The increasing incursion of social media into our professional and personal lives and shared data storage in the Cloud makes the question of data protection and security ever-more urgent. The answer won’t come from technology alone, but will need to embrace research and policy
“There are no miraculous solutions from policy or technology. It’s a multi-faceted problem and it must be faced like this,” said Mario Campolargo, Director of Emerging Technologies and Infrastructures at the European Commission’s DG Information Society and Media. Researchers and policymakers cannot work in isolation, he told delegates at a Science|Business seminar on ‘Data protection and security: how will new technologies change the policy debate?’ held on 25 May.
In the digital as in the physical world, it is impossible to eradicate crime and risk, but they must be prevented as much as possible, so that a safe environment is created in which people feel at ease. This is as critical when people are navigating digital highways as it is on the streets of a real city. “It’s [about] a balance between opportunity and risk,” said Jean-Eric de Cockborne, an adviser to the director-general of DG Information Society and Media at the European Commission. Information is the critical ingredient in striking this balance. “Digital literacy is absolutely key,” de Cockborne said.
The issue of control lies at the heart of this. Who should control online data: individuals, governments or companies? While Bart Preneel of the Katholieke Universiteit Leuven argued it should be up to individuals to determine how their data is used, other delegates pointed out it is burdensome and time-consuming to control what is done with personal information. Several delegates said the key is for consumers to know the risks they’re taking, enabling them to make informed decisions about whether, and how, to use any particular service or application.
Policy can’t keep up with technology
The need to map out a holistic view, factoring a global perspective of all public policy goals against the requirements of all the different stakeholders, was raised by several delegates. “Traditional policy-making tools are not good at capturing the complexity and pace of ongoing changes and dynamics of technologies,” noted Cornelia Kutterer, Director of Regulatory Policy for Microsoft EMEA. At the same time, “More flexible, self- or co-regulatory schemes may lack mechanisms to address tensions between different, potentially [conflicting] public policy goals.”
Radio frequency identification(RFID) provides an exemplar of how industry, policymakers and consumers can come together to reconcile the advantages that a new technology offers against the potential for invasion of privacy, said Megan Richards, Director for Converged Networks & Services at the European Commission’s DG Information Society and Media. The Privacy Impact Assessment Framework for RFID applications recently agreed by the Commission and industry, in association with civic groups and endorsed by the Article 29 data protection working groups is, “A good example of how technology and policy can develop a common approach, addressing the interests of all,” she said.
Threat of regulation
Delegates agreed it cannot be left to the market alone to ensure digital security and privacy. The threat of regulation is what will make industry take heed, said Preneel. However, there is a self-interest for companies in investing in security and having a robust approach to privacy. This is an important element in gaining consumers’ trust - and their custom – and a requirement that was put in the spotlight by the recent embarrassing breach of Sony’s PlayStation Network.
Any European take on enforcing security and privacy, whether through statutes or codes of practice is likely to be compromised by the global nature of the Internet. But Preneel said that policy makers shouldn’t be put off by this fact. “Europe should impose a more robust infrastructure. Europe should set an example,” he said.
The need for a global policy framework is likely to come to the fore in coming years. Already a global Internet culture is emerging, with consumers on the Internet beginning to have more in common with each other than with their fellow citizens on the high street. Evidence of this trend emerged in a recent World Economic Forum study focusing on issues of freedom of expression, privacy, trust and security on the Internet.
“From a policy point of view it poses a big challenge: how do you combine these four dimensions? You can’t separate out security, or any one element. All four have to be looked at with a holistic vision,” said Soumitra Dutta, professor of Business and Technology and Academic Director of elab at INSEAD.
Delegates at the seminar agreed there are several fine lines to be mapped out - between freedom of expression and privacy; between trust and security; and in the balance of power between industry and other groups. As Jesus Villasante, Head of Unit (Trust and Security) in the Commission’s DG Information Society and Media, pointed out, “All these issues have important industry and societal implications.” The vexed question remains of where the balance should be struck.
‘The New Internet World: A Global Perspective on Freedom of Expression, Privacy, Trust and Security Online’ is a World Economic Forum study that set out to better understand cross-cultural differences in Internet user behaviour and attitudes. Its findings are based on a survey of more than 5,400 adult Internet users from 13 different countries, conducted by the Oxford Internet Institute and INSEAD in collaboration with comScore.
“A global Internet culture is emerging,” said Soumitra Dutta, a co-author of the report, outlining the study’s key findings at the Science|Business seminar. Users worldwide share similar values and attitudes about online freedom of expression, privacy, trust, and security. Interestingly, there are no big differences across age, gender or nationality. As the survey also revealed, “Users want it all,” demanding freedom of expression, privacy, trust, and security. This presents a challenge since these values can be conflicting, Dutta noted.
The study also highlighted how users in emerging markets are more open, more willing to experiment and more leading-edge in using the Internet. These findings provide a useful backdrop to gauge how the Internet world will develop, and how and where it will be shaped and governed, Dutta said.
Marit Hansen, Deputy Privacy and Information Commissioner of the German Lander of Schleswig-Holstein, highlighted the different ways in which online data can be used – and abused – to personalise adverts, determine the price an individual is charged for a product or service, set credit conditions and insurance premiums. Consumers are often unaware of the data trail they are leaving on the Internet and the uses to which this may be put.
Hansen and her team looked at upcoming technologies to see where legislation is currently lacking, and based on this have suggested extending current security and privacy considerations in the design of IT systems, and in policy. In addition to the classic goals of confidentiality, integrity and availability, Hansen says transparency, the ability to de-link one system from another, to keep data on an individual in one system separate from that in another, to minimise the amount of personal data that is stored and providing users with the ability to intervene in processes and, among other things, delete their data, should be factored into systems design. Striking a balance between these factors is, “What we need [to ensure] privacy protection for the long-term,” Hansen said.
Svein Johan Knapskog, Director of the Centre for Quantifiable Quality of Service in Communication Systems at the Norwegian University of Science and Technology, told delegates that privacy and security obstacles can be overcome and electronic voting will be possible in the future. “I think we can make models to identify the main problems,” he said.
Existing technology will be tested in smaller communities in Norway this autumn, as a first test of how potential problems of being able to register the vote while maintaining the principle of a secret ballot and overcoming the risk that an online voter is coerced to vote a certain way, can be overcome. In the trial, online voters will also be able to go to vote in person, with this vote overriding those cast online.
Knapskog said the problems encountered so far in e-voting cannot be solved by technology alone. It also depends on government systems. Finding a solution is complex and involved, he noted.
Bart Preneel, head of the Computer Security and Industrial Cryptography research group at Katholieke Universiteit Leuven, is concerned about the lack of control over online personal data. Not only is it very hard to delete data, but it’s also difficult to know which systems are interconnected and where your data will end up, he noted. As an example of how data can be (mis-)used, Preneel pointed to the Gaydar algorithm developed by two MIT students that uses information about their friends to out gay Facebook users who haven’t disclosed their sexual orientation.
Meanwhile, the website www.pleaserobme.com, alerts users to the risks of sharing information online. “No privacy means no security,” said Preneel, an expert in cryptography. The increased use of centralised data storage that will be ushered in with cloud computing further raises security questions. “Cryptography can be part of the solution,” said Preneel, “But the key should be with the individual, not the company. It should be you who decides.”