
Privacy Is Hard and Seven Other Myths: Achieving Privacy through Careful Design

An expert on computer privacy and security shows how we can build privacy into the design of systems from the start.

We are tethered to our devices all day, every day, leaving data trails of our searches, posts, clicks, and communications. Meanwhile, governments and businesses collect our data and use it to monitor us without our knowledge. So we have resigned ourselves to the belief that privacy is hard--choosing to believe that websites do not share our information, for example, and declaring that we have nothing to hide anyway. In this informative and illuminating book, a computer privacy and security expert argues that privacy is not that hard if we build it into the design of systems from the start.

Along the way, Jaap-Henk Hoepman debunks eight persistent myths surrounding computer privacy. The website that claims it doesn't collect personal data, for example; Hoepman explains that most data is personal, capturing location, preferences, and other information. You don't have anything to hide? There's nothing wrong with wanting to keep personal information--even if it's not incriminating or embarrassing--private. Hoepman shows that just as technology can be used to invade our privacy, it can be used to protect it, when we apply privacy by design. Hoepman suggests technical fixes, discussing pseudonyms, leaky design, encryption, metadata, and the benefits of keeping your data local (on your own device only), and outlines privacy design strategies that system designers can apply now.

280 pages, Hardcover

Published October 5, 2021


About the author

Jaap-Henk Hoepman


Ratings & Reviews


Community Reviews

5 stars: 10 (25%)
4 stars: 19 (48%)
3 stars: 10 (25%)
2 stars: 0 (0%)
1 star: 0 (0%)
August 14, 2022
I wish I could give it 10 stars.

What a fantastic book.
It has completely changed the way I see things.
The best part about it is that it is a deeply well-researched technology book and yet extremely, extremely accessible to a non-technical person like me.
The author explains everything in the most layman terms with beautiful analogies and more importantly, his understanding goes beyond mere technology.
He understands society so well and hence, understands the role of privacy in it.

I cannot recommend this enough if you want to learn more on privacy.
Alexandria Avona
Currently reading
October 20, 2025
10/20/25

We're really at

*goes to library*

"Damn, look at all the leaks that made it out man. She's reading all this content. Must be a leak."

The Wikileaks: the library
the leakers: normal everyday writers that cry themselves to sleep most days most likely

Like humans are genetic leaks of their parents material. And they got out. They got out. Dang. Dang 8 billion leaks. That is just some solid damage man.

We're really there.

Yep. "Data is the new gasoline." Nord Stream 2. Assange was streamed at his place of residence, violating his privacy to the point of distress. Guess that was "Nord Stream 1". That is REALLY pathetic. Call it what it is. They hate when you call it pathetic when it's pathetic. That is REALLY pathetic. Tied to the Musk Paypal blockages of his payment network. Now doing this to people that say they are even sympathetic to his war crimes and torture work. It's literally this pathetic.

"Leaking" is now reading books from beginning to end and using deduction. Having basic intelligence putting together the facts in established books now "show signs of leaking". Yeah. There's no leaking happening there. I have basic intelligence. You might want to try it.

The actual gas deal doesn't work, oh how funny, let's try to do a "kook" version where we stream a Nord. Let's abuse our access to data to make money for ourselves. This is so. pathetic. it's not funny. I'm not kidding. It looks like it's coming in through illegal Musk "terrorist" abuses aided and abetted by Tao and Bush era Patriot Act abuses and that's why they're all suddenly and mysteriously sucking up to Bush and Bush administration contacts. Like I said the Intercept just reported on how these massive funds for buying websites are being rationalized through terrorist arguments. This was happening during the Biden administration not just the Trump administration where Terence Tao was a contractor. It was purchased by Musk during the Biden administration, and then Musk and Trump were clearly making concerningly TOGETHER appearances in the exact same way. Things just seem to be serving this guy who shows "I'm the one who creates the correcting equal and opposite reaction" style behavior, just doubling the natural effect with the fraudulent fake effect from some sort of echoic understanding of the whole matter. It's really this. Pathetic. They're making money illegally on people's data, using it for themselves, and then claiming they have nothing for the victims. WHOA. Back up there. It's originating in this Patriot Act abuse.

