new dataveillance and privacy in social computing: conceptual...
TRANSCRIPT
Dataveillance and privacy in social computing:conceptual exploration and analysis of corporate profiling techniques
Jo Pierson & Rob HeymanEMSOC IBBT-SMIT Vrije Universiteit Brussel
Anonymous no moreThe internet: It is becoming ever more difficult to browse the internet without leaving behind digital footprints that reveal your identity
Mar 10th 2011 | from the print edition
Overview
1. Mass self-communication2. User (dis)empowerment and privacy3. Corporate dataveillance4. Contextual integrity5. Cookies6. Conclusion and recommendations
Mass self-communication
• Forms of communication– Mass communication– Interpersonal communication
• Mass self-communicationMass communication+ Self-communication
– Self-selected in reception– Self-directed in emission – Self-generated in content
• By many who communicate with many• Coexist – interact – complement each other
Mass self-communication
Facebook Factlook, Muhammad Saleem, 2010
Mass self-communication• Networked
individualism & person as the portal (Wellman)
• Increased freedom, but also increased responsibility(vulnerability?)
⇒ User empowerment?
darmano.typepad.com/logic_emotion
User (dis)empowerment• Empowerment / disempowerment paradox
– Techniques and instruments for user empowerment proliferating and reinforcing idea of true user empowerment
– Whereas:• Empirical evidence about what user
empowerment really consists of is too large extent missing
• Risk of denial of disempowerment:• Pressure on ‘always on creativity’• Participation as an obligation rather than as
a choice (e.g. non-inclusion is not an option, especially youngsters)
• Loss of privacy => Vulnerability?
– Castells (2009)– To what extent unprecedented autonomy of creative users shaped,
controlled, curtailed by global multimedia business
Corporate dataveillance and PII
PII
Profile
SNS
Eyeballs
Users/Friends
Contextual integrity: PII exchange fair deal?
Context = Who + sends what + to whom?Contextual integrity = (PII) norms of appropriateness + (to whom) norms of distribution
Implicit
Perceived context
Perceived context
Implicit
Complete context
Complete context
Explicit
Explicit Implicit
Digital privacy:corporate dataveillance
1. Explicit disclosure– Digital footprint/fingerprint– Online identity (EU 54%)– ...
2. Implicit disclosure– Clickstream analysis– Cookies– Profiling– Online behavioural
advertising/targeting– Data mining (cf. Big data)– Deep packet inspection
(DPI)– Recommendation systems– …
Cookies
Cookie affordances1° party http
3° party http
3° p. pixelbug
Flash / LSO Zombie / Respawn
Duration Session/ short-term
Long-term(0-32 years)
Long-term (0-32 years)
Long-term(noexpiration)
Eternity
Reach Ownwebsite
Multiple websites
Multiple websites
Multiple websites
Multiple websites
Default acceptance
Yes* Yes* Yes* Yes** Yes*
Action req No Yes No No No
Removability Easy Easy Easy Hard Hard
Amount of information
4kB 4kB 4kB 100kB 100kB + 4kB
* In Internet Explorer and Mozilla Firefox** Flash player 6 or higher needs to be installed
Relevance cookies• Automatic machine-to-machine, being robust and cross-platform• Giving websites memory: states
– Increasing importance for optimal and convenient functioning internet’s social layer
– ‘Certainly with the much richer and faster environment we are in, this environment will make us end up with more ways of tracking as well.’ (Langheinrich, 2011)
• Evolution– Amount of websites with cookies rises
• Media Matrix Top 500: 81% in 2000 -> 95% in 2007 (98% in 2009)– Amount of cookies per websites increases
• 2.45 cookies in 2000 (1 to 12) -> 8.71 cookies in 2007 – The more popular website, the more cookies
• Consumer tracking technology– Spending of $23 billion (2009) in online advertising economy – On 1,000 popular sites: 40% (2005) -> 80% (2009)
Conclusion
• Cookies are to a large extent missing from users’ perceived context
• Cookie robustness and ubiquitous usage in the social layer of the web make them indispensable– This enables cookie function creep for third
parties• Contextual integrity applied to online user
perception is able to point out key privacy awareness issues and user (dis)empowerment
Recommendations• Increase the perceived context
– Technology: privacy enhancing technologies (PET)?– Users: notification and awareness?
