Privacy by design (PbD) is a policy measure that guides software developers to apply inherent solutions to achieve better privacy protection. For PbD to be a viable option, it is important to understand developers’ perceptions, interpretations and practices with respect to informational privacy (or data protection). To this end, we conducted in-depth interviews with 27 developers from different domains, all of whom practice software design. Grounded analysis of the data revealed an interplay between several different forces affecting the way in which developers handle privacy concerns. Borrowing the schema of Social Cognitive Theory (SCT), we classified and analyzed the cognitive, organizational and behavioral factors that play a role in developers’ privacy decision making. Our findings indicate that developers use the vocabulary of data security to approach privacy challenges, and that this vocabulary limits their perception of privacy mainly to third-party threats coming from outside the organization; that organizational privacy climate is a powerful means for organizations to guide developers toward particular privacy practices; and that software architectural patterns frame the privacy solutions used throughout the development process, possibly explaining developers’ preference for policy-based solutions over architectural ones. Further, we show, by using the SCT schema to frame the findings of this study, how a theoretical model of the factors that influence developers’ privacy practices can be conceptualized and used as a guide for future research toward effective implementation of PbD.
High-level design of the software system, with emphasis on the system’s structure and the non-functional requirements it needs to meet.
Ackerman MS, Cranor LF, Reagle J (1999) Privacy in e-commerce: examining user scenarios and privacy preferences. Proceedings of the 1st ACM conference on electronic commerce, Denver
Ammori M, Pelican L (2013) Media diversity and online advertising. Alb L Rev 76:665–696
Argyris C (1960) Understanding organizational behavior. The Dorsey Press, Oxford, England
Awad NF, Krishnan MS (2006) The personalization privacy paradox: an empirical evaluation of information transparency and the willingness to be profiled online for personalization. MIS Q 30:13–28
Ayalon O, Toch E (2013) Retrospective privacy: managing longitudinal privacy in online social networks. Proceedings of the Ninth Symposium on Usable Privacy and Security
Balebako R, Marsh A, Lin J, Hong J, Cranor LF (2014) The privacy and security behaviors of smartphone app developers. Workshop on Usable Security (USEC 2014), San Diego
Bamberger KA, Mulligan DK (2010) Privacy on the books and on the ground. Stanford Law Rev 63:247
Bamberger KA, Mulligan DK (2013) Privacy in Europe: initial data on governance choices and corporate practices. Geo Wash L Rev 81:1529–1755
Bandura A (1986) Social foundations of thought and action: a social cognitive theory. Prentice-Hall, Englewood Cliffs
Bartels KK, Harrick E, Martell K, Strickland D (1998) The relationship between ethical climate and ethical problems within human resource management. J Bus Ethics 17(7):799–804
Berente N, Yoo Y (2012) Institutional contradictions and loose coupling: Postimplementation of NASA’s enterprise information system. Inf Syst Res 23(2):376–396
Birnhack M, Elkin-Koren N (2011) Does law matter online? Empirical evidence on privacy law compliance. Michigan Telecommun Technol Law Rev 17:337
Birnhack M, Toch E, Hadar I (2014) Privacy mindset, technological mindset. Jurimetrics 55:55–114
Brown R, Holmes H (1986) The use of a factor-analytic procedure for assessing the validity of an employee safety climate model. Accid Anal Prev 18(6):455–470
Budi A, Lo D, Jiang L, Lucia (2011) kb-anonymity: a model for anonymized behaviour-preserving test and debugging data. PLDI 2011, pp 447–457
Castro M, Costa M, Martin JP (2008) Better bug reporting with better privacy. ACM Sigplan Notices 43(3):319–328
