Let’s talk about digital identity with Oscar Santolalla, Ann Cavoukian and Katryna Dow.

In this latest episode within the Identity Story Series, Ann Cavoukian, creator of Privacy by Design and Katryna Dow, CEO at Meeco, join Oscar to explore the road to becoming ISO 31700 for Privacy by Design. They discuss the importance of Privacy by Design and how it can help organisations protect their customers’ personal data and comply with data protection regulations and the impact of Privacy by Design becoming an ISO Standard.

[Transcript below]

“If you don’t have a strong foundation of security from end to end with full lifecycle protection, you’re not going to have any privacy.” ~ Ann Cavoukian

Guest Photo: Ann Cavoukian

Dr Ann Cavoukian is recognised as one of the world’s leading privacy experts. Dr Cavoukian served an unprecedented three terms as the Information & Privacy Commissioner of Ontario, Canada. There she created Privacy by Design, a framework that seeks to proactively embed privacy into the design specifications of information technologies, networked infrastructure and business practices, thereby achieving the strongest protection possible. In 2010, International Privacy Regulators unanimously passed a Resolution recognising Privacy by Design as an International Standard. Since then, PbD has been translated into 40 languages! In 2018, PbD was included in a sweeping new law in the EU: the General Data Protection Regulation.

Dr Cavoukian is now the Executive Director of the Global Privacy & Security by Design Centre. She is also a Senior Fellow of the Ted Rogers Leadership Centre at Ryerson University, and a Faculty Fellow of the Centre for Law, Science & Innovation at the Sandra Day O’Connor College of Law at Arizona State University.

Listen to Episode 73, where Ann joined the podcast to discuss Privacy by Design, and connect with Ann on LinkedIn.

“One of the really challenging things about privacy and security is if you don’t bake it in at the lower layers, if you don’t build that foundation, it’s really hard to go back and put it into a product or service afterwards.” ~ Katryna Dow

Guest Photo: Katryna Dow

Katryna Dow is the founder and CEO of Meeco; a personal data & distributed ledger platform that enables people to securely exchange data via the API-of-Me with the people and organisations they trust. Katryna has been pioneering personal data rights since 2002, when she envisioned a time when personal sovereignty, identity and contextual privacy would be as important as being connected. Now within the context of GDPR and Open Banking, distributed ledger, cloud, AI and IoT have converged to make Meeco both possible and necessary.

Find out more about Meeco at meeco.me.

For the past three years, Katryna has been named as one of the Top 100 Identity Influencers. She is the co-author of the blockchain identity paper ‘Immutable Me’ and co-author/co-architect of Meeco’s distributed ledger solution and technical White Paper on Zero Knowledge Proofs for Access, Control, Delegation and Consent of Identity and Personal Data. Katryna speaks globally on digital rights, privacy and data innovation.

Listen to Episode 30, where Katryna joined the podcast to discuss Data minimisation, and connect with Katryna on LinkedIn.

Go to our YouTube to watch the video transcript for episode 89.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

Let's Talk About Digital Identity
Let's Talk About Digital Identity

The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.

Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Today we’re happy to bring you a new episode of our Identity Stories Series. Privacy by Design has just become an ISO standard, which we want to celebrate, so let’s go back in time and hear moments of this journey.

Let’s first hear from Privacy by Design’s creator herself, Dr Ann Cavoukian. She is recognised as one of the world’s leading privacy experts and she served an unprecedented three terms as the Information & Privacy Commissioner of Ontario, Canada.

Oscar: Dr Ann Cavoukian welcome back to Let’s talk about digital identity.

Ann Cavoukian: Thank you so much Oscar. It’s a pleasure.

Oscar: Use a time machine and bring us to the moment in which you started writing Privacy by Design.

Ann: We’ll have to go back to the nineties. So, I was first appointed Privacy Commissioner of Ontario, Canada, and I think ‘97. And when I was appointed commissioner, I joined the office, which consisted of brilliant lawyers, and they took, of course, a legal approach to protecting privacy, applying the law after a privacy harm had arisen.

But you see, I’m not a lawyer. I’m a psychologist. I took a very different view of how we should protect privacy in addition to legal means. I wanted something that would prevent the privacy harms from arising. I wanted to have a model of prevention that was proactive, baked into the code, baked into your operations, so that ideally, we can have fewer privacy infractions and data breaches.

