This Article 
 Bibliographic References 
 Add to: 
Engineering Privacy
January/February 2009 (vol. 35 no. 1)
pp. 67-82
Sarah Spiekermann, Humboldt University, Berin
Lorrie Faith Cranor, Carnegie Mellon University, Pittsburgh
In this paper we integrate insights from diverse islands of research on electronic privacy to offer a holistic view of privacy engineering and a systematic structure for the discipline's topics. First we discuss privacy requirements grounded in both historic and contemporary perspectives on privacy. We use a three-layer model of user privacy concerns to relate them to system operations (data transfer, storage and processing) and examine their effects on user behavior. In the second part of the paper we develop guidelines for building privacy-friendly systems. We distinguish two approaches: "privacy-by-policy" and "privacy-by-architecture." The privacy-by-policy approach focuses on the implementation of the notice and choice principles of fair information practices (FIPs), while the privacy-by-architecture approach minimizes the collection of identifiable personal data and emphasizes anonymization and client-side data storage and processing. We discuss both approaches with a view to their technical overlaps and boundaries as well as to economic feasibility. The paper aims to introduce engineers and computer scientists to the privacy research domain and provide concrete guidance on how to design privacy-friendly systems.

[1] A. Etzioni, The Limits of Privacy, 1999.
[2] P. Sprenger, “Sun on Privacy: 'Get over It',” Wired News,,1283,17538,00.html , 26 Jan. 1999.
[3] “The Coming Backlash in Privacy,” The Economist, 2000.
[4] A. Cavoukian and T.J. Hamilton, The Privacy Payoff: How Successful Businesses Build Customer Trust. McGraw-Hill, 2002.
[5] J. Guynn, “Facebook Hangs Its Head over Ad System,” Los Angeles Times, la-fi- facebook6dec06,0,1006420.story?coll=la-headlines-pe-business , 6Dec. 2007.
[6] A. Acquisti, A. Friedman et al. “Is There a Cost to Privacy Breaches? An Event Study Analysis,” Proc. Third Int'l Conf. Intelligent Systems, 2006.
[7] Ernst & Young LLP, Privacy: What Consumers Want, 2002.
[8] Int'l Assoc. Privacy Professionals (IAPP), “US Privacy Enforcement Case Studies Guide,” stories/pdfsIAPP_Privacy_Enforcement_Cases_ 07.05.07.pdf , 2007.
[9] CBS News, “Poll: Privacy Rights under Attack,” opinion/pollsmain894733.shtml, Oct. 2005.
[10] Privacy Int'l, National Privacy Ranking 2006—, European Union and Leading Surveillance Societies, 2006.
[11] TAUCIS—Technikfolgenabschätzungsstudie Ubiquitäres Computing und Informationelle Selbstbestimmung, J. Bizer et al., eds. 2006.
[12] S. Spiekermann et al., “E-Privacy in 2nd Generation E-Commerce,” Proc. Third ACM Conf. Electronic Commerce, 2001.
[13] A. Acquisti and J. Grossklags, “Privacy and Rationality in Individual Decision Making,” IEEE Security & Privacy, vol. 2, pp.24-30, 2005.
[14] Privacy & American Business, “New Survey Reports an Increase in ID Theft and Decrease in Consumer Confidence,” http://www.pandab.orgdeloitteidsurveypr.html , May 2005.
[15] S. Spiekermann, “Acceptance of Ubiquitous Computing Services: About the Importance of Human Control,” presentation at the Carnegie Mellon Univ. Heinz School of Public Policy and Management, Pittsburgh, 2006.
[16] J. Tsai, S. Egelman, L. Cranor, and A. Acquisti, “The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study,” Proc. Workshop Economics of Information Security, June 2007.
[17] S. Lahlou, M. Langheinrich, and C. Röcker, “Privacy and Trust Issues with Invisible Computers,” Comm. ACM, vol. 48, no. 3, pp.59-60, 2005.
[18] A. Whitten and J.D. Tygar, “Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0,” Proc. Eighth USENIX Security Symp., Aug. 1999.
