoftware systems generally.
It's also notable that Plot 4aiis not solely focused on
privacy and security by design.
It does cover the whole conceptof responsibility towards the
individuals that we want toprotect and humanity as a whole,
so I especially appreciate that.
And then, Plot 4ai helps you toconnect with the people that
(43:29):
are represented in your data andwith the people that one day
could be affected by your models.
18) My last few selectionshere are to call attention to
some other resources that can'tbe categorized very well, and
the first one would be the IAPP,the International Association
of Privacy Professionals.
They've got a privacyengineering section so you could
sign up for news and eventinformation and engagement
(43:53):
around the topic of privacyengineering.
This is where privacyprofessionals working in the IT
and privacy engineering fieldsplug into the other areas of the
privacy profession.
The privacy engineering sectiondoes offer a range of programs,
events, content and networkingopportunities through which
privacy pros working in IT andrelated fields can connect in
advance.
It's kind of for privacyengineers and IT privacy
(44:17):
managers, and I recommend itbecause the IAPP has focused
most of its services to theprivacy community on the needs
of DPOs, dpo's, privacyattorney's, consultants and the
GRC functions.
But if you're a member of theIAPP, you might find it helpful
to join the privacy engineeringsection for networking, speaking
and writing opportunities etc.
However, I do want to note thatthe IAPP does charge extra for
(44:40):
attendance at the privacyengineering section's day-long
lineup at its conferences,usually day before the main
conference and kind of seenalmost as a workshop rather than
like a formal conferenceprogramming.
The costs are then oftenprohibitive and the actual
attendance by the audience canbe pretty anemic, with most of
the speakers as the audiencemembers.
(45:01):
There's a lot of potential forthe IAPP to invest more in
bringing technical content toits members, like how it's
currently investing in AI andprivacy with a separate
conference, but it's not clearthat they have the political
will to do so.
So I'll continue to keeprecommending the privacy
engineering focus conferences.
19) Number 19 is the U.
S.
government has the NIST PrivacyEngineering Program Space.
(45:24):
Space Given concerns about howinformation technologies may
affect privacy at individual andsocietal NIST's.
Nist's privacy engineeringprogram supports the development
of trustworthy informationsystems by applying measurement,
science and systems engineeringprinciples to the creation of
frameworks, risk models,guidance tools and standards
(45:48):
that protect privacy and, byextension, civil liberties.
Nist's privacy engineeringcollaboration space is an online
venue open to the public wherepractitioners can discover,
share, discuss and improve uponopen source tools, solutions and
processes that support privacyengineering and risk management.
It's definitely for privacyengineers and the reason for my
(46:10):
recommendation is multiple Toolsand use cases are currently
focused on dissociability andprivacy risk assessment within
this collaboration space.
Anyone could submit open sourcetools and use cases to be
included in the collaborationspace.
For example, I was excited tosee that literally just
yesterday, it's January 26thright now.
(46:32):
Just yesterday, NIST addedPrivado Scan to the
collaboration space.
The privacy engineeringcollaboration space and Privado
Scan obviously by Privado.
It's an open source privacyscanner that allows an engineer
to scan their application codeand discover how data flows in
the application.
It detects hundreds of personaldata elements being processed
(46:53):
and further maps the data flowfrom the point of collection to
syncs, such as external thirdparties, databases, logs and
internal APIs.
It allows privacy engineers toconcretely verify and assess if
a certain data collection policyset on an application actually
matches the implementation rightin the code itself.
(47:15):
Thus it embeds privacyassessments into the developer's
workflow.
Talk about shifting left right.
And then another tool availablein the NIST collaboration space
is the FAIR F-A-I-R all capitalletters FAIR Privacy
Quantitative Privacy RiskFramework from Jason Cronk and
Enter Privacy.
(47:35):
He talks about FAIR a lot inhis book Strategic Privacy by
Design.
This framework is based on FAIR.
Fair stands for FactorsAnalysis in Information Risk,
which is extended into theprivacy domain, and this
examines personal privacy risksto individuals and quantifies it
so you can make decisionsbetter.
(47:56):
20) Last but not least, my 20thresource - drumroll please - is
from the EU government.
It's the EDPS Internet PrivacyEngineering Network, or IPEN.
So the purpose of IPEN is forthe European Data Protection
Supervisor, the supervisor's org, to bring together developers
and data protection experts thathave technical backgrounds from
(48:19):
different areas in order tolaunch and support projects that
build privacy into everydaytools and develop new tools that
can effectively protect andenhance our privacy.
It supports engineers workingon reusable building blocks,
design patterns and other toolsfor selected internet use cases
(48:39):
where privacy is at stake.
It aims to build bridges whereprivacy and data protection
experts from other disciplinesand it also promotes wider
understanding of thetechnologies that enable the
protection of personal data.
It facilitates exchanges tocoordinate work and aims to
create a community pursuingcommon objectives by connecting
existing initiatives, groups andindividuals working on privacy
(49:00):
engineering.
It's squarely for privacyengineers and the reason I'm
recommending it is.
IPEN events bring togetherprivacy experts and engineers
from public authorities,industry, academia and civil
society, discussing relevantchallenges and developments for
the engineering andtechnological implementation of
data protection and privacyrequirements into all phases of
(49:22):
the development process.
So, for example, last yeartheir annual event focused on
explainable artificialintelligence, so there was an
overlap with privacy.
I also really like that theymaintain a wiki for privacy
standards and privacy projects.
While I am unable to attend theevents in the EU, I do like to
stay connected by subscribing toIPEN's listserv, reading its
(49:46):
blog posts and referring to itswiki when needed.
So that is it.
That is my top 20 privacyengineering resources.
Let me know what you think.
What did I miss?
DM me.
Share this episode online.
Reach out to me.
You can email me at debra@shiftingprivacyleftcom.
(50:08):
You could find me on LinkedIn.
I'd really love to know.
Do you have a resource to add?
Is there anything I'm missing?
Do you like the 20 resourcesthat I shared with you?
Well, until next Tuesday,everyone, when we'll be back
with engaging content andprobably a really great guest
this time instead of just me.
