Cumulative Revelations of Personal Data *
Lead Research Organisation:
University of Strathclyde
Department Name: Computer and Information Sciences
Abstract
Cumulative Revelations in Personal Data takes a multidisciplinary approach to investigating how small, apparently innocuous pieces of employees' personal information, which are generated through interactions with/in networked systems over time, collectively pose significant yet unanticipated risk to personal reputation and employers' operational security. Such cumulative revelations come from personal data that are shared intentionally by an individual, from data shared about an individual by others, from recognition software that identifies and tags people and places automatically, and from common cross-authentication practices that favour convenience over security (e.g. signing into AirBnB via Facebook). Brought together, these data can provide unintended insights to others into (for example) an individual's personal habits, work patterns, personality, emotion, and social influence. Collectively these data thus have the potential to create adverse consequences for that individual (e.g. through reputational damage), their employer (e.g. by creating opportunities for cybercrime), and even for national security.
The research brings together multidisciplinary expertise in Socio-Digital Interaction, Co-design, Interactive Information Retrieval, and Computational Legal Theory, all working in collaboration with a key industry partner, the Royal Bank of Scotland, which employs more than 92,000 staff across 12 national, international and private banks and for which security concerns are paramount, as well as UK Government security agencies, via the Government Office for Science and the Centre for Research and Evidence on Security Threats.
The research will examine the potential adverse revelations delivered by an individual employee's holistic digital footprint through the development of a prototype software tool that maps out a portrait of a user's digital footprint and reflects it back to them. This tool will enable individuals to understand the cumulative nature of their personal data, and better comprehend the associated vulnerabilities and risks. Responding to employers' concerns over organisational security risks created by cumulative revelations of their employees' data, the research will also identify conflicts and ambiguities in security service design and implementation when the motivations and actions of individual employees are balanced against organisational security philosophy, enabling mitigation against the attendant risks, issues and consequences of cumulative revelations from organisational and individual perspectives.
The research brings together multidisciplinary expertise in Socio-Digital Interaction, Co-design, Interactive Information Retrieval, and Computational Legal Theory, all working in collaboration with a key industry partner, the Royal Bank of Scotland, which employs more than 92,000 staff across 12 national, international and private banks and for which security concerns are paramount, as well as UK Government security agencies, via the Government Office for Science and the Centre for Research and Evidence on Security Threats.
The research will examine the potential adverse revelations delivered by an individual employee's holistic digital footprint through the development of a prototype software tool that maps out a portrait of a user's digital footprint and reflects it back to them. This tool will enable individuals to understand the cumulative nature of their personal data, and better comprehend the associated vulnerabilities and risks. Responding to employers' concerns over organisational security risks created by cumulative revelations of their employees' data, the research will also identify conflicts and ambiguities in security service design and implementation when the motivations and actions of individual employees are balanced against organisational security philosophy, enabling mitigation against the attendant risks, issues and consequences of cumulative revelations from organisational and individual perspectives.
Planned Impact
The research will achieve impact in a range of ways. Here we outline them using the EPSRC categories for impact.
Knowledge - techniques. We will develop prototype software tools that map out a holistic portrait of an individual user's digital footprint, and reflect it back to them. These tools will enable individuals to understand their cumulative digital footprints, and to comprehend associated vulnerabilities and risks of cumulative revelations.
Society - Policy. Stakeholder workshops will involve policymakers, who we will access via the Government Office for Science and through CREST. Workshops will use the Picture Book approach that we have used previously with policymakers, law enforcement agencies and industry. This approach maximises opportunities to share research insights in ways that enable them to be operationalised by stakeholders. Further, the involvement of legal experts as project partners (Bristows) and as colaborators (Schafer, co-I) means that our research insights are framed in current and predicted legislation - adding further utility for policy.
Society - Quality of Life. The tools that we develop will increase digital literacy and personal agency over UK citizens' digital footprints. This in turn will assist them in protecting their privacy, reducing risk to reputation, and the potential to be victims of cybercrimes.