[19] R. Dingledine and N. Mathewson, “Anonymity Loves Company: Usability and the Network Effect,” Security and Usability: Designing Secure Systems that People Can Use, L. Cranor and S. Garfinkel, eds., pp. 547-559, 2005.
[20] O. Berthold et al., “Web MIXes: A System for Anonymous and Unobservable Internet Access,” Proc. Int'l Workshop Design Issues in Anonymity and Unobservability. 2001.
[21] R. Dingledine et al., “Tor: The Second-Generation Onion Router,” Proc. 12th USENIX Security Symp., 2004.
[22] P. Golle, F. McSherry, and I. Mironov, “Data Collection with Self-Enforcing Privacy,” Proc. 13th ACM Conf. Computer and Comm. Security, pp. 69-78, , Oct./Nov. 2006.
[23] J. Feigenbaum, M.J. Freedman, T. Sander, and A. Shostack, “Privacy Engineering for Digital Rights Management Systems,” Revised Papers from the ACM CCS-8 Workshop Security and Privacy in Digital Rights Management, pp. 76-105, T. Sander, ed., 2002.
[24] B. Friedman, I.E. Smith et al. “Development of a Privacy Addendum for Open Source Licenses: Value Sensitive Design in Industry,” Proc. Eighth Int'l Conf. Ubiquitous Computing, 2006.
[25] L.F. Cranor, P. Guduru, and M. Arjula, “User Interfaces for Privacy Agents,” ACM Trans. Computer-Human Interaction, vol. 13, no. 2, pp. 135-178, , June 2006.
[26] J.B. Earp, A.I. Antón, and O. Jarvinen, “A Social, Technical and Legal Framework for Privacy Management and Policies,” Proc. Americas Conf. Information Systems, 2002.
[27] J.I. Hong, J.D. Ng, S. Lederer, and J.A. Landay, “Privacy Risk Models for Designing Privacy-Sensitive Ubiquitous Computing Systems,” Proc. Fifth Conf. Designing Interactive Systems: Processes, Practices, Methods, and Techniques, pp. 91-100, , Aug. 2004.
[28] D. Warren and L. Brandeis, “The Right to Privacy,” Harvard Law Rev., vol. 45, 1890.
[29] R.A. Posner, “Privacy—A Legal Analysis,” Philosophical Dimensions of Privacy, F.D. Schoeman, ed., 1984.
[30] I. Altman, The Environment and Social Behavior: Privacy, Personal Space, Territory, Crowding. Brooks/Cole, 1975.
[31] A.F. Westin, Privacy and Freedom. Atheneum, 1967.
[32] L.F. Cranor, “Privacy Policies and Privacy Preferences,” Security and Usability: Designing Secure Systems that People Can Use, L.Cranor and S. Garfinkel, eds., 2005.
[33] D.J. Solove, “A Taxonomy of Privacy,” Univ. of Pennsylvania Law Rev., vol. 154, 2005.
[34] Heise Online, “Datenschützer: Google's Mail-Service in Deutschland unzulässig,” , 2004.
[35] J.A. Hoffer et al., Modern Systems Analysis and Design. Prentice Hall, 2002.
[36] J.C. Cannon, Privacy: What Developers and IT Professionals Should Know. Addison-Wesley Professional, 2004.
[37] L.F. Cranor, “I Didn't Buy It for Myself,” Designing Personalized User Experiences in E-Commerce, C.-M. Karat, J.O. Blom, and J.Karat, eds., Kluwer Academic Publishers, 2004.
[38] A. Adams and A. Sasse, “Taming the Wolf in Sheep's Clothing: Privacy in Multimedia Communications,” Proc. Seventh ACM Int'l Multimedia Conf., 1999.
[39] A. Adams and A. Sasse, “Privacy in Multimedia Communications: Protecting Users, Not Just Data,” People and Computers XV—Interaction without Frontiers, J. Blandford, J. Vanderdonkt, and P. Gray, eds., pp. 49-64, Springer, 2001.