Take care To learn more.
(50:55):
Go to privado.
ai.
Be sure to tune in next Tuesdayfor a new episode.
Bye for now.
Thanks for joining us this weekon Shifting Privacy Left.
(52:04):
Make sure to visit our website,shiftingprivacyleft.
com, where you can subscribe toupdates so you'll never miss a
show.
While you're at it, if youfound this episode valuable, go
ahead and share it with a friend.
And, if you're an engineer whocares passionately about privacy
, check out Privado (52:21):
the developer-friendly privacy
platform and sponsor of thisshow.
To learn more, go to privado.
ai.
Be sure to tune in next Tuesdayfor a new episode.
Bye for now.
Hello, I am Debra J Farber.
Welcome to The Shifting PrivacyLeft Podcast, where we talk
about embedding privacy bydesign and default into the
engineering function to preventprivacy harms to humans and to
prevent dystopia.
Each week, we'll bring youunique discussions with global
privacy technologists andinnovators working at the
(00:20):
bleeding edge of privacyresearch and emerging
technologies, standards,business models and ecosystems.
Welcome everyone to ShiftingPrivacy Left.
I'm your host and residentprivacy guru, Debra J Farber.
Today, for the Special DataPrivacy Day episode, I am not
interviewing a guest, but I amsharing with you my top 20
(00:43):
privacy engineering resourcesand why I'm recommending them.
So let's dive in.
Now, why am I doing this?
Well, I'm often asked about howand where people can learn more
about privacy engineering andtechnical privacy topics, so I
recently compiled a list of myfavorite privacy engineering
resources and posted that toLinkedIn.
(01:04):
I was just shocked at how muchinterest there was in that post
and how viral it kind of wentwithin the privacy community,
and so I thought it only madesense to write an article that
gives more context as to why Irecommended each resource.
Well, I finally wrote thatarticle, which will soon be
published by Privado, and I hopeyou find it helpful and that
(01:25):
you share these resources withothers seeking to get into
privacy, and so I've now takenthat article and turned it into
a podcast, in case this is a waythat you better consume
information.
So I've organized thisinformation in groupings based
on you know, here's a bunch ofcourses, here's a bunch of
podcasts, here's a creativeprivacy engineering approaches
(01:49):
and so forth.
I guess we'll start.
It's not in an order of myfavorite ranked, but we'll start
with Privado's TechnicalPrivacy Masterclass.
1) Actually, we're startingwith 'Courses,' and the first
one in courses is TechnicalPrivacy Masterclass.
So this is with Nishant Bajariaas instructor.
(02:11):
He's the privacy engineeringmanager at Meta and author of
Data Privacy, a runbook forengineers.
He's also a provado advisor aswell.
Now, who is this technicalprivacy masterclass for?
It looks to me like it's forprivacy engineers, for people in
DevOps, tpms and people inprivacy operations.
(02:32):
The course is completely free.
It takes about two and a halfto three hours to complete and
there is a certificate ofcompletion, so you can get a
certificate awarded if thestudent completes the course and
the quiz questions.
However, upon completion of thecourse, you will receive a
certified credential that youcan add to your LinkedIn profile
(02:53):
.
Now let me tell you a littlebit about why I recommended this
.
Nishant does an excellent job ofjust distilling down his wisdom
that he's gained from his manyyears in privacy engineering,
and this is a really engagingand strategic course.
So first he makes the case forhow privacy and security can
enable engineering and reducecosts by building a proactive
(03:17):
privacy program.
Second, nishant detailseffective approaches for
tackling common privacyengineering problems and he
gives really illustrative usecases, so for example, around
data inventory andclassification, technical
privacy reviews and privacy codescanning.
And then he lays out ways tosuccessfully build privacy tools
(03:38):
and infrastructure.
So this would be around likeDSAR and rights management,
consent management and maybeeven building a privacy center.
And then, lastly, nishantdemonstrates how to scale and
mature a technical privacyprogram.
So that would be you know whatare those KPIs and how do you
address governance, and you knowscale the program through
(04:00):
maturity.
And you know some of themodules and topics include I'll
talk about the groupings, notthe individual modules, but the
module.
Yeah, I'll talk about themodules, but not the individual
topics.
How about that?
So first you've got anintroduction to technical
privacy, then you've gotbuilding a proactive privacy
program, building privacy toolsinto infrastructure, scaling and
(04:22):
maturing a privacy program.
And then he's got a whole bonusmodule about his own story,
where Nishant talks aboutbecoming an accidental privacy
engineer, and his story is sodifferent from mine.
So you know, I love to heareverybody else's origin stories
to how they came to privacy.
2) All right, the second privacyresource that I'm going to
(04:44):
recommend to you is a course byopenmined.
org.
That's openmined dot org, andthe course I'm recommending
although they have severalcourses is our privacy
opportunity.
The instructors are AndrewTrask, who's the founder and
(05:04):
leader at OpenMind and alsosenior researcher at DeepMind
and PhD student at theUniversity of Oxford.
I have asked Andrew to be onthis podcast numerous times.
He was just in the middle ofwriting, you know, defending his
PhD and completing hisschoolwork there.
So, given that he's working onso much and has developed a
(05:25):
community of 16,000 plus, youknow, developers and data
scientists we will have him onthe show eventually, but I just
wanted to call attention to allthe great work that Andrew's
doing.
The other instructor is EmmaBlumke, phd, who is a research
manager at the Center forGovernance of AI.
So who's this course for?
(05:45):
I think it's for anyoneinterested in a holistic,
socio-technical approach totoday's privacy problems and the
key privacy enhancingtechnologies that data
scientists can leverage forsharing and using data in a
privacy preserving way isopening up the value of the data
that you have, but stillpreserving privacy.
(06:05):
Now I mentioned, this course iscompletely free and it takes
about eight hours for the onlinemodules and any additional time
if you are submitting forcertification.
So there is a certificate ofcompletion, but only if you
complete and pay for the fullcertification process.
