S3E2: 'My Top 20 Privacy Engineering Resources for 2024' with Debra Farber (Shifting Privacy Left)

Show Notes

In Honor of Data Privacy Week 2024, we're publishing a special episode. Instead of interviewing a guest, Debra shares her 'Top 20 Privacy Engineering Resources' and why. Check out her favorite free privacy engineering courses, books, podcasts, creative learning platforms, privacy threat modeling frameworks, conferences, government resources, and more.

DEBRA's TOP 20 PRIVACY ENGINEERING RESOURCES (in no particular order)

1. Privado's Free Course: 'Technical Privacy Masterclass'
2. OpenMined's Free Course: 'Our Privacy Opportunity' 
3. Data Protocol's Privacy Engineering Certification Program
4. The Privacy Quest Platform & Games; Bonus: The Hitchhiker's Guide to Privacy Engineering
5. 'Data Privacy: a runbook for engineers by Nishant Bhajaria
6. 'Privacy Engineering, a Data Flow and Ontological Approach' by Ian Oliver
7. 'Practical Data Privacy: enhancing privacy and security in data' by Katharine Jarmul
8. Strategic Privacy by Design, 2nd Edition by R. Jason Cronk
9. 'The Privacy Engineer's Manifesto: getting from policy to code to QA to value' by Michelle Finneran-Dennedy, Jonathan Fox and Thomas R. Dennedy 
10. USENIX Conference on Privacy Engineering Practice and Respect (PEPR)
11. IEEE's The International Workshop on Privacy Engineering (IWPE)
12. Institute of Operational Privacy Design (IOPD)
13. 'The Shifting Privacy Left Podcast,' produced and hosted by Debra J Farber and sponsored by Privado
14. Monitaur's 'The AI Fundamentalists Podcast' hosted by Andrew Clark & Sid Mangalik
15. Skyflow's 'Partially Redacted Podcast' with Sean Falconer
16. The LINDDUN Privacy Threat Model Framework & LINDDUN GO Card Game
17. The Privacy Library Of Threats 4 Artificial Intelligence (PLOT4ai) Framework & PLOT4ai Card Game
18. The IAPP Privacy Engineering Section
19. The NIST Privacy Engineering Program Collaboration Space
20. The EDPS Internet Privacy Engineering Network (IPEN)

Read “Top 20 Privacy Engineering Resources” on Privado’s Blog.

Privado.ai
Privacy assurance at the speed of product development. Get instant visibility w/ privacy code scans.

Shifting Privacy Left Media
Where privacy engineers gather, share, & learn

TRU Staffing Partners
Top privacy talent - when you need it, where you need it.

Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Copyright © 2022 - 2024 Principled LLC. All rights reserved.

Chapters

• 2:39: 1) Free Course: Privado's Technical Privacy Masterclass
• 5:28: 2) Free Course: Our Privacy Opportunity
• 10:20: 3) Free Course / Paid Cert: Data Protocol's Privacy Engineering Certification Program
• 14:13: 4) Creative Privacy: Privacy Quest Platform & Games; Bonus: The Hitchhiker's Guide to Privacy Engineering
• 18:51: 5) Book: Data Privacy - a runbook for engineers
• 20:39: 6) Book: Privacy Engineering, a Data Flow and Ontological Approach
• 22:00: 7) Book: Practical Data Privacy, enhancing privacy and security in data
• 24:08: 8) IAPP Textbook: Strategic Privacy by Design, 2nd Edition
• 27:10: 9) Book: The Privacy Engineer's Manifesto: getting from policy to code to QA to value
• 29:14: 10) USENIX Conference: Privacy Engineering Practice and Respect (PEPR)
• 32:24: 11) IEEE Workshop: The International Workshop on Privacy Engineering (IWPE)
• 34:07: 12) Non-Profit: Institute of Operational Privacy Design (IOPD)
• 36:34: 13) Independent Podcast: The Shifting Privacy Left Podcast
• 38:49: 14) Monitaur's Podcast: The AI Fundamentalists
• 40:33: 15) Skyflow's Podcast: Partially Redacted
• 41:18: 16) Threat Model Framework: LINDDUN Privacy Threat Model Framework & LINDDUN GO Card Game
• 43:15: 17) Threat Model Framework: The Privacy Library Of Threats 4 Artificial Intelligence (PLOT4ai) Framework & PLOT4ai Card Game
• 45:04: 18) IAPP Privacy Engineering Section
• 46:48: 19) NIST Privacy Engineering Program Collaboration Space
• 49:27: 20) EDPS Internet Privacy Engineering Network (IPEN)

