Cumulative Revelations of Personal Data *

Lead Research Organisation: University of Edinburgh
Department Name: Sch of Law

Abstract

Abstracts are not currently available in GtR for all funded research. This is normally because the abstract was not required at the time of proposal submission, but may be because it included sensitive information such as personal details.
 
Description When using social media, we are all used to the "cookie pop-up" asking us to consent to the processing of our data. Most of us probably click through the options without much thought - we trust "this" platform sufficiently with "this" data to feel secure. The problem with this picture, driven by the need to comply with the e-commerce directive, is an insufficient understanding of online risks, and also of our cognitive ability to make risk assessments. It may well be that "this" platform can indeed be trusted with "this" data - but what of someone manages to combine our digital traces across several platforms? Each of them individually may appear harmless, and our decision to that extent was sound - but when combined, they allow inferences about us that can be exploited by criminals
What can we do? Our findings suggest that we need technological and legal change, ideally in lockstep: a reform of data protection law, something where in the UK Brexit has opened a regulatory space, and software tools that help us making this decision in a more informed, risk-aware way

We designed two online methods, determined by the necessary move to enable online participation of respondents during Lockdown, as opposed to the planned for face-to-face participatory design workshops. These methods directly built on the outcomes from the data narrative study, with the first one being trialled with some of the same participants. Findings included: That our multi-method approach prompted changes in participants' thought or action concerning their personal online safety and approaches to mitigating risk. Knowledge was exchanged during the research interaction as well as across our wider multi-method approach (including the earlier data narrative study), improving participants' data literacy. The 'ongoingness' of digital traces requires careful management to cope with what Pink et al. (2018) call the 'processual element of the everyday'. Participants' coping strategies include retrospective curation of their information, using pseudonyms, entering fake information, encrypting data, changing privacy settings and using sparingly a particular technology e.g. location tracking. The online Mural format enabled participants to articulate approaches to mitigating online risk and demonstrate their awareness of the care required to control and maintain separation between one's digital traces, e.g. between the public, private, personal and professional self, something that had been challenging for them in the earlier interviews. Mostly, participants discussed these separations and collision of traces from their own perspective and experiences, showing how the online tool and the case of 'Alex Smith' in combination with the discussions with the researcher encouraged some to narrate and self-disclose quite personal information. It was apparent that participants thought digital traces only provide a fragment and/or an incomplete picture of a personality and their values, and that this partial representation could invite inaccurate or harmful inferences. Most were cognisant that the persistent function of someone's online information means that it is always contingent on its context of reception and 'not a reflection of who they are now'. Grounded in these findings we went on the design a more extensive assemblage of 'Taylor Addison's' online information in collaboration with the Strathclyde team. This browser-based cyber safety tool has the dual aim of collecting research data while promoting respondents' awareness of the potential for diachronical (across traces) and synchronical (across time) functions of cumulative risk within digital traces, for deployment amongst a much wider population.
Exploitation Route We have: 1. developed a replicable method (Alex Smith) which has been published in Big Data and Society 2. made our datasets available for reuse, 3. informed the development of a toolbox with AI4People (https://eismd.eu/ai4people/) to help companies carry out the mandated impact assessments under the EU AI Act.
Sectors Government

Democracy and Justice

Security and Diplomacy
 
Description Impact from tool development: Emerging impact from this award lies in the development of new prototype tools to train staff in how to manage their online profiles to avoid others 'joining the dots' and gaining unintended insights into their lives. This is particularly relevant where an employer has security considerations to attend to. The tools are expected to deliver economic impact by protecting organisations from information leakage, and societal impact by enabling citizens to protect their privacy online more effectively. We presented the tool to a variety of potential users, including government and private sector, and engaged in particular with organisations in the decentralised digital economy which are particularly sensitive to cumulative data effects to review their data practices and develop new policies that are safer for their users. The Big Data & Society article Everyday Digital Traces (2023) shares sufficient information on the "Alex Smith" method that we developed to enable contextually relevant customisation Impacts on policy and practice: (1) the research has informed the TAS response to the UK Government consultation on the White paper on AI regulation, and is now also being used to develop a toolbox with AI4People (https://eismd.eu/ai4people/) to help companies carry out the mandated impact assessments under the EU AI Act. (2) The way in which the GDPR conceptualizes consent does not match how people think about it when they organize their daily online activity. The optimism expressed by the EU about the increased understanding of privacy, gained through quantitative surveys, does not match the qualitative interviews we conducted, and which point to a much more sceptical, if not resigned, attitude - one that is also at odds with the depiction of privacy in many of the more GDPR critical news sources that too depict us as (over) confident users of our rights. While this could be mainly a problem of communication, a deeper analysis shows that the GDPR's "risk-based" approach uses an understanding of risk that at odds with the way we make risk-based decisions more generally, and overburdens the individual. Our research also shows possible conflicts with other legal regimes, which will be particularly an issue in the post-Brexit data regime. Equality Legislation, in particular, imposes on employers surveillance duties that can be in conflict with Data Protection requirements if interpreted too broadly. We fed these insights back to policy decision makers and regulators, in particular the ICO
First Year Of Impact 2023
Sector Digital/Communication/Information Technologies (including Software),Government, Democracy and Justice,Security and Diplomacy
Impact Types Policy & public services
 
Description Research Ethics commitee Technische Universität Graz
Geographic Reach Europe 
Policy Influence Type Participation in a guidance/advisory committee
Impact As an outcome of the event, a policy document was drafted for the senate of the university. As this is the first Austrian university to start such a process, hopes are that it could become a blueprint for other universities in the region.
 