Same thing that happened with Iraq. The goods are too good, they don't have it, so a bunch of rationalizations for huge sums start happening. I think if 44 billion dollars are involved that person is knee deep in an impulse disorder and narcotic/addiction style pathways. People say they also saw signs Bush didn't have it in that way in a similar fashion. Saying it's about terrorism but it's really because the gas goods are too good and they don't have it. Then Zuckerberg "under advice" starts trying to create manufactured emergencies too. Is that where you got your inspiration from? Trying to run your literal social media website in the shadow of the US government? Yeah. Stop trying to use your tech company for illegal, unelected government. Same thing with Microsoft.

Pg. 13. Domination for its own sake is not a valid reason for access to anything. It's not a valid motive for privacy violation. That looks like Zuckerberg. Just wants to see himself in a dominant position, screw all the history across the world how all these nations got the way they are. Like I said this shows all the signs of low ecological and somatic intelligence. Autism is CLEARLY disabling. They need to stop and accept their disability.

Yep. Signs of Patriot Act gone crazy data pipelines in a bunch of publication networks. Please don't tell me that's why Merkel is sucking up to Bush, because of this extreme abuse of people's data with extreme Patriot Act exploitations. Please don't tell me this is why she's making apologies for him and going on about him. Read from the Intercept again that they're now trying to frame people literally at protests with signs as terrorists in retaliation for Jan 6 where men who literally were dumb enough to shoot their own in the rampage came in with guns to the US capitol. That is clearly literal terrorism. Holding a sign or having a position is not. It's so pathetic it hurts. And apparently that's how they get funds like 44B opened up, these non sequitur attempts to call this terrorism. What, does someone jealous sit there and try their best to frame them and say "My top rival for this intelligence position is a top threat to the United States." Yeah. No. That does not make anyone a threat. Apparently that was happening to Sarah Shahi but she looks like she has a vanity problem so I don't really know if I care about all that. All I know is that she liked having a pie in her face and Gates doesn't. So now she's a terrorist because his big raison d'être for his terrorism crying to Daddy UK, this scene with the pie being thrown in his face by a protester when they could've been much worse it just made his narcissistic behind feel vulnerable and not invulnerable like it once had (invulnerability beliefs being behind his 7-8 monopoly attempts; if there is an original quoter of "I'm a white male, I'll have no consequences" it is from the mouth of Bill Gates on his sixth, seventh or eighth monopoly attempt there), is disproven as valid because she literally chose her boyfriend Adam Demos because of it.

Well, guess who's newly single, Sarah Shahi, and guess who's being tied up in this terrorist crap now. Fits exactly with this "the goods were too good" terrorist rationalization and manufacture of emergency for getting access to oil seen on Iraq, with all these Iraq veterans clocking the real reason like "that was the most horrific, nonsensical use of funds for the purpose of war I've seen in my life. I was literally other-handicapped by the incompetence of the Bush Administration. That is why we can't afford incompetent administrations. There is an excess of other-handicapping." They're using Patriot Act data access pathways for personal reproductive pathways on the taxpayer dime. That is so horrific it's not even funny. These guys are sitting there desperately reading everything you read, getting 2% from it that you did, getting into a rage about it from the looks of all my Palestine books disappearing, and then that's what they do with it. P a t h e t i c. Things like high reproductive prospect young women crashing into cop cars or having questionable or just downright disturbing interactions with police at multiple locations when apparently it might have been interference from a vehicle following them from behind in an operation desperate to create a narrative of potential terrorism to get access for personal reproductive purposes on the taxpayer dime. HORRIFIC. For them to be framed, and for the taxpayer money to be used to that degree for personal reproductive use. HORRIFIC.

This is how pathetic some of the Gates reasoning is. Same thing with how he got a divorce from his wife, only for him to express regret for that, but to not mention her at all in his book. Why would you just not speak on someone you're the one who regrets divorcing? That mistake is yours. Most narcissistic thing I've seen in my life.

My question is how did the effing courts get taken over by the mob outside of these Israeli originating Covid-19 emergency stops that were lifted at the court, especially in Washington? How the hell did the literal mob take over the court to the point they have lawyers from the mob infesting and doing terrible work but still winning the case on the clearly inferior argument and writing? Seems connected to Kim Kardashian trying to become a lawyer. Which I support, but she can win on her merit, not on it being purchased through corruption. Same thing with Angelina Jolie and Emma Watson doing fantastic work in the UN, with the Murad Code, etc. They were winning on their merit until this 8 over the speed limit narcissistic rage infestation in the UK, probably one of the most pathetic and desperate attacks trying to demonize I've seen, doing it again in the US, stinks of a false abdication system with Prince Harry with the main stench exuding from him from, if this is the case, a profound sovereignty violation. Why are the courts infested with the mob? How did this happen?

