Trust and Internet Identity Meeting Europe
2013 - 2020: Workshops and Unconference

TIIME 2015 Session 25: PbD (Privacy by Design)

Convener: Berit Skjernaa

Abstract: How do we as a community facilitate the adoption of PbD for SMEs?

Tags: Privacy by Design


How can we as a community facilitate the adoption of principles in small and medium enterprises?

We are making a survey for an agency for the use of privacy design - how can they facilitate the adoption of PbD? How can we as society do that?

There's a gap between the university sector and the private sector. So, we do consultancy, and we see that there is willingness to protect private data, but also a lack of knowledge of how to do that. So, e.g., the passwords are often implemented wrong.

For security the way forward is to turn the willingness into capability to actually protect the data.

In small organisations it is easier to find responsible persons, it is easier for a small organisation to say what it would like to do (e.g. Daimler Benz - what is the ethical policy with data there? It is much harder to say because it is a bigger organisation).

You can’t have a single person responsible all the time. We don’t host our website by ourselves, we outsourced it, so we give control away in that matter.

Aud 1: Main problem in comp is the lacking willingness to protect data. Data minimization on the Internet doesn't work because we want technical support in our lives in so many ways, so data minimization is a good idea but it doesn't work in our modern world. My approach is therefore that we need more anonymization.

Berit: How can they (companies) use data to get value?

We collect data because it became cheaper and cheaper, and companies can make money from it. So why do companies want to preserve privacy?

  1. users require some privacy standards
  2. law requires privacy standards

: We want to do the right thing all around, so users trust us because we tend to do the right thing.

Aud B: A lot of electronic payment is accompanied by background checks, so they collect a lot of data to make sure that it is really me who is using the card - and it is working very well. It is not only a governmental problem if you want to protect against hackers. For sure companies don't want to be known to misuse the trust of the customers.

Berit: There are technologies to protect privacy, but what can we do to make them more available?

Aud C: Are there incentives for companies to do something about privacy?

Aud D: The regular way is to treat data properly because otherwise you can be sued; there are also cultural and ethical requirements.

The culture aspect: to build a culture of health and safety, also a culture of security awareness - right, there are technologies available to protect data (encrypting), and part of the culture aspect is: people are more likely to ask for security possibilities.

Also: e.g. Avanote is user-friendly, but we don't know what it does with the data (encrypting? cloud?) - so is it a good thing to use? If I'm using a package service, it can be hard to encrypt stuff.

Aud E: Also, how do we design this system that uses privacy by design? How do people in companies know how to use this new technology, even the engineers don't know how to implement this in their system? Is that true?

Aud D: There are different systems, also process designs, some need PbD.

Walter: It is risky to touch the running systems and implement them. So let us go 2 steps back - incentives is a good point, but it's not only about them. By default, not even intentionally, we collect data, if we do nothing the data gets stored. But is it allowed to store the data? Deleting is also a conscious decision. And there is also a responsibility issue - who is deciding to delete what? - And an awareness problem.

Aud F: The problem is: the end user cannot know how good the service is - you don't know which service protects your privacy. It would be interesting for end users - and possible help - to establish some label/standard - this service complies with security standards (could be easier to see what technologies qualify).

Berit: e.g. the e-trade-deal in Denmark - could that be a way forward?

Walter: EuroPriSe seal, certification that you comply with data protection law (but it's not the same thing). Car industry: seals - car can only be sold if it has the certification. On an international level it will be difficult, but in other areas we have it as well/already.

Trust marks are very useful and are part of the process in educating users. When it comes to the point when the user has to make a choice (e.g. supermarket food). A trust mark would work the same way, e.g. how the traffic light system works: when you know what a traffic light is (you have to be able to understand the information) then you can get to next level information (e.g. knowing 13 % of something is high, then you can decide to buy something with only 5%) -- Informing the user makes informed choice more likely! Example: In the food sector labelling organic food worked well.

Walter: It has to be easy to understand. We should try to find something similar for the security sector as well, something that can be understood easily.

Another factor with labels: the first thing easy labelling does: to question whether something is privacy friendly or not, so to start labelling can bring consumers to think about those issues in the first place.

Aud D: Another example for this is the fair trade logo. It started to appear before people knew what it was about, but once it appeared the consumers started to look it up, and it changed their view on products. But: follow-up information is very important in the security sector!

Aud: When it comes to privacy you would have to change a lot of things in the system: e.g. it is not profitable mostly to increase security - not always, but in a lot of cases.

Aud G: Yes, profit is one driver, but as well are the costs for investing in the security sector. Investment is - for small companies - a difficult decision, but bigger companies are the important ones (banks, insurance companies, web 2.0 companies, governments) - The large players are important.

Berit: I am not sure if I agree with that. E.g. a company in Denmark is collecting data from mobile phones to do investigations of traffic - which routes do people take? Based on this data the traffic routes are made more efficient - it's a small company and it collects a lot of data, they have a lot of sensitive data, and this company is protecting the data very well.

Aud G: Okay, yes, when a company is connected to the internet/collecting data from the internet of course they have to take special requirements to protect this data.

Walter: To conclude this: we have to distinguish in answering the question: data driven businesses (data is their asset) vs. 'normal companies' who just process their customers' data, but only process it to run the service. So regulation, legislation and enforcement are very important (data driven businesses especially). The law is already there but can be easily ignored.

Berit: Even small companies often use the data for ads etc., doesn't that account for them as well?

Walter: Theoretically yes, but when I open the internet in the first seconds already something can happen (with my data).

Aud: So better prepared data protection could be a driver for web industry.

Aud: I think what people want is: they don't want to become experts, but they want some system they understand/decide what a safe technology that protects their privacy is.

Aud: For businesses privacy costs something, we don’t know how much, so it needs also higher profits to make it interesting for them - people need to pay something for privacy (in the future).

But are you willing to see one more commercial before entering your email account?

Aud: It also costs money to save data.

Aud: But now already some services emerged, and people might be prepared to pay a small amount for privacy services.