Transcript

Debra J Farber: 0:49

Hello, I am Debra J Farber. Welcome to The Shifting Privacy Left Podcast, where we talk about embedding privacy by design and default into the engineering function to prevent privacy harms to humans and to prevent dystopia. Each week, we'll bring you unique discussions with global privacy technologists and innovators working at the bleeding edge of privacy research and emerging technologies, standards, business models and ecosystems. Welcome everyone to Shifting Privacy Left. I'm your host and resident privacy guru, Debra J Farber. Today, for the Special Data Privacy Day episode, I am not interviewing a guest, but I am sharing with you my top 20 privacy engineering resources and why I'm recommending them. So let's dive in. Now, why am I doing this? Well, I'm often asked about how and where people can learn more about privacy engineering and technical privacy topics, so I recently compiled a list of my favorite privacy engineering resources and posted that to LinkedIn. I was just shocked at how much interest there was in that post and how viral it kind of went within the privacy community, and so I thought it only made sense to write an article that gives more context as to why I recommended each resource. Well, I finally wrote that article, which will soon be published by Privado, and I hope you find it helpful and that you share these resources with others seeking to get into privacy, and so I've now taken that article and turned it into a podcast, in case this is a way that you better consume information. So I've organized this information in groupings based on you know, here's a bunch of courses, here's a bunch of podcasts, here's a creative privacy engineering approaches and so forth. I guess we'll start. It's not in an order of my favorite ranked, but we'll start with Privado's Technical Privacy Masterclass. 1) Actually, we're starting with 'Courses,' and the first one in courses is Technical Privacy Masterclass. So this is with Nishant Bajaria as instructor. He's the privacy engineering manager at Meta and author of Data Privacy, a runbook for engineers. He's also a provado advisor as well. Now, who is this technical privacy masterclass for? It looks to me like it's for privacy engineers, for people in DevOps, tpms and people in privacy operations. The course is completely free. It takes about two and a half to three hours to complete and there is a certificate of completion, so you can get a certificate awarded if the student completes the course and the quiz questions. However, upon completion of the course, you will receive a certified credential that you can add to your LinkedIn profile. Now let me tell you a little bit about why I recommended this.

Debra J Farber: 3:46

Nishant does an excellent job of just distilling down his wisdom that he's gained from his many years in privacy engineering, and this is a really engaging and strategic course. So first he makes the case for how privacy and security can enable engineering and reduce costs by building a proactive privacy program. Second, nishant details effective approaches for tackling common privacy engineering problems and he gives really illustrative use cases, so for example, around data inventory and classification, technical privacy reviews and privacy code scanning. And then he lays out ways to successfully build privacy tools and infrastructure. So this would be around like DSAR and rights management, consent management and maybe even building a privacy center. And then, lastly, nishant demonstrates how to scale and mature a technical privacy program. So that would be you know what are those KPIs and how do you address governance, and you know scale the program through maturity. And you know some of the modules and topics include I'll talk about the groupings, not the individual modules, but the module. Yeah, I'll talk about the modules, but not the individual topics. How about that? So first you've got an introduction to technical privacy, then you've got building a proactive privacy program, building privacy tools into infrastructure, scaling and maturing a privacy program. And then he's got a whole bonus module about his own story, where Nishant talks about becoming an accidental privacy engineer, and his story is so different from mine. So you know, I love to hear everybody else's origin stories to how they came to privacy.

Debra J Farber: 5:29

2) All right, the second privacy resource that I'm going to recommend to you is a course by openmined. org. That's openmined dot org, and the course I'm recommending although they have several courses is our privacy opportunity. The instructors are Andrew Trask, who's the founder and leader at OpenMind and also senior researcher at DeepMind and PhD student at the University of Oxford. I have asked Andrew to be on this podcast numerous times. He was just in the middle of writing, you know, defending his PhD and completing his schoolwork there. So, given that he's working on so much and has developed a community of 16,000 plus, you know, developers and data scientists we will have him on the show eventually, but I just wanted to call attention to all the great work that Andrew's doing. The other instructor is Emma Blumke, phd, who is a research manager at the Center for Governance of AI.

Debra J Farber: 6:32

So who's this course for? I think it's for anyone interested in a holistic, socio-technical approach to today's privacy problems and the key privacy enhancing technologies that data scientists can leverage for sharing and using data in a privacy preserving way is opening up the value of the data that you have, but still preserving privacy. Now I mentioned, this course is completely free and it takes about eight hours for the online modules and any additional time if you are submitting for certification. So there is a certificate of completion, but only if you complete and pay for the full certification process. There's no certificate of completion for just completing the online course modules, and that certification is available for free if you complete the course. In addition to you know review and acceptance of a submitted sample privacy product specification that, based on learning about privacy enhancing technologies and the various approaches to data science today, you would submit a sample privacy product specification.

Debra J Farber: 7:38

Why am I recommending this course? Our privacy opportunity? I've been in privacy for a long time right, 18 years and I took this course about a year ago. I was blown away. Blown away by how well the instructors lay the case for a socio-technical perspective for privacy before they even get into the technical weeds. Right. This course does an outstanding job of detailing how privacy infrastructure is changing, how societies manage information and information flows and how baking privacy into infrastructure during this current period of technological advancement presents us with the opportunity and disruption within nearly every corner of society. So you'll also come away better understanding the benefits of privacy enhancing technologies, which they describe in a way that is more impactful to society than your typical privacy compliance training.

