Privacy by designers: software developers’ privacy mindset

Abstract

Privacy by design (PbD) is a policy measure that guides software developers to apply inherent solutions to achieve better privacy protection. For PbD to be a viable option, it is important to understand developers’ perceptions, interpretation and practices as to informational privacy (or data protection). To this end, we conducted in-depth interviews with 27 developers from different domains, who practice software design. Grounded analysis of the data revealed an interplay between several different forces affecting the way in which developers handle privacy concerns. Borrowing the schema of Social Cognitive Theory (SCT), we classified and analyzed the cognitive, organizational and behavioral factors that play a role in developers’ privacy decision making. Our findings indicate that developers use the vocabulary of data security to approach privacy challenges, and that this vocabulary limits their perceptions of privacy mainly to third-party threats coming from outside of the organization; that organizational privacy climate is a powerful means for organizations to guide developers toward particular practices of privacy; and that software architectural patterns frame privacy solutions that are used throughout the development process, possibly explaining developers’ preference of policy-based solutions to architectural solutions. Further, we show, through the use of the SCT schema for framing the findings of this study, how a theoretical model of the factors that influence developers’ privacy practices can be conceptualized and used as a guide for future research toward effective implementation of PbD.

This is a preview of subscription content, log in to check access.

Fig. 1
Fig. 2

Notes

  1. 1.

    High-level design of the software system, with emphasis on the system’s structure and the non-functional requirements it needs to meet.

References

  1. Ackerman MS, Cranor LF, Reagle J (1999) Privacy in e-commerce: examining user scenarios and privacy preferences. Proceedings of the 1st ACM conference on electronic commerce, Denver

  2. Ammori M, Pelican L (2013) Media diversity and online advertising. Alb L Rev 76:665–696

    Google Scholar 

  3. Argyris C (1960) Understanding organizational behavior. The Dorsey Press, Oxford, England

  4. Awad NF, Krishnan MS (2006) The personalization privacy paradox: an empirical evaluation of information transparency and the willingness to be profiled online for personalization. MIS Q 30:13–28

  5. Ayalon O, Toch E (2013) Retrospective privacy: managing longitudinal privacy in online social networks. Proceedings of the Ninth Symposium on Usable Privacy and Security

  6. Balebako, R., Marsh, A., Lin, J., Hong, J., Cranor, L. F. (2014) The privacy and security behaviors of smartphone app developers. Workshop on Usable Security (USEC 2014), San Diego, 2014

  7. Bamberger KA, Mulligan DK (2010) Privacy on the books and on the ground. Stanford Law Rev 63:247

  8. Bamberger KA, Mulligan DK (2013) Privacy in Europe: initial data on governance choices and corporate practices. Geo Wash L Rev 81:1529–1755

    Google Scholar 

  9. Bandura A (1986) Social foundations of thought and action: a social cognitive theory. Prentice-Hall, Englewood Cliffs

    Google Scholar 

  10. Bartels KK, Harrick E, Martell K, Strickland D (1998) The relationship between ethical climate and ethical problems within human resource management. J Bus Ethics 17(7):799–804

    Article  Google Scholar 

  11. Berente N, Yoo Y (2012) Institutional contradictions and loose coupling: Postimplementation of NASA’s enterprise information system. Inf Syst Res 23(2):376–396

    Article  Google Scholar 

  12. Birnhack M, Elkin-Koren N (2011) Does law matter online? Empirical evidence on privacy law compliance. Michigan Telecommun Technol Law Rev 17:337

    Google Scholar 

  13. Birnhack M, Toch E, Hadar I (2014) Privacy mindset, technological mindset. Jurimetrics 55:55–114

    Google Scholar 

  14. Brown R, Holmes H (1986) The use of a factor-analytic procedure for assessing the validity of an employee safety climate model. Accid Anal Prev 18(6):455–470

    Article  Google Scholar 

  15. Budi, A., Lo, D., Jiang, L., Lucia (2011) Kb-anonymity: a model for anonymized behaviour-preserving test and debugging data. PLDI 2011: 447–457

  16. Castro M, Costa M, Martin JP (2008) Better bug reporting with better privacy. ACM Sigplan Notices 43(3):319–328

    Article  Google Scholar 

  17. Cavoukian A (2009) Privacy by design: the 7 foundational principles. Information and Privacy Commissioner of Ontario, Toronto

    Google Scholar 

  18. Cavoukian A (2011) Privacy by design: origins, meaning, and prospects. Privacy Protection Measures and Technologies in Business Organizations: Aspects and Standards Information Science Reference (an imprint of IGI Global)

