Skip to main content
SpringerLink
Log in

Privacy by designers: software developers’ privacy mindset

  • Published:
Empirical Software Engineering Aims and scope Submit manuscript

Abstract

Privacy by design (PbD) is a policy measure that guides software developers to apply inherent solutions to achieve better privacy protection. For PbD to be a viable option, it is important to understand developers’ perceptions, interpretation and practices as to informational privacy (or data protection). To this end, we conducted in-depth interviews with 27 developers from different domains, who practice software design. Grounded analysis of the data revealed an interplay between several different forces affecting the way in which developers handle privacy concerns. Borrowing the schema of Social Cognitive Theory (SCT), we classified and analyzed the cognitive, organizational and behavioral factors that play a role in developers’ privacy decision making. Our findings indicate that developers use the vocabulary of data security to approach privacy challenges, and that this vocabulary limits their perceptions of privacy mainly to third-party threats coming from outside of the organization; that organizational privacy climate is a powerful means for organizations to guide developers toward particular practices of privacy; and that software architectural patterns frame privacy solutions that are used throughout the development process, possibly explaining developers’ preference of policy-based solutions to architectural solutions. Further, we show, through the use of the SCT schema for framing the findings of this study, how a theoretical model of the factors that influence developers’ privacy practices can be conceptualized and used as a guide for future research toward effective implementation of PbD.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2

Similar content being viewed by others

Notes

  1. High-level design of the software system, with emphasis on the system’s structure and the non-functional requirements it needs to meet.

References

  • Ackerman MS, Cranor LF, Reagle J (1999) Privacy in e-commerce: examining user scenarios and privacy preferences. Proceedings of the 1st ACM conference on electronic commerce, Denver

  • Ammori M, Pelican L (2013) Media diversity and online advertising. Alb L Rev 76:665–696

    Google Scholar 

  • Argyris C (1960) Understanding organizational behavior. The Dorsey Press, Oxford, England

  • Awad NF, Krishnan MS (2006) The personalization privacy paradox: an empirical evaluation of information transparency and the willingness to be profiled online for personalization. MIS Q 30:13–28

  • Ayalon O, Toch E (2013) Retrospective privacy: managing longitudinal privacy in online social networks. Proceedings of the Ninth Symposium on Usable Privacy and Security

  • Balebako, R., Marsh, A., Lin, J., Hong, J., Cranor, L. F. (2014) The privacy and security behaviors of smartphone app developers. Workshop on Usable Security (USEC 2014), San Diego, 2014

  • Bamberger KA, Mulligan DK (2010) Privacy on the books and on the ground. Stanford Law Rev 63:247

  • Bamberger KA, Mulligan DK (2013) Privacy in Europe: initial data on governance choices and corporate practices. Geo Wash L Rev 81:1529–1755

    Google Scholar 

  • Bandura A (1986) Social foundations of thought and action: a social cognitive theory. Prentice-Hall, Englewood Cliffs

    Google Scholar 

  • Bartels KK, Harrick E, Martell K, Strickland D (1998) The relationship between ethical climate and ethical problems within human resource management. J Bus Ethics 17(7):799–804

    Article  Google Scholar 

  • Berente N, Yoo Y (2012) Institutional contradictions and loose coupling: Postimplementation of NASA’s enterprise information system. Inf Syst Res 23(2):376–396

    Article  Google Scholar 

  • Birnhack M, Elkin-Koren N (2011) Does law matter online? Empirical evidence on privacy law compliance. Michigan Telecommun Technol Law Rev 17:337

    Google Scholar 

  • Birnhack M, Toch E, Hadar I (2014) Privacy mindset, technological mindset. Jurimetrics 55:55–114

    Google Scholar 

  • Brown R, Holmes H (1986) The use of a factor-analytic procedure for assessing the validity of an employee safety climate model. Accid Anal Prev 18(6):455–470