Debra J Farber: 8:30

I think Andrew and Emma are incredible and they're engaging instructors who share how and when each type of PET can be used. They dive into what they call structured transparency. They dive into input and output privacy and input and output verification, and they also dive into information flow governance Some of their modules, just to give you a sense of what I'm talking about. Their modules include the following Society runs on information flows, information flows within communities, information flows within markets and their incentives, the limitations of information flows. Introducing structured transparency. Input privacy, output privacy input verification, output verification and flow governance. The impact of structured transparency and create a product specification, which again is optional and that's for full certification, which I did not do but I encourage others to do. There's also a community of, like I said, 16,000 data scientists really in the weeds working on implementing privacy enhancing technologies using PyTorch using all of the. You know it's as deep as I could go, talking about the tools of the trade.

Debra J Farber: 9:50

But there are other courses as well. I just have not taken them around federated learning, around data science, privacy generally, because they're a little more lab focused and a little too technical for me. But I encourage you to look at openmindorg, definitely, take our privacy opportunity and then take a look at the other courses. I mean, there's one course I think it takes like 60 hours to complete. Again, it's also free. So there's there's so much there that you can learn and there's a community for you to plug into. All right.

Debra J Farber: 10:20

3) Number three under courses, it would be Data Protocols' Privacy Engineering Course, their modules and certification. So who's it for? It's for privacy engineers, those in DevOps, TPMs and those in privacy operations. So this is an interesting model too. So data protocols privacy engineering course is free to complete all of the course modules, but if you wanted an official certification, it's $495 to you pay for a final assessment and I guess that's to pay for the reviewer and the process fee and all that. So if you wanted to attain an official certification of their privacy engineering course, which I do believe they offer to the big tech developers, and so that's becoming a little bit of a standardized course in the, the Metas, the Netflix, the you know that that space right, the big tech companies. It takes about five to six hours to complete and there's no certificate of completion, as I mentioned, for just completing the online course. There is certification if you complete the curriculum, pass the comprehensive final exam or final assessment excuse me, it's not an exam and pay the final assessment fee, then you'll earn your data protocol privacy engineering certification and a badge If you wanted to display your badge somewhere on your personal website or whatever and you will receive a certified credential that you can add to your LinkedIn profile to prove that you completed it. Now, why am I recommending it to you?

Debra J Farber: 12:36

This course is also led by renowned instructor Nashant Bajaria. In this course, he dives into the basics of privacy engineering. You will gain the knowledge and skills that you need to protect data privacy while designing and building products and processes. So these eight courses and six hands on labs they test your ability to design the secure data processes and also to address vulnerabilities. So data protocols mission is to educate and engage developers and it's designed to drive adoption, support education and grow community. It has a significant user base across the major tech companies, as I mentioned. So the value of its full certification program is increasingly becoming an indicator of baseline privacy engineering knowledge and skills. So really urge you to check it out.

Debra J Farber: 13:28

The modules, courses and labs include well, let's see, there's a governance module. It talks about data classification. There's a lab, a data classification lab, talks about data categorization and associated lab, and then there's a retrieval lab as well. Then there's a systems module which includes consent management. In addition consent management lab, there's a security and privacy course, a data deletion course and lab and a data sharing course and lab. And then, lastly, there's an execution module where you learn the basics of privacy tech and technical privacy consulting All right out of courses.

Debra J Farber: 14:13

4) This next recommendation kind of stands on its own under the moniker of creative privacy engineering, education and awareness. So I've been working with a founder Mert Çan Boyer from Imagine Privacy, doing business now as a Privacy Quest. So Privacy Quest is a gamified learning experience that was inspired by the capture the flag or CTF style competitions that the application security industry has really used to drive awareness of vulnerabilities and software, and the founders designed privacy quest here in that same kind of gamified way, but to help non technical individuals enter the privacy engineering field by providing a comprehensive learning experience that covers all the necessary IT foundations. It is expanding now to include modules for current privacy engineers to upskill to other areas. Privacy quest is for beginners, intermediate learners and advanced privacy professionals. The platform is pretty flexible, offers a variety of challenges and competitions to suit different skill levels and will also be expanding into other overlapping areas soon.

Debra J Farber: 15:25

Like definitely a deeper dive into privacy and AI For privacy awareness. For data privacy day events, mayor Sean has expanded. Well, he's created this data privacy day village and has an entire storyline of the battle for AI and there's two different factions and you pick a faction. That's going on right now until February 18th. It's like a month long group of activities and events that even I've been participating in a quiz night, different fireside chats. I mean there's a lot going on. So I, you know, definitely urge you to check out privacy quest for data privacy day events and competitions, but this is also a platform year round that you could use throughout the year for learning. It's for privacy and data protection managers, privacy lawyers and privacy engineers.

Debra J Farber: 16:19

Even though I've given you a lot of reasons why you should go check it out. I've got another set of reasons as well. One of the things I really love is the use of immersive storytelling, visual art, music and a game of fine learning platform. So you'll gain all of this invaluable privacy and security knowledge and when you're delving into the intricacies of privacy engineering through you know the various quests. You know you're going to develop a deep understanding of these concepts concepts like data protection, threat modeling, risk mitigation and encryption. Privacy quest equips you and your teams with practical skills that you need to navigate the complex landscape of privacy and security. It provides a platform for continuous learning and growth, and also you could connect with the community of privacy enthusiasts and professionals, showcase your experience and position yourself as a valuable asset in the privacy and security domain. Companies can even leverage privacy quest to deliver privacy engineering education to their employees in a way that is memorable, engaging and effective. Teams can even partner with privacy quest to create, like a privacy awareness day or week, various activities. We've expanded this to include, like tabletop games, escape room events and gamified workshops. So if you're thinking about how can I gain privacy engineering awareness and spread the message of why it's important throughout your organization and can help use privacy quest to do this with your workforce.