  19. Cavoukian, A., Chibba, M., Stoianov, A., Marinelli, T., Peltsch, K., Chabanne, H., Despiegel, V. (2014) Facial recognition with biometric encryption in match-on-card architecture for gaming and other computer applications. eBook, York University, Toronto

  20. Chan YE (2000) IT value: the great divide between qualitative and quantitative and individual and organizational measures. J Manag Inf Syst 16(4):225–261

    Article  Google Scholar 

  21. Cooper MD, Phillips RA (2004) Exploratory analysis of the safety climate and safety behavior relationship. J Saf Res 35(5):497–512

    Article  Google Scholar 

  22. Culnan MJ, Williams CC (2009) How ethics can enhance organizational privacy: lessons from the ChoicePoint and TJX data breaches. Manag Inf Syst Q 33(4):673–687

    Article  Google Scholar 

  23. Dennedy MF, Fox J, Finneran T (2014) The privacy engineer’s manifesto: getting from policy to code to QA to value. Apress, Berkeley

    Google Scholar 

  24. Deshpande SP (1996) Ethical climate and the link between success and ethical behavior: an empirical investigation of a non-profit organization. J Bus Ethics 15(3):315–320

    Article  Google Scholar 

  25. Dinev T, Hart P (2006) An extended privacy calculus model for e-commerce transactions. Inf Syst Res 17(1):61–80

    Article  Google Scholar 

  26. Eisenberger R, Fasolo P, Davis-LaMastro V (1990) Perceived organizational support and employee diligence, commitment, and innovation. J Appl Psychol 75(1):51

    Article  Google Scholar 

  27. Fienberg SE (2006) Privacy and confidentiality in an e-commerce world: data mining, data warehousing, matching and disclosure limitation. Stat Sci 21(2):143–154

    MathSciNet  Article  MATH  Google Scholar 

  28. Friedman B, Kahn Jr PH, Borning A (2006) Value sensitive design and information systems. In: Human-Computer Interaction in Management Information Systems, M.E. S Sharpe Inc., pp 348–372

  29. FTC (2012) Protecting consumer privacy in an era of rapid change: recommendations for businesses and policymakers. FTC Privacy Report

  30. GDPR (2012) European Commission, Proposal for a regulation of the European Parliament and of the council on the protection of individuals with regard to the processing of personal data and on the free movement of such data. http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:52012PC0011. Accessed 14 Apr 2017

  31. Gellman R (2013) Fair informaiton practices: a basic history http://bobgellman.com/rg-docs/rg-FIPShistory.pdf. Accessed 16 Aug 2013

  32. Gershon RR, Karkashian CD, Grosch JW, Murphy LR, Escamilla-Cejudo A, Flanagan PA, Martin L (2000) Hospital safety climate and its relationship with safe work practices and workplace exposure incidents. Am J Infect Control 28(3):211–221

    Article  Google Scholar 

  33. Gimeno D, Felknor S, Burau K, Delclos G (2005) Organisational and occupational risk factors associated with work related injuries among public hospital employees in Costa Rica. Occup Environ Med 62(5):337–343

    Article  Google Scholar 

  34. Grechanik M, Csallner C, Fu C, Xie Q (2010) Is data privacy always good for software testing? In: 2010 I.E. 21st International Symposium on Software Reliability Engineering, IEEE, pp 368–377

  35. Grosch JW, Gershon RR, Murphy LR, DeJoy DM (1999) Safety climate dimensions associated with occupational exposure to blood-borne pathogens in nurses. Am J Ind Med 36(S1):122–124

    Article  Google Scholar 

  36. Gross R, Acquisti A (2005) Information revelation and privacy in online social networks. Proceedings of the 2005 ACM workshop on privacy in the electronic society, Alexandria

  37. Gürses S, Gonzalez Troncoso C, Diaz C (2011) Engineering privacy by design. Comput, Priv Data Prot 14(3)

  38. Jain S, Lindqvist J (2014) Should I protect you? Understanding developers’ behavior to privacy-preserving APIs. Workshop on Usable Security (USEC’14)

  39. Jaramillo F, Mulki JP, Boles JS (2013) Bringing meaning to the sales job: the effect of ethical climate and customer demandingness. J Bus Res 66(11):2301–2307

    Article  Google Scholar 

  40. Kalloniatis C, Kavakli E, Gritzalis S (2008) Addressing privacy requirements in system design: the PriS method. Requir Eng 13(3):241–255

    Article  Google Scholar 

  41. Lacity MC, Janson MA (1994) Understanding qualitative data: a framework of text analysis methods. J Manag Inf Syst 11:137–155

