Many online service providers still do not provide clear information as to how they protect personal data from their users. Combined with the latter’s increasing wariness, this trend provides fertile ground for independent privacy service providers (PSPs). OPERANDO is trying to establish itself in this new market with easy-to-use privacy protection tools.

Security

A PSP can be seen as a trusted link between the citizen (the data subject) and an organisation wanting to process their personal data (an Online Service Provider (OSP)). For the team running the OPERANDO (Online Privacy Enforcement, Rights Assurance and Optimization) project, this means allowing users to control access and use of their personal data, with the possibility of trading access to this data in exchange for economic or other benefits. “Our main goal was to simplify privacy for end users. This is why OPERANDO offers a simple Privacy Dashboard allowing users to specify their preferences. These will be automatically compared with OSP privacy policies and translated into personal data access control decisions by the PSP,” explains Reynold Greenlaw, coordinator of the project on behalf of Oxford Computer Consultants. Over the past three years, the project has come up with four main innovations. The first is the PlusPrivacy application, which provides consumers with a unified dashboard to control privacy settings in the likes of social network accounts, email applications (hidden email identity), ad blocking, as well as the prevention of malware and unwanted apps from tracking and collecting private data. According to Greenlaw, PlusPrivacy is the most holistic solution available on the market. The second innovation is a G2C privacy enforcement platform available to OSPs as a service. This platform includes a unique architecture for privacy protection, with modules for automated privacy policy decision making, user device privacy, user-centric privacy management and regulatory compliance. For PSPs, OPERANDO provides an open-source software platform to offer privacy as a service, effectively turning these businesses into what the team calls a Privacy Authority (PA). “The PA may store the users’ personal data securely and release it judiciously to authorised OSPs, based on the individual User’s Privacy Policies (UPP). It further introduces the innovative concept of federation of Privacy Authorities, allowing PSPs to offer comprehensive privacy services in partnership with other PSPs,” Greenlaw explains. Finally, the project innovates by proposing a legally motivated privacy framework that aims for beyond-state-of-the-art ambitions to be standardised at European level. This includes translation of privacy and data protection into technical concepts and providing support for cross-border compliance with privacy laws of the EU, even if the OSP is located outside the EU. To privacy regulators, OPERANDO offers machine readable privacy guarantees, the ability to input privacy regulations in a semantic form, and automated compliance audits of OSPs. “The project has also developed guidelines and tools for the privacy-by-design method used when developing the OPERANDO platform,” Greenlaw points out. All OPERANDO tools were tested through integration into existing services. These include: the handling of personal data by a UK volunteer-based social service providing support for vulnerable adults; the management of data from patients with specific dietary needs in an Italian Hospital setting (FoodCoach); the management of personal information on adults being treated for gambling addiction (BetStop); and the registration of “patient” (synthetic) data for fictional surgery. “Subjects reported greater awareness and engagement with their personal data, with a perception of being more empowered. As a specific example, 40 subjects were randomised to receive FoodCoach or FoodCoach + OPERANDO. The subjects from the OPERANDO group showed a greater engagement in terms of daily usage of the platform, due to the privacy enforcement offered through OPERANDO. They felt they had greater control of the data shared through the platform,” says Greenlaw. The project was completed at the end of April 2018. Project partners will now focus on commercialisation plans, which will include promotion in Italy following the recent evolution of the Italian online privacy protection legislation; as well as various social care scenarios in the UK. A global B2C Privacy Authority (PA) based on the OPERANDO platform will also be set up for major online consumer services such as Facebook, LinkedIn and Google. “The cornerstone of the PA business model will be the virality of the service. We will particularly emphasise freemium pricing, the free basic service package for consumers and the various (paid) packages for OSPs,” Greenlaw concludes.

Keywords

OPERANDO, privacy, data, privacy service provider, PSP, online service provider, OSP, PlusPrivacy, open-source, FoodCoach