And this is a very different approach to the legal one. So literally at my kitchen table over three nights, I created Privacy by Design, and then I took it in, and I sold it to my lawyers. And it didn’t take long, but it was a different approach. And I said, look, this will complement regulatory compliance, which is after the fact, applying a privacy law, after a privacy harm has arisen.

That’s very, very valuable. But I want ideally to minimise the number of privacy harms that arise. And that’s what Privacy by Design is all about. So, they got that. It was a win-win and they liked it. And away we went. And Privacy by Design has grown dramatically since then. It’s been translated into 40 languages. We’ve had great success with it.

Oscar: How was the whole journey since that time until now, 2023? Has the road to becoming an ISO standard been a bumpy road?

Ann: It’s always a bumpy road, there’s no question. But I had great fortune. I was very lucky in 2010. Privacy by Design was unanimously passed as an international standard by the International Assembly of Privacy Commissioners and Data Protection authorities in Brussels. So immediately in the privacy community, it grew enormously. And then when, the new law in the European Union, the General Data Protection regulation, was introduced or came into effect in 2018.

My Privacy by Design was included in the GDPR as well as privacy as the default, which is the second of seven foundational principles of Privacy by Design. This was huge. It being recognised like that was just such a huge development and it took hold globally because everyone around the world wants to do business with Europe and engage in business and trade with the European Union.

So, lots of countries started doing Privacy by Design. And whenever there was a new law that was developed, a privacy law like Brazil last year, they included Privacy by Design in it. So, it really took off. So, when ISO started considering including it as an international standard, that took years in the making. I mean, it just came into effect this year.

But my colleague Michelle Chibba, who’s amazing, I mean, she’s been sitting on committee meetings for the past, I don’t know, three, four or five years with ISO in, in an effort to make Privacy by Design an ISO standard. But we succeeded and that’s the whole thing. It is now an international standard, ISO 31700. And it’s all over the world.

It’s already becoming embraced by countries who recognise the value of ISO standards. So literally, I’m delighted by this.

Oscar: Fantastic. I can hear your, your voice of success when you are sharing this journey. And congratulations for that, of course.

Ann: Thank you.

Oscar: If you were wondering what are these ‘7 principles’, let’s hear now Dr Ann Cavoukian explaining the 7 foundational principles of Privacy by Design. Starting with Principle #1 Proactive not Reactive.

Ann: The first one ‘prevent the harms. You want to be proactive so that you could prevent the harms from arising. It’s very, very clear.

The second one is privacy as the default setting. And that’s– I talked about that quite a bit. It’s absolutely critical, in fact, it’s considered to be so important. When they enacted the GDPR in the European Union, the General Data Protection Regulation, they included not only my Privacy by Design, but specifically privacy as the default setting as well. So that’s very important.

The third one embedded in design is absolutely critical. If it’s not baked into the code into your operations, it’s going to be overlooked.

The fourth one you have to have, what I always say full functionality. Get rid of the zero-sum mindset of privacy versus security, or privacy versus data utility. It can’t be either, or, win, lose. It has to be win-win, privacy and data utility. You make a positive sum, and you get multiple positive gains, privacy and security always intertwined.

And the next one talking about security. While the term privacy subsumes a much broader set of protections and security alone, in this day and age of daily hacking and phishing, if you don’t have a strong foundation of security from end to end, with full lifecycle protection, you’re not going to have any privacy. So, start with a solid foundation of security throughout your entire organisation.

Give individuals access to their own data. I always say to companies and governments, you may have custody and control of someone’s data, but it doesn’t belong to you, it belongs to the data subject. So, give them the right of access that they have, allow them to gain access to personal information you have on them. And companies actually have come back to me, companies that are certified for Privacy by Design, and they say, “We love this. We love this principle. Because once we give customers access to their own data, they come back to us and say – No, no, that’s no longer the case. That was true about me two years ago, here’s what’s going on now.” So, they correct the information. They increase the accuracy of the information we hold. And it increases the quality of the data we have. So, they love it.

