Privacy as an opportunity
Transcription
Privacy as an opportunity
Privacy as an opportunity Informatics colloquium, March 6 2015 Marc van Lieshout 2 Content presentation Introduction The concept ‘Privacy’ Personal data – big data ‘It takes two to tango’ The value of personal data Privacy as an innovation carrier Opportunities for privacy – privacy as an opportunity 2 05 March 2015 Themes & Roadmaps 4 5 Strategy & Policy 6 Privacy related research Incentives and barriers PbD in the NL (EL&I/TNO) 2011 Personal data Market 2014 One of THE knowledge partners on privacy & identity management national and international Monitoring Privacy perceptions (2014) Privacy Roadweb Ziggo Action Plan Privacy 2014 7 Privacy as a concept 7 8 Privacy: universal value Universal declaration of human rights (1948) “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” EU Charter of Fundamental Rights (2009) Article 7: Respect for private and family life: Everyone has the right to respect for his or her private and family life, home and communications. Article 8: Protection of personal data: Everyone has the right to the protection of personal data concerning him or her.. 9 Virtual Reserve Anonymity Informational Relational Collective Individual Bodily Spatial Solitude Intimacy Physical 10 PRIVACY SUBSTANTIVE CASE BY CASE ‘CONCEALMENT’ Autonomy Data protection PROCESS ORIENTED RULE-BASED ‘TRANSPARENCY’ Free flow of products and persons 11 Statement Within an open society one should be able to remain anonymous 12 Personal data - Big data 12 13 The challenge 14 http://www.businessinsider.com/growth-in-the-internet-of-things-2013-10?IR=T 15 16 Internet becoming personal http://cloudtweaks.com/2014/12/personal-space-internet-things-iot/ 17 World Economic Forum “Personal data as the new oil” - Personal data as raw material - Personal data as intermediate product - Personal data as service 1. Personally provided data 2. Observed data 3. Inferred data Boston Consulting Group (2012) Personal data market: 8% van EU GDP in 2020 CAGR Communication and entertainment: 22% e-Commerce: 15%; Web communities: 100% Marktomvang: €330 billion; consumentenvoordeel: €670 billion Gereduceerde prijzen, tijdsbesparingen, gratis online diensten 18 Youtube • • • 1 billion unique visitors each month Watching 6 billion hours of Youtube movies Offered 100 hrs of new Youtube material each minute Music platforms http://www.jeffbullas.com/2014/01/17/20-social-media-facts-and-statistics-youshould-know-in-2014/ 19 Adwhirl DoubleClick 4th Screen Advertising UDID GPS location Number listened City Greystripe AdMob Mobclix Medialets UDID User name City/Province E-mailadress ~25% of apps zendt observed data zonder consent Bron: Computeridee, 2011 Flurry UDID Contacts UDID GPS location Age Gender 20 Inferred data - 1 Database with data on 3 million patients Correlation between use of anti-depressives by pregnant women and the incidence of autism with babies 21 Stelling Though people may expose quite substantial information about themselves through social media, the real threat to privacy is the hidden collection of personal data by firms and governments. 22 ‘It takes two to tango’ 22 23 23 http://www.emc.com/campaign/privacy-index/index.htm 24 24 http://www.emc.com/campaign/privacy-index/index.htm 25 25 http://www.emc.com/campaign/privacy-index/index.htm 26 Stelling Institutions are to blame for people having very low trust in them 27 The perspective of the data subject 27 28 A behaviouristic perspective (Acquisti 2011) Individual as a rational actor Is presumed to show stable preferences Is presumed to consider privacy as a value that can be traded against other goods Is Willing to Accept benefits in exchange for personal data Will similarly be Willing to Pay for privacy protection Willingness to Pay= maximum price people are willing to pay for protecting their personal data (‘I will pay maximum xxx to have my personal data protected’) Willingness to Accept = minimum price people want to have for selling their personal data (‘I want at least xxx for revealing my personal data’) Rational choice theory: WtA=WtP 29 A behaviouristic perspective Behavioural economics takes preferences into account People are affected by a sense of endowment in the privacy of their data People tend to value the following two situations differently: A - Get money to sacrifice part of privacy B - Pay money to obtain more privacy The fraction of persons that will reject A (WTA) is larger than the fraction of persons that will accept B (WTP) The distribution of privacy valuations is not normal 30 Name Name Phone (mobile) Phone (mobile) Date of birth Date of birth E-mail Price per ticket: € 7,50 Price per ticket: € 7,00 I accept the general conditions of Event sales I accept the general conditions of Cine sales I accept the privacy statement of Event sales I accept the privacy statement of Cine sales Continue Continue 31 A behaviouristic perspective Buying a cinema ticket 1 2 Difference in data usage/difference in number of data items Difference in prices/same prices Pilot studies and field experiment with 443 participants Overview Number Firm 1 Firm 2 No ticket 251 - - One ticket 40 29 11 Two tickets 152 128 176 - Loyal 142 59 83 - Switch 10 9 from 1 to 2 1 from 2 to 1 32 A behaviouristic perspective Buying a cinema ticket 1 2 Difference in data usage/difference