formance requirements of the technology—and that technology should be developed and deployed that conforms to the demands of policy. On the other hand, policy that is highly protective of privacy on one day can be changed to one that is less protective the next day. Thus, a second view of privacy would argue that technology should constitute the basis for privacy protection, because such a foundation is harder to change or circumvent than one based on procedural foundations.37 Further, violations of technologically enforced privacy protections are generally much more difficult to accomplish than violations of policy-enforced protections. Whether such difficulties are seen as desirable stability (i.e., an advantage) or unnecessary rigidity (i.e., a disadvantage) depends on one’s position and perspective.
In practice, of course, privacy protections are founded on a mix of technology and policy, as well as self-protective actions and cultural factors such as ethics, manners, professional codes, and a sense of propriety. In large bureaucracies, significant policy changes cannot be implemented rapidly and successfully, even putting aside questions related to the technological infrastructure. Indeed, many have observed that implementing appropriate human and organizational procedures that are aligned with high-level policy goals is often harder than implementing and deploying technology.