And the last principle, keep it user centric. When you keep it focused on the user, all of this flows out. Because it should all be around the individual, when it’s personal information you’re dealing with. Because personal information is about identifiable individuals. So, you have to keep it focused on the user, and what they permit, what they don’t permit, things of that nature. So that’s it. Seven foundational principles by design.

Oscar: Despite all the recognition that Privacy by Design has received for two decades, and the influence it has had in regulations such as the General Data Protection Regulation, GDPR, we saw that the vast majority of Internet products and services still didn’t use the seven foundational principles. An urgent push was necessary. What would help us make waves of such magnitude? Nothing better than a global standard published by the International Organisation for Standardisation, the ISO.

ISO standards are recognised by governments, regulatory bodies, and industry associations around the world, so becoming an ISO standard would increase the adoption of Privacy by Design and it would be recognised globally. It is not easy to become an ISO standard, with thorough review processes including, expert opinions, public consultation, and a vote by ISO members.

On 2018, a technical committee called ISO/PC 317 Consumer protection: Privacy by Design for consumer goods and services was created. Four more years, and all the efforts of this group of motivated and brilliant minds from all over the world came to fruition. On February 8th, 2023, the standard was published with the name “ISO 31700-1:2023 Consumer protection — Privacy by Design for consumer goods and services”.

Let’s now hear from another guest a perspective of a tech entrepreneur who has been incorporating Privacy by Design in their products.

Oscar: We are welcoming back Katryna Dow, who is CEO and founder at Meeco. Hello, Katryna.

Katryna Dow: Hello. It’s nice to be back. Thank you for inviting me.

Oscar: Katryna, how has Privacy by Design influenced you?

Katryna: Well, I’m very privileged. If I think back to when Ann Cavoukian and the Canadian government were at the forefront of bringing the concept of Privacy by Design into the world. I was the recipient of an early Privacy by Design Ambassador Award and I think that was twofold.

One, because after reading about the principles of Privacy by Design, we immediately decided to bake those things into the development of Meeco as a product. So architecturally, to adopt them. And secondly, we were invited, around 2016, to submit a consultation to the Canadian government in support of Privacy by Design, and really in support of why it was important from a technology design perspective and actually how it could make a difference.

We all remember, a lot of this thinking was pre GDPR. This was kind of at the forefront of the concept of considering for citizens. Initially, Canadians and now all around the world, this idea of taking a principle of privacy and considering it in every aspect of the design of a product or service.

Oscar: Thank you. And on your opinion, how has Privacy by Design influenced digital identity as an industry?

Katryna: So, I think it’s an interesting question about digital identity. Optimistically, I guess what we’ve seen with the advent and the evolution and the maturing of Self-Sovereign identity. At the heart of that are principles around human centred design and control. So, I think there are great parallels with Privacy by Design. However, if we step back and look at the whole digital identity landscape, I’m not sure that it has had a wide enough impact in the design of systems.

Certainly, large tech platforms or even some governments have not really thought about that human centred Privacy by Design, progressive disclosure, anchoring core part. And as a result of that, I think in the digital identity landscape, we have lots of really great systems and solutions, but they’re not always designed from a human centric or Privacy by Design point of view.

And I guess one topical example of that recently with the acquisition of Twitter by Elon Musk and then opening up Twitter blue for everyone and not having a proper process in place for verification or identity protection in any way. We all saw that. That was a very short-lived example of what happens if you don’t understand some of the foundation principles of identity privacy, and if you don’t design from that perspective of understanding, you want to in one way protect the individual, but another way to be able to open up that identity for authentication, authorisation or access to trusted parties in a progressive way.

So, I think sometimes that balance, we don’t see enough in the design of digital identity.

Oscar: If you have some final idea, you would like to share about Privacy by design?

Katryna: I think one of the things that we’ve noticed just recently, being involved in a community project, where privacy and security were acknowledged to be important, but not enough to slow down architecture and design. So, the desire was to be able to build something really quickly and get it out into the community.

And one of the really challenging things about privacy and security is if you don’t bake it in at the lower layers, if you don’t build that foundation, it’s really hard to go back and put it into a product or service afterwards. I sometimes think about building a house. You imagine if you, if you didn’t put down a strong foundation and you were building on sand and then you went back later and you wanted to try and reinforce that structure, it’s not impossible, but it’s costly.