Cavoukian A (2009) Privacy by design: the 7 foundational principles. Information and Privacy Commissioner of Ontario, Toronto
Cavoukian A (2011) Privacy by design: origins, meaning, and prospects. Privacy Protection Measures and Technologies in Business Organizations: Aspects and Standards Information Science Reference (an imprint of IGI Global)
Cavoukian A, Chibba M, Stoianov A, Marinelli T, Peltsch K, Chabanne H, Despiegel V (2014) Facial recognition with biometric encryption in match-on-card architecture for gaming and other computer applications. eBook, York University, Toronto
Chan YE (2000) IT value: the great divide between qualitative and quantitative and individual and organizational measures. J Manag Inf Syst 16(4):225–261
Cooper MD, Phillips RA (2004) Exploratory analysis of the safety climate and safety behavior relationship. J Saf Res 35(5):497–512
Culnan MJ, Williams CC (2009) How ethics can enhance organizational privacy: lessons from the ChoicePoint and TJX data breaches. Manag Inf Syst Q 33(4):673–687
Dennedy MF, Fox J, Finneran T (2014) The privacy engineer’s manifesto: getting from policy to code to QA to value. Apress, Berkeley
Deshpande SP (1996) Ethical climate and the link between success and ethical behavior: an empirical investigation of a non-profit organization. J Bus Ethics 15(3):315–320
Dinev T, Hart P (2006) An extended privacy calculus model for e-commerce transactions. Inf Syst Res 17(1):61–80
Eisenberger R, Fasolo P, Davis-LaMastro V (1990) Perceived organizational support and employee diligence, commitment, and innovation. J Appl Psychol 75(1):51
Fienberg SE (2006) Privacy and confidentiality in an e-commerce world: data mining, data warehousing, matching and disclosure limitation. Stat Sci 21(2):143–154
Friedman B, Kahn PH Jr, Borning A (2006) Value sensitive design and information systems. In: Human-computer interaction in management information systems. M.E. Sharpe, Armonk, pp 348–372
FTC (2012) Protecting consumer privacy in an era of rapid change: recommendations for businesses and policymakers. FTC Privacy Report
GDPR (2012) European Commission, Proposal for a regulation of the European Parliament and of the council on the protection of individuals with regard to the processing of personal data and on the free movement of such data. http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:52012PC0011. Accessed 14 Apr 2017
Gellman R (2013) Fair information practices: a basic history. http://bobgellman.com/rg-docs/rg-FIPShistory.pdf. Accessed 16 Aug 2013
Gershon RR, Karkashian CD, Grosch JW, Murphy LR, Escamilla-Cejudo A, Flanagan PA, Martin L (2000) Hospital safety climate and its relationship with safe work practices and workplace exposure incidents. Am J Infect Control 28(3):211–221
Gimeno D, Felknor S, Burau K, Delclos G (2005) Organisational and occupational risk factors associated with work related injuries among public hospital employees in Costa Rica. Occup Environ Med 62(5):337–343
Grechanik M, Csallner C, Fu C, Xie Q (2010) Is data privacy always good for software testing? In: 2010 IEEE 21st International Symposium on Software Reliability Engineering, IEEE, pp 368–377
Grosch JW, Gershon RR, Murphy LR, DeJoy DM (1999) Safety climate dimensions associated with occupational exposure to blood-borne pathogens in nurses. Am J Ind Med 36(S1):122–124
Gross R, Acquisti A (2005) Information revelation and privacy in online social networks. Proceedings of the 2005 ACM workshop on privacy in the electronic society, Alexandria
Gürses S, Gonzalez Troncoso C, Diaz C (2011) Engineering privacy by design. Comput, Priv Data Prot 14(3)
Jain S, Lindqvist J (2014) Should I protect you? Understanding developers’ behavior to privacy-preserving APIs. Workshop on Usable Security (USEC’14)
Jaramillo F, Mulki JP, Boles JS (2013) Bringing meaning to the sales job: the effect of ethical climate and customer demandingness. J Bus Res 66(11):2301–2307
Kalloniatis C, Kavakli E, Gritzalis S (2008) Addressing privacy requirements in system design: the PriS method. Requir Eng 13(3):241–255
