Privacy as an opportunity

Informatics colloquium, March 6 2015
Marc van Lieshout
Content presentation
Introduction
The concept ‘Privacy’
Personal data – big data
‘It takes two to tango’
The value of personal data
Privacy as an innovation carrier
Opportunities for privacy – privacy as an opportunity
05 March 2015
Themes & Roadmaps
Strategy & Policy
Privacy related research
- Incentives and barriers PbD in the NL (EL&I/TNO) 2011
- Personal data Market 2014
- Monitoring Privacy perceptions (2014)
- Privacy Roadweb Ziggo
- Action Plan Privacy 2014
One of THE knowledge partners on privacy & identity management, national and international
Privacy as a concept
Privacy: universal value
Universal declaration of human rights (1948)
“No one shall be subjected to arbitrary interference with his privacy, family,
home or correspondence, nor to attacks upon his honour and reputation.
Everyone has the right to the protection of the law against such interference or
attacks.”
EU Charter of Fundamental Rights (2009)
Article 7: Respect for private and family life: Everyone has the right to respect
for his or her private and family life, home and communications.
Article 8: Protection of personal data: Everyone has the right to the protection
of personal data concerning him or her.
[Diagram labels: Virtual, Reserve, Anonymity, Informational, Relational, Collective, Individual, Bodily, Spatial, Solitude, Intimacy, Physical]
PRIVACY: SUBSTANTIVE, CASE BY CASE, ‘CONCEALMENT’, Autonomy
Data protection: PROCESS ORIENTED, RULE-BASED, ‘TRANSPARENCY’, Free flow of products and persons
Statement
Within an open society one should be able to
remain anonymous
Personal data - Big data
The challenge
http://www.businessinsider.com/growth-in-the-internet-of-things-2013-10?IR=T
Internet becoming personal
http://cloudtweaks.com/2014/12/personal-space-internet-things-iot/
World Economic Forum
“Personal data as the new oil”
- Personal data as raw material
- Personal data as intermediate product
- Personal data as service
1. Personally provided data
2. Observed data
3. Inferred data
Boston Consulting Group (2012)
Personal data market: 8% of EU GDP in 2020
CAGR Communication and entertainment: 22%
e-Commerce: 15%; Web communities: 100%
Market size: €330 billion; consumer benefit: €670 billion
Reduced prices, time savings, free online services
Youtube
- 1 billion unique visitors each month
- Watching 6 billion hours of Youtube movies
- Offered 100 hrs of new Youtube material each minute
Music platforms
http://www.jeffbullas.com/2014/01/17/20-social-media-facts-and-statistics-youshould-know-in-2014/
[Figure: advertising networks and the data items shown with them. Networks named: Adwhirl, DoubleClick, 4th Screen Advertising, Greystripe, AdMob, Mobclix, Medialets, Flurry. Data items named: UDID, GPS location, Number listened, City, User name, City/Province, E-mail address, Contacts, Age, Gender]
~25% of apps send observed data without consent
Source: Computeridee, 2011
Inferred data - 1
Database with data on 3 million patients
Correlation between the use of antidepressants by pregnant women
and the incidence of autism in babies
Statement
Though people may expose quite substantial
information about themselves through social media,
the real threat to privacy is the hidden collection of
personal data by firms and governments.
‘It takes two to tango’
http://www.emc.com/campaign/privacy-index/index.htm
Statement
Institutions are to blame for
people having very low trust in them
The perspective of the data subject
A behaviouristic perspective (Acquisti 2011)
- Individual as a rational actor
  - Is presumed to show stable preferences
  - Is presumed to consider privacy as a value that can be traded against other goods
  - Is Willing to Accept benefits in exchange for personal data
  - Will similarly be Willing to Pay for privacy protection
- Willingness to Pay = maximum price people are willing to pay for protecting their personal data (‘I will pay maximum xxx to have my personal data protected’)
- Willingness to Accept = minimum price people want to have for selling their personal data (‘I want at least xxx for revealing my personal data’)
- Rational choice theory:
  - WtA = WtP
A behaviouristic perspective
- Behavioural economics takes preferences into account
- People are affected by a sense of endowment in the privacy of their data
- People tend to value the following two situations differently:
  - A - Get money to sacrifice part of privacy
  - B - Pay money to obtain more privacy
- The fraction of persons that will reject A (WTA) is larger than the fraction of persons that will accept B (WTP)
- The distribution of privacy valuations is not normal
[Figure: two ticket order forms side by side, one from Event sales and one from Cine sales. Fields shown: Name, Phone (mobile) and Date of birth on both forms, E-mail on one form. Prices per ticket shown: € 7,50 and € 7,00. Each form carries the lines "I accept the general conditions" and "I accept the privacy statement" of the respective firm, and a Continue button.]
A behaviouristic perspective
Buying a cinema ticket
1. Difference in data usage / difference in number of data items
2. Difference in prices / same prices
Pilot studies and field experiment with 443 participants