There's no certificate ofcompletion for just completing
(06:26):
the online course modules, andthat certification is available
for free if you complete thecourse.
In addition to you know reviewand acceptance of a submitted
sample privacy productspecification that, based on
learning about privacy enhancingtechnologies and the various
approaches to data science today, you would submit a sample
(06:47):
privacy product specification.
Why am I recommending thiscourse?
Our privacy opportunity?
I've been in privacy for a longtime right, 18 years and I took
this course about a year ago.
I was blown away.
Blown away by how well theinstructors lay the case for a
socio-technical perspective forprivacy before they even get
(07:07):
into the technical weeds.
Right.
This course does an outstandingjob of detailing how privacy
infrastructure is changing, howsocieties manage information and
information flows and howbaking privacy into
infrastructure during thiscurrent period of technological
advancement presents us with theopportunity and disruption
(07:28):
within nearly every corner ofsociety.
So you'll also come away betterunderstanding the benefits of
privacy enhancing technologies,which they describe in a way
that is more impactful tosociety than your typical
privacy compliance training.
I think Andrew and Emma areincredible and they're engaging
instructors who share how andwhen each type of PET can be
(07:50):
used.
They dive into what they callstructured transparency.
They dive into input and outputprivacy and input and output
verification, and they also diveinto information flow
governance Some of their modules, just to give you a sense of
what I'm talking about.
Their modules include thefollowing Society runs on
(08:13):
information flows, informationflows within communities,
information flows within marketsand their incentives, the
limitations of information flows.
Introducing structuredtransparency.
Input privacy, output privacyinput verification, output
verification and flow governance.
The impact of structuredtransparency and create a
(08:37):
product specification, whichagain is optional and that's for
full certification, which I didnot do but I encourage others
to do.
There's also a community of,like I said, 16,000 data
scientists really in the weedsworking on implementing privacy
enhancing technologies usingPyTorch using all of the.
You know it's as deep as Icould go, talking about the
(09:01):
tools of the trade.
But there are other courses aswell.
I just have not taken themaround federated learning,
around data science, privacygenerally, because they're a
little more lab focused and alittle too technical for me.
But I encourage you to look atopenmindorg, definitely, take
our privacy opportunity and thentake a look at the other
courses.
(09:21):
I mean, there's one course Ithink it takes like 60 hours to
complete.
Again, it's also free.
So there's there's so muchthere that you can learn and
there's a community for you toplug into.
All right.
3) Number three under courses,it would be Data Protocols'
Privacy Engineering Course,their modules and certification.
So who's it for?
(09:42):
It's for privacy engineers,those in DevOps, TPMs and those
in privacy operations.
So this is an interesting modeltoo.
So data protocols privacyengineering course is free to
complete all of the coursemodules, but if you wanted an
official certification, it's$495 to you pay for a final
(10:04):
assessment and I guess that's topay for the reviewer and the
process fee and all that.
So if you wanted to attain anofficial certification of their
privacy engineering course,which I do believe they offer to
the big tech developers, and sothat's becoming a little bit of
a standardized course in the,the Metas, the Netflix, the you
(10:25):
know that that space right, thebig tech companies.
It takes about five to sixhours to complete and there's no
certificate of completion, as Imentioned, for just completing
the online course.
There is certification if youcomplete the curriculum, pass
the comprehensive final exam orfinal assessment excuse me, it's
not an exam and pay the finalassessment fee, then you'll earn
(10:46):
your data protocol privacyengineering certification and a
badge If you wanted to displayyour badge somewhere on your
personal website or whatever andyou will receive a certified
credential that you can add toyour LinkedIn profile to prove
that you completed it.
Now, why am I recommending itto you?
This course is also led byrenowned instructor Nashant
(11:08):
Bajaria.
In this course, he dives intothe basics of privacy
engineering.
You will gain the knowledge andskills that you need to protect
data privacy while designingand building products and
processes.
So these eight courses and sixhands on labs they test your
ability to design the securedata processes and also to
(11:30):
address vulnerabilities.
So data protocols mission is toeducate and engage developers
and it's designed to driveadoption, support education and
grow community.
It has a significant user baseacross the major tech companies,
as I mentioned.
So the value of its fullcertification program is
increasingly becoming anindicator of baseline privacy
(11:52):
engineering knowledge and skills.
So really urge you to check itout.
The modules, courses and labsinclude well, let's see, there's
a governance module.
It talks about dataclassification.
There's a lab, a dataclassification lab, talks about
data categorization andassociated lab, and then there's
(12:12):
a retrieval lab as well.
Then there's a systems modulewhich includes consent
management.
In addition consent managementlab, there's a security and
privacy course, a data deletioncourse and lab and a data
sharing course and lab.
And then, lastly, there's anexecution module where you learn
(12:34):
the basics of privacy tech andtechnical privacy consulting All
right out of courses.
4) This next recommendation kindof stands on its own under the
moniker of creative privacyengineering, education and
awareness.
So I've been working with afounder Mert Çan Boyer from
(12:55):
Imagine Privacy, doing businessnow as a Privacy Quest.
So Privacy Quest is a gamifiedlearning experience that was
inspired by the capture the flagor CTF style competitions that
the application securityindustry has really used to
drive awareness ofvulnerabilities and software,
(13:17):
and the founders designedprivacy quest here in that same
kind of gamified way, but tohelp non technical individuals
enter the privacy engineeringfield by providing a
comprehensive learningexperience that covers all the
necessary IT foundations.
It is expanding now to includemodules for current privacy
engineers to upskill to otherareas.
(13:37):
Privacy quest is for beginners,intermediate learners and
advanced privacy professionals.
The platform is pretty flexible, offers a variety of challenges
and competitions to suitdifferent skill levels and will
also be expanding into otheroverlapping areas soon.
Like definitely a deeper diveinto privacy and AI For privacy
(13:59):
awareness.
For data privacy day events,mayor Sean has expanded.
Well, he's created this dataprivacy day village and has an
entire storyline of the battlefor AI and there's two different
factions and you pick a faction.
That's going on right now untilFebruary 18th.