People - Skills. Cyber security is an area where there are not sufficient skilled people to fill available posts. We have attracted funding for two PhD studentships and one postdoctoral intern from our project partners - all of whom will emerge from the project with cutting edge cyber security skills. Further, the project team, through interdisciplinary working, will extend their own skills far beyond the traditional borders of their disciplines. The stakeholder workshops, and our deep engagement with project partners, will foster cross-fertilisation of skills across academia, industry and UK security agencies.
Economy - Products and Procedures: Working in partnership with RBS and UK Security Agencies (via GO-Science) we will develop prototype software tools that reduce the risk to organisations of cumulative revelations linked to personal data. The risks that will be reduced include cyber crime and insider threats. These risks are significant, and increasing. An average large organisation can expect 81 million security events over the course of the year, with 55% of security breaches caused by individuals with legitimate access to an organisation's system.
Knowledge - techniques. We will develop prototype software tools that map out a holistic portrait of an individual user's digital footprint, and reflect it back to them. These tools will enable individuals to understand their cumulative digital footprints, and to comprehend associated vulnerabilities and risks of cumulative revelations.
Society - Policy. Stakeholder workshops will involve policymakers, who we will access via the Government Office for Science and through CREST. Workshops will use the Picture Book approach that we have used previously with policymakers, law enforcement agencies and industry. This approach maximises opportunities to share research insights in ways that enable them to be operationalised by stakeholders. Further, the involvement of legal experts as project partners (Bristows) and as colaborators (Schafer, co-I) means that our research insights are framed in current and predicted legislation - adding further utility for policy.
Society - Quality of Life. The tools that we develop will increase digital literacy and personal agency over UK citizens' digital footprints. This in turn will assist them in protecting their privacy, reducing risk to reputation, and the potential to be victims of cybercrimes.
People - Skills. Cyber security is an area where there are not sufficient skilled people to fill available posts. We have attracted funding for two PhD studentships and one postdoctoral intern from our project partners - all of whom will emerge from the project with cutting edge cyber security skills. Further, the project team, through interdisciplinary working, will extend their own skills far beyond the traditional borders of their disciplines. The stakeholder workshops, and our deep engagement with project partners, will foster cross-fertilisation of skills across academia, industry and UK security agencies.
Economy - Products and Procedures: Working in partnership with RBS and UK Security Agencies (via GO-Science) we will develop prototype software tools that reduce the risk to organisations of cumulative revelations linked to personal data. The risks that will be reduced include cyber crime and insider threats. These risks are significant, and increasing. An average large organisation can expect 81 million security events over the course of the year, with 55% of security breaches caused by individuals with legitimate access to an organisation's system.
Organisations
- University of Strathclyde (Lead Research Organisation)
- Royal Bank of Scotland (United Kingdom) (Collaboration)
- University of California, Irvine (Collaboration)
- University of Colorado Boulder (Collaboration)
- University of Michigan (Collaboration)
- Twitter (Collaboration)
- Facebook (Collaboration)
- Government of the UK (Collaboration)
- DePaul University (Collaboration)
Publications
Schafer B
(2023)
What the Dickens: Post-mortem privacy and intergenerational trust
in Computer Law & Security Review
Armstrong A
(2023)
Everyday digital traces
in Big Data & Society
Nicol E
(2022)
Revealing Cumulative Risks in Online Personal Information: A Data Narrative Study
in Proceedings of the ACM on Human-Computer Interaction
Nash C
(2022)
Making sense of Trifles: Data Narratives and Cumulative Data Disclosure
in Jusletter-IT
Nash C
(2022)
Recht Digital
Schafer, B.