It takes time and it creates all sorts of adjacent problems, particularly if you’re building a digital system. So, I think I would encourage people to think it may slow down architecture, it may slow down consensus, it may slow down the beginning of a project, but it means you can go much, much faster once you’re up and running. And it also means that you’ve not created technical debt, policy, debt, compliance, debt that you will have to circle back and address later on.

So, it’s definitely worth investing that time upfront and building on a strong foundation.

Oscar: I couldn’t agree more. There was an excellent analogy in the very visual analogy that help us understand the importance of Privacy by Design.

Oscar: The stories that Katryna Dow just shared with us might sound like we’re still in a sombre passage of this journey. But it shouldn’t surprise us. Designing Internet services is only getting more complex: tight deadlines, limited budgets, scarcity of technical experts, all this determines and shapes the outcome. And those new applications are built to help the lives of millions of citizens, students, patients, and people of all ages.

At this crossroads, how can we make sure that this ISO standard builds the required momentum so what we’ll see in the next years is an avalanche of services that really protect our privacy?

Oscar: So now that it has become an ISO standard, what is the impact of having Privacy by design an ISO standard?

Ann: I think the impact will be significant because you see we’re struggling right now at a time where surveillance is mounting steadily mounting on a daily basis. We need massive intervention to put the brakes on it. And with Privacy by Design, being recognised as an ISO standard, that will draw so much more attention to privacy, embedding it proactively into the design of your operations. Into AI, artificial intelligence. We have to embed privacy into this from the beginning in order for it to take.

And that’s why I’m so excited about the timing of this, because it will attract a lot of attention to privacy, and privacy forms the foundation of our freedom. If you want free and open societies, you have to have freedom. And this will help to preserve freedom. So, ISO standards, marrying with Privacy by Design. The sky’s the limit – privacy and freedom.

And also, privacy and security go hand in hand. While privacy subsumes a much broader set of protections than security alone in this day and age of massive phishing and ransomware attacks, and all this, if you don’t have a strong foundation of security from end to end with full lifecycle protection, you’re not going to have any privacy. So, you have to have privacy and security by design.

Oscar: No doubt. Is there something else you would like to tell or share?

Ann: And what I want to remind people is please don’t be alarmed by the odds. Meaning people say to me, you know, I tweet every morning, I have a large Twitter following and I tweet about the latest stories of the day. And someone invariably will come back to me and say, Lady, give it up. That ship has had sailed.

Privacy is dead. And I go back again. Another friggin ship. You don’t give up on privacy. You don’t give up on freedom just because the odds are small. They’re getting bigger. But you look at what is important to preserve. Freedom is the most important thing to me to preserve. I’m Armenian. I come from a background, in 1915, 1.5 million Armenians were killed.

It’s you don’t give up. You know, that’s the whole point. You always come back. You never give up on freedom. And so, I just urge people don’t be alarmed at the odds that it seems to be overwhelming that we can’t do this. Yes, you can. We can do this. We have to do this. We want to preserve freedom for ourselves, for our children, for the future. We must do this. So please stay with me and embed privacy into your operations.

And one last thing. If you do shopping, either online or in real stores physically, if you express an interest in privacy, you will get so much more protection. You can imagine I always ask what they’re going to do with my information. I’m at a store, they’re asking for my postal code or this or that, and I say, “Oh, and how will you be protecting my privacy?” The guy I’m dealing with doesn’t know, but he’ll go get the manager, and the manager will say, “Oh, you care about privacy. Here’s what we can do. Boom, boom, boom.” And immediately the protections go up.

So just express your interest in privacy and see how much more protection it will lead to. It’s a win-win.

Thank you for your time.

Oscar: Privacy is not only an Internet issue, a technology issue, it follows us everywhere we go. 

From a kitchen table to an ISO standard, the world just saw how Privacy by Design arrived to this elusive, but crucial destination.

What’s our next milestone on this journey? The road that will come can be long and bumpy but as Dr Ann Cavoukian said, it’s never time to give up.

This was a special story episode of Let’s Talk About Digital Identity. Thank you to our guests Dr Ann Cavoukian and Katryna Dow. The story of this episode was edited by Chloe Hartup with help of me Oscar Santolalla.