It's like a month long group ofactivities and events that even
(14:23):
I've been participating in aquiz night, different fireside
chats.
I mean there's a lot going on.
So I, you know, definitely urgeyou to check out privacy quest
for data privacy day events andcompetitions, but this is also a
platform year round that youcould use throughout the year
for learning.
It's for privacy and dataprotection managers, privacy
(14:44):
lawyers and privacy engineers.
Even though I've given you a lotof reasons why you should go
check it out.
I've got another set of reasonsas well.
One of the things I really loveis the use of immersive
storytelling, visual art, musicand a game of fine learning
platform.
So you'll gain all of thisinvaluable privacy and security
(15:05):
knowledge and when you'redelving into the intricacies of
privacy engineering through youknow the various quests.
You know you're going todevelop a deep understanding of
these concepts concepts likedata protection, threat modeling
, risk mitigation and encryption.
Privacy quest equips you andyour teams with practical skills
that you need to navigate thecomplex landscape of privacy and
(15:27):
security.
It provides a platform forcontinuous learning and growth,
and also you could connect withthe community of privacy
enthusiasts and professionals,showcase your experience and
position yourself as a valuableasset in the privacy and
security domain.
Companies can even leverageprivacy quest to deliver privacy
engineering education to theiremployees in a way that is
(15:48):
memorable, engaging andeffective.
Teams can even partner withprivacy quest to create, like a
privacy awareness day or week,various activities.
We've expanded this to include,like tabletop games, escape
room events and gamifiedworkshops.
So if you're thinking about howcan I gain privacy engineering
awareness and spread the messageof why it's important
(16:09):
throughout your organization andcan help use privacy quest to
do this with your workforce.
BONUS (16:14):
Now, I also want to highlight bonus material.
I didn't make this a standaloneof my top 20, you know
recommendations, because there'sjust already so much Mert Çan
has also written TheHitchhiker's Guide to Privacy
Engineering, and he created thisguide for privacy professionals
with legal backgrounds who wantto level up their knowledge of
(16:34):
technical data privacy, and withthe Hitchhiker's Guide, you can
grasp the technical mechanismsthat keep privacy intact and
then speak with credibility whenyou're working with technical
teams.
Right.
This was a creative passionproject from Mert Çan and he
really does combine his love forscience fiction and data
privacy here, and he offers up areally fun, engaging and
(16:59):
immersive privacy learningexperience for attorneys to
improve their technical skills.
It's also designed to provide apretty solid foundation in
privacy engineering principlesand practices, and it enables
privacy lawyers to betterunderstand and address the
complex privacy issues facingdigital society and thus their
organization.
(17:20):
5) All right, now let's turn tobooks - 'Data Privacy: a run
book for engineers.
' I talked about that so much onthis show, but I'm going to
give a brief rundown again.
The author again is NishantBajaria, and his book is
basically for system designers,architects and engineers that
(17:41):
work with data, especially inhighly distributed architectures
.
However, anyone should readthis book, from management to
media, to regulators toattorneys.
You know it really gives youbaseline knowledge that enables
you to offer commentary andanalysis that is rooted in
context and experience.
You know this is the first bookin the era of cloud computing
(18:03):
and identity graphs, you know,to help engineers implement
complex privacy goals like datagovernance, technical privacy
reviews, data deletion, consentmanagement and so on.
It teaches you how to navigatethe tradeoffs between strict
data security and real worldbusiness needs.
So in this practical book,you'll learn how to design and
(18:25):
implement privacy programs thatare easy to scale and automate.
This includes workablesolutions and smart repurposing
of existing security tools thathelp set and achieve your
privacy goals.
So chapters here would includeprivacy engineering, why it's
needed, how to scale it,understanding data and privacy,
(18:46):
data classification, datainventory, data sharing, the
technical privacy review, datadeletion, exporting user data
via DSARS, building a consentmanagement platform and closing
security vulnerabilities.
Then also scaling, hiring andconsidering regulations.
(19:08):
6) The second book, so the sixthresource that I am in my top 20
here is Privacy Engineering, aData Flow and Ontological
Approach by Ian Oliver, and hewrote this book for software
developers, software architects,system designers and TPMs.
So I'm recommending this bookbecause it presents an approach
(19:31):
that's based upon data flowmodeling, coupled with
standardized terminologicalframeworks, classifications and
ontologies to properly annotateand describe the flow of
information into, out of andacross these systems.
It also provides the structuresand frameworks for the
engineering process,requirements and audits, and
(19:52):
even the privacy program itself,but takes a pragmatic approach
and encourages the use andmodification of tools and
techniques presented as thelocal context and needs required
.
Chapters include case studies,privacy, engineering process
structure, data flow modeling,security and information type
classifications, additionalclassification structures,
(20:16):
requirements, risk andassessment, notice and consent,
privacy enhancing techniques,auditing and inspection,
developing a privacy program andconclusions.
7) My seventh recommendation andanother book is Catherine
Jarmul's Practical Data PrivacyEnhancing Privacy and Security
(20:39):
and Data.
Catherine Jarmul is theprincipal data scientist at
ThoughtWorks.
She's a previous guest on myshow and I've been using her
book ever since I got it, eversince it was published.
I think I even have a preprint,I think, because it is so
helpful for data scientists andprivacy enhancing technology
enthusiasts.
So this is the first book I'veseen that is really addressing
(21:04):
the overlap of privacy in datascience and it gets really
technical.
So some of that technical stuff, lab stuff, is where I stop and
some of the others on this callwill listen.
But I love how Catherinebalances a deep technical
perspective with really plainlanguage overviews of the latest
privacy technology approachesand architectures and she really
(21:25):
talks about it in the datascience workflows and machine
learning workflows.
Her book serves as an essentialguide that will give you a
fundamental understanding ofmodern privacy building blocks
like differential privacy,federated learning and encrypted
computation.
She shares like really solidadvice and best practices for
integrating breakthrough privacyenhancing technologies into
(21:47):
production systems.
So chapters here include datagovernance and simple privacy
approaches, anonymization,building privacy into data
pipelines, privacy attacks,especially of the models, and
the training, data privacy awaremachine learning and data
science.