(2022)
Making sense of trifles: data narratives and cumulative data disclosure
Description | Key findings include significant new knowledge generated and new research methods developed across the fields of Human-Computer Interaction, Cybersecurity, Law, and Information Retrieval. Across the Cumulative Revelations awards, we have: 1. Proposed a comprehensive taxonomy of online risks and harms that (i) extends across individuals (both adults and children) and organisations and that articulates (ii) the various roles of actors in both causing and experiencing harm, and (iii) the forms of harm that can surface when multiple pieces of personal data are linked together from across time. Findings are relevant to policymakers and designers of online tools and services as they seek to proactively address challenges within the complex landscape of online risks and harms. 2. Uncovered strategies used by people to cope with the 'ongoingness' of their digital traces, including retrospective curation of their information, using pseudonyms, entering fake information, encrypting data, changing privacy settings and using a particular technology - e.g. location tracking - sparingly. 3. Developed a tool (DataMirror) that enhances digital literacy by enabling users to explore different scenarios in which cumulative revelations could have led to hacking, identity theft, unwanted attention, loss of opportunities. Participants reported higher awareness and understanding of the threats and harms that could arise as a consequence of their information behaviours online. 4. Designed two online methods of research to explore the way in which citizens who are not legally trained understand their own online behaviours. These methods enhanced digital privacy literacy, prompting changes in participants' awareness and actions concerning their personal online safety and approaches to mitigating risk. We found that visualisation tools can assist citizens to make better-informed risk decisions. 5. Developed a browser-based cyber safety tool which collected research data whilst promoting respondents' awareness of the potential for diachronical (across traces) and synchronical (across time) functions of cumulative risk within digital traces, for deployment across a wide population. 6. Designed and developed two innovative sets of physical resources that serve as training aids to increase employees' digital privacy literacy. The training aids promote reflection on revealing small pieces of information online over time across multiple channels, and how these pieces of information can be pieced together in ways which may lead to unintended and potentially harmful consequences to the individual. 7. Developed digital tools that make it possible to detect at-risk behaviours in social media posts. 8. Uncovered a mismatch between expressed EU optimism about citizens' increased understanding of privacy and much more sceptical, if not resigned, attitudes expressed by our participants. Our analysis shows that the GDPR's "risk-based" approach uses an understanding of risk that is at odds with the way that people make risk-based decisions, and overburdens the individual. The way risk is conceptualised in other legal fields, most importantly environmental and health law, could lead to a legal regime closer to the needs and capabilities of the citizen. 9. Demonstrated a different way to teach about data self-curation which - together with technological tools - can facilitate inter-generational data transfer, addressing the need to curate one's digital footprint in the context of inheritance and "digital afterlives", and supporting appropriate access to our digital data even after our death. |
Exploitation Route | We have developed a training pack for use in raising digital privacy literacy. This is especially useful for those working in posts where online visibility (or lack of it) is important - e.g. - members of Parliament, civil servants, police officers. |
Sectors | Digital/Communication/Information Technologies (including Software),Government, Democracy and Justice,Security and Diplomacy |
Description | Impact from tool development: Emerging impact from this award lies in development of new prototype tools to train staff in how to manage their online profiles to avoid others 'joining the dots' and gaining unintended insights into their lives. This is particularly relevant where an employer has security considerations to attend to. The tools are expected to deliver economic impact by protecting organisations from information leakage, and societal impact by enabling citizens to protect their privacy online more effectively. Impacts on policy and practice: The way in which the GDPR conceptualizes consent does not match the way in which people think about it when they organize their daily online activity. The optimism expressed by the EU about the increased understanding of privacy, gained through