[40] H. Nissenbaum, “Privacy as Contextual Integrity,” Washington Law Rev., vol. 791, pp. 119-158, 2004.
[41] S. Byers, “Information Leakage Caused by Hidden Data in Published Documents,” IEEE Security & Privacy, vol. 2, no. 2, pp.23-27, 2004.
[42] G.J. Nowag and J. Phelps, “Direct Marketing and the Use of Individual-Level Consumer Information: Determining How and When Privacy Matters,” J. Direct Marketing, vol. 93, pp. 46-60, 1995.
[43] “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data,” J. European Communities, vol. 281, no. 31, 1995.
[44] The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments, M. Rotenberg, ed. EPIC, 2004.
[45] P.N. Otto, A.I. Anton, and D.L. Baumer, “The ChoicePoint Dilemma: How Data Brokers Should Handle the Privacy of Personal Information,” IEEE Security & Privacy, vol. 5, no. 5, pp.15-23, Sept./Oct. 2007, doi: http://doi.ieeecomputersociety. org/10.1109 MSP.2007.126.
[46] S. Spiekermann et al., “Stated Privacy Preferences versus Actual Behaviour in EC Environments: A Reality Check,” Proc. Fifth Internationale Tagung Wirtschaftsinformatik, 2001.
[47] B. Berendt et al., “Privacy in E-Commerce: Stated Preferences versus Actual Behavior,” Comm. ACM, vol. 484, pp. 101-106, 2005.
[48] P.M. Regan, Legislating Privacy: Technology, Social Values, and Public Policy. Univ. of North Carolina Press, 1995.
[49] K.B. Sheehan, “Toward a Typology of Internet Users and Online Privacy Concerns,” The Information Soc., vol. 1821, pp. 21-32, 2002.
[50] M. Brown and R. Muchira, “Investigating the Relationship between Internet Privacy Concerns and Online Purchase Behavior,” J. Electronic Commerce Research, vol. 5, no. 1, pp. 62-70, 2004.
[51] N. Malhotra, S.S. Kim, and J. Agarwal, “Internet Users' Information Privacy Concerns IUIPC: The Construct, the Scale, and a Causal Model,” Information Systems Research, vol. 15, no. 4, pp. 336-355, 2004.
[52] M.S. Ackerman, L.F. Cranor, and J. Reagle, “Privacy in E-Commerce: Examining User Scenarios and Privacy Preferences,” Proc. First ACM Conf. Electronic Commerce, pp. 1-8,, Nov. 1999.
[53] J.H. Smith et al., “Information Privacy: Measuring Individuals' Concerns about Organizational Practices,” MIS Quarterly, vol. 202, pp. 167-196, 1996.
[54] S. Garfinkel and A. Shelat, “Remembrance of Data Passed: A Study of Disk Sanitization Practices,” IEEE Security & Privacy, Jan./Feb. 2003.
[55] N.F. Awad and K. Fitzgerald, “The Deceptive Behaviors that Offend Us Most about Spyware,” Comm. ACM, vol. 48, pp. 55-60, , Aug. 2005.
[56] O. Berthold et al., “RFID Verbraucherängste und Verbraucherschutz,” Wirtschaftsinformatik Heft, vol. 6, 2005.
[57] O. Guenther and S. Spiekermann, “RFID and Perceived Control— The Consumer's View,” Comm. ACM, vol. 489, pp. 73-76, 2005.
[58] S.M. Edwards, H. Li et al., “, Forced Exposure and Psychological Reactance: Antecedents and Consequences of the Perceived Intrusiveness of Pop-Up Ads,” J. Advertising, vol. 313, pp. 83-96, 2002.
[59] S. Spiekermann, “The Desire for Privacy: Insights into the Views and Nature of the Early Adopters of Privacy Services,” Int'l J. Technology and Human Interaction, vol. 11, 2004.
[60] D. Spiegel, “Exhibitionismus—leichtgemacht,” Der Spiegel, vol. 29, 2006.