I'm giving an entire talk forData Privacy Day that's based on
(22:11):
chapter five of her privacyaware machine learning and data
science Just great stuff.
Also includes federatedlearning and data science,
encrypted computation,navigating the legal side of
privacy, privacy and practicalconsiderations, faqs and their
(22:31):
answers and then a fun lastchapter go forth and engineer
privacy.
8) My eighth resource and nextbook is Strategic Privacy by
Design, the second edition by RJason Cronk.
He's the owner of For Right WebServices also enter privacy
(22:52):
consulting group.
He's also on the board andhelped bring to life the IOPD,
the Institute of OperationalPrivacy by Design, and he wrote
this book for operationalprivacy managers and privacy
engineers.
In fact, this is one of theofficial textbooks published by
the IOPP for studying for theirCertified Information Privacy
(23:14):
Technologist Certification, theCIPT.
I really love how this bookfocuses on how to build and
implement better processes,products and services that
consider individuals' privacyinterests as a design
requirement.
It is about how to build thingsthat people can trust.
Jason has over 100 additionalpages in his second edition of
(23:36):
Strategic Privacy by Design, soI really urge you to get a copy
of the newer book.
He really refines his thinkingover time of having deployed his
framework to many organizations.
He was able to then providedozens of illustrative examples,
a new chapter on threatmodeling for privacy, and then
he's added a glossary and modelanswers to the numerous
(23:57):
exercises that he's listedthroughout the book.
Chapters in his book includeintro what is privacy by design?
Building blocks, so really thistalks about the different
actors and their roles.
What are potential privacyharms and moral consequences?
There's also physical, mentaland other tangible consequences
(24:19):
that we don't normally thinkabout, if we're just thinking
about data privacy.
So he adds those in as well.
He talks about controls andthen has this ongoing example
and exercise around creating aapplication for reporting
potholes, so he'll call that thepothole application example.
Then this next chapter isaround modeling, so threats,
(24:42):
interactions and relationships,risk analysis, mitigating risks,
and then again using thepothole application example and
exercises to demonstrate what hemeans by modeling.
Chapters on designing forprivacy, design methodology,
pothole application example andexercises.
And then there's a glossary andthis includes categories of
(25:05):
personal information, riskterminology, hierarchy of
controls and then Dan Solov'staxonomy of privacy harms.
And then he's got someappendices he's added this year
or to the second edition aroundprivacy engineering, privacy
enhancing technologies andprivacy at scale.
He's got one on quantifyingrisks, another on the model
(25:27):
answers to his exercises and hekind of does a crosswalk and
maps to the CIPT body ofknowledge which, again, this
book is one of the officialtextbooks for the CIPT.
9) I would be remiss if I didn'talso include, as my ninth
resource and next book, 'ThePrivacy Engineer's Manifesto:
(25:49):
getting from policy to code toQA to value.
' This book is by one of myheroes, Michelle
Finneran-Dennedy, CEO of PrivacyCode, as well as Jonathan Fox,
Director of Strategy andPlanning at the Office of the
CPO at Cisco, as well as ThomasR Finneran (that's Michelle
Dennedy's father, who hasrecently passed, but an amazing
(26:12):
engineer).
So this book is for privacymanagers, privacy engineers and
their managers, CPOs, DPOs andIT management.
You know, this seminal work inprivacy engineering really
provides a systematicengineering approach to develop
privacy policies that are basedon enterprise goals and
(26:34):
appropriate governmentregulations.
Privacy procedures, standards,guidelines, best practices,
privacy rules and privacymechanisms can then be designed
and implemented according to asystems engineering set of
methodologies, models andpatterns that are well known and
well regarded, but are alsopresented in a creative way.
I have it on good knowledgethat there's a second edition of
(26:56):
this book in the works, so youmight want to wait before
running out and getting a copy.
This is the book that prettymuch inspired me to focus on
this idea of privacy engineering.
It's been out about I don'tknow close to 10 years now, and
it really got me thinking abouthow do we close the gap between
legal and engineering, and itwas really important to me on my
(27:17):
own privacy journey, so I urgeyou to check it out as well.
Here chapters include, you know, part one is getting your head
around privacy.
Part two is the privacyengineering process.
Part three is organizing forthe privacy information age and
part four is where do we go fromhere, kind of presenting a
vision of the future and how toprepare technologically for it.
(27:39):
All right, we're almost at thehalfway mark.
10) Number 10, we're startingwith the privacy engineering
focus conferences that are myfavorite.
So number 10, PrivacyEngineering Practice and Respect
Conference, otherwise known asPEPR.
This is put on by thenon-profit engineering org
USENIX.
So what is it?
(28:01):
PEPR is focused on designingand building products and
systems with privacy and respectfor their users and the
societies in which they operate,with the goal to improve the
state of the art and practice ofbuilding for privacy and
respect and to foster a deeplyknowledgeable community of both
privacy practitioners andresearchers that collaboratively
(28:21):
work towards that goal.
The 2024 USENIX conference onprivacy engineering, practice
and respect will take place atHyatt Regency, Santa Clara, on
June 3rd and 4th in 2024.
So you know, view the call forparticipation, get your
submissions in.
(28:41):
Submissions are due Monday,february 12th 2024, and I really
urge you to attend.
This really is the preeminentprivacy conference for privacy
engineers and technologists.
The PEPR conference is now myabsolute favorite annual
conference, and because I lovethis community so much, I
decided to join the PEPRconference programming committee
(29:03):
.
I'm really excited about that.
Just to show you how much Ilove this conference.
Here's a short example to showI'm not exaggerating I am
getting married this MemorialDay weekend.
Okay, it's a long time coming.
Covid actually canceled ouroriginal plans but we're finally
getting married Memorial Dayweekend and I let my fiancée\
know that we need to postponeour honeymoon by a week so that
(29:26):
I can ensure that I make it downto the Bay Area to attend PEPR
first.
So I'm not exaggerating when Isay how much I enjoy this event
that I am, you know, one of themost important days of people's
lives, right, you know I'mmaking room for PEPR.