Debra J Farber: 17:45

BONUS: Now, I also want to highlight bonus material. I didn't make this a standalone of my top 20, you know recommendations, because there's just already so much Mert Çan has also written The Hitchhiker's Guide to Privacy Engineering, and he created this guide for privacy professionals with legal backgrounds who want to level up their knowledge of technical data privacy, and with the Hitchhiker's Guide, you can grasp the technical mechanisms that keep privacy intact and then speak with credibility when you're working with technical teams. Right. This was a creative passion project from Mert Çan and he really does combine his love for science fiction and data privacy here, and he offers up a really fun, engaging and immersive privacy learning experience for attorneys to improve their technical skills. It's also designed to provide a pretty solid foundation in privacy engineering principles and practices, and it enables privacy lawyers to better understand and address the complex privacy issues facing digital society and thus their organization.

Debra J Farber: 18:51

5) All right, now let's turn to books - 'Data Privacy: a run book for engineers.' I talked about that so much on this show, but I'm going to give a brief rundown again. The author again is Nishant Bajaria, and his book is basically for system designers, architects and engineers that work with data, especially in highly distributed architectures. However, anyone should read this book, from management to media, to regulators to attorneys. You know it really gives you baseline knowledge that enables you to offer commentary and analysis that is rooted in context and experience. You know this is the first book in the era of cloud computing and identity graphs, you know, to help engineers implement complex privacy goals like data governance, technical privacy reviews, data deletion, consent management and so on. It teaches you how to navigate the tradeoffs between strict data security and real world business needs. So in this practical book, you'll learn how to design and implement privacy programs that are easy to scale and automate. This includes workable solutions and smart repurposing of existing security tools that help set and achieve your privacy goals. So chapters here would include privacy engineering, why it's needed, how to scale it, understanding data and privacy, data classification, data inventory, data sharing, the technical privacy review, data deletion, exporting user data via DSARS, building a consent management platform and closing security vulnerabilities. Then also scaling, hiring and considering regulations.

Debra J Farber: 20:40

6) The second book, so the sixth resource that I am in my top 20 here is Privacy Engineering, a Data Flow and Ontological Approach by Ian Oliver, and he wrote this book for software developers, software architects, system designers and TPMs. So I'm recommending this book because it presents an approach that's based upon data flow modeling, coupled with standardized terminological frameworks, classifications and ontologies to properly annotate and describe the flow of information into, out of and across these systems. It also provides the structures and frameworks for the engineering process, requirements and audits, and even the privacy program itself, but takes a pragmatic approach and encourages the use and modification of tools and techniques presented as the local context and needs required. Chapters include case studies, privacy, engineering process structure, data flow modeling, security and information type classifications, additional classification structures, requirements, risk and assessment, notice and consent, privacy enhancing techniques, auditing and inspection, developing a privacy program and conclusions.

Debra J Farber: 22:01

7) My seventh recommendation and another book is Catherine Jarmul's Practical Data Privacy Enhancing Privacy and Security and Data. Catherine Jarmul is the principal data scientist at ThoughtWorks. She's a previous guest on my show and I've been using her book ever since I got it, ever since it was published. I think I even have a preprint, I think, because it is so helpful for data scientists and privacy enhancing technology enthusiasts. So this is the first book I've seen that is really addressing the overlap of privacy in data science and it gets really technical. So some of that technical stuff, lab stuff, is where I stop and some of the others on this call will listen. But I love how Catherine balances a deep technical perspective with really plain language overviews of the latest privacy technology approaches and architectures and she really talks about it in the data science workflows and machine learning workflows. Her book serves as an essential guide that will give you a fundamental understanding of modern privacy building blocks like differential privacy, federated learning and encrypted computation. She shares like really solid advice and best practices for integrating breakthrough privacy enhancing technologies into production systems. So chapters here include data governance and simple privacy approaches, anonymization, building privacy into data pipelines, privacy attacks, especially of the models, and the training, data privacy aware machine learning and data science. I'm giving an entire talk for Data Privacy Day that's based on chapter five of her privacy aware machine learning and data science Just great stuff. Also includes federated learning and data science, encrypted computation, navigating the legal side of privacy, privacy and practical considerations, faqs and their answers and then a fun last chapter go forth and engineer privacy.

