Privacy — MyData — Group Privacy — Our Data
Yesterday (while laying in neck massage) I participated in the webinar where Ain Aaviksoo from the Estonian Ministry of Health and Social Affairs stated their thinking on personal data. He used several times the slogan: “Using personal data securely — not securing data of being used”.
From Privacy to Usage of Data (MyData)
In the core of the traditional data protection thinking is the notion that all personal data collection may potentially harm the privacy of the individuals — “the less data is collected the smaller the risks”. However, if we focus only on the protection side we may forget the benefits that the data collection could have for the individuals. Hopefully I am not protected against of using my own data?
Solving this perceived contradiction between privacy and data utility is one of the main shifts that the MyData community aims. It is written in the MyData Declaration as follows:
Data protection regulation and corporate ethics codes are designed to protect people from abuse and misuse of their personal data by organisations. While these will remain necessary, we intend to change common practices towards a situation where individuals are both protected and empowered to use the data that organisations hold about them. Examples of such uses include simplifying administrative paperwork, processing data from multiple sources to improve one’s self-knowledge, personalised AI assistants, decision-making, and data sharing under the individual’s own terms.
In my own presentations I have used this double-dichotomy where the easy utility of the data is on one axes and the privacy and protection on the other.
From Individual Privacy to Group Privacy
In the MyData 2017 conference (where also the above mentioned declaration was launched) Linnet Taylor had a keynote talk about group privacy. Unfortunately I didn’t see the much praised presentation live, but this week I watched it from video and read the first two chapters of the book ‘Group Privacy’ (Taylor, Floridi, and van der Sloot 2016).
In privacy debates the big data advocates commonly underline that the organisations are not interested in the individuals, but they look for the trends and generalisations that apply to many. The argument is that by proper anonymisation and aggregation the individual privacy could be protected while running the machine learning algorithms which are mainly targeted on the group level. Others oppose this thinking by reminding how hard problem anonymisation actually is.
Linnet Taylor bypasses altogether the anonymisation debate and goes to the point that even if anonymisation works perfectly and no individuals could be identified it does not automatically mean that the data would be safe. The whole idea behind big data analysis is to retrieve actionable insights from the data and often times to influence in the behavior of the people.
If the analyst has malicious intentions (or good intentions but bad implementation) real harm can be caused to real people also without identifying exactly who the targets are. One example of this is discriminatory pricing on online shopping, where users of Apple computers have been shown higher prices. On her presentation Linnet Taylor had much more brutal examples where people have even been killed when non personal data ended in wrong hands.
Should the groups then then be protected and have right to ‘group privacy’? First difficulty in that discussion is to define the ‘group’. Few passages from the first chapter of the book:
Groups are usually dynamic entities: they come in an endless number of sizes, compositions, and natures, and they are fluid. The group of people on the same bus dissolves and recomposes itself at every stop, for example.
[…] it is the choice of a particular property that determines who belongs to that group. It is the property of being “quadrilateral” that puts some figures of the plane in a particular set. Change the property– quadrilateral and rightangled– and the size (cardinality) and composition of the group follows.
Linnet Taylor and co-authors suggest that it is best to define the groups as something that the data analysis creates and not something that pre-existed before: “it is misleading to think of a group privacy infringement as something that happens to a group that exists before and independently of the technology that created it as a group”. I try to cling on that definition in the last part of this blogpost.
From Group Privacy to Our Data
The traditional data privacy approaches protect individuals against malicious use of their personal data. MyData approach underlines the benefits that the people could get from their data.
The group privacy raise to the discussion the need to protect groups against malicious activities that are targeted to them with advanced data analytics also when not a single individual could be identified.
Let’s consider ‘Our Data’ as the benefit and empowerment focused equivalent of MyData for groups and try to put into use the above mentioned definition of group as something that is created by the technology at the time of data analysis.
What would ‘Our Data’ look like?
Should groups have some level of control over the data analytics or the actions taken based on the analytics? If there would be a way to ask from the Apple users group on the online shopping site if it is ok that they are shown higher prices than Windows users it is quite obvious that the ‘group’ would not ‘give its consent’ for that. But if the profiling would be used to show Apple users the Apple products on the same site the ‘group’ would probably agree on that.
Could the groups be empowered by the analytics and data? Maybe the profiled group could be engaged somehow: “hey people, our super data analysis machine have found out that you have something in common, how would you like to be treated as a group?”.
How on earth would the control or empowerment work in practice if the groups are dynamically created on the fly?
These are big and messy questions right now, but somehow intuitively I find it interesting to also think the collectives as taking action and benefitting of their collective data. I think that the first step for the group to get empowered by data is for the group to become self aware.