We don't need RICO for Antifa we need international Nuremberg style support to do RICO for a mob infested court from the looks of it. Which was the original, sane application of RICO.

I mean function creep to the point easily compromised centralized systems and social services are being repurposed for predatory, especially sexually predatory purposes. Then these guys self-congratulate on compromising a centralized system which is low hanging fruit and this book is just like, "Damn, that's literally the easiest thing to compromise. Stop self-congratulating."




10/18/25
Isn't it ironic.

When Wikileaks wants to information share, which isn't wrong in itself, but then shows narcissistic and teenage-like patterns of exposure when they don't get exactly what they want and show associative logic about who is like who, they then only get the information out they need about their own chokeholding in a book, ironically, about privacy.

Isn't it funny.

I'm all for information sharing in responsible ways. I am. Especially under an administration that shows all the signs of having purchased its IQ score when the learning rates and repetition of mistakes don't add up to what they're saying they're at, which means someone inside the structure is selling it. I don't know how I feel about that, all I know is I'm not going to be told someone with a 150 IQ is making the exact same flunking mistakes that crashed the economy and cost the entire world as last time. I am so sick of these narcissists in the US costing everyone across the world because they refuse to accept their limitations.

Information sharing is great when it's being done by non-narcissists. But there are real signs of narcissism on Julian Assange that compromise whether or not information sharing at such a critical time will be a good or bad thing. If he uses it for personal purposes to just bludgeon women he has a misogyny issue with, or to tantrum against a Muslim man that's not that interested in him then that is not in the constructive use of information sharing. But if it's truly to beat intelligence collapses like the one we see now, the exact same mistakes due to profound and sickening narcissism, then it's a good thing. But with too much narcissism it's ruined. He's really on the brink of too much and "ok, just some tendencies". Sometimes it really feels like it's about to tip over into "too much". I can't think of anyone who would use Trump to start a revolution without having actually researched revolutions: how they felt, what they took, and how they devastated those countries. At least with Nestor Makhno he tried every last stop before engaging and every last stop flunked before he took that final action. I see none of that on Julian Assange. He just wants a cathartic bombastic narcissistic catastrophe. What I would be interested in is more of an inflammatory response to real issues like we're seeing. But that is IMPOSSIBLE around failure to recognize and financially back. It's like your body hearing signals of infection but then failing to send support down to the t-cells. You're just going to die doing that. You're just dead if you get the signals but fail to take action. That immune system is essentially functionally retarded, in the full sense of the word, too slow.

Anyway, Paypal was blocking Julian Assange's donations just like is happening to Palestine. They were reversing them and blocking them. From the looks of it, they started doing this to people who faintly remind them of the guy from the world's sloppiest, most horrifying non sequitur associative logic. They're even doing it if you state that they are in solidarity or sympathetic. That is TRUE. GROSS. INCOMPETENCE. But that is clear evidence they were doing that to Wikileaks. They were actually financially chokeholding them. That is HORRIFYING. And isn't it funny, later Musk wants to work his way in. Look at the people closest and near you. Ask: is this person forcing me into actions I don't want to take to get something I don't really want to give to them? He needs to start asking that, we all need to start asking that. I asked that and found, yes, legal counsel is being abused to make me do things I don't want to do. I saw that immediately. It was the hardest thing to see because that forced me to start doing that work when I'm exhausted and have never been to law school.

In either case, that's absolutely disgusting and horrifying. It's what's happening to Palestine too from the looks of it.

Stop running with the mob, The Scientist literally profiled that it acts exactly like a pathogen, and keep an eye out for Julian Assange's narcissism tipping over past the point that information sharing is a good thing anymore. Otherwise I'm definitely against torture and war crimes, when it's actually about torture and war crimes from a cool-headed and objective perspective, not people that cause narcissistic injury being framed.

Honestly, deliberately bad legal advice as legal malpractice in such life and death situations should be considered a war crime in itself.
Ben Rothke
December 9, 2022
Book review: Privacy Is Hard and Seven Other Myths: Achieving Privacy through Careful Design
Reviewer: Ben Rothke


It's unclear who initially observed that "if you tell a lie and tell it frequently enough, it will be believed." For example, the FCC and telephone companies have told the public that scam robocalls are extremely hard to stop, when in fact, with some simple controls, about 60% of them could be stopped. Stopping those would collapse the economic incentive, and scam robocalls would be a thing of the past.