    Article  Google Scholar 

  • Budi, A., Lo, D., Jiang, L., Lucia (2011) Kb-anonymity: a model for anonymized behaviour-preserving test and debugging data. PLDI 2011: 447–457

  • Castro M, Costa M, Martin JP (2008) Better bug reporting with better privacy. ACM Sigplan Notices 43(3):319–328

    Article  Google Scholar 

  • Cavoukian A (2009) Privacy by design: the 7 foundational principles. Information and Privacy Commissioner of Ontario, Toronto

    Google Scholar 

  • Cavoukian A (2011) Privacy by design: origins, meaning, and prospects. Privacy Protection Measures and Technologies in Business Organizations: Aspects and Standards Information Science Reference (an imprint of IGI Global)

  • Cavoukian, A., Chibba, M., Stoianov, A., Marinelli, T., Peltsch, K., Chabanne, H., Despiegel, V. (2014) Facial recognition with biometric encryption in match-on-card architecture for gaming and other computer applications. eBook, York University, Toronto

  • Chan YE (2000) IT value: the great divide between qualitative and quantitative and individual and organizational measures. J Manag Inf Syst 16(4):225–261

    Article  Google Scholar 

  • Cooper MD, Phillips RA (2004) Exploratory analysis of the safety climate and safety behavior relationship. J Saf Res 35(5):497–512

    Article  Google Scholar 

  • Culnan MJ, Williams CC (2009) How ethics can enhance organizational privacy: lessons from the ChoicePoint and TJX data breaches. Manag Inf Syst Q 33(4):673–687

    Article  Google Scholar 

  • Dennedy MF, Fox J, Finneran T (2014) The privacy engineer’s manifesto: getting from policy to code to QA to value. Apress, Berkeley

    Book  Google Scholar 

  • Deshpande SP (1996) Ethical climate and the link between success and ethical behavior: an empirical investigation of a non-profit organization. J Bus Ethics 15(3):315–320

    Article  Google Scholar 

  • Dinev T, Hart P (2006) An extended privacy calculus model for e-commerce transactions. Inf Syst Res 17(1):61–80

    Article  Google Scholar 

  • Eisenberger R, Fasolo P, Davis-LaMastro V (1990) Perceived organizational support and employee diligence, commitment, and innovation. J Appl Psychol 75(1):51

    Article  Google Scholar 

  • Fienberg SE (2006) Privacy and confidentiality in an e-commerce world: data mining, data warehousing, matching and disclosure limitation. Stat Sci 21(2):143–154

    Article  MathSciNet  MATH  Google Scholar 

  • Friedman B, Kahn Jr PH, Borning A (2006) Value sensitive design and information systems. In: Human-Computer Interaction in Management Information Systems, M.E. S Sharpe Inc., pp 348–372

  • FTC (2012) Protecting consumer privacy in an era of rapid change: recommendations for businesses and policymakers. FTC Privacy Report

  • GDPR (2012) European Commission, Proposal for a regulation of the European Parliament and of the council on the protection of individuals with regard to the processing of personal data and on the free movement of such data. http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:52012PC0011. Accessed 14 Apr 2017

  • Gellman R (2013) Fair informaiton practices: a basic history http://bobgellman.com/rg-docs/rg-FIPShistory.pdf. Accessed 16 Aug 2013

  • Gershon RR, Karkashian CD, Grosch JW, Murphy LR, Escamilla-Cejudo A, Flanagan PA, Martin L (2000) Hospital safety climate and its relationship with safe work practices and workplace exposure incidents. Am J Infect Control 28(3):211–221

    Article  Google Scholar 

  • Gimeno D, Felknor S, Burau K, Delclos G (2005) Organisational and occupational risk factors associated with work related injuries among public hospital employees in Costa Rica. Occup Environ Med 62(5):337–343

    Article  Google Scholar 

  • Grechanik M, Csallner C, Fu C, Xie Q (2010) Is data privacy always good for software testing? In: 2010 I.E. 21st International Symposium on Software Reliability Engineering, IEEE, pp 368–377

