Privacy and Security in an Open/Realtime/Linked Data World AccessNow

28 September 2011 - A Workshop on Security in Nairobi, Kenya


Open, realtime, and linked data generated, gathered, and organized online are proving vital to understanding local communities and the world we live in, ensuring more informed decisions are made at all levels of society. While online data is proving immensely useful, the dramatically increasing trend towards moving data online -- whether knowingly, carelessly, or without consent -- has led to unprecedented challenges to user privacy and security. At this juncture, Internet Governance is needed to clarify and codify the rights and responsibilities of various actors as regards online data.

This workshop will feature short presentations from representatives of civil society, government, academia, and corporations, which will facilitate discussion about theses issues amongst the panelists, the audience, and international remote participants, including members of Access’ network (now in 184 countries).

Topics for discussion include:
• How open/realtime/linked online data can aid development
• The use of crowd-sourced, geolocation, and mobile data
• Existing and emerging privacy and security threats of and to online data and ways to mitigate these risks
• How various stakeholders can assist the public in protecting their data and rights online
• Maintaining the balance between privacy, security, inclusivity, transparency, and accountability in legislation, regulation, and terms of service.



A brief substantive summary and the main events that were raised:
This workshop explored the use of open, real-time and linked data for inclusive development and the privacy and security risks inherent in that use. Access also took the opportunity to launch a paper on “The Importance of Net Neutrality in the Emerging and Development countries” and another titled “Towards a Rights-Respecting Copyright Enforcement Mechanism: An Alternative to Notice & Takedown” at the workshop. Panellists and participants delved into issues as outlined in the background paper provided prior to the workshop. The opportunities for use of open/real-time/linked data were first highlighted. This was followed by the presentations on the challenges of doing so. Many questions were raised by participants through the workshop. There were approximately 100 people in attendance. The full transcript of the workshop is available on the IGF website. Many panellists highlighted the need to educate the public about ways in which data are not only useful, but also about where their data are stored, what they are being used for, and the privacy issues that may arise with their use. The absence of any clear legislative framework for use of these data for development purposes was also noted. The potential for open data to equalise power relationships was repeatedly recognised and so was the potential for such data to be used for development. Privacy and security issues that arise with the use of such data were also discussed at length throughout the workshop.

Erik Hersman spoke about Ushahidi, which gathers information from different sources such as SMS, Twitter, e-mail or web forums and then maps this information (social data and crowd data, or so-called “enablers of this data exhaust”) to help the public understand what is taking place in times of crisis, elections, in post-disaster scenarios, and other situations. Ushahidi is trying to change the way information flows in the world so that ordinary people have a voice. Hersman noted that we need to strive for more equality of power within information collection and sharing because those with the most capital (government and big corporations) can make the best use of data. The challenge is to enable citizens to also be empowered to make use of their data.

He said, however, that “no matter how secure we make the Ushahidi platform we can't secure it completely because at the end of the day if someone sends an SMS, that's open.” Moreover, depending on the relationship between the government and the mobile operator, data might also be easily accessible by government for good or bad purposes. He posed this question: “We have corporate interests who can shut things down, whether or not it's legal. We have governments who can shut down things whether or not it's legal and we have citizens who can bypass all of it as well. So who is in charge of the data?”

Tim Davies founder and co-director of Practical Participation spoke about the open government data portals being made available around the world (including Kenya) but also of the fact that not all datasets are equal. The International Aid Transparency Initiative (IATI), a political process aimed at getting donor governments to open up data on aid projects was also referenced. It is hoped that this effort could encourage greater accountability, cooperation between agencies, limit duplication of efforts, and support innovation. He noted that, “open data alters the balance of power.” However, Davies also spoke of the potential for open data to be misinterpreted or misused. “Making data accessible means more than just publishing a data set for it involves building skills to make sense of the data.”