[61] P. Kumaraguru and L. Cranor, “Privacy Indexes: A Survey of Westin's Studies,” ISRI Technical Report CMU-ISRI-05-138, isri2005/ abstracts05-138.html, 2005.
[62] S. Spiekermann, “Auswirkungen der UC-Technologie auf Verbraucher: Chancen und Risiken,” Technikfolgenabschätzung Ubiquitäres Computing und Informationelle Selbstbestimmung TAUCIS, J.Bizer, O. Guenther, and S. Spiekermann, eds. Berlin, Bundesministerium für Bildung und Forschung BMBF, pp. 153-196, 2006.
[63] G. Löwenstein and D. Prelect, “Anomalies in Intertemporal Choice: Evidence and an Interpretation,” Choices, Values, and Frames, D. Kahneman and A. Tversky, eds., pp. 578-596, Cambridge Univ. Press, 2000.
[64] A. Acquisti, “Privacy in Electronic Commerce and the Economics of Immediate Gratification,” Proc. Fifth ACM Conf. Electronic Commerce, pp. 21-29,, May 2004.
[65] H. Varian, “Economic Aspects of Personal Privacy,” Privacy and Self-Regulation in the Information Age, 1996.
[66] K. Strandburg, Privacy, Rationality, and Temptation: A Theory of Willpower Norms. College of Law, DePaul Univ., 2005.
[67] B. Huberman et al., “Valuating Privacy,” IEEE Security & Privacy, vol. 1, pp. 22-25, 2004.
[68] F.B. Viégas, “Bloggers' Expectations of Privacy and Accountability: An Initial Survey,” J. Computer-Mediated Comm., vol. 103, 2005.
[69] V. Mayer-Schönberger, Useful Void: The Art of Forgetting in the Age of Ubiquitous Computing. John F. Kennedy School of Government, Harvard Univ., 2007.
[70] M. Gumbrecht, “Blogs as 'Protected Space',” Proc. Workshop Weblogging Ecosystem: Aggregation, Analysis, and Dynamics at the World Wide Web Conf., 2004.
[71] J. Gideon, L. Cranor, S. Egelman, and A. Acquisti, “Power Strips, Prophylactics, and Privacy, Oh My,” Proc. Second Symp. Usable Privacy and Security, vol. 149, pp. 133-144, , July 2006.
[72] N.F. Awad and M.S. Krishnan, “The Personalization Privacy Paradox: An Empirical Evaluation of Information Transparency and the Willingness to be Profiled Online for Personalization,” MIS Quarterly, vol. 301, pp. 13-28, 2006.
[73] S. Lederer and A. Dey, A Conceptual Model and a Metaphor of Everyday Privacy in Ubiquitous Computing Environments. Univ. of California, Berkeley, 2002.
[74] Richtlinie Des Europäischen Parlaments Und Des Rates über die Vorratsspeicherung von Daten, die bei der Bereitstellung öffentlich zugänglicher elektronischer Kommunikationsdienste oder öffentlicher Kommunikationsnetze erzeugt oder verarbeitet werden, und zur Änderung der Richtlinie 2002/58/EG, Brussels, European Parlament2005/0182 COD, EU, 2006.
[75] S. Garfinkel, Database Nation—The Death of Privacy in the 21st Century. O'Reilly & Assoc., 2000.
[76] R. Agrawal and R. Srikant, “Privacy-Preserving Data Mining,” SIGMOD Record, vol. 29, no. 2, pp. 439-450, June 2000, doi:
[77] L. F. Cranor, S. Egelman, J. Hong, P. Kumaraguru, C. Kuo, S. Romanosky, J. Tsai, and K. Vaniea, “FoxTor: A Tor Design Proposal,” 113005.pdf , 2005.
[78] OECD, “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,”,2340,en_2649_201185_1815186_1_1_1_1,00.html , 1980.
[79] US Federal Trade Commission, Privacy Online: Fair Information Practices in the Electronic Marketplace, A Report to Congress, , 2000.