Debra J Farber: 24:08

8) My eighth resource and next book is Strategic Privacy by Design, the second edition by R Jason Cronk. He's the owner of For Right Web Services also enter privacy consulting group. He's also on the board and helped bring to life the IOPD, the Institute of Operational Privacy by Design, and he wrote this book for operational privacy managers and privacy engineers. In fact, this is one of the official textbooks published by the IOPP for studying for their Certified Information Privacy Technologist Certification, the CIPT. I really love how this book focuses on how to build and implement better processes, products and services that consider individuals' privacy interests as a design requirement. It is about how to build things that people can trust. Jason has over 100 additional pages in his second edition of Strategic Privacy by Design, so I really urge you to get a copy of the newer book. He really refines his thinking over time of having deployed his framework to many organizations. He was able to then provide dozens of illustrative examples, a new chapter on threat modeling for privacy, and then he's added a glossary and model answers to the numerous exercises that he's listed throughout the book.

Debra J Farber: 25:31

Chapters in his book include intro what is privacy by design? Building blocks, so really this talks about the different actors and their roles. What are potential privacy harms and moral consequences? There's also physical, mental and other tangible consequences that we don't normally think about, if we're just thinking about data privacy. So he adds those in as well. He talks about controls and then has this ongoing example and exercise around creating a application for reporting potholes, so he'll call that the pothole application example. Then this next chapter is around modeling, so threats, interactions and relationships, risk analysis, mitigating risks, and then again using the pothole application example and exercises to demonstrate what he means by modeling. Chapters on designing for privacy, design methodology, pothole application example and exercises. And then there's a glossary and this includes categories of personal information, risk terminology, hierarchy of controls and then Dan Solov's taxonomy of privacy harms. And then he's got some appendices he's added this year or to the second edition around privacy engineering, privacy enhancing technologies and privacy at scale. He's got one on quantifying risks, another on the model answers to his exercises and he kind of does a crosswalk and maps to the CIPT body of knowledge which, again, this book is one of the official textbooks for the CIPT.

Debra J Farber: 27:10

9) I would be remiss if I didn't also include, as my ninth resource and next book, 'The Privacy Engineer's Manifesto: getting from policy to code to QA to value.' This book is by one of my heroes, Michelle Finneran-Dennedy, CEO of Privacy Code, as well as Jonathan Fox, Director of Strategy and Planning at the Office of the CPO at Cisco, as well as Thomas R Finneran (that's Michelle Dennedy's father, who has recently passed, but an amazing engineer). So this book is for privacy managers, privacy engineers and their managers, CPOs, DPOs and IT management. You know, this seminal work in privacy engineering really provides a systematic engineering approach to develop privacy policies that are based on enterprise goals and appropriate government regulations. Privacy procedures, standards, guidelines, best practices, privacy rules and privacy mechanisms can then be designed and implemented according to a systems engineering set of methodologies, models and patterns that are well known and well regarded, but are also presented in a creative way. I have it on good knowledge that there's a second edition of this book in the works, so you might want to wait before running out and getting a copy.

Debra J Farber: 28:33

This is the book that pretty much inspired me to focus on this idea of privacy engineering. It's been out about I don't know close to 10 years now, and it really got me thinking about how do we close the gap between legal and engineering, and it was really important to me on my own privacy journey, so I urge you to check it out as well. Here chapters include, you know, part one is getting your head around privacy. Part two is the privacy engineering process. Part three is organizing for the privacy information age and part four is where do we go from here, kind of presenting a vision of the future and how to prepare technologically for it. All right, we're almost at the halfway mark.

Debra J Farber: 29:14

10) Number 10, we're starting with the privacy engineering focus conferences that are my favorite. So number 10, Privacy Engineering Practice and Respect Conference, otherwise known as PEPR. This is put on by the non-profit engineering org USENIX. So what is it? PEPR is focused on designing and building products and systems with privacy and respect for their users and the societies in which they operate, with the goal to improve the state of the art and practice of building for privacy and respect and to foster a deeply knowledgeable community of both privacy practitioners and researchers that collaboratively work towards that goal. The 2024 USENIX conference on privacy engineering, practice and respect will take place at Hyatt Regency, Santa Clara, on June 3rd and 4th in 2024. So you know, view the call for participation, get your submissions in. Submissions are due Monday, february 12th 2024, and I really urge you to attend. This really is the preeminent privacy conference for privacy engineers and technologists.

Debra J Farber: 30:25

The PEPR conference is now my absolute favorite annual conference, and because I love this community so much, I decided to join the PEPR conference programming committee. I'm really excited about that. Just to show you how much I love this conference. Here's a short example to show I'm not exaggerating I am getting married this Memorial Day weekend. Okay, it's a long time coming. Covid actually canceled our original plans but we're finally getting married Memorial Day weekend and I let my fiancée\ know that we need to postpone our honeymoon by a week so that I can ensure that I make it down to the Bay Area to attend PEPR first. So I'm not exaggerating when I say how much I enjoy this event that I am, you know, one of the most important days of people's lives, right, you know I'm making room for PEPR. And then USENIX also makes for the perfect conference venue, as it's a nonprofit engineering organization that's committed to education, and the founders of the conference are really two stalwarts in the field Professor Lorrie Cranor and Lea Kissner.

