Making context the central concept in privacy engineering
Abstract
There is a gap between people’s online sharing of personal data and their concerns about privacy. Until now, this gap has been addressed by attempting to match individual privacy preferences with service providers’ options for data handling. This approach has ignored the role different contexts play in data sharing. This paper aims to give privacy engineering a new direction, putting context centre stage and exploiting the affordances of machine learning in handling contexts and negotiating data sharing policies. The research is explorative and conceptual, representing the first development cycle of a design science research project in privacy engineering. The paper offers a concise understanding of data privacy as a foundation for design, extending the seminal contextual integrity theory of Helen Nissenbaum. That theory started out as a normative theory describing the moral appropriateness of data transfers. In our work, the contextual integrity model is extended to a socio-technical theory that could have practical impact in the era of artificial intelligence. New conceptual constructs such as ‘context trigger’, ‘data sharing policy’ and ‘data sharing smart contract’ are defined, and their application is discussed at an organisational and a technical level. The constructs and design are validated through expert interviews; contributions to design science research are discussed, and the paper concludes by presenting a framework for further privacy engineering development cycles.
References
Badillo-Urquiola, K., Yao, Y., Ayalon, O., Knijnenburg, B., Page, X., Toch, E., et al. (2018). Privacy in context. In Companion of the 2018 ACM Conference (pp. 425–431). New York: ACM Press. https://doi.org/10.1145/3272973.3273012
Barkhuus, L. (2012). The mismeasurement of privacy: using contextual integrity to reconsider privacy in HCI. In Proceedings of the 2012 ACM Annual Conference (pp. 367–376). New York: ACM. https://doi.org/10.1145/2207676.2207727
Barth, A., Datta, A., Mitchell, J. C., & Nissenbaum, H. (2006). Privacy and contextual integrity: framework and applications. In Proceedings of the 2006 IEEE Symposium on Security and Privacy (pp. 15–198). IEEE. https://doi.org/10.1109/SP.2006.32
Baruh, L., Secinti, E., & Cemalcilar, Z. (2017). Online privacy concerns and privacy management: a meta-analytical review. Journal of Communication, 67(1), 26–53. https://doi.org/10.1111/jcom.12276
Baskerville, R., Baiyere, A., Gregor, S., Hevner, A., & Rossi, M. (2018). Design science research contributions: finding a balance between artifact and theory. Journal of the Association for Information Systems, 19(5), 358–376. https://doi.org/10.17705/1jais.00495
Bastien, C. (1999). Does context modulate or underlie human knowledge? In A. C. Quelhas & F. Péreira (Eds.), Cognition and Context. Lisbon: Analise Psicologica.
Bazire, M., & Brézillon, P. (2005). Understanding context before using it. In Business Process Models. Change Management (vol. 3554, pp. 29–40). Berlin, Heidelberg: Springer. https://doi.org/10.1007/11508373_3
Belanger, F., & Crossler, R. E. (2011). Privacy in the digital age: a review of information privacy research in information systems. MIS Quarterly, 35, 1–63.
Benthall, S., Gürses, S., & Nissenbaum, H. (2017). Contextual integrity through the lens of computer science. Foundations and Trends® in Privacy and Security, 2(1), 1–69. https://doi.org/10.1561/3300000016
Berners-Lee, T. (2017). Three challenges for the web, according to its inventor. Online: https://webfoundation.org/2017/03/web-turns-28-letter/
Brézillon, P. (2003). Representation of procedures and practices in contextual graphs. The Knowledge Engineering Review, 18(2), 147–174. https://doi.org/10.1017/S0269888903000675
Brézillon, P. (2005). Task-realization models in contextual graphs. In Business Process Models. Change Management (vol. 3554, pp. 55–68). Berlin, Heidelberg: Springer. https://doi.org/10.1007/11508373_5
Brézillon, P., & Pomerol, J.-C. (1999). Contextual knowledge sharing and cooperation in intelligent assistant systems. Le Travail Humain, 62(3), 223–246. Paris: PUF.
Campbell, R., Robinson, W., Neelands, J., Hewston, R., & Massoli, L. (2007). Personalised learning: ambiguities in theory and practice. British Journal of Educational Studies, 55(2), 135–154.
Cavoukian, A. (2009). Privacy by design: the 7 foundational principles. Online: https://www.ipc.on.ca/wp-content/uploads/Resources/7foundationalprinciples.pdf. Accessed: 2019-12-09
Choi, H., Park, J., & Jung, Y. (2017). The role of privacy fatigue in online privacy behavior. Computers in Human Behavior. https://doi.org/10.1016/j.chb.2017.12.001
Durbin, R. J., Markey, E. M., & Blumenthal, R. (2019). Letter to Mr. Sundar Pichai, August 12, 2019. Online: https://iblnews.org/senators-go-after-edtech-top-players-on-student-data-collection-practices/
EU (2012). Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, COM(2012) 11 final. Brussels: European Commission.
Fluid Project (n.d.). Project description: Understanding, Discovering and Asserting Personal Privacy Preferences (UDAPPP). https://wiki.fluidproject.org/display/fluid/(Floe)+Privacy+Needs+and+Preferences
Gregor, S., & Hevner, A. R. (2013). Positioning and presenting design science research for maximum impact. MIS Quarterly, 37(2), 337–355.