Lacity MC, Janson MA (1994) Understanding qualitative data: a framework of text analysis methods. J Manag Inf Syst 11:137–155
Lahlou S, Langheinrich M, Röcker C (2005) Privacy and trust issues with invisible computers. Commun ACM 48(3):59–60
Langheinrich M (2001) Privacy by design—principles of privacy-aware ubiquitous systems. International conference on ubiquitous computing. Springer, Berlin, Heidelberg
Lucia, Lo D, Jiang L, Budi A (2012) kbe-anonymity: test data anonymization for evolving programs. In: 2012 Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering, Essen, 2012, pp 262–265
Luria G (2008) Controlling for quality: climate, leadership, and behavior. Qual Manag J 15(1):27–40
Madejski M, Johnson ML, Bellovin SM (2011) The failure of online social network privacy settings. Department of Computer Science, Columbia University, tech. Rep. CUCS-010-11
Mathew A, Cheshire C (2017) Risky business: social trust and community in the practice of cybersecurity for internet infrastructure. In: Proceedings of the 50th Hawaii International Conference on System Sciences
Mohamed S (2002) Safety climate in construction site environments. J Constr Eng Manag 128(5):375–384
Myers MD (1997) Qualitative research in information systems. MIS Q 21:241–242
Myers MD, Newman M (2007) The qualitative interview in IS research: examining the craft. Inf Organ 17:2–26
Nicholson N, Johns G (1985) The absence culture and psychological contract—who's in control of absence? Acad Manag Rev 10(3):397–407
Ohm P (2010) Broken promises of privacy: responding to the surprising failure of anonymization. UCLA Law Review 57:1701
Omoronyia I, Cavallaro L, Salehie M, Pasquale L, Nuseibeh B (2013) Engineering adaptive privacy: on the role of privacy awareness requirements. Proceedings of the 2013 International Conference on Software Engineering. IEEE Press
Ozer NA (2012) Putting online privacy above the fold: building a social movement and creating corporate change. NYU Rev L & Soc Change 36:215
Peters F, Menzies T (2012) Privacy and utility for defect prediction: experiments with MORPH. ICSE 2012:189–199
Peters F, Menzies T, Gong L, Zhang H (2013) Balancing privacy and utility in cross-company defect prediction. IEEE Trans Softw Eng 39(8):1054–1106
Reay I, Dick S, Miller J (2009) A large-scale empirical study of P3P privacy policies: stated actions vs. legal obligations. ACM Trans Web (TWEB) 3(2):6
Resnick ML, Montania R (2003) Perceptions of customer service, information privacy, and product quality from semiotic design features in an online web store. International Journal of Human-Computer Interaction 16(2):211–234
Rubinstein IS, Good N (2013) Privacy by design: a counterfactual analysis of Google and Facebook privacy incidents. Berkeley Tech LJ 28:1333–1583
Sánchez Abril P, Levin A, Del Riego A (2012) Blurred boundaries: social media privacy and the twenty-first-century employee. American Business Law Journal 49(1):63–124
Schneider B, Ehrhart MG, Macey WH (2013) Organizational climate and culture. Annu Rev Psychol 64:361–388
Schneider B, González-Romá V, Ostroff C, West MA (2016) Organizational climate and culture: reflections on the history of the constructs in Journal of Applied Psychology. J Appl Psychol 102(3):468
Seaman CB (1999) Qualitative methods in empirical studies of software engineering. IEEE Trans Softw Eng 25(4):557–572
Shaw TR (2003) The moral intensity of privacy: an empirical study of webmasters’ attitudes. J Bus Ethics 46(4):301–318
Sheth S, Kaiser G, Maalej W (2014) Us and them: a study of privacy requirements across North America, Asia, and Europe. Proceedings of the 36th International Conference on Software Engineering. ACM, 2014
Siu O-L, Phillips DR, Leung TW (2004) Safety climate and safety performance among construction workers in Hong Kong: the role of psychological strains as mediators. Accid Anal Prev 36(3):359–366