[80] D. Chaum, “Security without Identification: Transaction Systems to Make Big Brother Obsolete,” Comm. ACM, vol. 28, no. 10, 1030-1044,, Oct. 1985.
[81] J. Camenisch and E. Van Herreweghen, “Design and Implementation of the 'Idemix' Anonymous Credential System,” Proc. Ninth ACM Conf. Computer and Comm. Security, V. Atluri, ed., pp. 21-30,, Nov. 2002.
[82] B. Pfitzmann, M. Waidner et al. “Rechtssicherheit Trotz Anonymität in Offenen Digitalen Systemen; Datenschutz und Datensicherung,” Datenschutz und Datensicherheit DuD, vol. 14, pp. 5-6, 1990.
[83] M.K. Reiter, and A.D. Rubin, “Anonymous Web Transactions with Crowds,” Comm. ACM, vol. 42, no. 2, pp. 32-48,, Feb. 1999.
[84] J.I. Hong and J.A. Landay, “An Architecture for Privacy-Sensitive Ubiquitous Computing,” Proc. Second Int'l Conf. Mobile Systems, Applications, and Services, pp. 177-189,, June 2004.
[85] A. LaMarca, Y. Chawathe, S. Consolvo, J. Hightower, I. Smith, J. Scott, T. Sohn, J. Howard, J. Hughes, F. Potter, J. Tabert, P. Powledge, G. Borriello, and B. Schilit, “Place Lab: Device Positioning Using Radio Beacons in the Wild,” Proc. Int'l Conf. Pervasive Computing, 2005.
[86] J. Canny, “Collaborative Filtering with Privacy,” Proc. IEEE Symp. Security and Privacy, pp. 45-57, 2002.
[87] J. Zibuschka, L. Fritsch, M. Radmacher, T. Scherner, and K. Rannenberg, “Enabling Privacy in Real-Life LBS: A Platform for Flexible Mobile Service Provisioning,” New Approaches for Security, Privacy and Trust in Complex Environments, H. Venter, M. Eloff, L. Labuschagne, J. Eloff, and R. von Solms, eds., IFIP Int'l Federation for Information Processing, vol. 232, pp. 325-336, Springer, 2008.
[88] M. Gruteser and D. Grunwald, “Enhancing Location Privacy in Wireless LAN through Disposable Interface Identifiers: A Quantitative Analysis,” Mobile Networks and Applications, vol. 10, no. 3, pp. 315-325, June 2005, doi: .
[89] S. Spiekermann et al., “User Agents in E-Commerce Environments: Industry versus Consumer Perspectives on Data Exchange,” Proc. 15th Conf. Advanced Information Systems Eng., 2003.
[90] A. Kobsa and J. Schreck, “Privacy through Pseudonymity in User-Adaptive Systems,” ACM Trans. Internet Technology, vol. 3, no. 2, pp. 149-183,, May 2003.
[91] A. Kobsa, “Privacy-Enhanced Web Personalization,” The Adaptive Web: Methods and Strategies of Web Personalization, P. Bruslikovsky, A. Kobsa, and W. Nejdl, eds., Springer Verlag, 2007.
[92] M. Barbaro and T. Zeller, “A Face is Exposed for AOL Searcher No. 4417749,” The New York Times, 9 Aug. 2006.
[93] E. Mills and A. Broache, “Three Workers Depart AOL after Privacy Uproar,” CNET, 21 Aug. 2006.
[94] A. Pfitzmann and M. Hansen, Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management—A Consolidated Proposal for Terminology Version v0.30, http://dud.inf.tu-dresden.deAnon_Terminology.shtml , Nov. 2007.
[95] A. Narayanan and S. Vitaly, “Robust De-Anonymization of Large Sparse Datasets,” Proc. IEEE Symp. Security and Privacy, 2008.
[96] B. Malin, “Betrayed by My Shadow: Learning Data Identity Via Trail Matching,” J. Privacy Technology, , 2005.
