Cumulative Revelations of Personal Data *
Lead Research Organisation:
University of Edinburgh
Department Name: Sch of Law
Abstract
Abstracts are not currently available in GtR for all funded research. This is normally because the abstract was not required at the time of proposal submission, but may be because it included sensitive information such as personal details.
Organisations
People |
ORCID iD |
| Burkhard Schafer (Principal Investigator) |
Publications
Azzopardi, L.
(2021)
Cumulative revelations in personal data
Nash C
(2022)
Recht Digital
Nash C
(2022)
Making sense of Trifles: Data Narratives and Cumulative Data Disclosure
in Jusletter-IT
Nicol E
(2022)
Revealing Cumulative Risks in Online Personal Information: A Data Narrative Study
in Proceedings of the ACM on Human-Computer Interaction
Schafer B
(2021)
Death by a Thousand Cuts: Cumulative Data Effects and the Corbyn Affair
in Datenschutz und Datensicherheit - DuD
Tristan Henderson
(2019)
Regulating Industrial Internet Through IPR, Data Protection and Competition Law
| Description | Key findings include significant new knowledge generated and new research methods developed across the fields of Human-Computer Interaction, Cybersecurity, Law, and Information Retrieval. Across the Cumulative Revelations awards, we have: 1. Proposed a comprehensive taxonomy of online risks and harms that (i) extends across individuals (both adults and children) and organisations and that articulates (ii)the various roles of actors in both causing and experiencing harm, and (iii) the forms of harm that can surface when multiple pieces of personal data are linked together from across time.Findings are relevant to policymakers and designers of online tools and services as they seek to proactively address challenges within the complex landscape of online risks and harms. 2. Uncovered strategies used by people to cope with the 'ongoingness' of their digital traces, including retrospective curation of their information, using pseudonyms, entering fake information, encrypting data, changing privacy settings and using a particular technology - e.g. location tracking - sparingly. 3. Developed a tool (DataMirror) that enhances digital literacy by enabling users to explore different scenarios in which cumulative revelations could have led to hacking, identity theft, unwanted attention, loss of opportunities. Participants reported higher awareness and understanding of the threats and harms that could arise as a consequence of their information behaviours online. 4. Designed two online methods of research to explore the way in which citizens who are not legally trained understand their own online behaviours. These methods enhanced digital privacy literacy, prompting changes in participants' awareness and actions concerning their personal online safety and approaches to mitigating risk. We found that visualisation tools can assist citizens to make better-informed risk decisions. 5. Developed a browser-based cyber safety tool which collected research data whilst promoting respondents' awareness of the potential for diachronical (across traces) and synchronical (across time) functions of cumulative risk within digital traces, for deployment across a wide population. 6. Designed and developed two innovative sets of physical resources that serve as training aids to increase employees' digital privacy literacy. The training aids promote reflection on revealing small pieces of information online over time across multiple channels, and how these pieces of information can be pieced together in ways which may lead to unintended and potentially harmful consequences to the individual. 7. Developed digital tools that make it possible to detect at-risk behaviours in social media posts. 8. Uncovered a mismatch between expressed EU optimism about citizens' increased understanding of privacy and much more sceptical, if not resigned, attitudes expressed by our participants. Our analysis shows that the GDPR's "risk-based" approach uses an understanding of risk that is at odds with the way that people make risk-based decisions and overburdens the individual. The way risk is conceptualised in other legal fields, most importantly environmental and health law, could lead to a legal regime closer to the needs and capabilities of the citizen. 9. Demonstrated a different way to teach about data self-curation which - together with technological tools - can facilitate inter-generational data transfer, addressing the need to curate one's digital footprint in the context of inheritance and "digital afterlives", and supporting appropriate access to our digital data even after our death. |
| Exploitation Route | The findings align with the current much broader discussion on "data trusts" and in that way could inform the way in which consent for data use is collected. It also shows how to develop tools that can assist employers, especially during onboarding of new staff or training staff with specific responsibilities, such as data protection officers. For the legislative side, it also shows some of the issues the UK will have to resolve as it moves to a post -Brexit data protection regime. |
| Sectors | Government, Democracy and Justice |
| Description | appointed to the Independent advisory group on emerging technologies in policing (Scotland) |
| Geographic Reach | National |
| Policy Influence Type | Membership of a guideline committee |
| Description | Engineering Fiction |
| Form Of Engagement Activity | Participation in an activity, workshop or similar |
| Part Of Official Scheme? | No |
| Geographic Reach | Regional |
| Primary Audience | Policymakers/politicians |
| Results and Impact | Facilitated by an external expert and supported by SUII, the activity brought together members from the Scottish Government, Police Scotland, ORG and academics to use the prism of 3 fictional provocations to explore the future of surveillance, including the reaction to the pandemic. Participants then explored their own reactions to these provocations through the medium of art. The resulting collection of s scenario-descriptions, sonnets, and a short academic analysis will be made available as a digital booklet |
| Year(s) Of Engagement Activity | 2020 |
| Description | Panel discussion on ethical AI during the Royal Bank of Scotland Datafest, November 2019 |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Industry/Business |
| Results and Impact | Panel discussion organised by the Royal Bank of Scotland as part of their "Datafest" - members of the RBS Data and Analytics | Services attended a panel of academics and their own policy makers on the issues that ethical and law compliant use of customer data raises, with a special emphasis on how cumulative data disclosure needs joint-up privacy policies that track accumulation of information. |
| Year(s) Of Engagement Activity | 2019 |
| Description | Public engagement event: Eyes Online: Understand your data, switch on your rights |
| Form Of Engagement Activity | Participation in an activity, workshop or similar |
| Part Of Official Scheme? | No |
| Geographic Reach | Regional |
| Primary Audience | Public/other audiences |
| Results and Impact | A one day drop-in event with lightening talks and 1:1 advice to members the public who want to know about their online risks, digital rights and how to protect and enforce them in practice. Talks from academics but also Police Scotland, and Scottish government |
| Year(s) Of Engagement Activity | 2020 |