Smith HJ, Dinev T, Xu H (2011) Information privacy research: an interdisciplinary review. MIS Q 35(4):989–1016
Spiekermann S, Cranor LF (2009) Engineering privacy. IEEE Trans Softw Eng 35(1):67–82
Spreitzer GM (2008) Taking stock: a review of more than twenty years of research on empowerment at work. In: Handbook of organizational behavior. Sage, Thousand Oaks, pp 54–72
Stamper R, Liu K, Hafkamp M, Ades Y (2000) Understanding the roles of signs and norms in organizations-a semiotic approach to information systems design. Behav Inform Technol 19(1):15–27
Strauss A, Corbin J (1990) Basics of qualitative research. Sage Publications, Newbury Park
Strauss A, Corbin J (1994) Grounded theory methodology: an overview. In: Denzin NK, Lincoln YS (eds) Handbook of qualitative research. Sage, Thousand Oaks, pp 273–285
Strauss A, Corbin J (1998) Basics of qualitative research: techniques and procedures for developing grounded theory. Sage Publications, Thousand Oaks
Stutzman F, Gross R, Acquisti A (2013) Silent listeners: the evolution of privacy and disclosure on Facebook. Journal of Privacy and Confidentiality 4(2):2
Suddaby R (2006) From the editors: what grounded theory is not. Acad Manag J 49(4):633–642
Székely I (2013) What do IT professionals think about surveillance? Internet and surveillance: the challenges of web 2.0 and social media, 16, 198
Taneja K, Grechanik M, Ghani R, Xie T (2011) Testing software in age of data privacy: a balancing act. Proceedings of the 19th ACM SIGSOFT Symposium and the 13th European conference on foundations of software engineering, ACM, pp 201–211
Tene O, Polonetsky J (2013) Big data for all: privacy and user control in the age of analytics. Northwest J Technol Intellect Prop 11(5):1
Thomas K, Bandara AK, Price BA, Nuseibeh B (2014) Distilling privacy requirements for mobile applications. Proceedings of the 36th International conference on software engineering. ACM, 2014
Toch E, Wang Y, Cranor LF (2012) Personalization and privacy: a survey of privacy risks and remedies in personalization-based systems. User Model User-Adap Inter 22(1–2):203–220
Tsai MT, Cheng NC (2010) Programmer perceptions of knowledge-sharing behavior under social cognitive theory. Expert Syst Appl 37(12):8479–8485
U.S. Dept. of Health, Education & Welfare (1973) Records, computers and the rights of citizens. Rep. of Sec’y Advisory Comm. on Automated Pers. Data Sys. 41 (1973). http://www.justice.gov/opcl/docs/rec-com-rights.pdf
Van Der Sype YS, Maalej W (2014) On lawful disclosure of personal user data: what should app developers do? 7th International Workshop on Requirements Engineering and Law (RELAW), IEEE 2014
van Lieshout M, Kool L, van Schoonhoven B, de Jonge M (2011) Privacy by design: an alternative to existing practice in safeguarding privacy. Info 13(6):55–68
van Rest J, Boonstra D, Everts M, van Rijn M, van Paassen R (2014) Designing privacy-by-design. In: Privacy technologies and policy. Springer, Berlin, Heidelberg
Varonen U, Mattila M (2000) The safety climate and its relationship to safety practices, safety of the work environment and occupational accidents in eight wood-processing companies. Accid Anal Prev 32(6):761–769
Walsham G (2006) Doing interpretive research. Eur J Inf Syst 15(3):320–330
Wimbush JC, Shepard JM (1994) Toward an understanding of ethical climate: its relationship to ethical behavior and supervisory influence. J Bus Ethics 13(8):637–647
Wood R, Bandura A (1989) Social cognitive theory of organizational management. Acad Manag Rev 14(3):361–384
Zohar D (1980) Safety climate in industrial organizations: theoretical and applied implications. J Appl Psychol 65:96–102
Zohar D (2000) A group-level model of safety climate: testing the effect of group climate on microaccidents in manufacturing jobs. J Appl Psychol 85(4):587
Zohar D, Luria G (2005) A multilevel model of safety climate: cross-level relationships between organization and group-level climates. J Appl Psychol 90(4):616–628
We acknowledge the support of the Israel Science Foundation, Grant 1116/12.
