13 March 2019 Legitimate and Monitored

How do you build privacy-friendly systems?

Tessel Renzenbrink
  • Follow us on Facebook
  • Follow us on LinkedIn
  • Follow us on Twitter

Photo: Robert v.d. Molen

Suppose you want to know how many cars travel across a certain road. You could build a system that registers all license plates driving by. But you could opt for a system that will simply place a tally mark for every car that passes by. Both systems serve the same function: they count cars. However, the first one is a privacy nightmare. The second system is designed in such a way that it cannot document any personal information. Privacy is not a factor that you can just tack on a system after the fact; it needs to be included in the design phase as a requirement. This design philosophy is called privacy-by-design. Can we work towards Tada-by-design?


How to build a privacy-friendly system is the field that Jaap-Henk Hoepman is researching. This senior lecturer at Radboud University recently shared his insights at the ‘Tada in practice’ meeting of the Municipality of Amsterdam, which took place at 20 February. “Privacy-by-design is based on the principle that technology is not neutral,” says Hoepman. “Technology comes with inherent values.” The seatbelt, for instance, is an expression of the value we place on safety. Hoepman continues: “That means that when you develop a new system, you also need to relate to the values that you want to include in that technology.” In privacy-by-design, privacy is included in every step of the development process: during development, operational commissioning and maintenance, and even in the dismantling phase.

But how?

So how do you go about making privacy more tangible? Hoepman did that by formulating eight privacy-by-design strategies. “Privacy is a soft term with ethical and legal components,” says Hoepman. “For technicians, that is harder to implement than strictly technical requirements like security or performance. That is why you need to make those abstract legal standards more tangible and transform them into technical design requirements.” To achieve that, Hoepman went back to the basics: “What is an information processing system? At the core, it is a database: a big table containing individuals and attributes.” In other words, it is like an Excel sheet with the names of people in the first column, followed by various details about them: age, address, eye colour, etc. You can apply strategies to these tables to increase privacy.

One example of such a strategy is minimization: Do not collect all possible data, but define in advance which information you will actually need. In the example above, for example, you do not need to collect license plate numbers in order to count cars. Another strategy is abstraction: think about the level of detail you want to see in the information you collect. You could read out a smart electricity meter every single minute of the day. But that would also mean unintentionally collecting data about the daily routines of the people living there: when they do their laundry, or what time they switch on the lights (and therefore what time they come home). The purpose of the meter is to calculate the electricity bill, so taking meter readings once a month is often enough.

Is Tada-by-design possible?

Hoepman’s method is highly detailed. The life cycle of a system is subdivided into different stages, from design to dismantling. Potential applications of the eight privacy-by-design strategies are reviewed again during each stage. During the meeting, the audience came up with the question of whether such a method would also be possible for Tada. Hoepman’s answer was: “What you are attempting to do with these Tada principles is to kick off discussions comparable to how privacy has been discussed so far. Eventually, you hope to design systems that do credit to those principles. In the privacy-by-design strategies, I have attempted to transpose them into practice. To translate the privacy rules that have been phrased fairly mildly in legislation into something that designers can apply in a concrete context. I think that the Tada principle of the ‘human factor’ relatively intangible for the average engineer. For the engineer to use it in practice, you will need to make the Tada values more tangible. The first step you could take is formulating very concrete cases to see what it means in a technical context. Then you take the results from these concrete case studies and try to generalize from there. The goal is to end up with abstract principles that are still sufficiently concrete and technical for designers to work with them.”

A possible next step for tangible implementation of Tada at the Municipality is to work out those six principles in concrete case studies. Do you have a case that you would like to develop based on Tada principles? Then contact us at info@tada.city.

Leave a Reply