quantitative surveys, does not match the qualitative interviews we conducted, and which point to a much more sceptical, if not resigned, attitude - one that is also at odds with the depiction of privacy in many of the more GDPR critical news sources that too depict us as (over) confident users of our rights. While this could be mainly a problem of communication, a deeper analysis shows that the GDPR's "risk-based" approach uses an understanding of risk that at odds with the way we make risk-based decisions more generally, and overburdens the individual. Our research also shows possible conflicts with other legal regimes, which will be particularly an issue in the post-Brexit data regime. Equality Legislation, in particular, imposes on employers surveillance duties that can be in conflict with Data Protection requirements if interpreted too broadly. Our research so far indicates that the way risk is conceptualised in other legal fields, most importantly environmental and health law, could lead to a legal regime closer to the needs and capabilities of the citizen. Furthermore, we showed how visualisation tools can assist citizens to make better-informed risk decisions. |
First Year Of Impact | 2020 |
Sector | Digital/Communication/Information Technologies (including Software),Security and Diplomacy |
Impact Types | Societal,Policy & public services |
Description | Contribution of evidence to House of Lords COVID-19 Committee - Living online: the long term impact on wellbeing |
Geographic Reach | National |
Policy Influence Type | Contribution to a national consultation/review |
URL | https://pureportal.strath.ac.uk/en/activities/contribution-of-evidence-to-house-of-lords-covid-19-co... |
Description | NPCC Violence against women and girls Roundtable |
Geographic Reach | National |
Policy Influence Type | Participation in a guidance/advisory committee |
Description | AP4L: Adaptive PETs to Protect & emPower People during Life Transitions |
Amount | £2,794,276 (GBP) |
Funding ID | EP/W032473/1 |
Organisation | Engineering and Physical Sciences Research Council (EPSRC) |
Sector | Public |
Country | United Kingdom |
Start | 04/2022 |
End | 03/2025 |
Description | Cum. Revelations |
Organisation | Government of the UK |
Department | Government Office for Science |
Country | United Kingdom |
Sector | Public |
PI Contribution | Presentations at Home Office and ACE Vivace events |
Collaborator Contribution | Attendance at advisory board, and ad-hoc advice |
Impact | Recorded under other sections in Researchfish |
Start Year | 2019 |
Description | International workshop: Researcher Wellbeing and Best Practices in Emotionally Demanding Research |
Organisation | DePaul University |
Country | United States |
Sector | Academic/University |
PI Contribution | Researcher Wellbeing and Best Practices in Emotionally Demanding Research (Forthcoming). Feuston, Jl., Bhattacharya, A., Andalibi, N., Ankrah, E., Erete, S., Handel, M., Moncur, W., Vieweg, S., Brubaker, J. CHI2022 Workshop. |
Collaborator Contribution | This workshop is one of a number of developments that have emerged as a result of my single-author 2013 paper, "The emotional wellbeing of researchers: considerations for practice". HCI researchers increasingly conduct emotionally demanding research in a variety of different contexts. Though scholarship has begun to address the experiences of HCI researchers conducting this work, there is a need to develop guidelines and best practices for researcher wellbeing. In this one-day CHI workshop, we will bring together a group of HCI researchers across sectors and career levels who conduct emotionally demanding research to discuss their experiences, self-care practices, and strategies for research. Based on these discussions, we will work with workshop attendees to develop best practices and guidelines for researcher wellbeing in the context of emotionally demanding HCI research; launch a repository of community-sourced resources for researcher wellbeing; document the experiences of HCI researchers conducting emotionally demanding research; and establish a community of HCI researchers conducting this type of work. |
Impact | The collaboration has led to a workshop at CHI, the premier HCI cOnference globally. |
Start Year | 2021 |
Description | International workshop: Researcher Wellbeing and Best Practices in Emotionally Demanding Research |
Organisation | |
Department | Facebook, UK |
Country | United Kingdom |
Sector | Private |
PI Contribution | Researcher Wellbeing and Best Practices in Emotionally Demanding Research (Forthcoming). Feuston, Jl., Bhattacharya, A., Andalibi, N., Ankrah, E., Erete, S., Handel, M., Moncur, W., Vieweg, S., Brubaker, J. CHI2022 Workshop. |
