Measuring and Engineering Privacy Protections
Nikita Samarin
EECS Department
University of California, Berkeley
Technical Report No. UCB/EECS-2024-231
December 20, 2024
http://www2.eecs.berkeley.edu/Pubs/TechRpts/2024/EECS-2024-231.pdf
Modern software often fails to meet privacy regulations and user expectations due to evolving legal landscapes, complex requirements, and a lack of structured engineering processes. Despite robust principles like Privacy by Design and formal regulatory frameworks such as the GDPR and CCPA, developers struggle to translate abstract obligations into actionable technical requirements. The resulting breaches and data misuse erode user trust and highlight systemic failures in embedding privacy within software systems.
This dissertation explores the causes of these failures and proposes professionalizing privacy engineering as a solution. Through an in-depth review of current regulations, two empirical studies of privacy engineering failures, and interviews with practicing privacy engineers, it identifies the persistent challenges developers face. These include unclear guidance for operationalizing legal mandates, inadequate technical tools, poor organizational incentives, and limited expertise in navigating complex privacy frameworks.
The research argues that formalized privacy engineering roles—encompassing technical, legal, and ethical understanding—can help ensure privacy requirements are integrated from the earliest stages of software development. By defining specialized skill sets, establishing clearer processes, and creating measurable metrics for success, privacy engineering professionals can bridge the gap between lofty data protection principles and practical implementation in code.
Ultimately, this dissertation concludes that professionalizing privacy engineering encourages a proactive, systematic, and ethically grounded approach to privacy. It calls on organizations, regulators, and policymakers to support these roles, offer clearer technical guidance, and align incentives so that privacy evolves into an intrinsic product quality rather than a compliance afterthought. This shift stands to improve user trust, reduce costly breaches, and better align digital technologies with fundamental rights and societal values.
Advisors: David A. Wagner and Serge Egelman
BibTeX citation:
@phdthesis{Samarin:EECS-2024-231,
  Author = {Samarin, Nikita},
  Title = {Measuring and Engineering Privacy Protections},
  School = {EECS Department, University of California, Berkeley},
  Year = {2024},
  Month = {Dec},
  URL = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2024/EECS-2024-231.html},
  Number = {UCB/EECS-2024-231},
  Abstract = {Modern software often fails to meet privacy regulations and user expectations due to evolving legal landscapes, complex requirements, and a lack of structured engineering processes. Despite robust principles like Privacy by Design and formal regulatory frameworks such as the GDPR and CCPA, developers struggle to translate abstract obligations into actionable technical requirements. The resulting breaches and data misuse erode user trust and highlight systemic failures in embedding privacy within software systems. This dissertation explores the causes of these failures and proposes professionalizing privacy engineering as a solution. Through an in-depth review of current regulations, two empirical studies of privacy engineering failures, and interviews with practicing privacy engineers, it identifies the persistent challenges developers face. These include unclear guidance for operationalizing legal mandates, inadequate technical tools, poor organizational incentives, and limited expertise in navigating complex privacy frameworks. The research argues that formalized privacy engineering roles—encompassing technical, legal, and ethical understanding—can help ensure privacy requirements are integrated from the earliest stages of software development. By defining specialized skill sets, establishing clearer processes, and creating measurable metrics for success, privacy engineering professionals can bridge the gap between lofty data protection principles and practical implementation in code. Ultimately, this dissertation concludes that professionalizing privacy engineering encourages a proactive, systematic, and ethically grounded approach to privacy. It calls on organizations, regulators, and policymakers to support these roles, offer clearer technical guidance, and align incentives so that privacy evolves into an intrinsic product quality rather than a compliance afterthought. This shift stands to improve user trust, reduce costly breaches, and better align digital technologies with fundamental rights and societal values.}
}
EndNote citation:
%0 Thesis
%A Samarin, Nikita
%T Measuring and Engineering Privacy Protections
%I EECS Department, University of California, Berkeley
%D 2024
%8 December 20
%@ UCB/EECS-2024-231
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2024/EECS-2024-231.html
%F Samarin:EECS-2024-231