Challenging Absolute Privacy by Design
Privacy by design is important, but designers should always balance privacy against other values and interests. Absolute privacy by design is neither possible, nor desirable. This seemed to be a position that was at the basis of both talks given at our Playground Meeting of 13 December 2018, by Aaron Ding (TU Delft Faculty of Technology, Policy & Management) and Jacky Bourgeois (TU Delft Faculty of Industrial Design Engineering). Their presentations complemented each other very well and led to an engaged discussion among participants, led by Neil Yorke-Smith. It was the second DDfV playground meeting in our new format, in which we focus on a specific form of design for values each time (the first meeting in that format was on design for democracy).
Privacy Fact Sheets
Aaron Ding started out by sharing some information on the expected growth and the pervasiveness of what he called “the internet of too many things.” The enormous amount of private and personal data that things (will) collect on us makes privacy by design important. However, he claimed, the challenge of privacy is not solved by technology alone. Business interests are a blind spot: companies worry about surviving, not about privacy. A company might stand out as the only one with an ethical technical solution, which may give it some competitive edge. But is that enough on the market?
Moreover, as Ding showed with some examples (see the PowerPoint below), people are themselves sometimes willing to forgo their privacy to get other things that they want. There is not necessarily something wrong with that. One of the things we should do, he proposed, is not merely protect people against privacy violations, but empower them to make better choices regarding privacy. More concretely, his idea is to develop standardized ‘privacy fact sheets’ that should accompany IoT applications, just as drug fact sheets accompany medicines. These privacy fact sheets should contain things such as an overview of what data is being collected, an explanation of how the data will be used, and what the risks are of sharing the data.
However, the discussion after both presentations brought to light a major challenge for this idea, namely that sharing some piece of personal information is often not harmful to you by itself. It may only become harmful when several data sources are combined. Drug fact sheets warn you that combining certain medicines poses additional risks, but how could a privacy fact sheet do the same? And how can the common practice of re-purposing data be dealt with? Alternative ideas, such as the ‘Personal Data Vault’, are therefore also worth considering. This would decentralize the control of the data, and not let it all flow to a few big companies which capitalize on it.
In the second talk at this DDfV Playground Meeting, Bourgeois pitched his recently funded DDfV seed project that looks into WiFi data that is being collected on the TU Delft campus. This data is potentially interesting for researchers and could be useful for new design projects, but cannot currently be used due to the GDPR. Bourgeois will use this as an explorative case to further develop his ideas about privacy and data-enabled research, and to explore the ethical, legal and organizational issues of using IoT data in TU Delft research (note: it is a fictitious case, in the sense that the project will not actually test or implement a new WiFi data system!).
Bourgeois’ starting statement: “Don’t [merely] operationalize privacy, but balance the values of each data stakeholder. Perhaps for some data subjects autonomy is the issue, not privacy…” The main idea that Bourgeois introduced is a system for data donation, comparable to a crowdfunding platform. One of the things that was discussed is that such a platform could still take different forms:
- Any researcher can use all data that has been donated;
- An ethics committee would decide which data from the donated data pool researchers could get, and what part of that data would be anonymized before making it available;
- Users only opt in to share certain data for a specific ‘data crowdfunding project’.
A challenge for research purposes is that people who are more likely to give their informed consent to the use of their data are often not representative of the whole population you want to investigate.
Another thing that came up is on what informational basis people give their informed consent to share (a part of) their data – an issue that was of course also raised by the first talk, by Ding. It does not seem feasible to have the full list of possible consequences of sharing certain data in advance. So the platform would have to keep people informed about the usage of their data and should allow people to raise concerns, which might cause other donors to opt out again. Aspects to be addressed in his seed project thus include public disclosure, the call for donation, reuse of data, opt-out options, and feedback by platform users.
Many more issues were discussed, including the possibility that informed consent perhaps becomes a redundant concept in the future of the Internet of Things, because other people’s devices may accidentally collect enough data about you to create a profile of you even if you manage to share nothing yourself…