Collaborator Contribution | This workshop is one of a number of developments that have emerged as a result of my single-author 2013 paper, "The emotional wellbeing of researchers: considerations for practice". HCI researchers increasingly conduct emotionally demanding research in a variety of different contexts. Though scholarship has begun to address the experiences of HCI researchers conducting this work, there is a need to develop guidelines and best practices for researcher wellbeing. In this one-day CHI workshop, we will bring together a group of HCI researchers across sectors and career levels who conduct emotionally demanding research to discuss their experiences, self-care practices, and strategies for research. Based on these discussions, we will work with workshop attendees to develop best practices and guidelines for researcher wellbeing in the context of emotionally demanding HCI research; launch a repository of community-sourced resources for researcher wellbeing; document the experiences of HCI researchers conducting emotionally demanding research; and establish a community of HCI researchers conducting this type of work. |
Impact | The collaboration has led to a workshop at CHI, the premier HCI cOnference globally. |
Start Year | 2021 |
Description | International workshop: Researcher Wellbeing and Best Practices in Emotionally Demanding Research |
Organisation | |
Country | United States |
Sector | Private |
PI Contribution | Researcher Wellbeing and Best Practices in Emotionally Demanding Research (Forthcoming). Feuston, Jl., Bhattacharya, A., Andalibi, N., Ankrah, E., Erete, S., Handel, M., Moncur, W., Vieweg, S., Brubaker, J. CHI2022 Workshop. |
Collaborator Contribution | This workshop is one of a number of developments that have emerged as a result of my single-author 2013 paper, "The emotional wellbeing of researchers: considerations for practice". HCI researchers increasingly conduct emotionally demanding research in a variety of different contexts. Though scholarship has begun to address the experiences of HCI researchers conducting this work, there is a need to develop guidelines and best practices for researcher wellbeing. In this one-day CHI workshop, we will bring together a group of HCI researchers across sectors and career levels who conduct emotionally demanding research to discuss their experiences, self-care practices, and strategies for research. Based on these discussions, we will work with workshop attendees to develop best practices and guidelines for researcher wellbeing in the context of emotionally demanding HCI research; launch a repository of community-sourced resources for researcher wellbeing; document the experiences of HCI researchers conducting emotionally demanding research; and establish a community of HCI researchers conducting this type of work. |
Impact | The collaboration has led to a workshop at CHI, the premier HCI cOnference globally. |
Start Year | 2021 |
Description | International workshop: Researcher Wellbeing and Best Practices in Emotionally Demanding Research |
Organisation | University of California, Irvine |
Country | United States |
Sector | Academic/University |
PI Contribution | Researcher Wellbeing and Best Practices in Emotionally Demanding Research (Forthcoming). Feuston, Jl., Bhattacharya, A., Andalibi, N., Ankrah, E., Erete, S., Handel, M., Moncur, W., Vieweg, S., Brubaker, J. CHI2022 Workshop. |
Collaborator Contribution | This workshop is one of a number of developments that have emerged as a result of my single-author 2013 paper, "The emotional wellbeing of researchers: considerations for practice". HCI researchers increasingly conduct emotionally demanding research in a variety of different contexts. Though scholarship has begun to address the experiences of HCI researchers conducting this work, there is a need to develop guidelines and best practices for researcher wellbeing. In this one-day CHI workshop, we will bring together a group of HCI researchers across sectors and career levels who conduct emotionally demanding research to discuss their experiences, self-care practices, and strategies for research. Based on these discussions, we will work with workshop attendees to develop best practices and guidelines for researcher wellbeing in the context of emotionally demanding HCI research; launch a repository of community-sourced resources for researcher wellbeing; document the experiences of HCI researchers conducting emotionally demanding research; and establish a community of HCI researchers conducting this type of work. |
Impact | The collaboration has led to a workshop at CHI, the premier HCI cOnference globally. |
Start Year | 2021 |
Description | International workshop: Researcher Wellbeing and Best Practices in Emotionally Demanding Research |
Organisation | University of Colorado Boulder |
Country | United States |
Sector | Academic/University |
PI Contribution | Researcher Wellbeing and Best Practices in Emotionally Demanding Research (Forthcoming). Feuston, Jl., Bhattacharya, A., Andalibi, N., Ankrah, E., Erete, S., Handel, M., Moncur, W., Vieweg, S., Brubaker, J. CHI2022 Workshop. |
