Cumulative Revelations of Personal Data *

Lead Research Organisation: University of Dundee
Department Name: Social Digital

Abstract

Cumulative Revelations in Personal Data takes a multidisciplinary approach to investigating how small, apparently innocuous pieces of employees' personal information, which are generated through interactions with/in networked systems over time, collectively pose significant yet unanticipated risk to personal reputation and employers' operational security. Such cumulative revelations come from personal data that are shared intentionally by an individual, from data shared about an individual by others, from recognition software that identifies and tags people and places automatically, and from common cross-authentication practices that favour convenience over security (e.g. signing into AirBnB via Facebook). Brought together, these data can provide unintended insights to others into (for example) an individual's personal habits, work patterns, personality, emotion, and social influence. Collectively these data thus have the potential to create adverse consequences for that individual (e.g. through reputational damage), their employer (e.g. by creating opportunities for cybercrime), and even for national security.

The research brings together multidisciplinary expertise in Socio-Digital Interaction, Co-design, Interactive Information Retrieval, and Computational Legal Theory, all working in collaboration with a key industry partner, the Royal Bank of Scotland, which employs more than 92,000 staff across 12 national, international and private banks and for which security concerns are paramount, as well as UK Government security agencies, via the Government Office for Science and the Centre for Research and Evidence on Security Threats.

The research will examine the potential adverse revelations delivered by an individual employee's holistic digital footprint through the development of a prototype software tool that maps out a portrait of a user's digital footprint and reflects it back to them. This tool will enable individuals to understand the cumulative nature of their personal data, and better comprehend the associated vulnerabilities and risks. Responding to employers' concerns over organisational security risks created by cumulative revelations of their employees' data, the research will also identify conflicts and ambiguities in security service design and implementation when the motivations and actions of individual employees are balanced against organisational security philosophy, enabling mitigation against the attendant risks, issues and consequences of cumulative revelations from organisational and individual perspectives.

Planned Impact

The research will achieve impact in a range of ways. Here we outline them using the EPSRC categories for impact.

Knowledge - techniques. We will develop prototype software tools that map out a holistic portrait of an individual user's digital footprint, and reflect it back to them. These tools will enable individuals to understand their cumulative digital footprints, and to comprehend associated vulnerabilities and risks of cumulative revelations.

Society - Policy. Stakeholder workshops will involve policymakers, who we will access via the Government Office for Science and through CREST. Workshops will use the Picture Book approach that we have used previously with policymakers, law enforcement agencies and industry. This approach maximises opportunities to share research insights in ways that enable them to be operationalised by stakeholders. Further, the involvement of legal experts as project partners (Bristows) and as colaborators (Schafer, co-I) means that our research insights are framed in current and predicted legislation - adding further utility for policy.

Society - Quality of Life. The tools that we develop will increase digital literacy and personal agency over UK citizens' digital footprints. This in turn will assist them in protecting their privacy, reducing risk to reputation, and the potential to be victims of cybercrimes.

People - Skills. Cyber security is an area where there are not sufficient skilled people to fill available posts. We have attracted funding for two PhD studentships and one postdoctoral intern from our project partners - all of whom will emerge from the project with cutting edge cyber security skills. Further, the project team, through interdisciplinary working, will extend their own skills far beyond the traditional borders of their disciplines. The stakeholder workshops, and our deep engagement with project partners, will foster cross-fertilisation of skills across academia, industry and UK security agencies.

Economy - Products and Procedures: Working in partnership with RBS and UK Security Agencies (via GO-Science) we will develop prototype software tools that reduce the risk to organisations of cumulative revelations linked to personal data. The risks that will be reduced include cyber crime and insider threats. These risks are significant, and increasing. An average large organisation can expect 81 million security events over the course of the year, with 55% of security breaches caused by individuals with legitimate access to an organisation's system.

Publications

10 25 50

Related Projects

Project Reference Relationship Related To Start End Award Value
EP/R033889/1 01/04/2019 30/07/2020 £338,038
EP/R033889/2 Transfer EP/R033889/1 31/07/2020 31/03/2022 £230,978
 
Description Submission to UK House of Lords inquiry on Living online: the long-term impact on wellbeing
Geographic Reach National 
Policy Influence Type Gave evidence to a government review
URL https://committees.parliament.uk/writtenevidence/18915/pdf/
 
Description appointed to the Independent advisory group on emerging technologies in policing (Scotland)
Geographic Reach National 
Policy Influence Type Membership of a guideline committee
 
