Opinion:
Is taking control over our own data wishful thinking?
OPINION: Laws are promising to help us protect our privacy. But the ever-increasing complexity of digital systems can make this promise hard to keep.
Is any part of our private life left only for ourselves? The continuous sharing of our data with apps and digital platforms threatens our privacy. A new research approach explores whether there is appropriate technology to fulfill this promise in real life.
Trading privacy for services
Every day we give away information about parts of our lives to digital services with the hope of getting back better social connections, entertainment, health, and financial recommendations. This transaction might compromise our privacy, because our control over how this information is used is oftentimes limited.
Expectations for privacy protection
Privacy has been seen as a guardian of several fundamental human rights. The EU was therefore quick to introduce data protection regulations (e.g., GDPR) that aim to protect our privacy. These regulations express expectations we should have regarding the control over our personal data.
For example, the right to be forgotten empowers us to request from a service the deletion of data that reveals information about ourselves. This regulation sets the ambitious expectation that we can essentially control how long a service can store information about ourselves.
The introduction of such data protection regulations had an immediate impact on both industry and academia. They caused distress to companies, because it was not clear how such ambitious regulations could be enforced in practice. But they created excitement within the computer security research community.
Researchers started to propose tools that could automatically check whether a system violates these data regulations. This is not an easy task: for one, data lives in the digital world, whereas data regulations live in the ambiguous world of human language.
Is lowering the expectations justified?
Over time, the interpretation of these regulations has been gradually relaxed from an idealistic one to a pragmatic one. For example, the right to be forgotten has been gradually converted into the right to erasure.
Upon our request, a service is expected to ensure erasure of certain data items using 'reasonable means.' But erasure using what a service regards as 'reasonable means' does not necessarily imply that our information will be forgotten by that service and any other party that got access to this information.
For instance, the fact that a field containing your birth date is erased does not necessarily imply that the service will forget your age.
The expectations for privacy protection seem to have been lowered. But are we all aware of this shift? And is there a scientific basis for justifying this lowering of the bar? Is there any study that shows that the initial expectations for data control are technologically infeasible to keep?
A novel approach
My research group at UiT in Tromsø is bringing together researchers from Computer Security and Law, to understand how much control we can really have over our own data. We are asking at what cost one can push the technology to comply with original interpretations of privacy regulations. Our results could be used to justify or question the tendency to lower the expectations for data control.
A necessary condition for controlling data is to know where this data is in the first place. If one is aware of the location of the data and how it is used within the system, then there is a chance of controlling who can access it and under what conditions.
We are building TracE2E, a tool that aims to trace data throughout digital systems, offer this location awareness, and thus enforce data regulations. Our group will assess whether TracE2E can be a realistic approach for controlling our personal data.
Privacy awareness
Understanding the technological and legal limits is difficult. Lowering expectations is easy. And it becomes even easier when we are not champions of our own privacy; when we voluntarily give away much more personal information than services are asked to protect.
So, efforts to understand whether we can be in control of our data should be synchronised with efforts to increase awareness about privacy among us.