Periodic Reporting for period 2 - OPERANDO (Online Privacy Enforcement, Rights Assurance and Optimization)
Reporting period: 2016-05-01 to 2018-04-30
Online privacy is a pervasive European market need. Europe’s citizen privacy laws, especially GDPR, are world-leading. However, users have little power to control personal data disclosed to service providers, and cannot verify that the data are not passed onto third parties. Lack of visible privacy protection limits the willingness of users to use online services and the economic value of personal data is neither adequately understood nor taken advantage of by users.
The OPERANDO project developed comprehensive user privacy enforcement in the form of a dedicated online service, a “Privacy Authority”. The OPERANDO platform supports flexible and viable business models, including targeting of individual market segments such as public administrations, social networks and Internet of Things.
OPERANDO contributes to the entire ecosystem of online privacy stakeholders: Users, Privacy Service Providers (PSPs), Online Service Providers (OSPs) and their technology suppliers, and Regulators.
The objectives of the project can be summarised as follows:
O1 - Enable user-friendly privacy enforcement
Provide users with easy-to-use tools for granular control over their personal data, as well as the ability to trade the value of the data for benefit.
O2 - Implement Privacy-by-Design
Enable online services to comply with Privacy-by-Design principles. Create the technology for enforcement of European privacy laws, best practices and user privacy preferences, including cross-border services.
O3 - Create viable business and trust models
Provide support for a range of Privacy Service Provider business models and profit strategies, with strong value for OSPs, while being free for users. Create strong trust models easily understood and accepted by users.
O4 - Demonstrate and validate the solution
Implement, test and validate the solution through multiple real OSPs representing different market segments.
O5 - Ensure that the OPERANDO framework is sustainable
Identify and initiate a joint exploitation strategy building on project demonstrations, endorsements and dissemination, and other mechanisms such as Open Source release. Gain endorsement of the solution by consumer organizations, and position it for endorsement by governments.
1. PlusPrivacy Application
As a direct-to-user (B2C) service OPERANDO offers a privacy product to consumers which is currently available to the public. PlusPrivacy (https://plusprivacy.com/) gives users a unified dashboard for protecting themselves from a variety of threats to privacy. It enables control over the privacy settings in social network accounts, hidden email identity, ad blocking, and prevention of malware and unwanted apps or browser extensions from tracking and collecting private data.
2. OPERANDO G2C Platform – Privacy as a Service
OPERANDO offers OSPs a privacy enforcement platform, available as a service from public bodies (government) to consumers (G2C). This platform contains many innovations, including a unique architecture for privacy protection. The architecture includes automated privacy policy decision making, user device privacy, user-centric privacy management and regulatory compliance.
This platform has been used in three rounds of testing with G2C test sites across the UK and Italy to validate the use cases identified for the platform, and to demonstrate that the functionality of the platform is of value to these service providers in the healthcare and social care sectors. Testing was also used to improve the platform iteratively using feedback from potential customers, working to provide a solution which is more appealing at the end of the project.
3. Privacy Service Provider Business Concept
OPERANDO innovates by a new service and business model. Privacy Service Providers (PSPs) use the OPERANDO software to offer Privacy as a Service, thereby becoming a Privacy Authority (PA). They provide free privacy services to citizens (“user-side services”) and associated paid services to OSPs, supporting a trusted privacy protection relationship between OSPs, users and a Privacy Regulator. The PA may store the users’ personal data securely and release it judiciously to authorized OSPs, based on each individual’s User Privacy Policy (UPP). The concept of a PA was developed and business plans produced for a model PSP business. The concept was included in testing and validation of the OPERANDO platform, where OPERANDO partners acted as a PSP business to deliver the platform to a test site (an OSP). OPERANDO source code is available as open source software allowing others to replicate the platform to provide privacy as a service to customers.
4. Legally compliant Privacy Framework
OPERANDO innovates in proposing a legally motivated privacy framework that pursues beyond-state-of-the-art ambitions to be standardized at European level. This includes translation of privacy and data protection into technical concepts and providing support of cross-border compliance with privacy laws of the EU, even if the OSP is located outside the EU. The OPERANDO method brings about advances by ensuring that PSPs consider ethical and legal values and demonstrate the methodology to DPAs.
For Privacy Regulators, OPERANDO provides machine-readable privacy guarantees, the ability to input privacy regulations in a semantic form, and automated compliance audit of the OSPs. The project has also developed guidelines and tools for the privacy-by-design method used when developing the OPERANDO platform.
The B2C service PlusPrivacy is unique. There is no existing holistic solution of this kind available in the market; most competitor solutions are only available as modules which consumers must individually install and set up.
OPERANDO has also produced detailed business plans for privacy service providers, studies of existing similar business models and studies of the trust models needed to create such a business. This includes the introduction of ideas such as the innovative concept of PSP federation, which will enable PSPs to expand the range of their services and serve customers outside their specialization area by borrowing service capabilities from other federated PSPs. These research and planning tasks support these innovative outcomes. Such research and planning has been done for both the G2C and B2C case studies and sectors.
The G2C work has produced a platform to enable privacy as a service for G2C organisations. This platform itself contains many innovations, including a unique architecture for privacy protection.
The architecture includes modules for:
- automated privacy policy decision making
- user-centric privacy management
- regulatory compliance
To increase the transparency of the privacy services and dissemination of results, OPERANDO has been implemented as Open Source for further evolution beyond the scope of the project.