Robert Kirkpatrick, Director of UN Global Pulse, gave a brief introduction to his initiative, which is exploring how to use this new world of big data to improve government and public understanding of whether policies and programs are working, help populations who are at risk of harm, and assessing policies leading to reversals in global development. UN Global Pulse is looking into using corporate data, in particular, to inform development policy. He, however, acknowledged that “If we compromise privacy and safety [of users] in order to protect them, we have failed.”

Moez Chakchouk, CEO of the Tunisian Internet Agency (ATI), spoke about privacy and security issues in Tunisia, both before the revolution earlier this year that saw the overthrow of long-time dictator, President Zine El Abidine Ben Ali, and the challenges facing the interim government especially regarding Internet censorship. Before the revolution, strong partnerships between ATI and some North American and European companies were in place and making the agency a testing ground of censorship technology. Those companies offered significant discounts on use of software and hardware to the Tunisian government as well as privileges in exchange for testing and bug-tracking of new solutions. He said confidentiality contracts preclude him from naming the companies, but said after the revolution the ATI is determined to evolve those partnerships in order to transform all censorship equipments for another use. Government subsidization for censorship is no longer available after the revolution and ATI can no longer pursue any kind of censorship activity. Chakchouk spoke of the challenges of overcoming this history, crafting regulations that genuinely protect users and their rights, as well as becoming a leading Internet Exchange Point in accordance to best practices in the field in term of transparency and neutrality. Simultaneously, Chakchouk related, the elected Tunisian constitutional assembly, following elections to be held on October 23rd of this year, will begin writing a new constitution which he hopes will incorporate privacy and free speech issues on the Internet as well as Internet access as a fundamental human right for Tunisians. He, however, noted that privacy is a subject that must be discussed more and more as the government considers its position on censorship and the Internet neutrality.

Anahi Ayala Iacucci, Internews Innovation Advisor for Africa, presented on a Ghanaian project that she is involved in which is developing a real-time system that enables rural areas and specific villages to bring information to the NGOs and civil society organizations, so that they can respond immediately to a specified problem, in this case, child exploitation. Speaking about the project, she noted that the majority of the child trafficking and violence happens in rural areas, but most of the people that can actually respond and make policy around this terrible problem are in the capital. She further noted the privacy and prosecution challenges around these kinds of data, as data protection regulations in most jurisdictions strictly prohibit the sharing of information about children. She also noted a lack of understanding and knowledge amongst small NGOs and individuals on the ground about the security threats inherent in the use of real-time data. She said that in order to build a successful technology project we also need think about what we would do if the technology was for whatever reason no longer available. “There should be a focus not only on technology but on real people and social networks as well.”

Sophie Kwasny, lawyer, Council of Europe’s Data Protection Unit, spoke about the Council of Europe’s perspective that data protection is linked to fundamental human rights. The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data is a general framework for protecting personal data and applies to public sector, private sector. This 30 year old convention was valid today as it was 30 years ago since it was drafted in a technology neutral style. They are now assessing if the protection principles are still fully sufficient/relevant. She noted that sensitive data cannot be part of profiling except if legal safeguards allows it and that if adequate provisions for personal data protection are not in place this will also affects freedom of expression.


Conclusions and further comments:
Importance of Education and Building Awareness
The workshop highlighted the importance of building awareness, encouraging users to make more conscious choices about what data they share, as well as educating the public about the benefits and privacy issues inherent in the use of their data. The way in which privacy concerns limit the potential for the use of data for development efforts was also noted. As Davies pointed out, “There has to be a scale of different levels of resistance to access data as this is not a simple open/closed dichotomy.”

Who owns the data and what data are being collected?
Kirkpatrick brought up the issue of control over citizen data. Different models regarding such control are arising and being adopted by various governmental agencies. Is it the individual, the government, or corporations that should assume control and ownership of these data? Hersman pointed out that the people making the rules are not the ones using the data. “The future is all about contention over information... that is the big battlefront of our generation ... This will play out in different ways with different government and different corporations.”