Description Cum. Revelations 
Organisation Government of the UK
Department Government Office for Science
Country United Kingdom 
Sector Public 
PI Contribution Project is in its early days, so no contribution yet.
Collaborator Contribution Attendance at advisory board, and ad-hoc advice
Impact No outputs yet
Start Year 2019
 
Description Royal Bank of Scotland 
Organisation Royal Bank of Scotland
Country United Kingdom 
Sector Private 
PI Contribution Project is in its early days, so no contribution yet.
Collaborator Contribution Membership of strategic advisory board, and provision of access to bank staff for research purposes.
Impact Project is in its early days, so no contribution yet.
Start Year 2019
 
Description Engineering Fiction 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach Regional
Primary Audience Policymakers/politicians
Results and Impact Facilitated by an external expert and supported by SUII, the activity brought together members from the Scottish Government, Police Scotland, ORG and academics to use the prism of 3 fictional provocations to explore the future of surveillance, including the reaction to the pandemic. Participants then explored their own reactions to these provocations through the medium of art. The resulting collection of s scenario-descriptions, sonnets, and a short academic analysis will be made available as a digital booklet
Year(s) Of Engagement Activity 2020
 
Description Panel discussion on ethical AI during the Royal Bank of Scotland Datafest, November 2019 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Industry/Business
Results and Impact Panel discussion organised by the Royal Bank of Scotland as part of their "Datafest" - members of the RBS Data and Analytics | Services attended a panel of academics and their own policy makers on the issues that ethical and law compliant use of customer data raises, with a special emphasis on how cumulative data disclosure needs joint-up privacy policies that track accumulation of information.
Year(s) Of Engagement Activity 2019
 
Description Poster at Public Engagement Event: Eyes Online 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach Regional
Primary Audience Public/other audiences
Results and Impact E Nicol and A Htait manned a poster stand with a specially created poster at drop-in event about online risks and digital rights. Talked to attendees and distributed flyers about project and forthcoming interview study.
Year(s) Of Engagement Activity 2020
URL https://www.designinformatics.org/event/eyes-online-understand-your-data-switch-on-your-rights/
 
Description Poster at Security: The Human Angle" at the UK Home Office Security and Policing conference 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact iPresented poster "Security: The Human Angle" at the UK Home Office Security and Policing conference 9-11 March 2021 as part of the University of Strathcyde's presence at the Academic RiSC stand. Academic RiSC (Academic Resilience & Security Community) is a network of universities formed to promote academic engagement in solving challenges in national security and resilience.
Year(s) Of Engagement Activity 2021
URL https://www.securityandpolicing.co.uk/
 
Description Presentation at CybSafe Impact conference 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Emma Nicol presented a 15 minute overview of the project and the studies planned for WP1 (Strathclyde) in particular to an online audience of cybersecurity professionals in government and industry, academics, PG students and policy makers.
Year(s) Of Engagement Activity 2020
URL https://www.theimpactconference.com/
 
Description Presentation at DHAWG Digital Health resaerch group 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach Local
Primary Audience Postgraduate students
Results and Impact Interactive online presentation at Digital Health and Wellbeing Being (DHAWG) research group at Dept of Computer and Information Sciences, University of Strathclyde. Delivered by W Moncur and E Nicol. Audience of PGRs, researchers and academics.
Year(s) Of Engagement Activity 2020
 
Description Presentation at SPRITE+ ( Security, Privacy, Identity, and Trust Engagement NetworkPlus) Showcase 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Poster+Presentation+breakout room engagement session at SPRITE+ ( Security, Privacy, Identity, and Trust Engagement NetworkPlus) Showcase. E Nicol displayed poster, delivered short talk and engaged with visitors to virtual poster stand.
Year(s) Of Engagement Activity 2021
URL https://spritehub.org/2020/10/20/sprite-showcase-registration-now-open/?notification-cache-refresh=1
 
Description Presentation at Strathclyde iSchool research group (SiSRG) 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach Local
Primary Audience Postgraduate students
Results and Impact Interactive online presentation at Strathclyde iSchool research Group (SiSRG) at Dept of Computer and Information Sciences, University of Strathclyde. Delivered by W Moncur and E Nicol. Audience of PGRs, researchers and academics.
Year(s) Of Engagement Activity 2020
 
Description Public engagement event: Eyes Online: Understand your data, switch on your rights 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach Regional
Primary Audience Public/other audiences
Results and Impact A one day drop-in event with lightening talks and 1:1 advice to members the public who want to know about their online risks, digital rights and how to protect and enforce them in practice. Talks from academics but also Police Scotland, and Scottish government
Year(s) Of Engagement Activity 2020