Enabling Crowd-sourcing based privacy protection for smartphone applications, websites and Internet of Things deployments

The Privacy Flag (PF) project has researched and combined the potential of crowdsourcing, ICT technologies and legal expertise to protect citizens’ privacy when visiting websites, using smartphone applications or living in a smart city. It has enabled citizens to monitor and control their privacy with a user-friendly solution made available as a smartphone application, a web browser add-on, and a public website, all connected to a shared knowledge database.

Our key ambition has been to utilize the power of the crowd combined with ICT technology and legal expertise to enable users to monitor, control and increase their level of privacy in three targeted application domains: websites, smartphones applications, and Internet of Things (IoT) deployments in smart cities. PF has targeted different segments of end-users, including:
- Citizens (main target group);
- Companies and SMEs;
- Smart cities and public administrations considering deploying IoT;
- Researchers and research projects to assess their risk level to breach privacy;
- ICT Lawyers and policy makers.

The main aims have been to:

1. Develop a highly scalable privacy monitoring and protection solution with:
- Crowd sourcing mechanisms to identify, monitor and assess privacy-related risks;
- Privacy monitoring agents to identify suspicious activities and applications;
- Universal Privacy Risk Area Assessment Tool and Methodology tailored to European norms on personal data protection;
- Privacy enablers against traffic monitoring and finger printing;
- User friendly interface informing about the privacy risks when using an application or website.

2. Develop a global knowledge database of identified privacy risks, together with online services to support companies and other stakeholders in becoming privacy-friendly, including:
- In-depth privacy risk analytical tool and services;
- Voluntary legally binding mechanism for companies located outside of Europe to align with and abide to European standards in terms of personal data protection;
- Services for companies interested in being privacy friendly;
- Labelling and certification process.

3. Collaborate with various standardization bodies and actively disseminate towards the public and specialized communities, such as ICT lawyers, policy makers and academics.

PF intended to combine crowdsourcing technologies together with privacy monitoring agents, innovative privacy risk assessment methodology and legal expertise to develop a collective privacy protection framework enabling citizens to better control and protect their personal data. PF has developed a crowdsourcing-based process and a set of tools and/or application(s) enabling the users to collectively assess and control the level of risk for their privacy. It has so provided a new paradigm of privacy risk assessment combining:
- Crowdsourcing model of risk identification and evaluation;
- Privacy Risk Area Assessment Methodology technology;
- Distributed agents to monitor, assess and inform on the privacy risk level of any application;
- “Anonymization” and privacy technology for server connection;
- Legal expertise in privacy and personal data protection;
- Personal data valuation mechanism;
- A voluntary legal binding mechanism for companies located outside of Europe.

PF has supported progress beyond the actual state-of-the-art, at different levels such as:

Designing a Universal Privacy Risk Area Assessment Methodology (UPRAAM): PF has researched and developed a methodology enabling non-specialists to assess, identify and mitigate risks of breaching personal data protection and other privacy-related norms. The UPRAAM has been extended to encompass all the privacy-related risks with smartphone applications, websites and all sorts of IoT deployments in smart cities.

Designing an innovative triple layer crowd sourcing based privacy Protection: Currently employed techniques in privacy risk detection and prevention are more centralized and are controlled by companies specializing in this area with everyday users playing a minimal role, if any. This “top-down” approach most often involves a company offering privacy/security detection and prevention services by: (i) detecting privacy breach attempts on users’ devices with special software monitoring the devices and then remove the risk either automatically or give advice to the users on “how to handle it themselves”, and; (ii) closely analyzing reports on such incidents found on the web or other authoritative sources and publishing on bulletin boards that users can access themselves. Our approach follows the “bottom-up” and distributed approach and attempts to involve users more actively in protecting their own privacy, increasing their privacy awareness and privacy protection responsibilities.

Building a global knowledge database on privacy risks: PF aimed to develop and provide a global knowledge database combining data from human and machine sources together, that is: privacy monitoring agent alerts; crowd alerts; UPRAAM-based evaluation by the crowd; in-depth evaluations by experts; company voluntary commitments and potential certifications. PF provides a unique source of information on privacy risk with several levels of granularity.

Standard design and labelling: The UPRAAM enables PF to develop a clear methodology to assess the privacy-related risks for applications, websites and IoT deployments in smart cities, serving as a basis to design a labelling and certification process.

Crowdsourcing personal data valuation: PF has developed a crowdsourcing-based process and a set of tools and solutions enabling the users to collectively assess and control the level of risk for their privacy in the different contexts of web applications, smartphones applications and IoT deployments. For this process it has been of prime importance to build-up a crowd with active participation of individuals. The process has been designed in an iterative and interactive manner, engaging the crowd in the implementation to design their PF tools.
The outcomes of the PF project are listed as follows:
- Three user-friendly and freely available tools for citizens
- Distributed crowdsourcing privacy monitoring platform
- Universal Privacy Risk Area Assessment Tool & Methodology
- Privacy enablers
- Global knowledge database on privacy risks
- Voluntary compliance commitment tool
- On-line resources
- In-depth privacy risk analysis on-line tool
- Contributions to labelling and certification processes
- Contributions to standardization on privacy

Benefits coming from the PF project are listed as follows:

Providing an on-going platform for privacy Protection

Improving privacy and personal data ownership
• Designing a methodology for privacy risk analysis
• Improving privacy risk identification
• Rebalancing the inherent asymmetry between individuals and ICT
• Improving personal data valuation
• Scalability and viral dissemination
• Support to privacy labelling and certification

Societal impact and user awareness
• Towards a democratic model of privacy management
• Extending the geographic scope of personal data protection
• Exploring potential room for a new international convention
• Raise user awareness

Economic Impact
• Rebalancing and mitigating unfair competitive advantages
• Supporting European SMEs and industry