The role of individual citizens versus suppliers of public services was also brought up by Davies. He noted that we want data on companies, but when it's data about money individuals received from the government, that is commonly considered private. “I think this open data from governments versus open data we publish ourselves will create a whole set of new issues.”

The extent to which we save our content and protect our privacy while social media continually request more information about us was questioned. Using data for unfair profiling of individuals was also raised and so was the impact that using pseudonyms will have on the value of open data. Hersman noted that Ushahidi are strong proponents of pseudonyms. “We just care that the source of information, whether e-mail address, phone number, Twitter handle, whatever, can be trusted.” However, whenever you allow everybody to be anonymous you are also allowing government to be anonymous, which in some cases has led to arrest and torture. The use of technology without a clear framework and proper procedures can create problems.

Richard Allen, Facebook's Director of Policy Europe, Middle East, and North Africa, who was in the audience, noted that though some services offer anonymity, Facebook requires a reciprocal relationship. “Facebook works because people have real identities.” While he said that his company understands the cause for anonymity, they do not think that others should dictate how web services are set up.

Jochai Ben-Avie, Access’ Policy Director and the panel moderator, cited eBay as an example of the use of pseudonyms working. People buy things on eBay from people all over the world, who they have never met, and who don't use their real names everyday, instead relying on the trust rankings of others in order to have confidence in online transactions and interactions.

Issues Surrounding Regulation
Questions circulate around how to use data for development while protecting privacy. For instance, how do rules regarding what data you keep and how long you are allowed to keep it affect the use of this data for development? There were also concerns about whether privacy regulations may affect smaller organisations being able to gather and use data. In addition, one participant said “regarding this paradox between open flows and people's demand for privacy, if it isn't courts that make the decision, then who does make the decisions on this?”

Ben-Avie further noted in his introductory remarks, “that the capability to spatially display different datasets (either with or without a map background) has meant that one can eventually identify someone or thing with a high degree of accuracy. This is one of the challenges that arises when developing and applying privacy regulations. In other words, how does one apply a privacy test to a data set which itself may not identify a data subject, but when combined with another dataset might enable identification?”

Kirkpatrick noted that an analogy can be drawn with a lot of different products and services that we regulate where there's a risk of harm along with a recognized benefit. For example, in the U.S. and Europe, advertisements for pharmaceutical products talk about the benefits they offer, but, by law, they have to talk about side effects as well. It is worth considering these types of regulations for internet platforms as well. For instance, companies may be asked to provide tools which alert users about the implications of their use of a particular technology or platform.

Davies also brought up the need for a taxonomy of privacy: “We have to really get into what do we mean when we say privacy is under threat.” He noted that information collection, processing, dissemination, invasion, and intrusion all relate to very different types of data, very different types of concerns, and solicit different types of regulatory responses. If data is being collected, harvested, and shared without our consent, we need to set responses that may need to be legislative and technical. For example, if data is being abused for decision interference by insurance companies, “we hope [that] can be dealt with by legislation around banning that use of the data but not necessarily saying it shouldn't be there,” said Davies.

This workshop engaged multiple stakeholders in a conversation about the use and privacy and security issues of open, real-time, linked, and geolocation data. Significant work remains to be done to harmonise discussion, education, and regulation on open, real-time, and linked data for development, privacy, and security. The workshop revealed that issues are continually coming to the fore in the open/realtime/linked data world on the one hand and data privacy and security on the other. These divergent issues are continually colliding. The use of data for development and privacy will need to be informed by Internet Governance, yet little work has been done to date in this sphere. More work by multiple stakeholders is needed to ensure that these issues, which include those that arose in this workshop -- like the need to build awareness, educate users and governments, as well as craft better regulation -- are addressed. We must continue to learn from each other and work together to ensure that the data collected online enables development and does not hinder or at worst reverse progress already made. We hope that the information and dialogue generated from this workshop has helped inform those involved in Internet Governance and ICT policy about not only privacy and security but also the benefits of using data for development. The panellists and the panel organizers look forward to working together to continue the conversation about these issues within the multi-stakeholder IGF environment.