Privacy Dynamics: Learning from The Wisdom of Groups

We propose to study privacy management by investigating how individuals learn and benefit from their membership of social or functional groups, and how such learning can be automated and incorporated into modern mobile and ubiquitous technologies that increasingly pervade society. We will focus on the privacy concerns of individuals in the context of their use of pervasive technologies, such as Smartphones and personal sensors which share data in the Cloud.

We aim to contribute to research in three areas:

(1) software engineering of adaptive systems that guide their users to manage their privacy;

(2) development of machine learning techniques to alleviate the cognitive and physical load of eliciting and personalising users' privacy requirements; and

(3) empirical investigation of the privacy behaviour of, and in, groups, in the context of both collaboration and conflict.

The ability to control and maintain privacy is central to the preservation of identity. In recent years, social psychologists have made a core distinction between personal identity (which refers to what makes us unique, as individuals, compared to other individuals) and social identity (which refers to our sense of ourselves as members of a social group and the meaning that group has for us). In the latter case, our sense of who we are can be derived from our membership of social groups. Identity is not fixed, but is rather the outcome of a dynamic process. We can move from a personal to a social identity (and back again) depending on the context. We can move between different social identities (for example, as a male, a father, a worker, a football fan, English, British, etc). Identity matters because it provides a prism through which we perceive the world, experience events, decide how to act, and understand our relationships to other people. It tells who is and who is not of us, who is for us and who is against us. Understanding the identity process is therefore key to assessing the impact that privacy and security policies have on people's behaviours. This is essential in order to be able to deliver systems that can express and analyse users' privacy requirements and, at runtime, self-adapt and guide users as they move from context to context.

Broadly speaking, our proposed project asks the following two questions and attempts to answer them from both a social psychology and a computing perspective:

Can privacy be a distributed quality (across 'the group')?
If so, under what conditions might this be the case?

Can the group protect the privacy of the individual?
If so, how does the group manage the privacy-related behaviour of its members?

The research challenges for the project are to devise non-intrusive yet rigorous ways in which to study privacy, both using pervasive technologies (such as life-logging cameras and biometric sensors) and in order to deliver more effective privacy management. At the heart of the project is a hypothesis that individuals are able to better manage their privacy by adopting or learning from the 'wisdom of groups' - we use this term as an acknowledgement of the crowd sourcing movement, also adapted by others in the catchphrase 'wisdom of friends'. Our novelty is in extending this idea to exploit the wisdom of particular subsets of people - groups whose positions and knowledge are more nuanced than a crowd. Our technical challenge is to investigate what we call the privacy dynamics of individuals as they relate to their membership of social, professional or other groups, to develop computational (machine learning) techniques that support such dynamics, and then to deliver privacy management capabilities interactively, autonomously, and adaptively as individuals' contexts change.

The proposed research aims to have impact in four distinct areas:

(1) practitioners and professional services: by involving industry partners in an iterative user-centred design and evaluation processes during the course of the project, we will enable professional software engineers to include privacy considerations in their development practices. Additionally, the project will deliver a research-based automated adaptive privacy engineering environment and software architecture geared towards designers of ubiquitous computing systems.

(2) society and culture: we will engaging communities of end-users of the mobile privacy management technologies by involving them in our field studies and publicising our results through a variety of public-facing media. This will have the impact raise awareness of privacy issues relating to next-generation technologies in society at large, and lead to better adoption of these technologies.

(3) public policy: we will build on past work (e.g. our contribution to ENISA's lifelogging privacy report) to contribute to European initiatives to increase policy-makers' understanding of privacy issues relating to ubiquitous computing technologies. We will also continue our engagement with relevant European agencies and Information Commissioners to promote best practice and influence policy.

(4) economic: working with the respective university's technology transfer offices, we will develop a commercialisation strategy aimed at creating a viable route to market for the framework and mechanisms and offer consultancy services based on its capabilities.

We will design and deliver a demonstration of the privacy engineering tools at conferences such as ACM SIGCHI, ICSE and intermediary organisations such as the British Computer Society RE Specialist Group. Our experience has shown that much of this research is particularly accessible and relevant to the wider scientific community as well as the general public. The skills of the Media and Public Relations teams at all three institutions will be used to enable the research investigators to make research results accessible to the wider public through major newspapers, magazines, Internet publishing and broadcast media.

We will set up a project committee consisting of the applicants, university technology transfer officers, and senior members of industrial partners to maintain a register of impact pathways, opportunities and risks to decide the most important forms of dissemination to maximise impact.

Additionally, any peer-reviewed publications arising from this grant will be registered on the Open University's open access institutional repository - Open Research Online (ORO) at http://oro.open.ac.uk. ORO is now one of the largest repositories in the UK. The site receives an average of 40,000 visitors per month from over 200 different countries and territories and has received over 2.2 million visitors since 2006. It enables access to research outputs via common search engines including Google, by using the OAI (Open Archives Initiative) Protocol for Metadata Harvesting.