Tools for usable privacy as control
The Tupac project is part of my research on emancipatory security, that is, information security for people: security that liberates them rather than enslaving them to centralized platforms that claim to act for “their own good”. This is why I approach privacy from a control point of view, where control means people's control over their personal data. Indeed, I believe this should be the definition of privacy nowadays, rather than the “right to be let alone” as originally defined in 1890 by Warren and Brandeis.
The goal of this research project is thus to empower people with more control over their personal data. In previous work with Daniel Le Métayer, we laid the theoretical foundation needed to undertake this challenge. Three dimensions of control were identified; they correspond to an individual's capacity
- to perform actions on their personal data,
- to prevent others from performing actions on their personal data, and
- to be informed of actions performed by others on their personal data.
Based on this, we built Capacity, a framework to formally model, characterize, and evaluate control, and thus privacy.
This project now aims at building actual tools based on Capacity. These tools should be usable by all actors, not only computer science researchers trained in formal methods: lawyers and engineers (typically those working for data controllers and data processors), but also, and more importantly, end users. Indeed, trust and informed (lack of) consent are key to control, and while I am clearly not in favor of “technological solutionism”, I believe we can improve privacy by giving people tools that help them better understand and evaluate the control they can have over their personal data, and how the decisions they make affect that control. The same tools could also be used by developers to guide their implementation choices toward privacy by design.
Files: project proposal.