[97] L. Sweeney, “$k$ -Anonymity: A Model for Protecting Privacy,” Int'l J. Uncertainty, Fuzziness and Knowledge-Based Systems, vol. 10, no. 5, pp. 557-570, 2002.
[98] A. Machanavajjhala, D. Kifer, J. Gehrke, and M. Venkitasubramaniam, “L-Diversity: Privacy Beyond $k$ -Anonymity,” ACM Trans. Knowledge Discovery from Data, vol. 1, no. 3, Mar. 2007, doi: .
[99] A.K. Ghosh, Security and Privacy for E-Business. John Wiley & Sons, 2001.
[100] R.J. Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems. John Wiley & Sons, 2001.
[101] “The Center for Information Policy Leadership,” Multi-Layered Notices Explained, FileUpload265/1303CIPL-APEC_Notices_White_Paper.pdf , Jan. 2007.
[102] L.F. Cranor, Web Privacy with P3P. O'Reilly, 2002.
[103] I. Pollach, “What's Wrong with Online Privacy Policies?” Comm. ACM, vol. 50, no. 9, pp. 103-108, , Sept. 2007.
[104] Microsoft, Privacy Guidelines for Developing Software Products and Services—Version 1.0, 2006.
[105] D. McFarlane, “Comparison of Four Primary Methods for Coordinating the Interruption of People in Human-Computer Interaction,” Human-Computer Interaction, vol. 173, pp. 63-139, 2002.
[106] G. Hsieh, K.P. Tang, W.Y. Low, and J.I. Hong, “Field Deployment of 'IMBuddy': A Study of Privacy Control and Feedback Mechanisms for Contextual IM,” Proc. Ninth Int'l Conf. Ubiquitous Computing, pp. 91-108, 2007.
[107] J. Cornwell, I. Fette, G. Hsieh, M. Prabaker, J. Rao, K. Tang, K. Vaniea, L. Bauer, L. Cranor, J. Hong, B. McLaren, M. Reiter, and N. Sadeh, “User-Controllable Security and Privacy for Pervasive Computing,” Proc. Eighth IEEE Workshop Mobile Computing Systems and Applications, 2007.
[108] M. Prabaker, J. Rao, I. Fette, P. Kelley, L. Cranor, J. Hong, and N. Sadeh, “Understanding and Capturing People's Privacy Policies in a People Finder Application,” Proc. Workshop Ubicomp Privacy, Sept. 2007.
[109] Information Commissioner's Office, “What Price Privacy? The Unlawful Trade in Confidential Personal Information,” corporate/ research_and_reportswhat_price_privacy.pdf , 2006.
[110] D. McCullough and A. Broache, “HP Scandal Reviving Pretexting Legislation,” CNET, 15 Sept. 2006.
[111] “Your Grocery Purchases on the Web for All to See?” Privacy J., vol. 27, no. 5, pp. 1-7, Mar. 2001.
[112] Vodafone, Vodafone Location Services—Privacy Management Code of Practice, 2003.
[113] A. Barth and J.C. Mitchell, “Enterprise Privacy Promises and Enforcement,” Proc. Workshop Issues in the Theory of Security, pp.58-66, , Jan. 2005.
[114] C. Powers and M. Schunter, “Enterprise Privacy Authorization Language EPAL 1.2,” W3C Member Submission 10,, Nov. 2003.
[115] M. Deng, L. Fritsch, and K. Kursawe, “Personal Rights Management,” Proc. Sixth Workshop Privacy-Enhancing Technologies, G.Danezis and P. Golle, eds., 2006.
[116] J. Kang, “Information Privacy in Cyberspace Transactions,” Stanford Law Rev., vol. 50, pp. 1194-1294, 1998.

Index Terms:
Privacy, Legal Aspects of Computing, Security and Protection, Requirements/Specifications
Sarah Spiekermann, Lorrie Faith Cranor, "Engineering Privacy," IEEE Transactions on Software Engineering, vol. 35, no. 1, pp. 67-82, Jan.-Feb. 2009, doi:10.1109/TSE.2008.88
Usage of this product signifies your acceptance of the Terms of Use.