Hear from the experts on how organisations and individuals can protect themselves this Data Privacy Day, 28 January 2020

January 28th marks Data Privacy Day, “an international effort to create awareness about the importance of respecting privacy, safeguarding data and enabling trust”.

There is currently a widespread shift in Australia towards increasing consumer rights around data privacy and protection, which recognises that data belongs with the individual. Changing regulations are also top of mind for organisations, with legislation like the Data Availability and Transparency Bill being thrashed out in Parliament.

CSIRO’s Data61, the data science and digital specialist arm of Australia’s national science agency, is at the forefront of data privacy, delivering ground-breaking research and design technologies which promote the privacy and security of data.

To commemorate Data Privacy Day, three experts from CSIRO’s Data61 share their thoughts on a range of topics, including what consumers need to know about their data, what steps organisations need to take, and what the future of data privacy looks like. 

 

Data Privacy: Why should we care? 

Hugo O’Connor, Senior Engineer at CSIRO’s Data61, said data privacy relates to the concept of autonomy and how you live your life.

“Personal information is now in the hands of organisations, who have accumulated more consumer information than consumers have on themselves — this is information asymmetry,” Mr O’Connor said. 

“While this can be helpful in terms of personalising user experiences, it can also be weaponised, such as in cases of election manipulation through targeted ads. 

“In these cases, the individual’s autonomy is essentially removed, and they’re manipulated by their own personal data. This is why it’s so important to be aware of how your data is collected, used, and could be used in future.”

Dr Adnene Guabtni, Senior Research Scientist at Data61, said that data privacy needs to be addressed as organisations continue to scale. 

“When the amount of data an organisation collects is small, individuals are less at risk,” Dr Guabtni said.

“However, massive organisations like Facebook can reach billions of people worldwide, making them the perfect conduits for targeted manipulation campaigns.

“This wasn’t possible five years ago, however, the Cambridge Analytica scandal has proven it is both possible and actively being implemented, highlighting the new challenges we face in terms of restricting data collection and use, preventing this from happening again.”

 

Is it all smoke and mirrors?

According to Dr Guabtni, managing data privacy and enforcing compliance is a global issue. 

“Consumers are being forced to give up data in order to receive personalised experiences or use basic apps or services. There needs to be a full-scale revamp of data requirements and management on a broad scale, so organisations are transparent on how, what and why they collect data, giving consumers more oversight.” Dr Guabtni said.

“Consent is currently managed through End User Licensing Agreements (EULA), but these contracts are not detailed enough to describe the implications of organisations having your data, and they are designed to protect businesses —not users. 

“Consumers would be surprised to know that because of these EULA’s, some organisations have kept a backlog of 10 years’ worth of geolocation data, recorded at an almost hourly level – you can delete it, but why was it collected in the first place?”

Professor Kaafar said tracking mechanisms can be complex and unexpected. 

“Traditionally, cookies have been used to track users’ travels around the Internet. They are now disappearing, which sounds like good news, but they are only disappearing because of newer, more sophisticated tracking methods,” Professor Kaafar said.

“For instance, you can be tracked based on the uniqueness of your browser, while having just six attributes publicly available on Facebook will allow you to be identified.

“This activity can be seen from sites like Twitter, which has a history of tracking individuals even if they don’t have an account or are signed in. Once we give away data, it’s incredibly difficult to trace back and find out who’s using it, who’s already used it and for what purpose.”

Data storage centre 

How can organisations better protect customer data?

Mr O’Connor believes that organisations have a high level of responsibility for protecting customer data. 

“Organisations also need to re-evaluate what they need data for, and ensure they are only collecting what they need for the service or app to function. For example, if a customer is ordering food online, don’t ask for age or gender, as you don’t really need to know that to get food from A to B.” Mr O’Connor said. 

“Organisations need to improve how user consent is given. End User Licensing Agreements are often lengthy and unread, and users would be shocked by what they had agreed to if they did read them. Organisations need to be short, sharp and snappy on what users are consenting to, should provide a receipt of what they’ve agreed to, and should provide an avenue to rescind consent.”

Dr Guabtni said collecting personal data is a risk for all companies, but particularly small companies who may not have the infrastructure that will keep it secure and protected.

“The less data you collect, the less vulnerable you’ll be, and less likely targeted by malicious actors,” Dr Guabtni said. 

“So, if you are an organisation who insists on collecting data, reconsider how granular you need it to be – for instance, do you really need exact GPS coordinates, or can you achieve the same results by collecting postcode, region or city data?

“If you do need granular data for analytics, my recommendation would be to collect the data locally on the device, rather than on a central server, and run analytics at the user level, such as for personalisation. In cases where this isn’t possible and big data analysis is required across users, the data does need to be centralised, so the recommendation there would be to ensure it’s all anonymised, collected with explicit consent, and kept stored securely.”

 

What’s the value in privacy preserving technology?

Professor Kaafar believes there is plenty of economic value to be unlocked. 

“A past Mackenzie report estimated that the data sharing industry has an economic value of up to $4.5 billion across seven industry sectors globally. This is a tremendous amount, which has remained untapped due to privacy regulations or hesitation from organisations,” Professor Kaafar said. 

“Privacy is understandably risky, so the economic potential is in getting things right when it comes to enabling and maximising the use of data, while guaranteeing its protection. This opportunity is huge, but it is also a global multidisciplinary challenge between technology, economic value, regulatory implications, and the fundamental human right to privacy.

“At Data61, we are working to create systems which guarantee some element of privacy, while enabling some utility from the data to be gained. If we could create an algorithm that protects data but allows insights to be extracted, companies would be able to collect data with informed consent, while providing guarantees that they know how to manage the risks of having such data.”

 

How to protect your data: Top tips from the experts