  • Grosch JW, Gershon RR, Murphy LR, DeJoy DM (1999) Safety climate dimensions associated with occupational exposure to blood-borne pathogens in nurses. Am J Ind Med 36(S1):122–124

    Article  Google Scholar 

  • Gross R, Acquisti A (2005) Information revelation and privacy in online social networks. Proceedings of the 2005 ACM workshop on privacy in the electronic society, Alexandria

  • Gürses S, Gonzalez Troncoso C, Diaz C (2011) Engineering privacy by design. Comput, Priv Data Prot 14(3)

  • Jain S, Lindqvist J (2014) Should I protect you? Understanding developers’ behavior to privacy-preserving APIs. Workshop on Usable Security (USEC’14)

  • Jaramillo F, Mulki JP, Boles JS (2013) Bringing meaning to the sales job: the effect of ethical climate and customer demandingness. J Bus Res 66(11):2301–2307

    Article  Google Scholar 

  • Kalloniatis C, Kavakli E, Gritzalis S (2008) Addressing privacy requirements in system design: the PriS method. Requir Eng 13(3):241–255

    Article  Google Scholar 

  • Lacity MC, Janson MA (1994) Understanding qualitative data: a framework of text analysis methods. J Manag Inf Syst 11:137–155

    Article  Google Scholar 

  • Lahlou S, Langheinrich M, Röcker C (2005) Privacy and trust issues with invisible computers. Commun ACM 48(3):59–60

    Article  Google Scholar 

  • Langheinrich M (2001) Privacy by design—principles of privacy-aware ubiquitous systems. International conference on ubiquitous computing. Springer, Berlin, Heidelberg

    MATH  Google Scholar 

  • Lucia, Lo D, Jiang L, Budi A (2012) kbe-anonymity: test data anonymization for evolving programs. In: 2012 Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering, Essen, 2012, pp 262–265

  • Luria G (2008) Controlling for quality: climate, leadership, and behavior. Quality Manangement Jounral 15(1):27–40

    Google Scholar 

  • Madejski M, Johnson ML, Bellovin SM (2011) The failure of online social network privacy settings. Department of Computer Science, Columbia University, tech. Rep. CUCS-010-11

  • Mathew A, Cheshire C (2017) Risky business: social trust and community in the practice of cybersecurity for internet infrastructure. In: Proceedings of the 50th Hawaii International Conference on System Sciences

  • Mohamed S (2002) Safety climate in construction site environments. J Constr Eng Manag 128(5):375–384

    Article  Google Scholar 

  • Myers MD (1997) Qualitative research in information systems. MIS Q 21:241–242

    Article  Google Scholar 

  • Myers MD, Newman M (2007) The qualitative interview in IS research: examining the craft. Inf Organ 17:2–26

    Article  Google Scholar 

  • Nicholson N, Johns G (1985) The absence culture and psychological contract—who's in control of absence? Acad Manag Rev 10(3):397–407

    Google Scholar 

  • Ohm P (2010) Broken promises of privacy: responding to the surprising failure of anonymization. UCLA Law Review 57:1701

    Google Scholar 

  • Omoronyia I, Cacallaro L, Salehie M, Pasqualie L, Nuseibeh B (2013) Engineering adaptive privacy: on the role of privacy awareness requirements. Proceedings of the 2013 International Conference on Software Engineering. IEEE Press, 2013

  • Ozer NA (2012) Putting online privacy above the fold: building a social movement and creating corporate change. NYU Rev L & Soc Change 36:215

    Google Scholar 

  • Peters F, Menzies T (2012) Privacy and utility for defect prediction: experiments with MORPH. ICSE 2012:189–199

    Google Scholar 

  • Peters F, Menzies T, Gong L, Zhang H (2013) Balancing privacy and utility in cross-company defect prediction. IEEE Trans Softw Eng 39(8):1054–1106

    Article  Google Scholar 

  • Reay, I., Dick, S., Miller, J. (2009) A large-scale empirical study of P3P privacy policies: stated actions vs. legal obligations. ACM transactions on the web (TWEB), 3(2), 6

