A bottom-up approach to privacy protection
Recent cases like the Cambridge Analytica data scandal made us all aware of how important it is to protect our privacy when using the Internet. Yet, doing it is a different story. No one really has the time to go through the privacy settings of each app they are using, and the large spectrum of existing third-party apps can be confusing to say the least.
The PRIVACY FLAG (Enabling Crowd-sourcing based privacy protection for smartphone applications, websites and Internet of Things deployments) consortium’s objective was to stand out with a unique combination of crowdsourcing, ICT and legal expertise. Their solution enables citizens to monitor and control their privacy with a three-headed combination of a smartphone app, a web browser add-on and a public website containing general information – all connected to a shared database. At the same time, companies can use PRIVACY FLAG services to become privacy-friendly with dedicated solutions, namely voluntary compliance and certification.
PRIVACY FLAG built upon the outcomes of 18 other EU-funded projects to create a new paradigm of privacy protection combining ‘endo-protection’ – with locally deployed privacy enablers – and ‘exo-protection’ – with a distributed and crowdsourced monitoring framework putting implicit pressure on companies to improve their privacy compliance. It transformed existing concepts into developed, tested and validated technologies, and whilst the PRIVACY FLAG platform as a complete solution was considered as TRL 2 when it was kicked off, it enables components which had already been tested prior to the project (TRL 4 or 5).
What makes the project unique is its use of crowdsourcing: “The basic view of crowdsourcing is that virtually everyone has the potential to contribute with valuable information,” Dr Ioannis Chochliouros, coordinator of the project on behalf of the Hellenic Telecommunications Organisation, explains.
“The PRIVACY FLAG project developed a crowdsourcing-based process and a set of tools and solutions enabling the users to collectively assess and control the level of risk for their privacy in the different contexts of web applications, smartphone applications and Internet of Things deployments.”
The PRIVACY FLAG platform is based on the Universal Privacy Risk Area Assessment Methodology (UPRAAM), which comprises the GDPR, Swiss and US data protection legislation respectively. By combining this methodology with distributed privacy monitoring agents and crowdsourcing, the platform enables a large-scale risk assessment process that could not be obtained with a regular ‘top-down’ approach.
Moreover, as Dr Chochliouros says, ‘by mutualising the skills and capacities of the crowd, it reverses and rebalances the asymmetric relationship between individual users and large, powerful companies with a clear incentive to comply with privacy protection.’ The ‘crowd’ here is organised around a community of privacy defenders. Through ‘finger pointing’ and avoiding websites and applications that are not privacy compliant, PRIVACY FLAG empowers citizens and enables them to select applications based on privacy criteria.
Business incentives
Enterprises can easily get support to become ‘fully privacy respectful’ and ‘data ownership respectful’, with a corresponding rating on the PRIVACY FLAG platform. SMEs and other interested companies can obtain an in-depth privacy risk analysis of their solutions with a report and recommendations for optimising their practices, which may constitute a competitive advantage for the entire European industry.
“The data collected on European citizens is largely used by non-European companies to support marketing and get benefits vis-à-vis the competition. This creates an effective bias in the competition, advantaging companies with such data mining capacities which are mainly based outside of Europe,” Dr Chochliouros explains.
“By providing incentives for companies to offer privacy-friendly services/websites/products, the PRIVACY FLAG project also contributes to mitigating this unfair economic bias.”
By the end of the project, PRIVACY FLAG solutions had been deployed and tested in an operational environment (TRL 7) and had reached a TRL of 9 with a large-scale exploitation. The consortium plans to generate most revenues from services and consulting, with potential complementary incomes from selective advertisements.
“If we manage to convince respectively 1 % of websites and 5 % of applications with a commercial interest or capacity to pay for professional services, we can expect to end up with about 200 000 websites and 4 000 applications paying for your services,” Dr Chochliouros says. In parallel, the consortium plans to approach 100 leading European smart cities and grant them with a specific privacy risk analysis.
Keywords
PRIVACY FLAG, privacy protection, data, crowdsourcing, app, browser add-on, SME