IT can have a major impact on personal privacy even if system developers do not plan any deliberate intrusion, so IT specialists need to think more widely about the potential uses of their systems.
This understanding emerged from a BCS debate involving senior representatives from IT user companies, suppliers, government and universities as part of the national Foresight Programme of advanced research.
The "thought leadership" debate, held under a rule of anonymity, considered some uncomfortable questions that IT developers might ask themselves, for example:
- Does someone developing a system to make web page creation easy need to consider that people can extract personal web content and use it in different ways to those intended by the originator?
- Does the developer of a database application need to think about whether they give people a simple way to check their personal data which might be managed by the system?
- Should someone writing software to connect mobile devices to a network consider privacy issues around the personal data that flies around when someone connects to a network?
- Does someone writing software to manage credit card transactions need to think about the privacy implications of the secondary uses of a card: for example, to collect air tickets already paid for and to check in automatically?
So how can proper deliberation of privacy and security implications be initiated?
IT people should start to think beyond engineering and take account of the need to respect and protect privacy. They should not consider themselves as mere tool developers, use of whose tool is someone else's concern, the debate heard.
At system development level, IT professionals need to think about the privacy and security implications of what they are developing, how to minimise leakage, and how to enable individuals to check personal information handled by their systems. Security professionals need to be included in the design of systems, not just at the deployment stage.
At a broader professional level, IT people need to think about privacy, spread awareness of the issues, and consider social needs and how they are met in systems. IT professionals at this level have a duty to share awareness of what a system implies for the overall context, involving IT and human processes, the debate heard.
It is not enough for IT professionals to give reassurances that encryption for communication protects privacy if they ignore the point that users are working with databases at either end of the communications link. Arguably all IT professionals must have ethical training, because of the pervasive nature of IT.
RFID and privacy
The BCS thought leadership debate heard that the privacy issues discussed affect radio frequency identification tagging technology. Under European law, any company that uses RFID must notify the consumer the tag is on the product and provide details on how to discard the tag and access the information held on it.