And then USENIX also makes forthe perfect conference venue, as
it's a nonprofit engineeringorganization that's committed to
education, and the founders ofthe conference are really two
(29:49):
stalwarts in the field ProfessorLorrie Cranor and Lea Kissner.
PEPR features a two day lineupof talks and panels from leaders
across privacy engineering.
It's basically a show and tellof privacy engineering
practitioners, where we can gaininsights from the lessons
learned of others and networkwith this real small but growing
(30:09):
community.
So last year there were about150 to 200 privacy engineers in
attendance and you know, most ofthe feedback from others was
how much we all felt invigoratedby our discussions with one
another and how it felt like alove bubble of sorts.
If you'd seen our posts onLinkedIn, it was just everyone
just just professing our lovefor this conference because of
(30:30):
how it made us feel.
You know, it might get a littletoo large in the future.
I do anticipate in the futurethere'll be thousands of people
and maybe they'll feeloverwhelming, but for now you'd
be plugging into a really youknow, warm, welcoming, nurturing
community and it just feelsit's just wonderful.
So if you're a privacy engineer, this is the one conference
(30:50):
that I would be sure not to miss.
11) All right, next up, number11 top privacy engineering
resource, is the InternationalWorkshop on Privacy Engineering,
or the IWPE.
The organization that hoststhis is the IEEE, and the
workshop takes place annuallyduring the IEEE European
(31:15):
Symposium on Security andPrivacy.
This is a forum for concreteproposals for models, methods,
techniques and tools thatsupport data protection.
Engineers and organizations inthis endeavor are few and in
need of immediate attention.
So to cover this gap, thetopics at the conference focus
(31:35):
on all the aspects of privacyengineering, ranging from its
theoretical foundations,engineering approaches and
support infrastructures to itspractical application projects
of different scale.
So this is a broaderperspective than the USENIX
Pepper Conference, which favorspractical approaches over
discussions of theoreticalfoundations.
(31:57):
The 2024 conference will takeplace on July 8th in Vienna,
austria.
There's a call for submission,so submit your lightning talk
proposal or panel discussion byApril 15.
This conference is for privacyengineers and while I have not
personally attended thisconference, I know many who have
and had a great time speakingat and attending this event,
(32:19):
while it's pretty heavy onparticipants from academia.
Organizers have opened up anindustry talk track to invite
practitioners to share theirexperience, lessons learned or
challenges faced with a wideraudience.
So I invite you to help makethis conference great.
12) Okay, so next up, we've gota non-profit organization that
(32:40):
I'm recommending that you followand engage, so this is my
number 12 on my top 20 list theInstitute of Operational Privacy
Design, or IOPD.
The mission of the IOPD is todefine and drive the adoption of
privacy design standards toprovide accountability and
(33:00):
public recognition for goodprivacy practices.
It's for operational privacymanagers and privacy engineers
and anybody who wants to getmore involved in understanding
how to design privacy into yourproducts and services.
So until now, implementingprivacy by design in default has
been kind of squishy, hard todefine, kind of difficult to
(33:20):
implement.
And the IOPD has changed thisparadigm by developing the
industry's first standard for arepeatable and comprehensive
process by which a company canreduce its privacy risks, and
they call this the IOPD processdesign standard, so the process
design standard.
By adopting it, organizationswill be able to reduce the
(33:40):
complexity of the overall designprocess and create significant
efficiencies that reduce costwhile increasing consumer trust.
This standard covers the designprocess by which an
organization designs itsproducts, services or even other
business processes.
The goal of this standard is toensure privacy is a forethought
in the design.
(34:00):
Now the second standard whichwe'll be working on this year
yes, I'm participating in IOPD,I'm on a subcommittee on risk
controls.
We're working on an assurancestandard which will cover the
end result the product, theservice or the business,
ensuring that it does in factreduce privacy risks to an
acceptable level.
So, in theory, any product,service or business process
(34:23):
designed and developed using thedesign standard should result
in meeting the subsequentstandard, though the latter will
have more rigorous risktolerances included.
Organizations that meet therequirements of the privacy by
design assurance standard areable to display then a IOPD
privacy seal for their product,their service or business
(34:44):
process, and then from membersof the IOPD.
The organization hosts monthlydiscussions with movers and
shakers in the privacyengineering space, and it's
called privacy, engineering andtechnology education discussion,
or, for short, PETed.
13) Okay on to podcasts, fornumber 13, I would be remiss to
(35:10):
not include the Shifting PrivacyLeft podcast, with me as host
and sponsored by Privado.
What is it?
Well, you kind of know thatshifting privacy left features
lively discussions on the needfor organizations to embed
privacy by design into the UX/UI, architecture, engineering,
devops and the overall productdevelopment processes before
(35:34):
coder products are ever shipped.
Each week, we publish a newepisode that features interviews
with privacy engineers,technologists, researchers,
ethicists, innovators, marketmakers and industry thought
leaders.
We dive deeply into thissubject and unpack the existing
elements of emergingtechnologies and tech stacks
(35:55):
that are driving privacyinnovation, strategies and
tactics that win trust, privacypitfalls to avoid and privacy
tech issues ripped from theheadlines, and then some other
juicy topics of interest.
I crafted this show for privacyengineers.
That is the community that I amthinking about when I put these
shows together and othertechnologists.
(36:15):
Of course, anyone can listen toit, but expect that there'll be
technical content.
The reason I'm recommending myown podcast is I really enjoy
producing and hosting ShiftingPrivacy Left and I think my
passion for privacy engineeringand privacy tech and building
community comes through mydesire to inspire others.
(36:35):
We go deeper into technicalprivacy topics across guests
with various backgrounds andinterests, sometimes diving into
implementation and tech stacks,while making sure to also look
at problems holistically.
Recently, I'm really proud thatthe show has won the Privacy
Podcast People Choices Awards.
(36:56):
We won in three categoriesSecond place for Best Privacy
Podcast, first place for BestNewcomer and second place for
Best Interviewer.