    Article  Google Scholar 

  42. Lahlou S, Langheinrich M, Röcker C (2005) Privacy and trust issues with invisible computers. Commun ACM 48(3):59–60

    Article  Google Scholar 

  43. Langheinrich M (2001) Privacy by design—principles of privacy-aware ubiquitous systems. International conference on ubiquitous computing. Springer, Berlin, Heidelberg

    Google Scholar 

  44. Lucia, Lo D, Jiang L, Budi A (2012) kbe-anonymity: test data anonymization for evolving programs. In: 2012 Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering, Essen, 2012, pp 262–265

  45. Luria G (2008) Controlling for quality: climate, leadership, and behavior. Quality Manangement Jounral 15(1):27–40

    Google Scholar 

  46. Madejski M, Johnson ML, Bellovin SM (2011) The failure of online social network privacy settings. Department of Computer Science, Columbia University, tech. Rep. CUCS-010-11

  47. Mathew A, Cheshire C (2017) Risky business: social trust and community in the practice of cybersecurity for internet infrastructure. In: Proceedings of the 50th Hawaii International Conference on System Sciences

  48. Mohamed S (2002) Safety climate in construction site environments. J Constr Eng Manag 128(5):375–384

    Article  Google Scholar 

  49. Myers MD (1997) Qualitative research in information systems. MIS Q 21:241–242

    Article  Google Scholar 

  50. Myers MD, Newman M (2007) The qualitative interview in IS research: examining the craft. Inf Organ 17:2–26

    Article  Google Scholar 

  51. Nicholson N, Johns G (1985) The absence culture and psychological contract—who's in control of absence? Acad Manag Rev 10(3):397–407

    Google Scholar 

  52. Ohm P (2010) Broken promises of privacy: responding to the surprising failure of anonymization. UCLA Law Review 57:1701

    Google Scholar 

  53. Omoronyia I, Cacallaro L, Salehie M, Pasqualie L, Nuseibeh B (2013) Engineering adaptive privacy: on the role of privacy awareness requirements. Proceedings of the 2013 International Conference on Software Engineering. IEEE Press, 2013

  54. Ozer NA (2012) Putting online privacy above the fold: building a social movement and creating corporate change. NYU Rev L & Soc Change 36:215

    Google Scholar 

  55. Peters F, Menzies T (2012) Privacy and utility for defect prediction: experiments with MORPH. ICSE 2012:189–199

    Google Scholar 

  56. Peters F, Menzies T, Gong L, Zhang H (2013) Balancing privacy and utility in cross-company defect prediction. IEEE Trans Softw Eng 39(8):1054–1106

    Article  Google Scholar 

  57. Reay, I., Dick, S., Miller, J. (2009) A large-scale empirical study of P3P privacy policies: stated actions vs. legal obligations. ACM transactions on the web (TWEB), 3(2), 6

  58. Resnick ML, Montania R (2003) Perceptions of customer service, information privacy, and product quality from semiotic design features in an online web store. International Journal of Human-Computer Interaction 16(2):211–234

    Article  Google Scholar 

  59. Rubinstein IS, Good N (2013) Privacy by design: a counterfactual analysis of Google and Facebook privacy incidents. Berkeley Tech LJ 28:1333–1583

    Google Scholar 

  60. Sánchez Abril P, Levin A, Del Riego A (2012) Blurred boundaries: social media privacy and the twenty-first-century employee. American Business Law Journal 49(1):63–124

    Article  Google Scholar 

  61. Schneider B, Ehrhart MG, Macey WH (2013) Organizational climate and culture. Annu Rev Psychol 64:361–388

    Article  Google Scholar 

  62. Schneider B, González-Romá V, Ostroff C, West MA (2016) Organizational climate and culture: reflections on the history of the constructs in Journal of Applied Psychology. J Appl Psychol 102(3):468

  63. Seaman CB (1999) Qualitative methods in empirical studies of software engineering. IEEE Trans Softw Eng 25(4):557–572

    Article  Google Scholar 

  64. Shaw TR (2003) The moral intensity of privacy: an empirical study of webmaster' attitudes. J Bus Ethics 46(4):301–318

    Article  Google Scholar 

  65. Sheth S, Kaiser G, Maalej W (2014) Us and them: a study of privacy requirements across North America, Asia, and Europe. Proceedings of the 36th International Conference on Software Engineering. ACM, 2014

  66. Siu O-L, Phillips DR, Leung TW (2004) Safety climate and safety performance among construction workers in Hong Kong: the role of psychological strains as mediators. Accid Anal Prev 36(3):359–366