Overview | Number | Firm 1 | Firm 2
No ticket | 251 | - | -
One ticket | 40 | 29 | 11
Two tickets | 152 | 128 | 176
- Loyal | 142 | 59 | 83
- Switch | 10 | 9 from 1 to 2 | 1 from 2 to 1
Main results:
- In all choices offered, when no price difference exists subjects tend to choose the privacy-friendly firm
- When price differences exist, the share of the privacy-friendly firm drops considerably, even with a price difference of only €0,50
A behaviouristic perspective (Spiekermann 2012)
“My dear friends, it’s over … I hereby announce that Facebook will cease to exist …”

# | Scenario FB | Scenario FB user
1 | Facebook data will be deleted | Download data to your hard disk
2 | Facebook data will be deleted | Transfer data to new SN
3 | Facebook data will be sold | Download data to your hard disk
4 | Facebook data will be sold | Transfer data to new SN
5 | Facebook data will be sold | Share in selling
A behaviouristic perspective
Investigate Willingness to Pay in order to protect one’s personal data
1553 Facebook users

Amount | Scenario FB user | Median | Mean | SD
€ WTP to save a copy | No asset awareness (1 and 2) | €0 | €16,50 | €104,50
€ WTP to save a copy and prevent selling | Asset awareness (3 and 4) | €5 | €54 | €167,50
€ expected as share in sale | Sharing but no control (5) | €0 | €508 | €1335
Conclusions on behavioural perspectives
1. Endowment effect (people ascribe more value to things simply
because they have them - also known as ‘divestiture aversion’)
2. Hyperbolic discounting (people choose smaller pay-offs now over
higher pay-offs later)
3. Instant gratification (people value what they receive immediately
higher than what they can achieve later on)
4. Psychology of ownership (people tend to value what they own
higher than what they do not own)
5. Risk aversion (people tend to prefer avoiding risks over achieving profits)
Privacy as an opportunity
- Privacy is an interplay between
  - What Society wants
  - What Technology enables
  - What Laws and Regulations enforce
- Distinct value sets for society, technology and law
  - Autonomy, choice, control
  - Reliability, efficiency, availability
  - Transparency, equality, accountability
Privacy, data protection and information security
[Diagram: Privacy, Information security and Data protection. Labels: Autonomy, Intimacy, Self-determination, Choice, Consent, Control, Confidentiality, Integrity, Availability, Legitimacy, Transparency, Accountability]
Privacy, data protection and information security
Information security:
“The assurance that data meet requirements of confidentiality, integrity
and availability”
“The assurance that data are secured with appropriate technological and
organisational safeguards”
Data protection (Art 8 EU Charter):
“The free flow of personal data” (95/46/EC; GDPR)
“The rules that govern the flow and use of personal data”
Privacy (Art 7 EU Charter):
“The right to be let alone”
“The right to determine what, how and to what extent information about you
is communicated to others.”
Principles for Privacy, Data protection and Information security
Autonomy
Choice
Control
Individual participation
Openness
Use limitation
Purpose specification
Collection limitation
Data quality
Security safeguards
Confidentiality
Availability
Integrity
An innovative perspective on privacy
Innovation is a combination of technological, institutional, organisational and societal measures
ISO JTC SC27 family of privacy standards
Groups shown: Framework, Management, Technology, Controls
- IS 29100:2011 Privacy Framework
- IS 29101:2013 Privacy Architecture Framework
- IS 29134 (4th WD) Privacy Impact Assessment – Methodology
- IS 29190 (1st CD) Privacy Capability Maturity Model
- IS 29191:2012 Req. for partially anonymous, partially unlinkable authent.
- IS 27002:2013 Code of practice for info. sec. management
- IS 27018:2014 Code of Practice for PII protection in public clouds acting as PII processors
- IS 29151 (3rd WD) Code of practice for PII protection
- WG 5 SD2 Privacy Reference List (freely available) http://www.jtc1sc27.din.de/
Privacy ‘Schijf van vijf’
[Diagram labels: Learning environment, Securing responsibilities, Transparency tool, External environment, Internal environment, Code of conduct, Annual privacy report, Privacy platform, Privacy benchmark, Trusted partner, Privacy Impact Assessment, Customer channel, Processes, Privacy by Design, Awareness panel, Privacy maturity check, Products, Trusted Architecture, Privacy dashboard]
IRMA: I Reveal My Attributes
A project on practical attribute-based identity management.
https://www.irmacard.org/
User-centric issuance model
A grassroots project founded by:
Smartcard as root of trust
Technology available now, pilots ongoing.
Action Plan Privacy
Privacy as an opportunity
‘Privacy-respecting’ approaches:
- Data vault to store personal CV data (CVOK/YOPS)
- Technology that enables individuals to control attributes (IRMA-technology)
- Trust assured platform that offers full control to data subjects
- Key management systems that secure the exchange of data between parties under a strict control regime
Conclusions
- Privacy solutions are an interplay between technical, organisational and institutional measures
- An encompassing approach that takes information security, data protection and privacy dimensions into account is essential
- New business approaches are under development that incorporate these various perspectives
- A coalition between technologists, NGOs, lawyers and firms is necessary to realise large scale implementation of promising privacy technologies
Marc van Lieshout
Marc.vanlieshout@tno.nl
088 – 8667125
06 – 51246618