Collaborator Contribution | This workshop is one of a number of developments that have emerged as a result of my single-author 2013 paper, "The emotional wellbeing of researchers: considerations for practice". HCI researchers increasingly conduct emotionally demanding research in a variety of different contexts. Though scholarship has begun to address the experiences of HCI researchers conducting this work, there is a need to develop guidelines and best practices for researcher wellbeing. In this one-day CHI workshop, we will bring together a group of HCI researchers across sectors and career levels who conduct emotionally demanding research to discuss their experiences, self-care practices, and strategies for research. Based on these discussions, we will work with workshop attendees to develop best practices and guidelines for researcher wellbeing in the context of emotionally demanding HCI research; launch a repository of community-sourced resources for researcher wellbeing; document the experiences of HCI researchers conducting emotionally demanding research; and establish a community of HCI researchers conducting this type of work. |
Impact | The collaboration has led to a workshop at CHI, the premier HCI cOnference globally. |
Start Year | 2021 |
Description | International workshop: Researcher Wellbeing and Best Practices in Emotionally Demanding Research |
Organisation | University of Michigan |
Country | United States |
Sector | Academic/University |
PI Contribution | Researcher Wellbeing and Best Practices in Emotionally Demanding Research (Forthcoming). Feuston, Jl., Bhattacharya, A., Andalibi, N., Ankrah, E., Erete, S., Handel, M., Moncur, W., Vieweg, S., Brubaker, J. CHI2022 Workshop. |
Collaborator Contribution | This workshop is one of a number of developments that have emerged as a result of my single-author 2013 paper, "The emotional wellbeing of researchers: considerations for practice". HCI researchers increasingly conduct emotionally demanding research in a variety of different contexts. Though scholarship has begun to address the experiences of HCI researchers conducting this work, there is a need to develop guidelines and best practices for researcher wellbeing. In this one-day CHI workshop, we will bring together a group of HCI researchers across sectors and career levels who conduct emotionally demanding research to discuss their experiences, self-care practices, and strategies for research. Based on these discussions, we will work with workshop attendees to develop best practices and guidelines for researcher wellbeing in the context of emotionally demanding HCI research; launch a repository of community-sourced resources for researcher wellbeing; document the experiences of HCI researchers conducting emotionally demanding research; and establish a community of HCI researchers conducting this type of work. |
Impact | The collaboration has led to a workshop at CHI, the premier HCI cOnference globally. |
Start Year | 2021 |
Description | Royal Bank of Scotland |
Organisation | Royal Bank of Scotland |
Country | United Kingdom |
Sector | Private |
PI Contribution | Project is in its early days, so no contribution yet. |
Collaborator Contribution | Membership of strategic advisory board, and provision of access to bank staff for research purposes. |
Impact | Project is in its early days, so no contribution yet. |
Start Year | 2019 |
Description | Demonstrator Booth |
Form Of Engagement Activity | Participation in an activity, workshop or similar |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Professional Practitioners |
Results and Impact | Approx. 50 information retrieval and behaviour professionals visited our demonstration booth at ACM SIGIR Conference 2022 to view and interact with our persona based scenarios tool for raising awareness about the threats and harms of cumulative revelations in online data. |
Year(s) Of Engagement Activity | 2022 |
Description | Home Office STAR presentation |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | National |
Primary Audience | Policymakers/politicians |
Results and Impact | This was an invited talk at Home Office STAR Week 2022. The host was the Behavioural and Social Science Programme Lead, Science & Technology Team, Homeland Security Group. Talk title was "Leaks and Secrets: Creative Approaches to Cybersecurity Training". 50-60 Home Office staff attended in person/ by Teams link. We showcased three creative approaches to delivering training on cybersecurity issues, informed by four years of cybersecurity research. The focus was on information revealed online, and secrets kept - with relevance for onboarding staff and for increasing citizens' digital privacy literacy. There were follow-on discussions with Behavioural and Social Science Programme Lead and the Deputy Head of Science for the Home Office. |
Year(s) Of Engagement Activity | 2022 |