From the feedback that I'vereceived, people really seem to
like my authenticity, practicalperspectives and provocative
questions that nudge theaudience to think differently
(37:16):
and creatively.
14) Next up on podcasts is TheAI Fundamentalists.
We've got hosts Andrew Clarkhe's the co-founder and CTO at
Monitaur, an AI governancecompany, and Sid Mangalik,
research scientist at Monitaurand computer science PhD
candidate at Stony BrookUniversity.
So Monitaur is obviously thesponsor of The AI
(37:40):
Fundamentalists and it's apodcast about the fundamentals
of safe and resilient modelingsystems behind the AI that
impacts our lives and ourbusinesses.
It's really for data scientists, ai system designers and
privacy engineers.
Again, I like this podcastbecause it talks about the
technical and about differentapproaches where there might be
(38:02):
problems with some of theapproaches.
So when I was seekingbite-sized podcasts for learning
more about AI myself, I cameacross this podcast pretty much
in its infancy I think it waslike the third or fourth episode
ever and after listening tojust one episode on some of the
drawbacks to using syntheticdata and AI and some of the few
use cases that it's really goodand some of the use cases that
(38:25):
actually aren't so great, I wasreally hooked.
Andrew and Sid are expert datascientists.
They're also pretty riveting inand compelling in their
discussions and they have a veryclear and practical
communication style that reallyresonated with me and cuts
through the marketing fluff thatmany AI-focused companies put
out there.
So while their podcast issquarely one about AI, I felt
(38:49):
that I needed to include a nodto their content here, as they
often discuss the overlappingissues of privacy and AI on
their show, and their podcasthas truly rounded out my
understanding of thatintersection.
15) The next podcast is number15 on my list is Partially
Redacted with host Sean Falconer, the head of marketing at
(39:11):
Skyflow.
This is a privacy engineeringfocused podcast show produced
and hosted by Skyflow, and it'sfor privacy engineers and
technologists.
Partially Redacted, focuses itsepisodes on a variety of topics
around privacy engineering.
The interviews, half of whichare with Skyflow employees and
half from outside guests, arereally packed with information
(39:33):
and novel insights for a privacyengineering audience.
I haven't listened to too manyepisodes, so I you know I can't
say too much about it, but Ireally like the focus of the
content and you should check itout.
16) Then, my next category isthreat modeling frameworks and
(39:53):
card games - probably somethingyou might not have expected, and
I'm hoping that this ispointing people to new resources
they never even considered.
You may have heard aboutLINDDUN, which is a recognized
privacy threat modelingframework.
There's also a card game thatgoes with it, linden Go, which
I'll talk about in a moment.
(40:13):
LINDDUN is a recognized privacythreat modeling framework
developed by privacy experts atKU Leuven.
It offers mature support toidentify and mitigate privacy
threats early in the developmentlifecycle, and when you adopt
Linden, you can therefore helpbuild privacy into the system's
core.
It's intended for privacyengineers, security analysts and
(40:35):
operational privacy managers,and the reason I'm recommending
it is well.
Privacy is increasinglyimportant, yet often
misunderstood.
I really like how Lindencategorizes by privacy threat
type, like linking, identifying,non-repudiation, detecting data
, disclosure, unawareness andnon-compliance.
(40:55):
Those are the different privacythreat types.
What's great about Linden isthat you can apply it to an
actual software system for athorough investigation, and when
you adopt Linden throughout thesoftware design phase, you then
can uncover and fix relevantprivacy gaps.
The creators have also includedopen-sourced resources like
privacy threat types, threattrees and methods, and so, for
(41:19):
those who learn by doing, youcan even buy the Linden Go card
game.
It's got 33 threat cards thathighlight the most common
privacy threats and systemhotspots, and then this game
transforms the privacyassessment process into an
engaging collaborativeexperience with your team.
It's designed for structuredbrainstorming with a diverse
team, and Linden Go requiresonly the card deck and a system
(41:41):
sketch to kickstart your journey.
17) Now Now Now Now number 17is kind of a little bit of an
extension of Linden, but appliedto AI, so that's the Privacy
Library of Threats forArtificial Intelligence,
shortened as PLOT the number 4AI, so it's the PLOT 4ai
framework, and it also includesa Plot 4ai card game.
(42:04):
The creator of Plot 4ai isIsabel Barbara.
She's the founder at Rhite, aconsulting firm in the AI
privacy space, and Plot 4 AI isa library that contains 86
threats related to AI andmachine learning.
These threats have beenclassified into eight categories
(42:26):
, and there's also a Plot 4aigame to help AI teams with
threat modeling for privacy, andeven a free self-assessment
tool for your AI project.
There's also a paper that sheco-authored called Threat
Modeling Generative AI Systemsthat you can refer to, where the
authors use Plot 4ai to createan open-source library of
(42:47):
potential threats for generativeAI systems.
Plot 4ai is for data scientists,privacy and data protection
managers, privacy engineers,security analysts and AI
governance managers.
I really like that.
Isabel created Plot 4 AI basedoff of the Linden Threat Model
Framework, though catalogingthreats mapped to AI
(43:08):
specifically rather than tosoftware systems generally.
It's also notable that Plot 4aiis not solely focused on
privacy and security by design.
It does cover the whole conceptof responsibility towards the
individuals that we want toprotect and humanity as a whole,
so I especially appreciate that.
And then, Plot 4ai helps you toconnect with the people that
(43:29):
are represented in your data andwith the people that one day
could be affected by your models.
18) My last few selectionshere are to call attention to
some other resources that can'tbe categorized very well, and
the first one would be the IAPP,the International Association
of Privacy Professionals.
They've got a privacyengineering section so you could
sign up for news and eventinformation and engagement
(43:53):
around the topic of privacyengineering.
This is where privacyprofessionals working in the IT
and privacy engineering fieldsplug into the other areas of the
privacy profession.
The privacy engineering sectiondoes offer a range of programs,
events, content and networkingopportunities through which
privacy pros working in IT andrelated fields can connect in
advance.
