世界經濟論壇：2020年重新設計數據隱私：重新構想用于人機交互的通知和同意 （英文版）（33頁）.pdf

1、Redesigning Data Privacy: Reimagining Notice Unsplash/Raeng-r; Unsplash/ Shane Rounce; Unsplash/Franki Chamaki Redesigning Data Privacy: Reimagining Notice rather, designers, humanitarian experts and creative technologists must have a seat at the table, as well. Existing approaches do not scale for

2、either traditional digital user interfaces or the emergent world of screenless internet of things (IoT) devices, smart cities or other connected environments. Any rethinking of Notice always-on sensors are increasingly embedded within our environments. But regardless of whether the interface is tang

3、ible or not, we are often asked to consent to the collection and use of data generated by us and about us. But how many of us truly understand what this really means? And when we are asked, does the collection and use occur in a way that fundamentally protects our best interests? Further, once we gr

4、ant the requested access, is there any way to change our minds? And can consent truly be given if there is no real choice, an inability to revoke consent or lack of an informed decision because of the complexity of information provided to help make the decision more informed? When an option to conse

5、nt is given to us, there is a sense that we are empowered to make a decision, a sense that we are in control of what data can be processed, who it can be processed by, where it can be processed and for which purposes. Consent has become illusory and, through its current design and deployment, does n

6、ot always operate in expected, or at times even logical, ways. As we increasingly conduct our lives online, we continue to part with more personal information, click through more boxes and increasingly seek to limit any barriers between ourselves and the service or product we intend to access. When

7、the permissions people grant to companies and organizations at one point in time become the gateway for everything that happens to that data in the future, that moment becomes extremely important, perhaps far beyond what could be envisaged. The default means of setting the rules of the game on how d

8、ata about someone can be used is often reliant on what is termed “Notice then, make it both descriptively transparent how the system functions (e.g. through written policies) and pragmatically transparent through proof (e.g. audits).9 Presentation and timing of the notices Another related issue is t

9、he timing of consent- related decisions. Individuals are asked, typically in “take-it-or-leave-it” terms, to make decisions about their personal data at points (often when first signing up for a service) where they may not have the luxury to engage fully in the process that the current notice framew

10、ork demands. Research also demonstrates that the timing10 of when an individual is shown a notice, as well as its visual design and framing language,11 can affect their privacy-related decisions. For example, the more familiar a user12 becomes with a service, the more they are inclined to get a feel

11、 for the implications of their interaction with that technology in ways that were not apparent when they first signed up for the service. Furthermore, as software updates are pushed out, it may be necessary to reconsent to terms and conditions of that service. This is why understanding what the noti

12、ce says under the current model is so important and what has led to consumer distrust of some businesses that collect and use data in a less obvious manner than could ordinarily be expected by the user. The problem with Notice Redesigning Data Privacy: Reimagining Notice “knowledge requires both und

13、erstanding and information in light of the consenting partys motive for consenting”.16 Finally, consent must also be voluntary, “intended rather than reflexive”, and defined by an “absence of undue pressure or coercion”.17 In the context of this white paper, an individual providing consent for data

14、collection would ideally, prior to consenting, understand the collection practices to which they were consenting; do so freely without being coerced or manipulated; and be provided with a means by which they could communicate their consent clearly and affirmatively. In the US, consent as it pertains

15、 to data collection emerged from contract law, which according to Kim “does not require actual (subjective) knowledge”. Instead, contract law substitutes capacity and access to information, or Notice, for knowledge.18 In the majority of instances when individuals are asked to provide their consent o

16、nline, the consent process itself is a first step in contract formation, or entering into a contract, with a website or service provider.19 In US law, knowledge requirements are dependent upon the threat to ones autonomy. For example, a medical procedure that poses “a high- level threat” to ones aut

17、onomy will be regulated more thoroughly than a form asking for emails to be used in a marketing campaign. However, in most online contexts there is no legal obligation for organizations to provide a notice that can be fully read and understood by any individual, or to obtain affirmative, voluntary c