Debra J Farber: 31:26

PEPR features a two day lineup of talks and panels from leaders across privacy engineering. It's basically a show and tell of privacy engineering practitioners, where we can gain insights from the lessons learned of others and network with this real small but growing community. So last year there were about 150 to 200 privacy engineers in attendance and you know, most of the feedback from others was how much we all felt invigorated by our discussions with one another and how it felt like a love bubble of sorts. If you'd seen our posts on LinkedIn, it was just everyone just just professing our love for this conference because of how it made us feel. You know, it might get a little too large in the future. I do anticipate in the future there'll be thousands of people and maybe they'll feel overwhelming, but for now you'd be plugging into a really you know, warm, welcoming, nurturing community and it just feels it's just wonderful. So if you're a privacy engineer, this is the one conference that I would be sure not to miss.

Debra J Farber: 32:24

11) All right, next up, number 11 top privacy engineering resource, is the International Workshop on Privacy Engineering, or the IWPE. The organization that hosts this is the IEEE, and the workshop takes place annually during the IEEE European Symposium on Security and Privacy. This is a forum for concrete proposals for models, methods, techniques and tools that support data protection. Engineers and organizations in this endeavor are few and in need of immediate attention. So to cover this gap, the topics at the conference focus on all the aspects of privacy engineering, ranging from its theoretical foundations, engineering approaches and support infrastructures to its practical application projects of different scale. So this is a broader perspective than the USENIX Pepper Conference, which favors practical approaches over discussions of theoretical foundations.

Debra J Farber: 33:28

The 2024 conference will take place on July 8th in Vienna, austria. There's a call for submission, so submit your lightning talk proposal or panel discussion by April 15. This conference is for privacy engineers and while I have not personally attended this conference, I know many who have and had a great time speaking at and attending this event, while it's pretty heavy on participants from academia. Organizers have opened up an industry talk track to invite practitioners to share their experience, lessons learned or challenges faced with a wider audience. So I invite you to help make this conference great.

Debra J Farber: 34:07

12) Okay, so next up, we've got a non-profit organization that I'm recommending that you follow and engage, so this is my number 12 on my top 20 list the Institute of Operational Privacy Design, or IOPD. The mission of the IOPD is to define and drive the adoption of privacy design standards to provide accountability and public recognition for good privacy practices. It's for operational privacy managers and privacy engineers and anybody who wants to get more involved in understanding how to design privacy into your products and services. So until now, implementing privacy by design in default has been kind of squishy, hard to define, kind of difficult to implement. And the IOPD has changed this paradigm by developing the industry's first standard for a repeatable and comprehensive process by which a company can reduce its privacy risks, and they call this the IOPD process design standard, so the process design standard. By adopting it, organizations will be able to reduce the complexity of the overall design process and create significant efficiencies that reduce cost while increasing consumer trust. This standard covers the design process by which an organization designs its products, services or even other business processes. The goal of this standard is to ensure privacy is a forethought in the design. Now the second standard which we'll be working on this year yes, I'm participating in IOPD, I'm on a subcommittee on risk controls. We're working on an assurance standard which will cover the end result the product, the service or the business, ensuring that it does in fact reduce privacy risks to an acceptable level. So, in theory, any product, service or business process designed and developed using the design standard should result in meeting the subsequent standard, though the latter will have more rigorous risk tolerances included. Organizations that meet the requirements of the privacy by design assurance standard are able to display then a IOPD privacy seal for their product, their service or business process, and then from members of the IOPD.

Debra J Farber: 36:20

The organization hosts monthly discussions with movers and shakers in the privacy engineering space, and it's called privacy, engineering and technology education discussion, or, for short, PETed. 13) Okay on to podcasts, for number 13, I would be remiss to not include the Shifting Privacy Left podcast, with me as host and sponsored by Privado. What is it? Well, you kind of know that shifting privacy left features lively discussions on the need for organizations to embed privacy by design into the UX/UI, architecture, engineering, devops and the overall product development processes before coder products are ever shipped. Each week, we publish a new episode that features interviews with privacy engineers, technologists, researchers, ethicists, innovators, market makers and industry thought leaders. We dive deeply into this subject and unpack the existing elements of emerging technologies and tech stacks that are driving privacy innovation, strategies and tactics that win trust, privacy pitfalls to avoid and privacy tech issues ripped from the headlines, and then some other juicy topics of interest.

Debra J Farber: 37:38

I crafted this show for privacy engineers. That is the community that I am thinking about when I put these shows together and other technologists. Of course, anyone can listen to it, but expect that there'll be technical content. The reason I'm recommending my own podcast is I really enjoy producing and hosting Shifting Privacy Left and I think my passion for privacy engineering and privacy tech and building community comes through my desire to inspire others. We go deeper into technical privacy topics across guests with various backgrounds and interests, sometimes diving into implementation and tech stacks, while making sure to also look at problems holistically. Recently, I'm really proud that the show has won the Privacy Podcast People Choices Awards. We won in three categories Second place for Best Privacy Podcast, first place for Best Newcomer and second place for Best Interviewer. From the feedback that I've received, people really seem to like my authenticity, practical perspectives and provocative questions that nudge the audience to think differently and creatively.

