Designing systems with privacy in mind

Due to a malfunction, a journalist was banned from using her work tool, Google Docs. She was reporting on wildlife crime when an automated process flagged her content as malicious and locked her out for violating the Terms of Service. This happened automatically, without human intervention. The system analyzes, in real time, everything we write in our online documents – including this one, ironically (I usually write my drafts in Google Docs). This real-time inspection of my text in Google Docs cannot be turned off because it’s considered a core feature.


Privacy by Design means that you build systems in a way that allows for technically enforced privacy.

Privacy invasion by design

Last year the rollout of Office 365 for tens of thousands of municipal employees was stopped for the same reason. The data is protected from a malicious hacker in transit, but not from a rogue Microsoft employee with high privileges or, for that matter, from subpoenas from the American state. Since the municipality is processing sensitive data about its citizens, this was deemed unacceptable.

For some entities, this concern has been a reason not to buy products like G Suite (Gmail for business) or Office 365. As a journalist, I am obliged to protect my sources. I may also be expected to use tools such as Google Drive or Office 365, which are not designed with Privacy by Design in mind. If my organization is handling patient data, anonymous sources, business secrets or sensitive personal data, these products have an insufficient level of protection.

So, to summarize, both Google and Microsoft have designed their business-grade, subscription-based products on the premise that some Google or Microsoft employees can read their customers’ data.

Paranoid Privacy by Design

On the other side of the design spectrum we have Signal Secure Messaging. Signal uses the same kind of end-to-end encryption that the more popular WhatsApp does (or, actually, it’s the other way around). Similar to the examples above, the data is protected in transit. On top of that, the provider has no means to access the content of your chats, ever. The actual data, your messages and images, are only visible on the endpoints (your phones). Signal also treats the metadata as toxic waste and only keeps a bare minimum. They know the time that someone has created an account, and they know the last time it was used. That’s it. WhatsApp keeps all the metadata – exactly when you wrote to whom, how big the payload was, where you were when you wrote it, etc.

Analyzing the privacy of your design

Some design their products to hoard data compulsively; some treat data as toxic waste. When designing a system, this is a core design choice you have to think about.

  • What do I want to know?
  • Are there other means of learning what I need to know than to keep data?
  • What is the benefit of keeping that data?
  • What is the downside of keeping that data?
  • For how long do I need to keep that data?
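
The checklist above can be enforced in code rather than left as policy. The following added example (not part of the original article) is a schema-driven ingest filter: a field is stored only if it has a declared purpose and retention period, everything else is dropped on arrival, and stored fields are purged once their period expires. The field names, purposes and retention periods are assumptions; the two retained fields mirror what the article says Signal keeps.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class FieldPolicy:
    purpose: str          # what do I want to know, and why?
    retention: timedelta  # for how long do I need to keep it?


# Hypothetical policy: the two values the article says Signal keeps.
# Purposes and retention periods are illustrative assumptions.
POLICY = {
    "account_created": FieldPolicy("account lifecycle", timedelta(days=3650)),
    "last_seen": FieldPolicy("expire idle accounts", timedelta(days=365)),
}


def minimize(event, policy, now):
    """Keep only fields with a declared purpose; report what was dropped."""
    kept = {k: (v, now) for k, v in event.items() if k in policy}
    dropped = sorted(k for k in event if k not in policy)
    return kept, dropped


def purge(record, policy, now):
    """Delete stored fields whose retention period has run out."""
    return {
        k: (v, stored_at)
        for k, (v, stored_at) in record.items()
        if k in policy and now - stored_at <= policy[k].retention
    }


def demo():
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    # Constructed sample event carrying the metadata the article lists.
    event = {"account_created": "2023-06-01", "last_seen": "2024-01-01",
             "recipient": "+15550100", "payload_bytes": 48213,
             "location": "59.33,18.06"}
    record, dropped = minimize(event, POLICY, now)
    later = purge(record, POLICY, now + timedelta(days=400))
    return record, dropped, later


if __name__ == "__main__":
    print(demo())
```

The list of dropped fields is worth logging by name only (never by value): it shows which clients or upstream services are sending data the system has no declared use for.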