Communicated by: Tim Menzies
Appendix 1: Participants
Appendix 2: Interview Guide
Domain (of development), position, years of experience, number of subordinates, formal education, additional professional training
What sources of knowledge do you use beyond the requirements of the customer? (Colleagues? Friends outside the organization? Literature? Professional journals? Web? Other?)
Have you been involved in the development of information systems that handle information about users or other data subjects? If so, please describe your role in each project.
Have you acquired knowledge/education specifically related to privacy concerns in information systems? If so, please describe.
What development methodologies do you use?
Do you have direct communication with the customer?
When you take design decisions, do they affect others in the development team? If so, who is affected (and how many)? What are their roles?
What is informational privacy?
What is the difference between security and privacy?
What sources of information do you use in order to resolve privacy concerns?
(Internet / what sites? Organizational procedures? Managers? Other employees? Literature (which)?)
What laws are you familiar with, in the context of informational privacy?
What procedures are you familiar with, in the context of informational privacy?
What norms are you familiar with, in the context of informational privacy?
Cases and examples
When you encounter a privacy concern, what do you do about it?
In what cases do you consider or analyze privacy concerns, while designing a system?
When developing a system, what are the potential risks regarding privacy?
Describe three examples of projects you were involved in, in which privacy concerns were discussed. What aspects of privacy did you handle?
Are privacy concerns considered, in projects you are involved with, while designing user interfaces? If so, in what context?
Do you initiate discussions regarding privacy or require clarifications or additional privacy-related requirements when designing a system?
Is privacy taken into account when planning for future requirements?
Familiarity and use of privacy strategies
What strategies (presented in Table 5) are you familiar with as solutions for privacy concerns?
For each of the following strategies, please specify whether you are familiar with it, whether you use it, and why / in what cases you decide not to use it.
During your work, have you ever needed to address concerns of notifying users about ongoing operations or information theft? If so, how? At what stage?
In your opinion, to what extent is it important to receive consent from users prior to collecting private data about them?
In your opinion, to what extent do the users have the right to choose how, when and what information is gathered about them (that is, the freedom to design the information that is collected about them)?
Do you think that user consent for data collection should be opt-in (default is lack of consent, and requires active action to give consent) or opt-out (default is agreement, and requires active action to deny consent)?
Have you ever dealt with user consent in this context? In what stage of the development? Who raised the need? Is the topic of user consent discussed during projects?
Do you, or the customer (for whom the system is designed), define the purpose for which the information is collected by the system?
How do you decide what information is collected by the system? What are the considerations? Are they determined according to customer requirements? According to common practices? Some other criteria?
Is the legitimacy of the purpose for which personal information is collected by the system discussed? Do you ever ask yourself if a specific purpose of collecting personal information is legal/problematic in any sense?
In your opinion, should personal information accumulated about users in the system be deleted? If so, after how much time should it be deleted? (Immediately after the use of the information? after one month? three months? one year? two years? five years? ten years?)
Is information privacy considered to be the responsibility of the architect?
(If not): Whose responsibility is it?
Do you have any other thoughts about informational privacy you would like to share?
Why did you agree to be interviewed for this research?
Hadar, I., Hasson, T., Ayalon, O. et al. Privacy by designers: software developers’ privacy mindset. Empir Software Eng 23, 259–289 (2018). https://doi.org/10.1007/s10664-017-9517-1
- Data protection
- Privacy by design
- Qualitative research
- Grounded analysis
- Social cognitive theory
- Organizational climate