Learning Privacy Expectations by Crowdsourcing Contextual Informational Norms


 at Freedom to Tinker: “The advent of social apps, smart phones and ubiquitous computing has brought a great transformation to our day-to-day life. The incredible pace with which the new and disruptive services continue to emerge challenges our perception of privacy. To keep apace with this rapidly evolving cyber reality, we need to devise agile methods and frameworks for developing privacy-preserving systems that align with evolving user’s privacy expectations.

Previous efforts have tackled this with the assumption that privacy norms are provided through existing sources such as law, privacy regulations and legal precedents. They have focused on formally expressing privacy norms and devising a corresponding logic to enable automatic inconsistency checks and efficient enforcement of the logic.

However, because many of the existing regulations and privacy handbooks were enacted well before the Internet revolution took place, they often lag behind and do not adequately reflect the application of logic in modern systems. For example, the Family Rights and Privacy Act (FERPA) was enacted in 1974, long before Facebook, Google and many other online applications were used in an educational context. More recent legislation faces similar challenges as novel services introduce new ways to exchange information, and consequently shape new, unconsidered information flows that can change our collective perception of privacy.

Crowdsourcing Contextual Privacy Norms

Armed with the theory of Contextual Integrity (CI) in our work, we are exploring ways to uncover societal norms by leveraging the advances in crowdsourcing technology.

In our recent paper, we present the methodology that we believe can be used to extract a societal notion of privacy expectations. The results can be used to fine tune the existing privacy guidelines as well as get a better perspective on the users’ expectations of privacy.

CI defines privacy as collection of norms (privacy rules) that reflect appropriate information flows between different actors. Norms capture who shares what, with whom, in what role, and under which conditions. For example, while you are comfortable sharing your medical information with your doctor, you might be less inclined to do so with your colleagues.

We use CI as a proxy to reason about privacy in the digital world and a gateway to understanding how people perceive privacy in a systematic way. Crowdsourcing is a great tool for this method. We are able to ask hundreds of people how they feel about a particular information flow, and then we can capture their input and map it directly onto the CI parameters. We used a simple template to write Yes-or-No questions to ask our crowdsourcing participants:

“Is it acceptable for the [sender] to share the [subject’s] [attribute] with [recipient] [transmission principle]?”

For example:

“Is it acceptable for the student’s professor to share the student’s record of attendance with the department chair if the student is performing poorly?”

In our experiments, we leveraged Amazon’s Mechanical Turk (AMT) to ask 450 turkers over 1400 such questions. Each question represents a specific contextual information flow that users can approve, disapprove or mark under the Doesn’t Make Sense category; the last category could be used when 1) the sender is unlikely to have the information, 2) the receiver would already have the information, or 3) the question is ambiguous….(More)”
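As an added illustration (not code from the paper or from the Freedom to Tinker post), the question template and the three response categories above modelled in Python: an information flow is the five CI parameters, the question is rendered from the template, and a constructed set of crowd answers is aggregated into a norm. The vote thresholds, the decision rule and the sample ballots are assumptions made here, not values from the study.

```python
"""Render CI survey questions from flow tuples and aggregate crowd answers.
Added example; thresholds, decision rule and ballots are constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class InfoFlow:
    """One contextual information flow: the five CI parameters."""
    sender: str
    subject: str
    attribute: str
    recipient: str
    transmission_principle: str

    def question(self) -> str:
        # The Yes-or-No template used for the crowdsourcing questions.
        return (f"Is it acceptable for the {self.sender} to share the "
                f"{self.subject}'s {self.attribute} with {self.recipient} "
                f"{self.transmission_principle}?")


VALID = {"yes", "no", "dms"}  # dms = "Doesn't Make Sense"


def tally(votes):
    """Count answers, rejecting anything outside the three allowed ones."""
    bad = [v for v in votes if v not in VALID]
    if bad:
        raise ValueError(f"unexpected answers: {bad}")
    c = Counter(votes)
    return {k: c.get(k, 0) for k in VALID}


def classify(votes, min_votes=5, dms_frac=0.5, margin=0.7):
    """Assumed decision rule (not the paper's): require enough votes, set
    aside flows that most workers flagged as not making sense, then call a
    clear yes/no majority a norm and anything else contested."""
    t = tally(votes)
    n = sum(t.values())
    if n < min_votes:
        return "insufficient"
    if t["dms"] / n >= dms_frac:
        return "doesnt_make_sense"
    meaningful = t["yes"] + t["no"]
    if meaningful and t["yes"] / meaningful >= margin:
        return "appropriate"
    if meaningful and t["no"] / meaningful >= margin:
        return "inappropriate"
    return "contested"


def crowd_norms(ballots, **kw):
    """Map each flow's question text to the verdict the crowd implies."""
    return {flow.question(): classify(v, **kw) for flow, v in ballots.items()}


# Constructed flows and ballots (hypothetical, not AMT data).
ATTENDANCE = InfoFlow("student's professor", "student", "record of attendance",
                      "the department chair", "if the student is performing poorly")
GRADES_PUBLIC = InfoFlow("student's professor", "student", "grades",
                         "other students", "without the student's consent")
NONSENSE = InfoFlow("student's dentist", "student", "record of attendance",
                    "the registrar", "at any time")
SAMPLE_BALLOTS = {
    ATTENDANCE: ["yes"] * 8 + ["no"] * 2,
    GRADES_PUBLIC: ["no"] * 9 + ["yes"],
    NONSENSE: ["dms"] * 6 + ["yes"] * 2 + ["no"] * 2,
}
```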

Big Data Is Not a Monolith


Book edited by Cassidy R. Sugimoto, Hamid R. Ekbia and Michael Mattioli: “Big data is ubiquitous but heterogeneous. Big data can be used to tally clicks and traffic on web pages, find patterns in stock trades, track consumer preferences, identify linguistic correlations in large corpuses of texts. This book examines big data not as an undifferentiated whole but contextually, investigating the varied challenges posed by big data for health, science, law, commerce, and politics. Taken together, the chapters reveal a complex set of problems, practices, and policies.

The advent of big data methodologies has challenged the theory-driven approach to scientific knowledge in favor of a data-driven one. Social media platforms and self-tracking tools change the way we see ourselves and others. The collection of data by corporations and government threatens privacy while promoting transparency. Meanwhile, politicians, policy makers, and ethicists are ill-prepared to deal with big data’s ramifications. The contributors look at big data’s effect on individuals as it exerts social control through monitoring, mining, and manipulation; big data and society, examining both its empowering and its constraining effects; big data and science, considering issues of data governance, provenance, reuse, and trust; and big data and organizations, discussing data responsibility, “data harm,” and decision making….(More)”

Nudges for Privacy and Security: Understanding and Assisting Users’ Choices Online


Paper by Alessandro Acquisti et al: “Advancements in information technology often task users with complex and consequential privacy and security decisions. A growing body of research has investigated individuals’ choices in the presence of privacy and information security trade-offs, the decision-making hurdles affecting those choices, and ways to mitigate those hurdles. This article provides a multi-disciplinary assessment of the literature pertaining to privacy and security decision making. It focuses on research on assisting individuals’ privacy and security choices with soft paternalistic interventions that nudge users towards more beneficial choices. The article discusses potential benefits of those interventions, highlights their shortcomings, and identifies key ethical, design, and research challenges….(More)”

The Future of Drone Use: Opportunities and Threats from Ethical and Legal Perspectives


Book by Bart Custers: “Given the popularity of drones and the fact that they are easy and cheap to buy, it is generally expected that the ubiquity of drones will significantly increase within the next few years. This raises questions as to what is technologically feasible (now and in the future), what is acceptable from an ethical point of view and what is allowed from a legal point of view. Drone technology is to some extent already available and to some extent still in development. The aim and scope of this book is to map the opportunities and threats associated with the use of drones and to discuss the ethical and legal issues of the use of drones.
This book provides an overview of current drone technologies and applications and of what to expect in the next few years. The question of how to regulate the use of drones in the future is addressed, by considering conditions and contents of future drone legislation and by analyzing issues surrounding privacy and safeguards that can be taken. As such, this book is valuable to scholars in several disciplines, such as law, ethics, sociology, politics and public administration, as well as to practitioners and others who may be confronted with the use of drones in their work, such as professionals working in the military, law enforcement, disaster management and infrastructure management. Individuals and businesses with a specific interest in drone use may also find in the nineteen contributions contained in this volume unexpected perspectives on this new field of research and innovation….(More)”

Reframing Data Transparency


“Recently, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP, a privacy and information policy think tank based in Brussels, London and Washington, D.C., and Telefónica, one of the largest telecommunications companies in the world, issued a joint white paper on Reframing Data Transparency (the “white paper”). The white paper was the outcome of a June 2016 roundtable held by the two organizations in London, in which senior business leaders, Data Privacy Officers, lawyers and academics discussed the importance of user-centric transparency to the data driven economy….The issues explored during the roundtable and in the white paper include the following:

  • The transparency deficit in the digital age. There is a growing gap between traditional, legal privacy notices and user-centric transparency that is capable of delivering understandable and actionable information concerning an organization’s data use policies and practices, including why it processes data, what the benefits are to individuals and society, how it protects the data and how users can manage and control the use of their data.
  • The impact of the transparency deficit. The transparency deficit undermines customer trust and customers’ ability to participate more effectively in the digital economy.
  • Challenges of delivering user-centric transparency. In a connected world where there may be no direct relationship between companies and their end users, both transparency and consent as a basis for processing are particularly challenging.
  • Transparency as a multistakeholder challenge. Transparency is not solely a legal issue, but a multistakeholder challenge, which requires engagement of regulators, companies, individuals, behavioral economists, social scientists, psychologists and user experience specialists.
  • The role of data protection authorities (“DPAs”). DPAs play a key role in promoting and incentivizing effective data transparency approaches and tools.
  • The role of companies. Data transparency is a critical business issue because transparency drives digital trust as well as business opportunities. Organizations must innovate on how to deliver user-centric transparency. Data driven companies must research and develop new approaches to transparency that explain the value exchange between customers and companies and the companies’ data practices, and create tools that enable their customers to exercise effective engagement and control.
  • The importance of empowering individuals. It is crucial to support and enhance individuals’ digital literacy, which includes an understanding of the uses of personal data and the benefits of data processing, as well as knowledge of relevant privacy rights and the data management tools that are available to them. Government bodies, regulators and industry should be involved in educating the public regarding digital literacy. Such education should take place in schools and universities, and through consumer education campaigns. Transparency is the foundation and sine qua non of individual empowerment.
  • The role of behavioral economists, social scientists, psychologists and user experience specialists. Experts from these disciplines will be crucial in developing user-centric transparency and controls….(More)”.

A decentralized web would give power back to the people online


 at TechCrunch: “…The original purpose of the web and internet, if you recall, was to build a common neural network which everyone can participate in equally for the betterment of humanity. Fortunately, there is an emerging movement to bring the web back to this vision and it even involves some of the key figures from the birth of the web. It’s called the Decentralised Web or Web 3.0, and it describes an emerging trend to build services on the internet which do not depend on any single “central” organisation to function.

So what happened to the initial dream of the web? Much of the altruism faded during the first dot-com bubble, as people realised that an easy way to create value on top of this neutral fabric was to build centralised services which gather, trap and monetise information.

Search Engines (e.g. Google), Social Networks (e.g. Facebook), Chat Apps (e.g. WhatsApp) have grown huge by providing centralised services on the internet. For example, Facebook’s future vision of the internet is to provide access only to the subset of centralised services it endorses (Internet.org and Free Basics).

Meanwhile, it disables fundamental internet freedoms such as the ability to link to content via a URL (forcing you to share content only within Facebook) or the ability for search engines to index its contents (other than the Facebook search function).

The Decentralised Web envisions a future world where services such as communication, currency, publishing, social networking, search, archiving etc are provided not by centralised services owned by single organisations, but by technologies which are powered by the people: their own community. Their users.

The core idea of decentralisation is that the operation of a service is not blindly trusted to any single omnipotent company. Instead, responsibility for the service is shared: perhaps by running across multiple federated servers, or perhaps running across client side apps in an entirely “distributed” peer-to-peer model.

Even though the community may be “byzantine” and not have any reason to trust or depend on each other, the rules that describe the decentralised service’s behaviour are designed to force participants to act fairly in order to participate at all, relying heavily on cryptographic techniques such as Merkle trees and digital signatures to allow participants to hold each other accountable.

There are three fundamental areas that the Decentralised Web necessarily champions: privacy, data portability and security.

  • Privacy: Decentralisation forces an increased focus on data privacy. Data is distributed across the network and end-to-end encryption technologies are critical for ensuring that only authorized users can read and write. Access to the data itself is entirely controlled algorithmically by the network as opposed to more centralized networks where typically the owner of that network has full access to data, facilitating customer profiling and ad targeting.
  • Data Portability: In a decentralized environment, users own their data and choose with whom they share this data. Moreover they retain control of it when they leave a given service provider (assuming the service even has the concept of service providers). This is important. If I want to move from General Motors to BMW today, why should I not be able to take my driving records with me? The same applies to chat platform history or health records.
  • Security: Finally, we live in a world of increased security threats. In a centralized environment, the bigger the silo, the bigger the honeypot is to attract bad actors. Decentralized environments are safer by their general nature against being hacked, infiltrated, acquired, bankrupted or otherwise compromised as they have been built to exist under public scrutiny from the outset….(More)”

Privacy Preservation in the Age of Big Data


A survey and primer by John S. Davis II and Osonde Osoba at Rand: “Anonymization or de-identification techniques are methods for protecting the privacy of subjects in sensitive data sets while preserving the utility of those data sets. The efficacy of these methods has come under repeated attacks as the ability to analyze large data sets becomes easier. Several researchers have shown that anonymized data can be reidentified to reveal the identity of the data subjects via approaches such as so-called “linking.” In this report, we survey the anonymization landscape of approaches for addressing re-identification and we identify the challenges that still must be addressed to ensure the minimization of privacy violations. We also review several regulatory policies for disclosure of private data and tools to execute these policies….(More)”.

Privacy Laws Around the World


Bloomberg Law: “Development of international privacy laws and regulations with critical impact on the global economy has been extremely active over the last several years.

Download Privacy Laws Around the World to access common and disparate elements of the privacy laws from 61 countries. Crafted by Cynthia Rich of Morrison & Foerster LLP, the report includes expert analysis on privacy laws in Europe and Eurasia (non-EEA); East, Central and South Asia and the Pacific; the Western Hemisphere (Latin America, Caribbean and Canada); as well as Africa and the Near East.

Privacy Laws Around the World…access:

Side-by-side charts comparing four key compliance areas including registration requirements, cross-border data transfer limitations, data breach notification requirements and data protection officer requirements

A country-by-country review of the special characteristics of framework privacy laws

An overview of privacy legislation in development around the world…(More) (Requires Registration)”

Data governance: a Royal Society and British Academy project


Call for Evidence from The British Academy and the Royal Society: “…The project seeks to make recommendations for cross-sectoral governance arrangements that can ensure the UK remains a world leader in this area. The project will draw on scholars and scientists from across disciplines and will look at current and historical case studies of data governance, and of broader technology governance, from a range of countries and sectors. It will seek to enable connected debate by creating common frameworks to move debates on data governance forward.

Background

It is essential to get the best possible environment for the safe and rapid use of data in order to enhance the UK’s wellbeing, security and economic growth. The UK has world class academic expertise in data science, in ethics and other aspects of governance; and it has a rapidly growing tech sector and there is a real opportunity for the UK to lead internationally in creating insights and mechanisms for enabling the new data sciences to benefit society.

While there are substantial arrangements in place for the safe use of data in the UK, these inevitably were designed early in the days of information technology and tend to rest on outdated notions of privacy and consent. In addition, newer considerations such as statistical stereotyping and bias in datasets, and implications for the freedom of choice, autonomy and equality of opportunity of individuals, come to the fore in this new technological context, as do transparency, accountability and openness of decision making.

Terms of Reference

The project seeks to:

  • Identify the communities with interests in the governance of data and its uses, but which may be considering these issues in different contexts and with varied aims and assumptions, in order to facilitate dialogue between these communities. These include academia, industry and the public sector.
  • Clarify where there are connections between different debates, identifying shared issues and common questions, and help to develop a common framework and shared language for debate.
  • Identify which social, ethical and governance challenges arise in the context of developments in data use.
  • Set out the public interests at stake in governance of data and its uses, and the relationships between them, and how the principles of responsible research and innovation (RRI) apply in the context of data use.
  • Make proposals for the UK to establish a sustained and flexible platform for debating issues of data governance, developing consensus about future legal and technical frameworks, and ensuring that learning and good practice spreads as fast as possible….(More)”

Privacy and Open Data


A Research Briefing by Wood, Alexandra and O’Brien, David and Gasser, Urs: “Political leaders and civic advocates are increasingly recommending that open access be the “default state” for much of the information held by government agencies. Over the past several years, they have driven the launch of open data initiatives across hundreds of national, state, and local governments. These initiatives are founded on a presumption of openness for government data and have led to the public release of large quantities of data through a variety of channels. At the same time, much of the data that have been released, or are being considered for release, pertain to the behavior and characteristics of individual citizens, highlighting tensions between open data and privacy. This research briefing offers a snapshot of recent developments in the open data and privacy landscape, outlines an action map of various governance approaches to protecting privacy when releasing open data, and identifies key opportunities for decision-makers seeking to respond to challenges in this space….(More)”