Privacy in an Age of Augmented Humanity

Source badscience.net

The inspiration for this post was the key note from Eric Schmidt (CEO of Google). Some of the things that Eric is talking about are straight from Minority Report but some are with us right now or will be within the next couple of years. I find a lot of these technology enhancements incredibly exciting but I know many will have concerns over privacy and security. So to mitigate some of  the FUD that I'm sure will come, let me present a way the majority of concerns can be placated upfront. I will analyse some of these innovations against the EU privacy principles and the laws of identity with the view that, being early in the piece, security and privacy can be baked in and this can be done right to avoid problems later on.

This joins my other privacy and identity related articles: social location services and review of corporate identity management against the identity laws


What is an Age of Augmented Humanity?

The article and key note are well worth the read but in summary some of the advancements he is talking about include:

Source: Flikr. Creative commons

• Smarter predictive search  / recommendations - that is able to analyse the context that you are in and provide you the information and recommendations before you even know that you need it. This is via a mashup of data from services such as location (e.g. Google latitude, Google places) combined with your phone GPS, reviews from services such as Yelp, HTML 5 microcontent providing semantec search (i.e. think tagging), things you have Facebook "liked" across the web, purchases you have made, things you have tweeted about or Dugg etc. You can already get an application called Pixie that does some of this on your iPad. Google is also looking at improving its search by gaining feedback on your frustration levels through analyzing your behavioral on the search window and in a search transaction

• Push recommendations based on biometrics - like in Minority Report where iris scanning provides customized marketing and recommendations everywhere. This is closer than you think e.g. with Mexico apparently starting iris scanning of all their citizens. Phones can also do voice biometrics - combined with voice based searching, navigation etc this can be automatically tailored to the person's registered voice. Face recognition which Eric actually says would be "too creepy" (interesting where he draws the line :) ) can also be used and with facial recognition improving significantly and using cloud based processing for speed, not mention the increasing amount of CCTV cameras in every city face recognition biometrics for search and recommendations surely has to be on the roadmap. Using connectivity to your watch your heart-rate, posture and movement can be monitored and thus the contextual information suited to your mood e.g. something to excite or calm you. DARPA are working on something a bit further out - integrating fiber optics with your nervous system....

• Push recommendations based on location - Something that is available for everyone are services like Foursquare, Gowalla, Facebook Places where you can get recommendations and discounts for checking in. Service such as Checkmate for iPhone and http://autocheckin.appspot.com/ you don't even have to think about checking in, just go to the places and let your mobile and Google latitude take care of the rest. Of course this advertising is very effective for both the consumer and supplier because if you get an offer for a two for one latte when you are at a Starbucks it is a lot more sensible that when you are watching TV at home as you can act on it immediately

• Private data search and recommendations - services such as Greplin, a bevy of instant search technologies that are available provide the opportunity for your private data services to be searched and used for recommendations and advertising. Amazon recently announced that you can link your Facebook account and get recommendations, sites like Hunch where you can answer a range of interesting questions to get some crowd sourced recommendations. Postrank can analyse your Google reader account and tell you what you should read with your limited time.

• Augmented Reality (AR) - There are already a number of AR apps you can get for the iPhone which basically allow you to use the camera in your phone to layer information on top of the real world e.g. pointing it at a street intersection can overlay the tube stations, their directions and distance. point it at a building and it can overlay what it looked like a 100 years ago and provide you some history. Google googles is another concept similar to this which allows you to take photos to search. Wearable camera's, especially if they are miniaturized and put into things like sunglasses also offer a lot of potential to link what we see with our social network, and to feedback and augment what we see.

source: Gizomodo

• Internet of things -increasingly non sentient beings are being plugged into the Internet this is things like your car, your alarm clock, household appliances, your TV, the beer keg etc etc. This means that these devices can collect data, query data and basically provide a smarter experience. Simple examples are things like your alarm clock querying your calender and setting itself to the right time allowing you that badly needed snooze, your car letting you know when the tires are worn and using Amazon 1-click to order a new pair, being able to pause your favourite movie or TV show and buy the Apple laptop directly from your TV, your TV querying that you liked a show on Facebook and automatically recording it for you, your heater knowing when to turn on if the weather is too cold, the possibilities are endless and the best stuff has not even been thought of. Gizomodo reports that smart phones are just the tip of the iceberg

 I'm sure those are examples that just scratch the surface but you get the idea, moving onto the privacy examination.