Regarding computer security, countless lies and myths have been propagated to the general public. For the longest time, people were told that they should change their passwords every 90 days for effective computer security.

But overly frequent password changes can, in fact, make security worse. That is why NIST updated their guidance in NIST Special Publication 800-63B, noting that password expiration is a concept that needs to be relooked at. Lance Spitzner writes that there has been a community effort to kill password expiration for years, but this is not something new. People like Per Thorsheim, Microsoft's Dr. Cormac Herley, Gene Spafford of Purdue, and the Chief Technologist at the FTC have been working hard to kill password expiration.

In Privacy Is Hard and Seven Other Myths: Achieving Privacy through Careful Design, author Jaap-Henk Hoepman (associate professor at the Institute for Computing and Information Sciences, Radboud University, Netherlands) attacks eight myths that have long been treated as gospel within information technology in general, and information security specifically.

The myths the book masterfully shreds are:
1. We Are Not Collecting Personal Data
2. You Have Zero Privacy Anyway—Get Over It
3. I've Got Nothing To Hide
4. It's Merely Metadata
5. We Always Need To Know Who You Are
6. Your Data Is Safe With Us
7. Privacy and Security are a Zero-Sum Game
8. Privacy Is Hard

Perhaps the most pervasive and well-known of the myths is the observation by then CEO of Sun Microsystems Scott McNealy that "you have zero privacy anyway, get over it." Hoepman shows how this erroneous notion can be countered.

And that is the central message of the book, that the architecture of a system, the way it is designed, has a fundamental impact on whether it respects and protects our privacy or not. Those that take privacy seriously (and that does not include Facebook, Google, Instagram, etc.) need to address this in the architecture of their systems.

This notion of privacy by design is an important engineering approach. The essential idea is that privacy should be considered first as a design requirement from the beginning and through the lifecycle of a system.
When it comes to scam robocalls, there is an economic incentive both for the scammers and the telecommunication companies for it to continue. When it comes to privacy, the incentives are often, as the book details, favored in place of the software vendors and not the consumer.

Anyone who has ever downloaded a copy of their information on Facebook is astounded by the depth and breadth of the information there. Every search, like, post, message, location, ad clicked, and much more is there in detail. And Facebook is but one of the scores, if not hundreds, of information junctions where a person can be monitored.

The book systematically and articulately takes apart the eight myths and details the privacy design strategies vendors and system architects need to implement for effective security and privacy. And it's no myth to say this is one of the most important books you can read on the topic.
Jonathan
December 12, 2023
Important subject but I disagree with the author such as on the parking lot, restaurant, and salary examples. There are valid, pro-social uses with allowing retention of such information. Of course limits must be set, but as the author states in section 5.7 there are often tradeoffs between customer experience and privacy. Decentralizing or distributing information storage to local clients is also not really feasible in a market where customers are not prepared or ready to manage their own data in such a way, otherwise products like Tim Berners-Lee's Solid would have greater adoption. (There would also be other tradeoffs from this approach too, for example data backup and migration would be more of a hassle like in the pre-cloud days.)

While "privacy is a form of personal security" as covered in section 7.3, the real problem is not technological but rather with corruption and misuse in the real world, for example with misapplication of justice by governmental law enforcement. On a philosophical level, privacy is fundamentally antithetical with transparency, which is the real ideal we should be prioritizing in society. Privacy is needed in a sub-ideal reality to protect against the abuse of transparency such as the persecution of journalists, but excessive applications of privacy should also be avoided just as excessive use of personal data should be limited.

Ultimately we live in an information-rich world, and we should take advantage of that. What limiting data use excessively does (like in the parking lot, restaurant, and other examples) is artificially create a grossly simplified abstraction of reality which does not utilize the full potential of information.
Stijn Meijers
March 7, 2023
Good overview of ways in which privacy can be improved in systems. The last chapter offers the most practical guidance, where the techniques discussed in the preceding chapters are placed somewhat better in context. I would have preferred to see this structure in the rest of the book as well; the current structure jumps from one topic to another and therefore feels rather chaotic.
Jaculin
March 24, 2025
Read it for work. Very informative! Helps explain a complex topic.