18、onsent. Instead, a companys privacy policy, which describes data collection, is typically a legally focused document not constructed for the end users easy and rapid consumption. There has been a recognition by some companies that privacy policies are difficult to navigate and some companies have st

19、epped forward with improved interactive notices and so- called privacy check-ins. The importance of Consent Redesigning Data Privacy: Reimagining Notice many of us live a social life online, connect to our communities or access public services. The digital footprints that we leave across the interne

20、t on a daily basis affect us as humans, not merely as consumers. In contrast, existing mechanisms of Notice the way we relate to friends and family; the quality of our mental and even physical health we need a broader understanding of privacy than simply the consumer context, and it needs to be used

21、 to reconceptualize consent mechanisms that serve those privacy values. People absolutely need help with managing their data in complex environments, and privacy frameworks and tools should support these needs. The aim should be a system that can guide and inform consumers about the implications of

22、their choices, whether through human advice-giving, data visualizations or digital tools to aid in managing our data relationships, including to whom we have provided consent, and how to revoke it. A key challenge is to find a compromise between the extremes of a) providing broad consent and ceding

23、all control of ones privacy, and b) requiring “microconsent”38 every time ones data is used, resulting in an inability to fully understand every consent request and consent fatigue. Solutions should both maximize access to the data and protect each individuals right to control of privacy and data us

24、e transparency. Solutions should not require permanence; the right to revoke consent/ access should ideally be preserved for all individuals. Redesigning Notice (2) not enough pressure on companies to make any changes; (3) technical compliance paying lip service to the law; and (4) user apathy. This

25、 is now changing, and people are more interested in how their personal information is being processed. Organizations are becoming more transparent in terms of data collection, and regulation has helped, although regulation alone is not going to solve the problem completely. For example, the current

26、compliance mechanism for cookies in the EU demands separate consent, opt-in options, different boxes for different purposes etc., and although many companies implement and comply technically, the individual ultimately gets to decide how much they care to interact with the banner notifications compar

27、ed to how much they just want to use the services. For this reason, many companies have gone beyond legal requirements and notices in terms of educating their users, and in doing so can build increased trust with their users. There are also ethical questions regarding whether data created in one con

28、text (e.g. healthcare data) should be made available for use in another context (e.g. consumer goods), even if the notice communicates this use. Article 6 of the GDPR addresses this issue by stipulating five alternative legal grounds45 for data collection depending on appropriateness, with an expect

29、ation that relying upon Notice while the growing ubiquity of smartphones might help bridge earlier gaps in implementation and connect new avenues for negotiating data collection (such as ubiquitous computing), the fundamentals remain: Without regulation, these proposals are likely to die on the vine

30、. Automating Notice some nations or cultures may prioritize a different set of values from those identified in this paper. Making explicit ethical frameworks Many members of the project community carried a heightened awareness of the need to account for the needs and concerns of the most vulnerable

31、in our societies, and to ensure that they are included in future design efforts. There was a specific call to recognize the disparate impact of data collection and use on different socioeconomic and racial groups. To a large extent, existing technologies as well as Notice it is inherently a human-te

32、chnology interaction problem, one that requires the expertise of those professionals and academics versed in human- computer interaction issues and, ideally, public policy and ethics. As discussed above, taking a step back to adopt a global, technologically neutral approach that is ethical, includes

33、 an awareness of society and involves industry is key. And, critically, professional UX designers who fundamentally understand how people interact with technology will need to tap into design thinking to try to address this intractable problem. How do we move forward? Industry must be included in th

34、is conversation at all stages or we risk a race towards compliance for compliances sake. Redesigning Data Privacy: Reimagining Notice comprehension; control; accountability and explainability; prevention of exploitation, manipulation, and discrimination. In other words, we need to move towards meani

35、ngful “choice” instead of merely “consent”. What are the characteristics of better alternatives? The project community explored different ideas aimed at reforming both the basis and the mechanisms for Notice refusing to use third-party tracking mechanisms on websites or mobile applications; and, ger

36、mane to this white paper, potentially being pre-certified as compliant in respect of certain legal requirements for the handling of personal data practices if certain conditions are met. Such a model assumes the existence of a supervising regulatory body with the capacity to manage practices, conduc