Review against EU privacy principles

The reason I love principles is that they are technology agnostic, so we can easily apply the to each of the above examples:

Notice 

Source: Flikr. Creative commons

Ensure the end user is clearly informed when data is being collected (i.e. for location data etc there should be clear notification to the end user), what is being collected (your gps location, likes, Diggs, browsing and search patterns and key words, voice, iris, faceprint etc), how it will be used (to inform your friends, maintain location history, provide businesses so that they can provide you specials and cheaper products and services, provide you suggestions before you even know you need them) - all these services and their benefits to the end-user should be clearly articulated

Choice 

It should be the users choice to opt in for everything (not click through or accept or die). This should be clear, explicit and not on by default (aka Facebook places friend check-in). The user should be able to opt out at anytime easily there should be instructions on how to do this clearly available. Cannot overstate how important this is - Mexico type iris scanning is just poor design and would be against most countries privacy legislation

Onward transfer

Prior to any data being collected end users should be clearly informed to who will access to it including any sub-contractors, suppliers, other users, advertisers etc and this should be linked to choice to pick and choose at least whether it is just the first party the user is ok with and whether third parties are included

Security

Goes without being said, this is highly sensitive personally identifiable data, all concepts of good security design must be applied i.e. authentication, authorization, encryption of sensitive information in storage, use and transit, exception handling, logging and monitoring, security configuration etc.

Data integrity

The data collected must only be used for the relevant purpose that it is authorized for. None of this collecting for one things and using for another or mining data collected for one purpose to get metadata that can be used for something else without consent and notice.

Source: Flikr. Creative commons

Access 

There must a be a simple and effective way for users to access all the data that is being collected on them, to be able to edit it and to be able to edit or delete any history e.g. location history.

Enforcement

There must be people, process and technological controls to enforce all of the above. This must be independently certified and not just a tick box exercise.

Review against Identity Laws

Law 1: User Control and Consent

Control and consent as discussed above.

Law 2: Limited Disclosure for Limited Use

Source: Flikr. Creative commons

The minimum identity information that is required for the service provide should be used. For example if iris data or location data is not required for a particular type of search then do not collect, use or store it. If an alarm clock is granted access to an end users calender it only needs access to the time of the first appointment, it does not need anything else.

Law 3: Law of the Fewest Parties

Covered above under onward transfer.

Law 4: Directed Identity

This one I have struggled to articulate well and it is probably the most abstract. Basically the example I have is that in a location example the end user should be able to announce that they have arrived home or at work or a Starbucks (an omniddirectional identifier that they are comfortable sharing) without the specific GPS location (a unidirectional identifier that they are not).

Law 5: Pluralism of operators and technologies

An end-user should be able to use a number of different identity providers (e.g. support for oAuth so that you can use your Twitter, Facebook, Google, Foursquare account etc) as appropriate for the context and service they wish to utilize. For the effective mashups I described above all data such as location, check-in, likes must use a standards based system e.g. common published XML schema so that my alarm clock can read my Google calender without need for a translator. API's must be clearly documented and published, proprietary technologies and standards do not really have a place here.

Law 6: Human Integration

Source: Flikr. Creative commons

The augmented humanity services must be meaningful to the user, predictable, unambiguous and allow for informed decisions. It is linked to notice, choice and consent, the end user must be able to understand that the fact that they are at the local Starbucks is being recorded, they are being checked in (e.g Foresquare, Gowalla show you a nice icon when this happens), the check in experience is consistent no matter where they do it, the information used and say the resultant recommendation must be predictable and allow for simple decisions e.g. purchase, I don't like this I am going to turn it off by clicking this button then I will no longer receive this advertising etc.

Law 7: Consistent Experience Across Context

Linked to notice, pluralism and human integration - for each service it must provide the user the opportunity to choose the appropriate identity and information e.g. I want a recommendation for a PC based on what I have liked on Twitter and what my Facebook friends have Liked, so I need to provide authentication credentials for the private search and recommendation service.

Conclusions

Source: Flikr. Creative commons

As my day job is to write security requirements and review systems architecture I place a lot of value on designing systems, processes and people factors correctly from the start. Hopefully the providers of Augmented Humanity services will take this approach and apply principles like the Privacy principles and Laws of identity to do this right. I have purposely avoided writing a section on the risks of these services as they are self evidenct and as I'm sure others will highlight them sufficiently. Hopefully some of what I talked about assists in the solution rather than focusing on the problem, because make no mistake we are hurtling down this path and many of these technologies will become an integral part of your life whether you like it or not.