4,190 research outputs found
Making GDPR Usable: A Model to Support Usability Evaluations of Privacy
We introduce a new model for evaluating privacy that builds on the criteria
proposed by the EuroPriSe certification scheme by adding usability criteria.
Our model is visually represented through a cube, called Usable Privacy Cube
(or UP Cube), where each of its three axes of variability captures,
respectively: rights of the data subjects, privacy principles, and usable
privacy criteria. We slightly reorganize the criteria of EuroPriSe to fit with
the UP Cube model, i.e., we show how EuroPriSe can be viewed as a combination
of only rights and principles, forming the two axes at the basis of our UP
Cube. In this way we also want to bring out two perspectives on privacy: that
of the data subjects and, respectively, that of the controllers/processors. We
define usable privacy criteria based on usability goals that we have extracted
from the whole text of the General Data Protection Regulation. The criteria are
designed to produce measurements of the level of usability with which the goals
are reached. Precisely, we measure effectiveness, efficiency, and satisfaction,
considering both the objective and the perceived usability outcomes, producing
measures of accuracy and completeness, of resource utilization (e.g., time,
effort, financial), and measures resulting from satisfaction scales. In the
long run, the UP Cube is meant to be the model behind a new certification
methodology capable of evaluating the usability of privacy, to the benefit of
common users. For industries, considering also the usability of privacy would
allow for greater business differentiation, beyond GDPR compliance. Comment: 41 pages, 2 figures, 1 table, and appendixes
ICT Systems Security and Privacy Protection: 29th IFIP TC 11 International Conference, SEC 2014 Marrakech, Morocco, June 2-4, 2014
International audience. Book Front Matter of AICT 42
The internet: a framework for understanding ethical issues.
The impact and influence of the Internet as a communications medium cannot be overstated. It has had a profound effect on economic, political, and other social infrastructures, and has introduced ways of communicating which have transformed social relationships. The Internet has opened up information exchange on a global scale, offering enormous opportunities and advantages to an hitherto unknown degree.
The Internet has also raised a number of serious, and urgent, ethical challenges. The discussions and debate surrounding ethical issues such as trust, security and privacy, amongst others, conducted at all levels (international, government, academia and the popular press) in themselves are evidence of the complexity of the problem of Internet ethics.
The research unravels some of the complexity and muddle of Internet ethics, with the objective of providing a foundation for further research. This thesis offers four perspectives on the problems of Internet ethics: technical, conceptual, regulatory and ethical. These different viewpoints are not only useful in drawing out insights concerning the ethical framework of the Internet, they also provide leverage for the analysis of pertinent issues.
The work in this thesis thus offers a framework for understanding, and analysis, which can be developed and used in continuing investigations. The research is a combination of theory and practice - both informing each other. The approach taken arose from the author's direct involvement in many of the expert discussions and debates which (together with the literature), identified a need for foundational work. In-depth work with a number of specialised groups has provided the practical backdrop, and grounding to this research - published results appear as Appendices
Human choice and computers : an ever more intimate relationship
Since 1974, the Human Choice and Computers (HCC) conference series has firmly remained at the cutting edge of innovative thinking about the interface between the social and technology. This introductory chapter to the proceedings of the 12th Human Choice and Computers conference points out that what has set HCC conferences apart is the critical perspective that is its hallmark. HCC12 continues this tradition
TIRA: An OpenAPI Extension and Toolbox for GDPR Transparency in RESTful Architectures
Transparency - the provision of information about what personal data is
collected for which purposes, how long it is stored, or to which parties it is
transferred - is one of the core privacy principles underlying regulations such
as the GDPR. Technical approaches for implementing transparency in practice
are, however, only rarely considered. In this paper, we present a novel
approach for doing so in current, RESTful application architectures and in line
with prevailing agile and DevOps-driven practices. For this purpose, we
introduce 1) a transparency-focused extension of OpenAPI specifications that
allows individual service descriptions to be enriched with transparency-related
annotations in a bottom-up fashion and 2) a set of higher-order tools for
aggregating respective information across multiple, interdependent services and
for coherently integrating our approach into automated CI/CD-pipelines.
Together, these building blocks pave the way for providing transparency
information that is more specific and at the same time better reflects the
actual implementation givens within complex service architectures than current,
overly broad privacy statements. Comment: Accepted for publication at the 2021 International Workshop on
Privacy Engineering (IWPE'21). This is a preprint manuscript (authors' own
version before final copy-editing)
Methodology and workflow to perform the Data Protection Impact Assessment in healthcare information systems
Background: The General Regulation on Data Protection (GDPR) modernizes and harmonizes personal data protection laws across the European Union, affecting all economic sectors including the healthcare industry. The new regulation introduces two specific duties: the Record of Processing Activities (ROPA) and, for each high-risk processing, the Data Protection Impact Assessment (DPIA). Currently, there are no specific DPIA methodologies for the healthcare environment, but only broad methodologies applicable in all economic sectors.
Objectives: This work aims to propose a methodology to perform DPIA for healthcare information systems, considering the specific constraints and criticisms posed by the heterogenous and highly sensitive nature of data and software use in hospitals.
Methods: We first performed a GDPR analysis and an examination of other sources regarding DPIA. This analysis led to the identification of issues related to GDPR application in the healthcare environment. We then developed a workflow for DPIA execution, and implemented a software to apply it in a real environment. The methodology was applied on 11 softwares and devices already in use in the Trieste area, Italy.
Results: The most important issue identified in the analysis is the definition of "processing activity", which was overcome by focusing the methodology on the information system processing the data instead of the processing activity per se. We therefore designed a workflow for the risk assessment of an information system establishing that the DPIA shall be performed after the purchase, usually a bid with strict IT security requirements of the information system, but before its deployment in the real environment. The validation of the developed software to implement the workflow on the 11 softwares showed the ability of the proposed workflow to perform the DPIA, and to uncover some important issues in the examined systems.
Conclusions: The proposed methodology can be applied to perform DPIA in the healthcare environment by supporting risk evaluation and management, focusing on each software component added to the healthcare information system
The control over personal data: True remedy or fairy tale ?
This research report undertakes an interdisciplinary review of the concept of
"control" (i.e. the idea that people should have greater "control" over their
data), proposing an analysis of this concept in the field of law and computer
science. Despite the omnipresence of the notion of control in the EU policy
documents, scholarly literature and in the press, the very meaning of this
concept remains surprisingly vague and under-studied in the face of
contemporary socio-technical environments and practices. Beyond the current
fashionable rhetoric of empowerment of the data subject, this report attempts
to reorient the scholarly debates towards a more comprehensive and refined
understanding of the concept of control by questioning its legal and technical
implications on data subject's agency
Yes, I know this IoT Device Might Invade my Privacy, but I Love it Anyway! A Study of Saudi Arabian Perceptions
The Internet of Things (IoT) ability to monitor our every move raises many privacy concerns. This paper reports on a study to assess current awareness of privacy implications of IoT devices amongst Saudi Arabians. We found that even when users are aware of the potential for privacy invasion, their need for the convenience these devices afford leads them to discount this potential and to ignore any concerns they might initially have had. We then conclude by making some predictions about the direction the IoT field will take in the next 5-7 years, in terms of privacy invasion, protection and awareness