Privacy in anOpen Data World

Sam Smith( day job: Privacy International

for fun: open data and transparency )

@smithsamsam@privacy.org

1Hi, I'm Sam from the Internet

By day, I work for Privacy International, but have a long standing personal interest in open data.

I'm going to talk about counter examples, and talk about organisations. None of this is specific advice, for that, we need to talk in detail, which is a different talk.

Privacy is best described by principle and example. Or in most cases, counterexample. So, a big tech company...

Redact this slide from the published version

2Privacy is best described by principle and example. Or in most cases, counterexample. So, a big tech company...

wanted to find out how their researchers interactedfully informed consent, had researchers turn on bluetooth, and logged what other devices could be seennice an effective. A couple of devices from 2 researchers could see each other all night.Not quite the type of interaction that the project was looking for.

what could possibly go wrong?

Redact this slide from the published version

3Privacy is best described by principle and example. Or in most cases, counterexample. So, a big tech company...

wanted to find out how their researchers interactedfully informed consent, had researchers turn on bluetooth, and logged what other devices could be seennice an effective. A couple of devices from 2 researchers could see each other all night.Not quite the type of interaction that the project was looking for.

The point of this talk is the bubble that just raised a smile -- what can go wrong when you think about things that should be private in an open way. And how to not do that.

(if anyone is concerned, this is a public example)

https://i.chzbgr.com/maxW500/6526756352/hBF8E39C4/

4

Open data and Privacy are not contradictory. Non-personal open data can be an output from data, but it has to be done carefully.Choices of individuals can be to put their data in the open -- there are projects where someone battling cancer has been open about their medical

records. That's their choice.It's when someone does that to another that privacy comes in.

http://www.cat-talk-101.com/images/indiana-jones-cat-2.jpg

5▼! ❑ ! Background! •!❑ !what is privacy? -- in this talk, it's data about individuals, citizens, customers, only going the subject wants it to go.! ▼! ❑ ! In a privacy context! •!❑ !there's no organisation solely working on data privacy.▼! ❑ ! in an emerging data world, you may find issues that no one has discovered before.

http://cdn.memegenerator.net/instances/400x/30138154.jpg

6▼!❑!in an emerging data world, you may find issues that no one has discovered before. For research, that's relatively rare.

Much more common is a company seeing a revenue source from changing rules.! •! ❑!Principles, and broad understanding helps.! •! ❑!Are you going to sell out your users, or are you going to protect them?! ▼!❑!is your privacy policy written to cover yourselves, or with respect for customers?! •! ❑!how you think, operate and work when you have time and are relaxed, will say a lot about how you are likely to operate when neither of those things are true.In some ways, you've done the hard bit. You've given up friday lunch for a privacy talk. it's your colleagues I'm concerned about

photo Steven Depolo : http://www.flickr.com/photos/stevendepolo/4482491295/in/photostream/ (CC-BY)

7it's easy to screw up. It's really hard to fix.

A large international funder emailed re their "anonymised" data about murder of journalists. Nice open data project, done the same way it's been done for a few years now, and a CSV file of data

One of the problems we have with words is what they mean, and people reusing them to mean something that's different, or easier. "Open data" is seeing that start to happen.

http://www.flickr.com/photos/nataliedowne/6721324917/

8

so, who's pasted the wrong thing into a search box?

One of the organisations that care the most about their users privacy is Wikipedia.The briefly released a research dataset, of things entered into their search box, and no other information...The reason I include this story, and wikipedia care about privacy more than most, is that it's obvious in retrospect this is a problem, in advance, not quite so much.At scale, rare events happen often, and are exceptionally difficult to spot in advance. Privacy is hard. it's what you do next that mattersThe level of standing and perception you have in the world matters.

9

So who's on O2? We all carry tracking devices with us...

To the first approximation, they plan to sell detail of where and when you go. Info they have as a result of being a mobile company.If you were to do a subject access request, they will refuse to give you that data about you.

What data stories could be told to encourage people to opt-in to that? give consumers some benefit....Instead, they're doing it by quietly and not giving customers any choice or ebenfit.

• Explanation

• Informed consent

•Choice

• Benefit

Think about

10

If marketing think it's a good idea, what do the people who will have to answer the phones when it explodes think?

▼! ❑! Open Data?! •!❑! consent! •!❑! choice! •!❑! informed consent

http://karl.marxhausen.net/blog/uploaded_images/bull.w.cat.othic1-v-710156.JPG

11

Phil and Terri's talk about the National Pupil Database a few weeks ago, is an example of what happens when you do none of those things.

If you see children as simply rows in a database, not as human beings, it may make your job easier, but it has real world effects.

Some of those effects may be catastrophic. Do you trust the bureaucracy in the large organisations you use?

http://modishgirl.hubpages.com/hub/Toiletcat

12

▼! ❑! So how do we avoid that?! ▼! ❑! Independent examination! •!❑Look at things from a different perspective

! ▼! ❑! care about individuals! •!❑! NPD seminar from a couple of weeks agoMost privacy problems come from cockups, not conspiracy.

13

Different perspectives are important. If you don't ask, and don't want to know, the one thing that's true, is that in an open world, secrets have a habit of getting out.Diverse peer review helps and is in fact, for large scale data derived from people, often vital.Many eyes make cockups short. Wikipedia pulled their files very fast.

Having that conversation in the open gets you different perspectives than if it's hidden away from the street. That takes some care and considersation

14

▼! ❑! Take away conversations! •!❑! Treat the people about whom you hold data as important.! •!❑! look at the adjacent threats.! •!❑! get external advice

http://i2.kym-cdn.com/photos/images/newsfeed/000/120/933/horse-with-cat-on-boat-in-storm-5907-1238034615-27.jpg

15

Privacy problems come from screwing people over.

Generally because you don't think of them as people.

That used to work, but the world has moved on, and now, should you screw someone over, the internet turns out to care about random things.

Thanks to Carl Malamud at public.resource.org for the photo. http://www.flickr.com/photos/publicresourceorg/493889675/

SI Neg. 77-8474. Date: 1977...Mastodon, Ice Age Hall, National Museum of Natural History ..Credit: Dane A. Penland (Smithsonian Institution)

16

This isn't the old world of requiring paper forms for opt in to things. Digital by Default means that much better can be done. Choices should be two way.

▼ ❑ Full informed consent for data based on individuals is now relatively easy. ▼ ❑ people will say yes to things, including benefits to others. • ❑ people get very cranky when it's imposed. • ❑ Avoid doing things your users haven't chosen to do... • ❑ visualisations • ❑ story-telling • ❑ discussion

http://positivethoughtsonlife.files.wordpress.com/2011/05/kitten-and-lots-of-dogs.jpg

17

Privacy protections around data are one of those topics that are generally thought of as too tightUntil suddenly they're seen as no where near tight enough.Sending CDs via internal mail was a good idea, until suddenly it wasn't.

Whether your organisation is used as a counterexample the next time I give this talk, is mostly up to you.

Hopefully, nothing's about going to bite you shortly.

@smithsamsam@privacy.org

Questions ?

18

When it does, feel free to get in touch.