  • Resnick ML, Montania R (2003) Perceptions of customer service, information privacy, and product quality from semiotic design features in an online web store. International Journal of Human-Computer Interaction 16(2):211–234

    Article  Google Scholar 

  • Rubinstein IS, Good N (2013) Privacy by design: a counterfactual analysis of Google and Facebook privacy incidents. Berkeley Tech LJ 28:1333–1583

    Google Scholar 

  • Sánchez Abril P, Levin A, Del Riego A (2012) Blurred boundaries: social media privacy and the twenty-first-century employee. American Business Law Journal 49(1):63–124

    Article  Google Scholar 

  • Schneider B, Ehrhart MG, Macey WH (2013) Organizational climate and culture. Annu Rev Psychol 64:361–388

    Article  Google Scholar 

  • Schneider B, González-Romá V, Ostroff C, West MA (2016) Organizational climate and culture: reflections on the history of the constructs in Journal of Applied Psychology. J Appl Psychol 102(3):468

  • Seaman CB (1999) Qualitative methods in empirical studies of software engineering. IEEE Trans Softw Eng 25(4):557–572

    Article  Google Scholar 

  • Shaw TR (2003) The moral intensity of privacy: an empirical study of webmaster' attitudes. J Bus Ethics 46(4):301–318

    Article  Google Scholar 

  • Sheth S, Kaiser G, Maalej W (2014) Us and them: a study of privacy requirements across North America, Asia, and Europe. Proceedings of the 36th International Conference on Software Engineering. ACM, 2014

  • Siu O-L, Phillips DR, Leung TW (2004) Safety climate and safety performance among construction workers in Hong Kong: the role of psychological strains as mediators. Accid Anal Prev 36(3):359–366

    Article  Google Scholar 

  • Smith HJ, Dinev T, Xu H (2011) Information privacy research: an interdisciplinary review. MIS Q 35(4):989–1016

    Article  Google Scholar 

  • Spiekermann S, Cranor LF (2009) Engineering privacy. IEEE Trans Softw Eng 35(1):67–82

    Article  Google Scholar 

  • Spreitzer GM (2008) Taking stock: a review of more than twenty years of research on empowerment at work. In: Handbook of organizational behavior. Sage, Thousand Oaks, pp 54–72

    Google Scholar 

  • Stamper R, Liu K, Hafkamp M, Ades Y (2000) Understanding the roles of signs and norms in organizations-a semiotic approach to information systems design. Behav Inform Technol 19(1):15–27

    Article  Google Scholar 

  • Strauss A, Corbin J (1990) Basics of |qualitative research. Sage publications, Newbury Park

    Google Scholar 

  • Strauss A, Corbin J (1994) Grounded theory methodology: an overview. In: Denzin NK, Lincoln YS (eds) Handbook of qualitative research. Sage, Thousand Oaks, pp 273–285

    Google Scholar 

  • Strauss A, Corbin J (1998) Basics of qualitative research: techniques and procedures for developing grounded theory. Sage Publications, Thousand Oaks

    Google Scholar 

  • Stutzman F, Gross R, Acquisti A (2013) Silent listeners: the evolution of privacy and disclosure on Facebook. Journal of Privacy and Confidentiality 4(2):2

    Google Scholar 

  • Suddaby R (2006) From the editors: what grounded theory is not. Acad Manag J 49(4):633–642

    Article  Google Scholar 

  • Székely I (2013) What do IT professionals think about surveillance? Internet and surveillance: the challenges of web 2.0 and social media, 16, 198

  • Taneja K, Grechanik M, Ghani R, Xie T (2011) Testing software in age of data privacy: a balancing act. Proceedings of the 19th ACM SIGSOFT Symposium and the 13th European conference on foundations of software engineering, ACM, pp 201–211

  • Tene O, Polonetsky J (2013) Big data for all: privacy and user control in the age of analytics. Northwest J Technol Intellect Prop 11(5):1