    Article  Google Scholar 

  67. Smith HJ, Dinev T, Xu H (2011) Information privacy research: an interdisciplinary review. MIS Q 35(4):989–1016

    Article  Google Scholar 

  68. Spiekermann S, Cranor LF (2009) Engineering privacy. IEEE Trans Softw Eng 35(1):67–82

    Article  Google Scholar 

  69. Spreitzer GM (2008) Taking stock: a review of more than twenty years of research on empowerment at work. In: Handbook of organizational behavior. Sage, Thousand Oaks, pp 54–72

    Google Scholar 

  70. Stamper R, Liu K, Hafkamp M, Ades Y (2000) Understanding the roles of signs and norms in organizations-a semiotic approach to information systems design. Behav Inform Technol 19(1):15–27

    Article  Google Scholar 

  71. Strauss A, Corbin J (1990) Basics of |qualitative research. Sage publications, Newbury Park

    Google Scholar 

  72. Strauss A, Corbin J (1994) Grounded theory methodology: an overview. In: Denzin NK, Lincoln YS (eds) Handbook of qualitative research. Sage, Thousand Oaks, pp 273–285

    Google Scholar 

  73. Strauss A, Corbin J (1998) Basics of qualitative research: techniques and procedures for developing grounded theory. Sage Publications, Thousand Oaks

    Google Scholar 

  74. Stutzman F, Gross R, Acquisti A (2013) Silent listeners: the evolution of privacy and disclosure on Facebook. Journal of Privacy and Confidentiality 4(2):2

    Google Scholar 

  75. Suddaby R (2006) From the editors: what grounded theory is not. Acad Manag J 49(4):633–642

    Article  Google Scholar 

  76. Székely I (2013) What do IT professionals think about surveillance? Internet and surveillance: the challenges of web 2.0 and social media, 16, 198

  77. Taneja K, Grechanik M, Ghani R, Xie T (2011) Testing software in age of data privacy: a balancing act. Proceedings of the 19th ACM SIGSOFT Symposium and the 13th European conference on foundations of software engineering, ACM, pp 201–211

  78. Tene O, Polonetsky J (2013) Big data for all: privacy and user control in the age of analytics. Northwest J Technol Intellect Prop 11(5):1

    Google Scholar 

  79. Thomas K, Bandara AK, Price BA, Nuseibeh B (2014) Distilling privacy requirements for mobile applications. Proceedings of the 36th International conference on software engineering. ACM, 2014

  80. Toch E, Wang Y, Cranor LF (2012) Personalization and privacy: a survey of privacy risks and remedies in personalization-based systems. User Model User-Adap Inter 22(1–2):203–220

    Article  Google Scholar 

  81. Tsai MT, Cheng NC (2010) Programmer perceptions of knoweldge-sharing behavior under social cognitive theory. Expert Syst Appl 37(12):8479–8485

    Article  Google Scholar 

  82. U.S. Dept. of Helath, Education & Welfare (1973) Record computers and the rights of citizens. REp. of Sec'y Advisory Comm. on Automated Pers. Data Sys. 41 (1973). http://www.justice.gov/opcl/docs/rec-com-rights.pdf

  83. Van Der Sype YS, Maalej W (2014) On lawful disclosure of personal user data: what should app developers do? 7th International Workshop on Requirements Engineering and Law (RELAW), IEEE 2014

  84. van Lieshout M, Kool L, van Schoonhoven B, de Jonge M (2011) Privacy by design: an alternative to existing practice in safeguarding privacy. Info 13(6):55–68

    Article  Google Scholar 

  85. van Rest, J., Boonstra, D., Everts, M., van Rijn, M., van Paassen, R. (2014) Designing privacy-by-design. Privacy Technologies and Policy, Springer Berlin, Heidelberg

  86. Varonen U, Mattila M (2000) The safety climate and its relationship to safety practices, safety of the work environment and occupational accidents in eight wood-processing companies. Accid Anal Prev 32(6):761–769

    Article  Google Scholar 

  87. Walsham G (2006) Doing interpretive research. Eur J Inf Syst 15(3):320–330

    Article  Google Scholar 

  88. Wimbush JC, Shepard JM (1994) Toward an understanding of ethical climate: its relationship to ethical behavior and supervisory influence. J Bus Ethics 13(8):637–647

    Article  Google Scholar 

  89. Wood R, Banduar A (1989) Social cognitive theory of organizational management. Acad Manag Rev 14(3):361–384

    Google Scholar 

  90. Zohar D (1980) Safety climate in industrial organizations: theoretical and applied implications. J Appl Psychol 65:96–102

    Article  Google Scholar 

  91. Zohar D (2000) A group-level model of safety climate: testing the effect of group climate on microaccidents in manufacturing jobs. J Appl Psychol 85(4):587

    Article  Google Scholar 

  92. Zohar D, Luria G (2005) A multilevel model of safety climate: cross-level relationships between organization and group-level climates. J Appl Psychol 90(4):616–628

Download references

Acknowledgement

We acknowledge the support of the Israel Science Foundation, Grant 1116/12.