Debra J Farber: 38:49

14) Next up on podcasts is The AI Fundamentalists. We've got hosts Andrew Clark he's the co-founder and CTO at Monitaur, an AI governance company, and Sid Mangalik, research scientist at Monitaur and computer science PhD candidate at Stony Brook University. So Monitaur is obviously the sponsor of The AI Fundamentalists and it's a podcast about the fundamentals of safe and resilient modeling systems behind the AI that impacts our lives and our businesses. It's really for data scientists, ai system designers and privacy engineers. Again, I like this podcast because it talks about the technical and about different approaches where there might be problems with some of the approaches. So when I was seeking bite-sized podcasts for learning more about AI myself, I came across this podcast pretty much in its infancy I think it was like the third or fourth episode ever and after listening to just one episode on some of the drawbacks to using synthetic data and AI and some of the few use cases that it's really good and some of the use cases that actually aren't so great, I was really hooked. Andrew and Sid are expert data scientists. They're also pretty riveting in and compelling in their discussions and they have a very clear and practical communication style that really resonated with me and cuts through the marketing fluff that many AI-focused companies put out there. So while their podcast is squarely one about AI, I felt that I needed to include a nod to their content here, as they often discuss the overlapping issues of privacy and AI on their show, and their podcast has truly rounded out my understanding of that intersection.

Debra J Farber: 40:33

15) The next podcast is number 15 on my list is Partially Redacted with host Sean Falconer, the head of marketing at Skyflow. This is a privacy engineering focused podcast show produced and hosted by Skyflow, and it's for privacy engineers and technologists. Partially Redacted, focuses its episodes on a variety of topics around privacy engineering. The interviews, half of which are with Skyflow employees and half from outside guests, are really packed with information and novel insights for a privacy engineering audience. I haven't listened to too many episodes, so I you know I can't say too much about it, but I really like the focus of the content and you should check it out. 16) Then, my next category is threat modeling frameworks and card games - probably something you might not have expected, and I'm hoping that this is pointing people to new resources they never even considered. You may have heard about LINDDUN, which is a recognized privacy threat modeling framework. There's also a card game that goes with it, linden Go, which I'll talk about in a moment.

Debra J Farber: 41:44

LINDDUN is a recognized privacy threat modeling framework developed by privacy experts at KU Leuven. It offers mature support to identify and mitigate privacy threats early in the development lifecycle, and when you adopt Linden, you can therefore help build privacy into the system's core. It's intended for privacy engineers, security analysts and operational privacy managers, and the reason I'm recommending it is well. Privacy is increasingly important, yet often misunderstood. I really like how Linden categorizes by privacy threat type, like linking, identifying, non-repudiation, detecting data, disclosure, unawareness and non-compliance. Those are the different privacy threat types. What's great about Linden is that you can apply it to an actual software system for a thorough investigation, and when you adopt Linden throughout the software design phase, you then can uncover and fix relevant privacy gaps. The creators have also included open-sourced resources like privacy threat types, threat trees and methods, and so, for those who learn by doing, you can even buy the Linden Go card game. It's got 33 threat cards that highlight the most common privacy threats and system hotspots, and then this game transforms the privacy assessment process into an engaging collaborative experience with your team. It's designed for structured brainstorming with a diverse team, and Linden Go requires only the card deck and a system sketch to kickstart your journey.

Debra J Farber: 43:16

17) Now Now Now Now number 17 is kind of a little bit of an extension of Linden, but applied to AI, so that's the Privacy Library of Threats for Artificial Intelligence, shortened as PLOT the number 4 AI, so it's the PLOT 4ai framework, and it also includes a Plot 4ai card game. The creator of Plot 4ai is Isabel Barbara. She's the founder at Rhite, a consulting firm in the AI privacy space, and Plot 4 AI is a library that contains 86 threats related to AI and machine learning. These threats have been classified into eight categories, and there's also a Plot 4ai game to help AI teams with threat modeling for privacy, and even a free self-assessment tool for your AI project. There's also a paper that she co-authored called Threat Modeling Generative AI Systems that you can refer to, where the authors use Plot 4ai to create an open-source library of potential threats for generative AI systems.

Debra J Farber: 44:21

Plot 4ai is for data scientists, privacy and data protection managers, privacy engineers, security analysts and AI governance managers. I really like that. Isabel created Plot 4 AI based off of the Linden Threat Model Framework, though cataloging threats mapped to AI specifically rather than to software systems generally. It's also notable that Plot 4ai is not solely focused on privacy and security by design. It does cover the whole concept of responsibility towards the individuals that we want to protect and humanity as a whole, so I especially appreciate that. And then, Plot 4ai helps you to connect with the people that are represented in your data and with the people that one day could be affected by your models.