    Google Scholar 

  • Thomas K, Bandara AK, Price BA, Nuseibeh B (2014) Distilling privacy requirements for mobile applications. Proceedings of the 36th International conference on software engineering. ACM, 2014

  • Toch E, Wang Y, Cranor LF (2012) Personalization and privacy: a survey of privacy risks and remedies in personalization-based systems. User Model User-Adap Inter 22(1–2):203–220

    Article  Google Scholar 

  • Tsai MT, Cheng NC (2010) Programmer perceptions of knoweldge-sharing behavior under social cognitive theory. Expert Syst Appl 37(12):8479–8485

    Article  Google Scholar 

  • U.S. Dept. of Helath, Education & Welfare (1973) Record computers and the rights of citizens. REp. of Sec'y Advisory Comm. on Automated Pers. Data Sys. 41 (1973). http://www.justice.gov/opcl/docs/rec-com-rights.pdf

  • Van Der Sype YS, Maalej W (2014) On lawful disclosure of personal user data: what should app developers do? 7th International Workshop on Requirements Engineering and Law (RELAW), IEEE 2014

  • van Lieshout M, Kool L, van Schoonhoven B, de Jonge M (2011) Privacy by design: an alternative to existing practice in safeguarding privacy. Info 13(6):55–68

    Article  Google Scholar 

  • van Rest, J., Boonstra, D., Everts, M., van Rijn, M., van Paassen, R. (2014) Designing privacy-by-design. Privacy Technologies and Policy, Springer Berlin, Heidelberg

  • Varonen U, Mattila M (2000) The safety climate and its relationship to safety practices, safety of the work environment and occupational accidents in eight wood-processing companies. Accid Anal Prev 32(6):761–769

    Article  Google Scholar 

  • Walsham G (2006) Doing interpretive research. Eur J Inf Syst 15(3):320–330

    Article  Google Scholar 

  • Wimbush JC, Shepard JM (1994) Toward an understanding of ethical climate: its relationship to ethical behavior and supervisory influence. J Bus Ethics 13(8):637–647

    Article  Google Scholar 

  • Wood R, Banduar A (1989) Social cognitive theory of organizational management. Acad Manag Rev 14(3):361–384

    Google Scholar 

  • Zohar D (1980) Safety climate in industrial organizations: theoretical and applied implications. J Appl Psychol 65:96–102

    Article  Google Scholar 

  • Zohar D (2000) A group-level model of safety climate: testing the effect of group climate on microaccidents in manufacturing jobs. J Appl Psychol 85(4):587

    Article  Google Scholar 

  • Zohar D, Luria G (2005) A multilevel model of safety climate: cross-level relationships between organization and group-level climates. J Appl Psychol 90(4):616–628

Download references

Acknowledgement

We acknowledge the support of the Israel Science Foundation, Grant 1116/12.

Author information

Authors and Affiliations

  1. Department of Information Systems, University of Haifa, 199 Aba Khoushy Ave. Mount Carmel, 3498838, Haifa, Israel

    Irit Hadar, Tomer Hasson & Sofia Sherman

  2. Faculty of Engineering, Tel Aviv University, P.O. Box 39040, 6997801, Tel Aviv, Israel

    Oshrat Ayalon & Eran Toch

  3. Faculty of Law, Tel Aviv University, P.O. Box 39040, 6997801, Tel Aviv, Israel

    Michael Birnhack & Arod Balissa

Authors
  1. Irit Hadar
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Tomer Hasson
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Oshrat Ayalon
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Eran Toch
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Michael Birnhack
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Sofia Sherman
    View author publications

    You can also search for this author in PubMed Google Scholar

  7. Arod Balissa
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Irit Hadar.

Additional information

Communicated by: Tim Menzies

Appendices

Appendix 1: Participants

Table 4 List of participants
Full size table

‬‬‬‬‬‬‬‬‬‬‬‬‬‬‬‬‬Appendix 2: Interview Guide

  1. 1.