Author information

Affiliations

Authors

Corresponding author

Correspondence to Irit Hadar.

Additional information

Communicated by: Tim Menzies

Appendices

Appendix 1: Participants

Table 4 List of participants

‬‬‬‬‬‬‬‬‬‬‬‬‬‬‬‬‬Appendix 2: Interview Guide

  1. 1.

    Background information

    • Domain (of development), position, years of experience, number of subordinates, formal education, additional professional training

    • What sources of knowledge do you use beyond the requirements of the customer? (Colleagues? Friends outside the organization? Literature? Professional journals? Web? Other?)

    • Have you been involved in the development of information systems that handle information about users or other data subjects? If so, please describe your role in each project.

    • Have you acquired knowledge/education specifically related to privacy concerns in information systems? If so, please describe.

    • What development methodologies do you use?

    • Do you have direct communication with the customer?

    • When you take design decisions, do they affect others in the development team? If so, who is affected (and how many)? What are their roles?

  2. 2.

    Privacy definition

    • What is informational privacy?

    • What is the difference between security and privacy?

  3. 3.

    Information sources

    • What sources of information do you use in order to resolve privacy concerns?

    • (Internet / what sites? Organizational procedures? Managers? Other employees? Literature (which)?)

  4. 4.

    Guidelines

    • What laws are you familiar with, in the context of informational privacy?

    • What procedures are you familiar with, in the context of informational privacy?

    • What norms are you familiar with, in the context of informational privacy?

  5. 5.

    Cases and examples

    • When you encounter a privacy concern, what do you do about it?

    • In what cases do you consider or analyze privacy concerns, while designing a system?

    • When developing a system, what are the potential risks regarding privacy?

    • Describe three examples of projects you were involved in, in which privacy concerns were discussed. What aspects of privacy did you handle?

    • Are privacy concerns considered, in projects you are involved with, while designing user interfaces? If so, in what context?

    • Do you initiate discussions regarding privacy or require clarifications or additional privacy-related requirements when designing a system?

    • Is privacy taken into account when planning for future requirements?

  6. 6.

    Familiarity and use of privacy strategies

    • What strategies (presented in Table 5) are you familiar with as solutions for privacy concerns?

    • (Bring examples)

    • For each of the following strategies, please specify whether you are familiar with it, whether you use it, and why / in what cases do you decide not use it?

  7. 7.

    FIPPs

    • Does the organization inform its users about its privacy policy?

    • During your work, have you ever needed to address concerns of notifying users about ongoing operations or information theft? If so, how? At what stage?

    • In your opinion, to what extent is it important to receive consent from users prior to collecting private data about them?

    • In your opinion, to what extent do the users have the right to choose how, when and what information is gathered about them (that is, the freedom to design the information that is collected about them)?

    • Do you think that user consent for data collection should be opt-in (default is lack of consent, and requires active action to give consent) or opt-out (default is agreement, and requires active action to deny consent)?

    • Have you ever dealt with user consent in this context? In what stage of the development? Who raised the need? Is the topic of user consent discussed during projects?

    • Do you, or the customer (for whom the system is designed), define the purpose for which the information is collected by the system?

    • How do you decide what information is collected by the system? What are the considerations? Are they determined according to customer requirements? According to common practices? Some other criteria?

    • Is the legitimacy of the purpose for which personal information is collected by the system discussed? Do you ever ask yourself if a specific purpose of collecting personal information is legal/problematic in any sense?

    • In your opinion, should personal information accumulated about users in the system be deleted? If so, after how much time should it be deleted? (Immediately after the use of the information? after one month? three months? one year? two years? five years? ten years?)

  8. 8.

    Responsibility

    • Is information privacy considered to be the responsibility of the architect?

    • (If not): Whose responsibility is it?

  9. 9.

    Open discussion

    • Do you have any other thoughts about informational privacy you would like to share?

    • Why did you agree to be interviewed for this research?

Table 5 List of privacy strategies

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Hadar, I., Hasson, T., Ayalon, O. et al. Privacy by designers: software developers’ privacy mindset. Empir Software Eng 23, 259–289 (2018). https://doi.org/10.1007/s10664-017-9517-1

Download citation

Keywords

  • Data protection
  • Privacy
  • Privacy by design
  • Qualitative research
  • Grounded analysis
  • Social cognitive theory
  • Organizational climate