Debra J Farber: 45:05

18) My last few selections here are to call attention to some other resources that can't be categorized very well, and the first one would be the IAPP, the International Association of Privacy Professionals. They've got a privacy engineering section so you could sign up for news and event information and engagement around the topic of privacy engineering. This is where privacy professionals working in the IT and privacy engineering fields plug into the other areas of the privacy profession. The privacy engineering section does offer a range of programs, events, content and networking opportunities through which privacy pros working in IT and related fields can connect in advance. It's kind of for privacy engineers and IT privacy managers, and I recommend it because the IAPP has focused most of its services to the privacy community on the needs of DPOs, dpo's, privacy attorney's, consultants and the GRC functions. But if you're a member of the IAPP, you might find it helpful to join the privacy engineering section for networking, speaking and writing opportunities etc. However, I do want to note that the IAPP does charge extra for attendance at the privacy engineering section's day-long lineup at its conferences, usually day before the main conference and kind of seen almost as a workshop rather than like a formal conference programming. The costs are then often prohibitive and the actual attendance by the audience can be pretty anemic, with most of the speakers as the audience members. There's a lot of potential for the IAPP to invest more in bringing technical content to its members, like how it's currently investing in AI and privacy with a separate conference, but it's not clear that they have the political will to do so. So I'll continue to keep recommending the privacy engineering focus conferences.

Debra J Farber: 46:48

19) Number 19 is the U. S. government has the NIST Privacy Engineering Program Space. Space Given concerns about how information technologies may affect privacy at individual and societal NIST's. Nist's privacy engineering program supports the development of trustworthy information systems by applying measurement, science and systems engineering principles to the creation of frameworks, risk models, guidance tools and standards that protect privacy and, by extension, civil liberties. Nist's privacy engineering collaboration space is an online venue open to the public where practitioners can discover, share, discuss and improve upon open source tools, solutions and processes that support privacy engineering and risk management. It's definitely for privacy engineers and the reason for my recommendation is multiple Tools and use cases are currently focused on dissociability and privacy risk assessment within this collaboration space. Anyone could submit open source tools and use cases to be included in the collaboration space. For example, I was excited to see that literally just yesterday, it's January 26th right now. Just yesterday, NIST added Privado Scan to the collaboration space.

Debra J Farber: 48:09

The privacy engineering collaboration space and Privado Scan obviously by Privado. It's an open source privacy scanner that allows an engineer to scan their application code and discover how data flows in the application. It detects hundreds of personal data elements being processed and further maps the data flow from the point of collection to syncs, such as external third parties, databases, logs and internal APIs. It allows privacy engineers to concretely verify and assess if a certain data collection policy set on an application actually matches the implementation right in the code itself. Thus it embeds privacy assessments into the developer's workflow. Talk about shifting left right. And then another tool available in the NIST collaboration space is the FAIR F-A-I-R all capital letters FAIR Privacy Quantitative Privacy Risk Framework from Jason Cronk and Enter Privacy. He talks about FAIR a lot in his book Strategic Privacy by Design. This framework is based on FAIR. Fair stands for Factors Analysis in Information Risk, which is extended into the privacy domain, and this examines personal privacy risks to individuals and quantifies it so you can make decisions better.

Debra J Farber: 49:27

20) Last but not least, my 20th resource - drumroll please - is from the EU government. It's the EDPS Internet Privacy Engineering Network, or IPEN. So the purpose of IPEN is for the European Data Protection Supervisor, the supervisor's org, to bring together developers and data protection experts that have technical backgrounds from different areas in order to launch and support projects that build privacy into everyday tools and develop new tools that can effectively protect and enhance our privacy. It supports engineers working on reusable building blocks, design patterns and other tools for selected internet use cases where privacy is at stake. It aims to build bridges where privacy and data protection experts from other disciplines and it also promotes wider understanding of the technologies that enable the protection of personal data. It facilitates exchanges to coordinate work and aims to create a community pursuing common objectives by connecting existing initiatives, groups and individuals working on privacy engineering. It's squarely for privacy engineers and the reason I'm recommending it is.

Debra J Farber: 50:38

IPEN events bring together privacy experts and engineers from public authorities, industry, academia and civil society, discussing relevant challenges and developments for the engineering and technological implementation of data protection and privacy requirements into all phases of the development process. So, for example, last year their annual event focused on explainable artificial intelligence, so there was an overlap with privacy. I also really like that they maintain a wiki for privacy standards and privacy projects. While I am unable to attend the events in the EU, I do like to stay connected by subscribing to IPEN's listserv, reading its blog posts and referring to its wiki when needed. So that is it. That is my top 20 privacy engineering resources.

Debra J Farber: 51:30

Let me know what you think. What did I miss? DM me. Share this episode online. Reach out to me. You can email me at debra@ shiftingprivacyleftcom. You could find me on LinkedIn. I'd really love to know. Do you have a resource to add? Is there anything I'm missing? Do you like the 20 resources that I shared with you? Well, until next Tuesday, everyone, when we'll be back with engaging content and probably a really great guest this time instead of just me. Take care To learn more. Go to privado. ai. Be sure to tune in next Tuesday for a new episode. Bye for now. Thanks for joining us this week on Shifting Privacy Left. Make sure to visit our website, shiftingprivacyleft. com, where you can subscribe to updates so you'll never miss a show. While you're at it, if you found this episode valuable, go ahead and share it with a friend. And, if you're an engineer who cares passionately about privacy, check out Privado: the developer-friendly privacy platform and sponsor of this show. To learn more, go to privado. ai. Be sure to tune in next Tuesday for a new episode. Bye for now.