• Awareness - practices - skills - attitudes– Policy: (self)regulation or enforcement?
• Avoiding privacy divide• Future research
1. Mapping and analysis of corporate profiling techniques, beyond cookies
2. Analysis of business practices in profiling 3. Analysis of everyday user practices in relation to privacy4. Linking user practices with affordances of profiling
technologies and business activities ⇒ Policy recommendations on local, national and European
level
Q & A
Vrije Universiteit Brussel (VUB)Interdisciplinary institute for BroadBand Technology (IBBT)
Studies on Media, Information & Telecommunication (SMIT)Pleinlaan 2, B-1050 Brussels - Belgium
http://smit.vub.ac.be
prof. dr. Jo PiersonRob Heyman
T: +32 2 6292412E: [email protected]
<http://www.nytimes.com/interactive/2010/05/12/business/facebook-privacy.html?ref=personaltech>
Evolution in data protection norms
• Generational Development of Data Protection in Europe– Not ‘data’ in need of protection, but the individual
to whom data relates (Mayer-Schönberger)• 4 generations of data protection norms
throughout multiple Data Protection Authorities (DPA)
• Europe shifts responsibility towards its citizens
12/11/09 23 eTHOS
Evolution EU data protection• 1st generation: megaDB vs the state
– 1970: the first databases• Created mistrust among citizens• Only the big ones were regulated
– Regulation was focused on technical aspects of safety– Problem:
• A new actor emerged: the minicomputer, which created multiple databases• The law was unable to control privacy due to the sheer number of new databases
• 2nd generation: the minicomputer– Civilians become the new prosecutors
• DPA becomes ombudsman and regulator– Privacy: ‘the right to be let alone’ (Westin)– All or nothing policy
• Disclosure of personal information more often than not is a precondition to individual participation
• Is it acceptable that such data protection can be exercised only by ‘hermits’?
12/11/09 24 eTHOS
Evolution EU data protection• 3rd generation: right to informational self determination
– Privacy returns in discourse– All or nothing policy is awkward and difficult
• The civilian should have more specific control– He or she should be aware of every use of his or her personal information
• Even more initiative and responsibility shifted towards citizens– Procedures are slow and hard to control and so is the right to privacy
• 4th generation: holistic and sectoral– Civilians are not capable to ensure compliance
• Fortify this position through no fault compensation• The government takes responsibility (Belgian Law 8-12-92 art. 6, 7 and
8) for personal data (health, law and etnicity)• Every sector (e.g. health) has its own specific needs
– Every sector has its own sectoral rules (self-regulation)
12/11/09 25 eTHOS
Implications• Consumer oriented interdisciplinary research on privacy
– Implicit disclosure: analysis of technological affordances and industry developments and user perspectives
– Explicit disclosure: everyday user practices and privacy enhancing solutions
– Points of attention• Awareness: What do people know? (e.g. Facebook Inc.)• Practices: What do people do? (e.g. privacy paradox)• Skills: What are people able to do? (e.g. right not to be identified)• Attitudes: What do users want? (e.g. mediating techno-privacy)
– Interdisciplinary perspective (user, legal, educational, HCI,...)– Link with empowerment (i.e. also inclusion and digital literacy)
• Actions needed for enlarging ‘perceived context’– Interaction with civil society, industry and government on local, national
and European level?– Systematic monitoring?– Educational and training tools?– Awareness campaigns?
Exchange PII between users and digital services: fair deal?
• Contextual integrity (Nissenbaum)– An alternative benchmark for ethics and privacy,
to capture the nature of challenges posed by mass self-communication
– Informational norms• Norm of appropriateness• Norm of information flow
– Link with• Sense of vulnerability• Subjective privacy
– E.g. Google Buzz
Everybody knows you’re a dog...