in number of data items Difference in prices/same prices Pilot studies and field experiment with 443 participants Main results: In all choices offered, when no price difference exists subjects tend to choose the privacy-friendly firm When price differences exist, the share of the privacy-friendly firm drops considerably, even with a price difference of only €0,50 33 A behaviouristic perspective (Spiekermann 2012) “My dear friends, it’s over … I hereby announce that Facebook will cease to exist …” Scenario FB Scenario FB user 1 Facebook data will be deleted Download data to your hard disk 2 Facebook data will be deleted Transfer data to new SN 3 Facebook data will be sold Download data to your hard disk 4 Facebook data will be sold Transfer data to new SN 5 Facebook data will be sold Share in selling 34 A behaviouristic perspective Investigate Willingness to Pay in order to protect one’s personal data 1553 Facebook users Scenario FB user Median Mean SD € WTP to save a copy No asset awareness (1 and 2) €0 €16,50 €104,50 €WTP to save a copy and prevent selling Asset awareness (3 and 4) €5 €54 €167,50 € expected as share in sale Sharing but no control (5) €0 €508 €1335 35 Conclusions on behavioural perspectives 1. Endowment effect (people ascribe more value to things simply because they have them - also known as ‘divestiture aversion’) 2. Hyperbolic discounting (people choose smaller pay-offs now over higher pay-offs later) 3. Instant gratification (people value what they receive immediately higher than what they can achieve later on) 4. Psychology of ownership (people tend to value what they own higher than what they do not own) 5. Risk aversion (people tend to averse risks over achieving profits) 36 Privacy as an opportunity Privacy is an interplay between What Society wants What Technology enables What Laws and Regulations enforce Distinct value sets for society, technology and law Autonomy, choice, control Reliability, efficiency, availability Transparency, equality, accountability 37 Privacy, data protection and information security Autonomy Intimacy Self-determination Privacy Choice Consent Control Confidentiality Integrity Availability Information security Data protection Legitimacy Transparency Accountability 38 Privacy, data protection and information security Information security: “The assurance that data meet requirements of confidentiality, integrity and availability” “The assurance that data are secured with appropriate technological and organisational safeguards” Data protection (Art 8 EU Charter): “The free flow of personal data” (95/46/E’; GDPR) “The rules that govern the flow and use of personal data” Privacy (Art 7 EU Charter): “The right to be let alone” “The right to determine what, how and in what extent information about you is communicated to others.” 39 Principles for Privacy, Data protection and Information security Autonomy Choice Control Individual participation Openness Use limitation Purpose specification Collection limitation Data quality Security safeguards Confidentiality Availability Integrity 40 An innovative perspective on privacy Innovation is a combination of Technological Institutional Organisational Societal measures 41 Framework IS Privacy Impact 29134 Assessment – 4th WD Methodology WG 5 SD2 Privacy Reference List (freely available) http://www.jtc1sc27.din.de/ IS 27002 :2013 Code of practice for info. sec. management IS 29151 3rd WD IS Privacy Capability 29190 Maturity Model st 1 CD IS 27018 :2014 Code of Code of Practice for practice for PII protection in PII protection public clouds acting as PII processors Technology Controls IS 29100 Privacy :2011 Framework Management ISO JTC SC27 family of privacy standards IS 29101 :2013 IS 29191 :2012 Req. for Privacy partially anonyArchitecture Framework mous, partially unlinkable authent. 42 Privacy ‘Schijf van vijf’ Learning environment Securing responsibilities Transparency tool External Environment Internal environment Code of conduct Annual privacy report Privacy platform Privacy benchmark Trusted partner Privacy Impact Assessment Customer channel Processes Privacy by Design Awareness panel Privacy maturity check Products Trusted Architecture Privacy dashboard 43 IRMA: I Reveal My Attributes A project on practical attribute-based Identity management. https://www.irmacard.org/ User-centric issuance model A grassroots project founded by: Smartcard as root of trust Technology available now, pilots ongoing. 44 Action Plan Privacy 45 Privacy as an opportunity ‘Privacy-respecting’ approaches: Data vault to store personal CV data (CVOK/YOPS) Technology that enables to control attributes by individuals (IRMA-technology) Trust assured platform that offers full control to data subjects Key management systems that secures exchange of data between parties under strict control regime 46 Conclusions Privacy solutions are an interplay between technical, organisational and institutional measures An encompassing approach that takes information security, data protection and privacy dimensions into respect is essential New business approaches are under development that incorporate these various perspectives A coalition between technologists, NGOs, lawyers and firms is necessary to realise large scale implementation of promising privacy technologies 47 Marc van Lieshout [email protected] 088 – 8667125 06 – 51246618