Privacy at Speed: Privacy by Design for Agile Development at Uber

Tuesday, January 28, 2020 - 2:30 pm to 3:00 pm

Dr. Engin Bozdag, Uber

Abstract:

The concept of privacy by design (PbD) is more than 20 years old and a common element in both regulatory and technical discussions. While many strategies for Privacy by Design focus on product development with a traditional waterfall-style methodology, today's agile development process does not follow the historically clear-cut and distinct design, planning, implementation, and release phases. Many privacy risk mitigation strategies are created for the waterfall-style methodology and focus on the planning phase. The implementation phase then consists of taking the planned actions in the hope that they are enough to avoid the identified risks.

In an agile methodology, software is released in an iterative and feedback-driven fashion, which emphasizes short development cycles, continuous testing, user-centricity and greater simplicity of design. Agile programming practices allow developers across services to continuously tweak, remove or add features using "build-measure-learn" feedback loops. This includes experimental features, minimum viable products, and alpha releases. While agility requires quick software development sprints, privacy analysis is usually a slow and time-consuming activity. In addition, technical privacy assessments are based on the architectural description of the system, but in agile development there is often no grand design upfront and the documentation is limited. It might be possible to assess the privacy readiness of each feature, but when these features are combined, there is no guarantee that the service itself, or the entire supply chain that underlies it, fulfills all the privacy requirements. The latter is a consequence of the modular, microservice-oriented architectures that are favored in current-day software ecosystems.

In this talk, we will demonstrate an approach to technical privacy where privacy by design is applied in a hyper-connected service environment. We will walk through some of the principles coming from GDPR, industry standards such as ISO29100 and Data Protection Authority guidelines. We will also demonstrate how those principles can be applied to a complex agile environment.

Engin Bozdag, Uber

Engin is a senior privacy architect at Uber and leads the technical privacy review process to ensure privacy is embedded into products and services as early as possible. Prior to Uber, Engin worked for health tech leader Philips and led their technical GDPR implementation program. Engin holds a Ph.D. degree in algorithmic bias and technology ethics and an M.S. in software engineering both from Delft University of Technology, the leading technical university of the Netherlands and one of the leading engineering schools in the world. Engin is a member of the ISO/PC 317 Working Group working to create a global standard on Privacy by Design. Engin is also affiliated with 4TU Centre for Ethics & Technology (the major research center in the Netherlands on technology ethics) and also a regular guest lecturer for Delft University of Technology.


BibTeX
@conference {244720,
author = {Engin Bozdag},
title = {Privacy at Speed: Privacy by Design for Agile Development at Uber},
year = {2020},
address = {San Francisco, CA},
publisher = {USENIX Association},
month = jan
}
