Privacy directive to spark demand for content tools

DATA PRIVACY is about to become big business, and a research group within the Waterford Institute of Technology hopes a long-…

DATA PRIVACY is about to become big business, and a research group within the Waterford Institute of Technology hopes a long-standing interest in the area will translate into fresh projects with EU backing.

Europe’s proposed new directive on data protection, which EU commissioner Viviane Reding launched in January and has said she hopes will make it through the European Parliament by next year, will bring stricter data management requirements – enforced by significant fines – for businesses, as well as a novel “right to be forgotten” for EU citizens. This would require businesses that manage user data and uploaded user content to remove certain types of information at a user’s request.

While Europe could choose to bring in the directive as currently formulated, or require changes, the almost-certain outcome is that once a new directive is agreed, businesses will need to be able to hit the ground running with privacy-oriented tools that can manage content and personal data.

This is an area that has been of particular interest to WIT’s Telecommunications Software and Systems Group (TSSG). Researcher Shane Dempsey says TSSG has developed two projects in this area already in ongoing collaborations with other European research groups and industry.

READ MORE

One project, called the Semantic Room, allows observers to monitor and isolate activity across a number of financial services networks in the hope of spotting suspicious activity and preventing serious information breaches and network attacks. While the activity can be monitored, the identity of those on the network is kept anonymous but can be referred to a regulator for deeper investigation if needed. Elements of that project are now being considered for commercialisation by some of their European partners, he says.

Another project, called Endorse and managed by researcher Paul Malone, is a system for enabling organisations to comply with privacy regulations.

“There’s a whole group of steps you have to go through to be sure you should be in possession of a certain piece of information, for example,” says Dempsey. “What we’re really looking at with this is policy-based systems” in which experts in areas such as law, privacy and data management would help feed in information that would be used to determine the policies, he says.

WIT has now co-ordinated a major European proposal that includes Dempsey and TSSG researcher Mark McLaughlin, who has expertise in IT and social sciences. It involves leading European research institutes working on data privacy issues. Unusually, the project was in part inspired by the award-winning book Delete: the Virtue of Forgetting in the Digital Age by Viktor Mayer-Schönberger, which argues that the internet needs to have mechanisms that enable certain types of “forgetting”.

In part, Dempsey says this is because emerging business models on the net mean people’s information is used in ways they don’t understand and didn’t foresee.

Companies that he refers to as “large-scale information hoarders” – search engines, social networks, retailers and advertisement managing companies – want to make a business out of using and selling the data their users divulge when using their service.

The proposed European data protection directive would place more control in the hands of the internet user and more restrictions on companies.

However, Dempsey notes many of the immediate criticisms of the proposed “right to be forgotten” imagined extremes such as requiring companies to delete information from people’s personal computers.

The actual proposal gives a right to have incorrect information removed or changed, and hands ownership of uploaded social media content back to the user.

At the moment people have very little ability to remove material permanently from sites like Facebook, for example.

When recent surveys revealed that three-quarters of people in professional organisations are using social network sites for background checking on employees and prospective employees, people need the ability to correct false information and be offered better privacy controls, Dempsey says.

The proposed project is to develop systems that would enable security auditing that would protect privacy rights, specifying policies which can then manage the flow of information into a cloud environment, between a business and its partners, or between an individual user and a business or service.

“For example, if the business uploads information to a social network site, the business would remain in control of that information, not the social network, and media content such as videos or pictures would also belong to the business. Currently it belongs to the social network.”

Another intention is to consider ways of managing privacy in what Dempsey calls “the extremes of information sharing”. This could be to protect the identity of a citizen journalist who might be blogging from an oppressive country, but could verify who they are to media organisations wanting to use their report as a trustworthy source.

But this type of protective management of information is also needed for sensitive information of other types.

Dempsey, who specialises in the application of technology in law and finance, says child-protection lawyers have raised the issue of needing to be able to transfer information to agencies, law enforcement or other colleagues without divulging an individual’s identity.

“Information needs to be shared in confidence. You could verify the information, but the personal ID would remain hidden.”

Criminal justice departments and other government bodies also need the ability to share information securely, he says.

Again, the EU’s data protection directive would mandate a standardised system of doing this across the EU, an aspect of the proposals that has been overlooked in the greater business and media focus on business data management and social networking.

While politics and commercial pressure may alter the specific provisions of the incoming data protection directive, Dempsey is in no doubt that significant privacy changes are coming.

“This is going to set the blueprint for communications, and we are going to need technological solutions for technological problems.”