Hanseth, O., & Lyytinen, K. (2010). Design theory for dynamic complexity in information infrastructures: the case of building internet. Journal of Information Technology, 25(1), 1–19. https://doi.org/10.1057/jit.2009.19
Hoel, T., & Chen, W. (2019). Privacy engineering for learning analytics in a global market: defining a point of reference. The International Journal of Information and Learning Technology. https://doi.org/10.1108/IJILT-02-2019-0025
ISO (2008). Information technology – individualized adaptability and accessibility in e-learning, education and training – part 1: framework and reference model (ISO/IEC 24751-1:2008). International Organization for Standardization. Retrieved from https://www.iso.org/standard/41521.html
Kenny, S., & Borking, J. (2002). The value of privacy engineering. The Journal of Information, Law and Technology (JILT). Online: http://elj.warwick.ac.uk/jilt/02-1/kenny.html
Komljenovic, J. (2019). Making higher education markets: trust-building strategies of private companies to enter the public sector. Higher Education, 78(1), 51–66. https://doi.org/10.1007/s10734-018-0330-6
Lahlou, S., Langheinrich, M., & Rucker, C. (2005). Privacy and trust issues with invisible computers. Communications of the ACM, 48(3).
Lyons, T., Courcelas, L., & Timsit, K. (2018). Blockchain and the GDPR. Report produced by ConsenSys AG on behalf of the European Union Blockchain Observatory and Forum.
Mansour, R. F. (2016). Understanding how big data leads to social networking vulnerability. Computers in Human Behavior, 57(C), 348–351. https://doi.org/10.1016/j.chb.2015.12.055
Mostéfaoui, G. K., & Brézillon, P. (2004). Modeling context-based security policies with contextual graphs. In Proceedings of the Second IEEE Annual Conference on Pervasive Computing and Communications Workshops (PERCOMW’04), 0-7695-2106-1/04. IEEE.
Nature (2019). Protect AI panel from interference [Editorial, 22 August 2019]. Nature, 572, 415.
Nissenbaum, H. (2004). Privacy as contextual integrity. Washington Law Review, 79, 119–157.
Nissenbaum, H. (2010). Privacy in context: technology, policy, and the integrity of social life. Stanford: Stanford University Press.
Norberg, P. A., Horne, D. R., & Horne, D. A. (2007). The privacy paradox: personal information disclosure intentions versus behaviors. Journal of Consumer Affairs, 41(1), 100–126. https://doi.org/10.1111/j.1745-6606.2006.00070.x
Peffers, K., Tuunanen, T., & Niehaves, B. (2018). Design science research genres: introduction to the special issue on exemplars and criteria for applicable design science research. European Journal of Information Systems, 27(2), 129–139. https://doi.org/10.1080/0960085X.2018.1458066
Prain, V., Cox, P., Deed, C., Dorman, J., Edwards, D., Farrelly, C., et al. (2012). Personalised learning: lessons to be learnt. British Educational Research Journal, 65(3), 1–23. https://doi.org/10.1080/01411926.2012.669747
Royal Society (2017). Machine learning: the power and promise of computers that learn by example. ISBN 978-1-78252-259-1. United Kingdom: The Royal Society.
Scott, M. (2006). Programming language pragmatics. San Francisco: Morgan Kaufmann Publishers.
Shalev-Shwartz, S., & Ben-David, S. (2014). Understanding machine learning: from theory to algorithms. Cambridge: Cambridge University Press.
Sheeran, P. (2002). Intention–behavior relations: a conceptual and empirical review. European Review of Social Psychology, 12, 1–36.
Shvartzshnaider, Y., Apthorpe, N., Feamster, N., & Nissenbaum, H. (2018). Analyzing privacy policies using contextual integrity annotations. Online: https://arxiv.org/pdf/1809.02236. Accessed: 2019-12-11.
Slade, S., Prinsloo, P., & Khalil, M. (2019). Learning analytics at the intersections of student trust, disclosure and benefit. In Proceedings of the 9th Learning Analytics and Knowledge Conference 2019 (LAK 19) (pp. 1–1). Tempe.
Smith, H. J., Dinev, T., & Xu, H. (2011). Information privacy research: an interdisciplinary review. MIS Quarterly, 35(4), 989–1015.
Snowden, D. J. (2005). Complex acts of knowing: paradox and descriptive self-awareness. Bulletin of the American Society for Information Science and Technology, 29(4), 23–28. https://doi.org/10.1002/bult.284
Strauss, A., & Corbin, J. (1990). Basics of qualitative research. Sage Publications.
Taddei, S., & Contena, B. (2013). Privacy, trust and control: which relationships with online self-disclosure? Computers in Human Behavior, 29, 821–826.
Tuomi, I. (2018). The impact of artificial intelligence on learning, teaching, and education: policies for the future. M. Cabrera, R. Vuorikari, & Y. Punie (Eds.), EUR 29442 EN. Luxembourg: Publications Office of the European Union. ISBN 978-92-79-97257-7. https://doi.org/10.2760/12297. JRC113226.
Westin, A. F. (2003). Social and political dimensions of privacy. Journal of Social Issues, 59(2), 431–453. https://doi.org/10.1111/1540-4560.00072