What would a privacy curriculum for future developers look like?

Giving a privacy talk to a code academy, summer 2018

A professor of software engineering got in touch to ask me a question: if I had an hour to speak to a room full of undergraduates about privacy, what – in my view – are the points they would be most likely to absorb?

Fortunately, I did a lot of that very talking to rooms full of software professionals in my open source development years, so I didn’t have to think too hard. I’m going to share what I would view as an ideal curriculum on privacy in development. These thoughts are anchored in my past perspective as a web developer as well as my current perspective in legislation and policy.

All six of this blog’s longtime readers will know that none of what I’m about to say here is new; I’ve covered this all in my conference speaking as well as in previous posts, and I’ve noted those links for additional reading below. And, of course, I’ll cover all of this in detail in my upcoming book, which should be in your hands in time for the new academic year.

Before we can get into the ideal curriculum, first we need to set the scene.

Understand who you are and where you stand

If you are currently in, or are about to start, an undergraduate software engineering or computer science course, the first thing you need to understand is that you will spend your career working alongside equally competent professionals who had a completely different educational pathway from yours. They may have come to development from another field entirely; they may have come to development through a focused educational experience such as a code academy; and they may have fallen into development for the fun of it with no formal web education whatsoever (hiya).

So if you’re assuming that there will be a common set of knowledge of practices, procedures, and processes regarding privacy for you to draw upon throughout your career, you need to adjust your expectations. There will be no common set of knowledge of practices, procedures, and processes regarding anything. Don’t look towards your management and leadership either, as they’re none the wiser. If privacy is a factor in your future workplaces, it’s likely to be driven by the legal department as a strictly reactive, scary, and deeply resented legal compliance obligation whose purpose is to cover your company’s backside rather than protect the people in your data.

All of that means that someone in your workplaces, and on your career journeys, needs to show leadership in privacy, and it might as well be you.

A curriculum for privacy

This is a rough outline which summarises many of the hour-long conference talks which I delivered to development communities. It’s also a little bit of a sneak preview of my book outline.

Any one of these topics could be an hour-long discussion on its own. Each one of them is a starting-off point for further research and engagement. This list is neither exhaustive nor authoritative nor final, nor will it ever be.

If you have an hour, you can watch this video of me expanding on a version of this outline. If you want a more focused version, this audio-only video has slides.

  1. Intro to privacy and data protection
    1. Differing cultural, legal, and historical approaches to privacy
    2. Privacy through the rule of law
    3. Privacy through soft regulation
  2. Essential privacy concepts
    1. Common core values
      1. Data minimisation
      2. Data integrity
      3. Purpose minimisation
      4. Lifecycle limitation
      5. Information, technical, and human security measures
      6. Transparency and notice
      7. User participation and rights
      8. Accountability, redress, and enforcement
      9. Choice, control, and consent
      10. Legal compliance
    2. User rights
      1. The right to be informed
      2. The right of access
      3. The right of rectification
      4. The right to erasure
      5. The right to restrict processing
      6. The right to data portability
      7. The right to object
      8. Rights in relation to automated decision-making and profiling
  3. Privacy legislation
    1. Introduction to the European privacy regime
    2. US privacy legislation, including future/draft policies
    3. Domestic privacy regulation wherever you are
    4. Sector-specific privacy legislation (children’s data, health, etc)
  4. Privacy in project management
    1. Privacy by Design
    2. Privacy Impact Assessments
    3. Data audits
    4. Data processing agreements
    5. Staff training and professional development
  5. Privacy in development
    1. Training and methodologies
    2. Planning and documentation
    3. Design requirements
    4. Technical and security measures
    5. Developing for user rights
    6. Developing for consent
    7. Testing and maintenance
    8. Development guidelines
  6. Current topics and issues
    1. Adtech tracking and profiling
    2. Analytics tracking
    3. Location data
    4. Third party sharing
    5. Social networks
    6. Children’s privacy
    7. Data profiling and brokers
    8. Surveillance and “safety” tech
    9. IoT/connected devices
    10. State surveillance

There’s plenty more where that came from, but that’s as good a start as any.

It’s very important to note that none of the hypothetical curricular materials could be academic papers or legal briefings. Expecting trainee developers to start their education by jumping straight into dense Ph.D research, or the full legal texts of some of the most complex regulations ever enacted, is a form of credentialist gatekeeping which has pushed countless web professionals away from any further interest in privacy at the exact moment when they could have been drawn in. Privacy needs some shock therapy as much as it needs democratisation down to a developer level.

To the current students out there, let me say this: you’re going to be an amazing software engineer and there is a bright future ahead of you. Creating a more user-centric, privacy-friendly web is the key to that. So speak up and make some noise about the topics I’ve listed above, because the future of the open web, and the people you will spend your careers building software for, are counting on it. If you’re looking for links and resources on any of the topics I’ve shared above to study on your own time, just get in touch (my contact details are in the + above) and I’ll be happy to help.

And whether you receive your privacy training in a formal educational setting or through some random Scottish wonk’s blog, remember this: don’t put work into the world which could diminish your future, or the future of anyone whose lives could be negatively impacted by your work, through processes which treat privacy as an obstructive legal compliance obligation rather than the most important thing you may ever do.

Oh, and by the way. Everything I’ve said above? It applies to web accessibility too. But that’s a blog post for another day and another voice.

Expect better, demand more, and lead the way.

If you have gone through a professional development program – whether that’s an undergraduate degree, a code academy, or anything in between – then there’s a 95% chance that what I’ve written above is completely new. You didn’t receive any of this information in your formal studies, and you didn’t receive any of this in your on-the-job training or in your workplace. So you may be feeling a little bit confused, a little bit overwhelmed, or even a little bit angry.

It’s important to understand that, to borrow Michael Kiwanuka’s gorgeous words, you ain’t the problem. Curricular training about privacy, as a theoretical, legal, and practical concept, is absent and nonexistent, and for the most part, universities, colleges, and code academies don’t teach it at all. That would be bad enough. But what’s worse is that every day, developers are being slagged off by professionals – in law, academia, politics, and even in data protection – who brand them stupid, selfish, lazy, and even criminally complicit because they do not know the chapter and verse of a subject which they were never taught.

That’s wrong. It’s completely wrong. But it’s down to you to demand better for the future developers who will come after you, and who will soon work on the teams that you lead.

We need to make clear to educational institutions that the curricular information I’ve described above should be part and parcel of developers’ formal training from day one. Privacy, as a core software engineering concept, should not be an optional module, it should not be a lunchtime seminar from a guest speaker, it should not be the preserve of postgraduate law courses for law professionals, and it should not be piled in with subjective concepts such as ethics and trolley problems.

As far as I’m concerned – and I am getting more hardcore about this with every year that passes – if educational institutions are sending newly minted developers into the world without a theoretical, legal, and practical grounding in developing for privacy, then those institutions have failed them badly. To use a tired metaphor I have invoked before: no school would send architects into the world who didn’t know a thing about building codes. So why are schools sending developers into the world with massive gaps in their foundational knowledge? Because when it comes to privacy, those gaps will become our societies’ obligations to fix.

We’ve got enough problems as is. We can’t change the past, so let’s do what we can to change the future.

Further reading

The Author

We are people of enormous power and influence over the open web. I empower digital professionals to use that power wisely. I advocate for an open web built around international standards of human rights, privacy, accessibility, and freedom of expression. This is my personal site, and does not reflect the work or opinions of my employer.