37、t audits and enforce penalties against violators. Positive regulation can also come from the private sector in the form of an industry-led code of conduct to address data handling practices. Such a model is common in the realm of technical international norm-setting in regards to technical standards

38、, for example. Regulators could recognize and incentivize the use of a standards model that ultimately is industry- led and continuously updated and signed off on. Perhaps this system could develop into one that allowed more freedom, such as being exempted from future (more robust) Notice the chroni

39、c fatigue associated with near-constant consent for data collection and processing is no longer reasonable. People lose the very thing that matters the most when it comes to privacy: control. There are better ways to ensure that people have a say in what happens to their data. We need to re-examine

40、and reconcile our models of institutional control of collected data to take into consideration personal agency of such information. By taking a human-centred design approach and challenging the reliance on paper-like contracts displayed on screens, we have outlined alternative models for more fit-fo

41、r-purpose data collection and processing. It is not a balancing act between human rights and technology, not is it about justifying trade-offs; it is about how to make technology work for people, rather than the reverse. Sustainable innovation relies on taking a stakeholder approach to avoid systemi

42、c risk and optimize outcomes. What happens next is up to those stakeholders. Exciting experiments are already under way, and we anticipate a proliferation of innovative approaches as the world begins to catch up with the new reality. The key will be to bring policy-makers along for the ride. This pa

43、per is part of a series by the Centre for the Fourth Industrial Revolution focusing on data policy in a post COVID-19 world. Redesigning Data Privacy: Reimagining Notice Fellow, Alan Turing Institute Allan Milington Director, Data Office, EY Jessica MT Nelson Project Manager, Canadas Michael Smith G

44、enome Sciences Centre at BC Cancer Agency m. c. schraefel Professor of Computer Science and Human Performance, WellthLab, University of Southampton Fabrice Tocco Co-Chief Executive Officer and Co-Founder, Dawex Joe Toscano Founder, Better Ethics and Consumer Outcomes Network (BEACON) Alexander Tyulk

45、anov Deputy Department Director for Regulation of Cyberphysical Systems and Big Data, Skolkovo Foundation Gabriela Zanfir-Fortuna Senior Policy Counsel, Future of Privacy Forum (FPF) Redesigning Data Privacy: Reimagining Notice Member of the Executive Committee, World Economic Forum Emilia Porubcin

46、Center for Internet and Society, Stanford University Hong Qu Adjunct Lecturer and Research Director, Harvard Kennedy School Hannah Quay-de la Vallee Center for Democracy and Technology Hannah Ransom Event and Hospitality Specialist, World Economic Forum Redesigning Data Privacy: Reimagining Notice M

47、ilne, George R., Mary J. Culnan and Henry Greene. 2006. “A Longitudinal Assessment of Online Privacy Notice Readability”. Journal of Public Policy Reidenberg, Joel R., Travis Breaux, Lorrie Faith Cranor, Brian French, Amanda Grannis, James Graves, Fei Liu, et al. n.d. “Disagreeable Privacy Policies:

48、 Mismatches between Meaning and Users Understanding”. SSRN Electronic Journal: https:/doi.org/10.2139/ ssrn.2418297 (links as of 18/7/20). 4. See generally: Jensen, Carlos, and Colin Potts. 2004. “Privacy Policies as Decision-Making Tools”. Proceedings of the 2004 Conference on Human Factors in Comp

49、uting Systems CHI 04: https:/doi.org/10.1145/985692.985752; Turow, Joseph, Michael Hennessy and Nora Draper. 2018a. “Persistent Misperceptions: Americans Misplaced Confidence in Privacy Policies, 20032015”. Journal of Broadcasting Turow, Joseph, Jennifer King, Chris Jay Hoofnagle, Amy Bleakley and Michael Hennessy. 2009. “Americans Reject Tailored Advertising and Three Activities that Enable It”. SSRN Electronic Journal: https:/doi.org/10.2139/ssrn.1478214 (links as of 18/7/20). 5. See generally: Adjerid, Idris, Alessandro Acquisti, Laura Brandimarte and George