Everything You Wanted to Know about Privacy (But Were Afraid to Ask)

Shari Lawrence Pfleeger, RAND Corp.

Pages: p. 5

As nations struggle to balance national security concerns against privacy issues, individuals are increasingly eager to know not only what privacy rights they can expect but also how technology can help ensure those rights. J.C. Cannon's book promises to deliver on both counts.

Cannon's message is clear: privacy should be a primary concern, not an afterthought. He offers tips on establishing a corporate privacy policy and provides templates and reference material to simplify policy generation. He also gives useful, detailed diagrams on integrating privacy controls into each stage of software development. Similarly, Cannon discusses the need for careful privacy analysis and includes examples of privacy-enhancing code involving data protection and disclosure of the type of privacy the subject application offers.

However, the book could have used a good editor. The focus shifts back and forth from a bird's-eye view of issues to microscopic detail—a characteristic that can be quite disconcerting. For example, Cannon paints recent US privacy-related legislation, such as the Sarbanes-Oxley and Gramm-Leach-Bliley Acts, with a broad brush, followed shortly thereafter by a button-by-button description of browser privacy settings. The opening example in chapter 8 is reused almost verbatim from chapter 1. Acronyms are undefined or used well before they're defined. The book's grammatical errors (subject-verb agreement) and typos (references to "Gramm-Leach-Billey") distracted me and made me wonder what else might be incorrect.

Cannon would offer more to a wider audience if he acknowledged a broader and more complete international perspective throughout the book. Although he discusses the EU Privacy Directive, for example, he fails to point out that it prohibits the use of personal data for purposes other than those for which it was originally collected. Moreover, he never makes it clear which country's privacy laws take precedence when selling or using software.

Although the back cover suggests that it takes a comprehensive look at privacy issues, the book leaves a gaping hole where history and ethics should be; there's very little substantive discussion of the notion of privacy as a right rather than a privilege. Cannon mentions fair information practices only in an appendix, denying the reader a sense of the evolution of privacy issues and law. For instance, he mentions digital rights management (DRM), but focuses on DRM software and standards rather than on the changing notions of copyright protection. I strongly recommend that readers read the privacy and ethics sections of Sara Baase's A Gift of Fire (Prentice Hall, 2002) before diving into Cannon's book. Such grounding and a healthy skepticism will balance Cannon's more naïve suggestions. He describes how to delete a browser's Internet history, for example, but fails to wonder whether it might still exist somewhere that the user can no longer see it.


Cannon's is one of a host of privacy books available to software practitioners and users that inform the much-needed discussion about who should have access to our data, what they should be able to do with it, and to what end. It's essential that we as practitioners have a voice in this discussion, particularly when we're asked to capture, store, and use personal or corporate information.

About the Authors

Shari Lawrence Pfleeger is a senior information scientist at the RAND Corporation, where she investigates how decisions are made as software is developed and deployed. Her research interests include software engineering, cybersecurity economics, and empirical evaluation. Pfleeger has a PhD in information technology and engineering from George Mason University. Contact her at