    Background information

    • Domain (of development), position, years of experience, number of subordinates, formal education, additional professional training

    • What sources of knowledge do you use beyond the requirements of the customer? (Colleagues? Friends outside the organization? Literature? Professional journals? Web? Other?)

    • Have you been involved in the development of information systems that handle information about users or other data subjects? If so, please describe your role in each project.

    • Have you acquired knowledge/education specifically related to privacy concerns in information systems? If so, please describe.

    • What development methodologies do you use?

    • Do you have direct communication with the customer?

    • When you take design decisions, do they affect others in the development team? If so, who is affected (and how many)? What are their roles?

  2. 2.

    Privacy definition

    • What is informational privacy?

    • What is the difference between security and privacy?

  3. 3.

    Information sources

    • What sources of information do you use in order to resolve privacy concerns?

    • (Internet / what sites? Organizational procedures? Managers? Other employees? Literature (which)?)

  4. 4.

    Guidelines

    • What laws are you familiar with, in the context of informational privacy?

    • What procedures are you familiar with, in the context of informational privacy?

    • What norms are you familiar with, in the context of informational privacy?

  5. 5.

    Cases and examples

    • When you encounter a privacy concern, what do you do about it?

    • In what cases do you consider or analyze privacy concerns, while designing a system?

    • When developing a system, what are the potential risks regarding privacy?

    • Describe three examples of projects you were involved in, in which privacy concerns were discussed. What aspects of privacy did you handle?

    • Are privacy concerns considered, in projects you are involved with, while designing user interfaces? If so, in what context?

    • Do you initiate discussions regarding privacy or require clarifications or additional privacy-related requirements when designing a system?

    • Is privacy taken into account when planning for future requirements?

  6. 6.

    Familiarity and use of privacy strategies

    • What strategies (presented in Table 5) are you familiar with as solutions for privacy concerns?

    • (Bring examples)

    • For each of the following strategies, please specify whether you are familiar with it, whether you use it, and why / in what cases do you decide not use it?

  7. 7.

    FIPPs

    • Does the organization inform its users about its privacy policy?

    • During your work, have you ever needed to address concerns of notifying users about ongoing operations or information theft? If so, how? At what stage?

    • In your opinion, to what extent is it important to receive consent from users prior to collecting private data about them?

    • In your opinion, to what extent do the users have the right to choose how, when and what information is gathered about them (that is, the freedom to design the information that is collected about them)?

    • Do you think that user consent for data collection should be opt-in (default is lack of consent, and requires active action to give consent) or opt-out (default is agreement, and requires active action to deny consent)?

    • Have you ever dealt with user consent in this context? In what stage of the development? Who raised the need? Is the topic of user consent discussed during projects?

    • Do you, or the customer (for whom the system is designed), define the purpose for which the information is collected by the system?

    • How do you decide what information is collected by the system? What are the considerations? Are they determined according to customer requirements? According to common practices? Some other criteria?

    • Is the legitimacy of the purpose for which personal information is collected by the system discussed? Do you ever ask yourself if a specific purpose of collecting personal information is legal/problematic in any sense?

    • In your opinion, should personal information accumulated about users in the system be deleted? If so, after how much time should it be deleted? (Immediately after the use of the information? after one month? three months? one year? two years? five years? ten years?)

  8. 8.

    Responsibility

    • Is information privacy considered to be the responsibility of the architect?

    • (If not): Whose responsibility is it?

  9. 9.

    Open discussion

    • Do you have any other thoughts about informational privacy you would like to share?

    • Why did you agree to be interviewed for this research?

Table 5 List of privacy strategies
Full size table

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Hadar, I., Hasson, T., Ayalon, O. et al. Privacy by designers: software developers’ privacy mindset. Empir Software Eng 23, 259–289 (2018). https://doi.org/10.1007/s10664-017-9517-1

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10664-017-9517-1

Keywords

Search

Navigation