It's kind of for privacyengineers and IT privacy
(44:17):
managers, and I recommend itbecause the IAPP has focused
most of its services to theprivacy community on the needs
of DPOs, dpo's, privacyattorney's, consultants and the
GRC functions.
But if you're a member of theIAPP, you might find it helpful
to join the privacy engineeringsection for networking, speaking
and writing opportunities etc.
However, I do want to note thatthe IAPP does charge extra for
(44:40):
attendance at the privacyengineering section's day-long
lineup at its conferences,usually day before the main
conference and kind of seenalmost as a workshop rather than
like a formal conferenceprogramming.
The costs are then oftenprohibitive and the actual
attendance by the audience canbe pretty anemic, with most of
the speakers as the audiencemembers.
(45:01):
There's a lot of potential forthe IAPP to invest more in
bringing technical content toits members, like how it's
currently investing in AI andprivacy with a separate
conference, but it's not clearthat they have the political
will to do so.
So I'll continue to keeprecommending the privacy
engineering focus conferences.
19) Number 19 is the U.
S.
government has the NIST PrivacyEngineering Program Space.
(45:24):
Space Given concerns about howinformation technologies may
affect privacy at individual andsocietal NIST's.
Nist's privacy engineeringprogram supports the development
of trustworthy informationsystems by applying measurement,
science and systems engineeringprinciples to the creation of
frameworks, risk models,guidance tools and standards
(45:48):
that protect privacy and, byextension, civil liberties.
Nist's privacy engineeringcollaboration space is an online
venue open to the public wherepractitioners can discover,
share, discuss and improve uponopen source tools, solutions and
processes that support privacyengineering and risk management.
It's definitely for privacyengineers and the reason for my
(46:10):
recommendation is multiple Toolsand use cases are currently
focused on dissociability andprivacy risk assessment within
this collaboration space.
Anyone could submit open sourcetools and use cases to be
included in the collaborationspace.
For example, I was excited tosee that literally just
yesterday, it's January 26thright now.
(46:32):
Just yesterday, NIST addedPrivado Scan to the
collaboration space.
The privacy engineeringcollaboration space and Privado
Scan obviously by Privado.
It's an open source privacyscanner that allows an engineer
to scan their application codeand discover how data flows in
the application.
It detects hundreds of personaldata elements being processed
(46:53):
and further maps the data flowfrom the point of collection to
syncs, such as external thirdparties, databases, logs and
internal APIs.
It allows privacy engineers toconcretely verify and assess if
a certain data collection policyset on an application actually
matches the implementation rightin the code itself.
(47:15):
Thus it embeds privacyassessments into the developer's
workflow.
Talk about shifting left right.
And then another tool availablein the NIST collaboration space
is the FAIR F-A-I-R all capitalletters FAIR Privacy
Quantitative Privacy RiskFramework from Jason Cronk and
Enter Privacy.
(47:35):
He talks about FAIR a lot inhis book Strategic Privacy by
Design.
This framework is based on FAIR.
Fair stands for FactorsAnalysis in Information Risk,
which is extended into theprivacy domain, and this
examines personal privacy risksto individuals and quantifies it
so you can make decisionsbetter.
(47:56):
20) Last but not least, my 20thresource - drumroll please - is
from the EU government.
It's the EDPS Internet PrivacyEngineering Network, or IPEN.
So the purpose of IPEN is forthe European Data Protection
Supervisor, the supervisor's org, to bring together developers
and data protection experts thathave technical backgrounds from
(48:19):
different areas in order tolaunch and support projects that
build privacy into everydaytools and develop new tools that
can effectively protect andenhance our privacy.
It supports engineers workingon reusable building blocks,
design patterns and other toolsfor selected internet use cases
(48:39):
where privacy is at stake.
It aims to build bridges whereprivacy and data protection
experts from other disciplinesand it also promotes wider
understanding of thetechnologies that enable the
protection of personal data.
It facilitates exchanges tocoordinate work and aims to
create a community pursuingcommon objectives by connecting
existing initiatives, groups andindividuals working on privacy
(49:00):
engineering.
It's squarely for privacyengineers and the reason I'm
recommending it is.
IPEN events bring togetherprivacy experts and engineers
from public authorities,industry, academia and civil
society, discussing relevantchallenges and developments for
the engineering andtechnological implementation of
data protection and privacyrequirements into all phases of
(49:22):
the development process.
So, for example, last yeartheir annual event focused on
explainable artificialintelligence, so there was an
overlap with privacy.
I also really like that theymaintain a wiki for privacy
standards and privacy projects.
While I am unable to attend theevents in the EU, I do like to
stay connected by subscribing toIPEN's listserv, reading its
(49:46):
blog posts and referring to itswiki when needed.
So that is it.
That is my top 20 privacyengineering resources.
Let me know what you think.
What did I miss?
DM me.
Share this episode online.
Reach out to me.
You can email me at debra@shiftingprivacyleftcom.
(50:08):
You could find me on LinkedIn.
I'd really love to know.
Do you have a resource to add?
Is there anything I'm missing?
Do you like the 20 resourcesthat I shared with you?
Well, until next Tuesday,everyone, when we'll be back
with engaging content andprobably a really great guest
this time instead of just me.
Take care To learn more.
(50:55):
Go to privado.
ai.
Be sure to tune in next Tuesdayfor a new episode.
Bye for now.
Thanks for joining us this weekon Shifting Privacy Left.
(52:04):
Make sure to visit our website,shiftingprivacyleft.
com, where you can subscribe toupdates so you'll never miss a
show.
While you're at it, if youfound this episode valuable, go
ahead and share it with a friend.
And, if you're an engineer whocares passionately about privacy
, check out Privado (52:21):
the developer-friendly privacy
platform and sponsor of thisshow.
To learn more, go to privado.
ai.
Be sure to tune in next Tuesdayfor a new episode.
Bye for now.
Popular Podcasts
United States of Kennedy
United States of Kennedy is a podcast about our cultural fascination with the Kennedy dynasty. Every week, hosts Lyra Smith and George Civeris go into one aspect of the Kennedy story.
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com