Want to Be A More Privacy-Aware Developer for Data Privacy Day? Think of Personal Information like Uranium
Sunday, January 28th is Data Privacy Day. And, I know the best way for Twilio to celebrate the day would be with a post on best practices for handling nuclear reactor fuel. Kidding. In all seriousness, much of Data Privacy Day is focused on building awareness among consumers about how they can protect their privacy on the internet – a noble cause. But what about a little awareness-building for you, the developers – the doers that build that internet?
Now, I’m no nuclear physicist, but I am Twilio’s Associate General Counsel and head up our privacy program. So, let me plead my case that if you want to become a more privacy-aware developer (and who doesn’t?!), one way to get into the right frame of mind is to think of handling personal information like you’re handling radioactive material – like uranium. Hear me out that there are (at least) eight similarities between personal information and uranium to keep in mind when building in a privacy-aware way.
- Both uranium and personal information are powerful sources of “fuel”.
Uranium is a fuel source for things like energy plants and nuclear weapons. In today’s data driven economy, personal information is fuel, too. It’s some of the most powerful data that businesses process. It makes it possible to enhance and personalize people’s experiences with technology. Personal information allows your iPhone to unlock using your thumbprint, your Amazon Echo to understand your voice commands, and your Words With Friends app to show you a banner ad for those shoes you’ve been ogling on Nordstrom.com. Each of these “things” requires the processing of personal information.
For communications applications like those powered by Twilio, personal information, like phone numbers and communications content, allows developers to communicate directly to their end users instead of being relegated to communicating through generic billboards (or their digital equivalent). Can you imagine how our digital economy would function if all the personal information was gone? So, chances are your application will end up handling some personal information – it is nearly unavoidable in today’s world.
- Both uranium and personal information come in different forms that carry different levels of risk.
For uranium, there are different grades. Some is low-enriched and some is weapons-grade. Personal information also comes in different forms with differing levels of risk. IP addresses are like low-enriched uranium. It is still uranium, so you still have to be thoughtful when you handle it. In contrast, recordings of phone calls are closer to highly-enriched or weapons-grade uranium. You have to be much more careful about how you handle them.
Just like uranium, you should not use riskier forms of personal information when a less risky form will do. And, just like uranium, the riskier the form of personal information, the greater the level of care and security (and work) required when handling it.
- For both uranium and personal information, the less you handle it, the better off you are.
Uranium, for obvious reasons, is better off handled as little as possible and only as necessary to achieve the purpose for which it is intended. In general, it is not a great idea to have lots of different people accessing a uranium stockpile, moving it here and there, and leaving bits of uranium all over the place.
The same principle applies to handling personal information. That means don’t collect it, don’t access it, don’t move it, don’t expose it, don’t store it, don’t analyze it – just don’t mess with it, unless you have to.
And, yes, many of us have to work with personal information to do our jobs. The point isn’t to keep us from doing our jobs. The point is that we all should be conscious that, when working with personal information, less is more.
- Both uranium and personal information require special training to handle appropriately.
They don’t just let any ol’ person handle uranium, right? Well, the law (and customers) say you can’t just let any ol’ person handle personal information that you process. That’s why privacy and security training is important.
In all seriousness, each and everyone of us whose job involves the handling of some form of personal information (and that’s pretty much all of us), has a role to play in ensuring its proper handling. It only takes one person’s mistake to make create a hazard
- For both uranium and personal information, it is a bad idea to stockpile it unless you have immediate need for it.
Common sense dictates that it is unreasonable to say “just grab whatever uranium you can and stick it in this storage location no one cares about – we’ll figure out what to do with it later”. Yet, all too frequently this logic gets applied to data sets that are likely to include a bunch of personal information.
In my experience working with and talking to people in tech companies, it is not unheard of to find that personal information is getting logged when it isn’t needed or shared with teams that have no use for it just because it seemed easier in the short-term to “dump” all the data – personal information and all – rather than think about whether the personal information is actually needed for the particular business purpose. Not good.
- For both uranium and personal information, it is important to have a clear understanding of where it is at all times.
As much as they’d be loathe to admit it, many companies do not have a good handle on where all their personal information is. (In fact, even those who are “owners” of particular systems or programs don’t always know what personal information their system or program is processing.) This is a result of a lot of different factors – speed of development, personnel changes, conflicting priorities…
But, if personal information is like uranium, how are you supposed to know that you’re handling it properly, if you don’t even know that you’re handling it, much less what type you’re handling? This is why mapping out what personal information you process and how it flows through your systems is privacy control numero uno under nearly every single privacy framework (HIPAA, GDPR, etc.) out there.
- Personal information “leakage,” like uranium leakage, is bad.
Just like you ought to know where your personal information and uranium is, you ought to take measures to prevent loss of personal information and uranium whether in the form of accidental leakage or, worse, having it stolen. And, as with uranium – the more personal information you lose, the worse it is.
If you don’t believe that losing personal information can be that bad, remember the breach at Equifax? How about Yahoo? And, apparently you can buy both stolen personal information and uranium on the dark web.
- When you’re done with personal information, you should get rid of it safely and securely.
When you’re done with your uranium fuel, you don’t just toss the spent fuel rods in the trash and call it good. The same applies to managing destruction of personal information.
Once you’re done using personal information for whatever purpose, you should get rid of it in a way that keeps the company and the individual to whom it belongs safe. That means anonymizing it or deleting it in a way that it cannot be used to harm anyone. Don’t just toss it (or the device it is on) in the trash where it can be stolen. And, don’t just let it hang around “collecting dust”. So long as you let it hang around, you have to continue to safeguard it.
Also, like with uranium, personal information “clean up” is something that should be designed into your systems at the same time that you’re designing how it is going to get used – rather than an afterthought or something you just figure the next developer can figure out how to solve. Figuring out how to clean up (aka delete or anonymize) personal information from systems that didn’t take that clean-up into account in their original design is no easy feat, particularly when the clean-up needs to take place years later after institutional knowledge of those systems may be lost.
So, you might not need to (get to?) wear a bunny suit to work, but working with personal information is still serious business. So, be smart and privacy-aware when building your application.
Happy Data Privacy Day, Everyone!
You can listen to Sheila talk about GDPR + data privacy on DVELP’s podcast here