One of the papers workshopped at PLSC was Ari Ezra Waldman’s paper, Designing Without Privacy. Ari’s paper, which will be published in Houston Law Review, won the Best Paper Award from IAPP.
Here’s the abstract:
In Privacy on the Ground, the law and information scholars Kenneth Bamberger and Deirdre Mulligan showed that empowered chief privacy officers (CPOs) are pushing their companies to take consumer privacy seriously, integrating privacy into the designs of new technologies. But their work was just the beginning of a larger research agenda. CPOs may set policies at the top, but they alone cannot embed robust privacy norms into the corporate ethos, practice, and routine. As such, if we want the mobile apps, websites, robots, and smart devices we use to respect our privacy, we need to institutionalize privacy throughout the corporations that make them. In particular, privacy must be a priority among those actually doing the work of design on the ground — namely, engineers, computer programmers, and other technologists.
This Article presents findings from an ethnographic study of how, if at all, technologists doing the work of technology product design think about privacy, integrate privacy into their work, and consider user needs in the design process. It also looks at how attorneys at private firms draft privacy notices for their clients. Based on these findings, this Article presents a narrative running in parallel to the one described by Bamberger and Mulligan. This alternative account, where privacy is narrow, limited, and barely factoring into design, helps explain why so many products seem to ignore our privacy expectations. The Article then proposes a framework for understanding how factors both exogenous (theory and law) and endogenous (corporate structure and individual cognitive frames and experience) to the corporation prevent the CPOs’ robust privacy norms from diffusing throughout technology companies and the industry as a whole. This framework also helps elucidate how reforms at every level — theory, law, organization, and individual experience — can incentivize companies to take privacy seriously, enhance organizational learning, and eliminate the cognitive biases that lead to discrimination in design.