Description appointed to the Independent advisory group on emerging technologies in policing (Scotland)
Geographic Reach National 
Policy Influence Type Membership of a guideline committee
 
Title Alex Smith method 
Description The Big Data & Society article Everyday Digital Traces (2023) https://journals.sagepub.com/doi/full/10.1177/20539517231213827 presents the replicable and contextually customsiable "Alex Smith" method that we developed. We used a co-designed, fictional persona called Alex Smith to concretise and represent people's online information to help participants (through role-playing) to reflect on data and digital traces. Drawing together four fields of scholarly research concerning personal data: digital traces and the digital self, datafication and dataveillance, mundane, everyday data and the data journey - we advanced understandings of personal data by exploring ordinary people's seemingly innocuous digital traces generated through everyday online interactions. The method developed enabled investigations into ordinary people's engagement with their data, and can be adapted for and used with different participant groups, which also supports their awareness of cumulative functions of personal data and potential use by un/known actors. 
Type Of Material Improvements to research infrastructure 
Year Produced 2023 
Provided To Others? Yes  
Impact Too early to quantify 
URL https://journals.sagepub.com/doi/full/10.1177/20539517231213827
 
Title Cumulative Revelations in Personal Data Study 1 
Description Data collected in respect of EPSRC Cumulative Revelations in Personal Data EP/R033889/1 This project was a major EPSRC funded study that sought to better understand the revelations that arise when pieces from an individual's personal information available online are connected over time and across multiple platforms. Such more complete digital traces can give unintended insights into their life and opinions. Extensive fieldwork included an interview study (Study 1) with UK employees regarding their experiences of cumulative revelation of their data. We examined the risks and harms to individuals and employers when others joined the dots between their online information. Interviews employed a "digital narrative" technique where participants were asked to make drawings of their information and communication networks, the types of information shared and details of to whom it was available or visible. Study 1 was conducted online in the period May 2020-August 2020 when much of the UK was in lockdown due to the Covid-19 pandemic. Interviews included questions addressing changes to information sharing behaviour occurring during lockdown conditions. The dataset contains: • Transcripts of 26 interviews with the Uk public • Photographic images of drawings created by participants during the interviews • Data from a technology survey completed by participants at the start of each interview regarding their use of devices, information channels and data storage 
Type Of Material Database/Collection of data 
Year Produced 2023 
Provided To Others? Yes  
Impact None yet 
 
Description EDEN Community Webinar: Lawful Hacking within Investigations of Serious and Organized Crime 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact participation in a panel discussion organized for the Europol Data Protection Experts Network (EDEN) on the topic of lawful equipment interference. Discussing results of TAS and Cumulative Disclosure research projects to warn about significantly higher privacy risks, and risks to the safety of digital infrastructures, than this is currently cosnidered.
Year(s) Of Engagement Activity 2023
URL https://www.youtube.com/watch?v=v76h_t4WoDk
 
Description Engineering Fiction 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach Regional
Primary Audience Policymakers/politicians
Results and Impact Facilitated by an external expert and supported by SUII, the activity brought together members from the Scottish Government, Police Scotland, ORG and academics to use the prism of 3 fictional provocations to explore the future of surveillance, including the reaction to the pandemic. Participants then explored their own reactions to these provocations through the medium of art. The resulting collection of s scenario-descriptions, sonnets, and a short academic analysis will be made available as a digital booklet
Year(s) Of Engagement Activity 2020
 
Description Panel discussion on ethical AI during the Royal Bank of Scotland Datafest, November 2019 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Industry/Business
Results and Impact Panel discussion organised by the Royal Bank of Scotland as part of their "Datafest" - members of the RBS Data and Analytics | Services attended a panel of academics and their own policy makers on the issues that ethical and law compliant use of customer data raises, with a special emphasis on how cumulative data disclosure needs joint-up privacy policies that track accumulation of information.
Year(s) Of Engagement Activity 2019
 
Description Public engagement event: Eyes Online: Understand your data, switch on your rights 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach Regional
Primary Audience Public/other audiences
Results and Impact A one day drop-in event with lightening talks and 1:1 advice to members the public who want to know about their online risks, digital rights and how to protect and enforce them in practice. Talks from academics but also Police Scotland, and Scottish government
Year(s) Of Engagement Activity 2020