information security technical report 14 (2009) 167–172
The need for enhanced privacy and consent dialogues

Danijela Bogdanovic a, Conn Crawford b, Lizzie Coles-Kemp c,*

a Salford University, United Kingdom
b Sunderland City Council, United Kingdom
c Information Security Group, Royal Holloway, United Kingdom
Abstract

The aim of this article is to present the case for a closer examination of the privacy and consent dialogues that take place during the use of on-line services. This article explores the concepts of privacy and consent in on-line services, discusses the facets of both concepts and presents a case study from Sunderland City Council to illustrate the complexity of deploying privacy and consent dialogue within on-line services. The article concludes with an outline of how enhanced understanding of privacy and consent concepts can result in improved tools to support dialogue and result in a negotiated understanding of the privacy that can be expected and the consent that is required. This rationale is the underpinning of the VOME project – Visualisation and Other Methods of Expression – funded by TSB, EPSRC and ESRC. © 2009 Elsevier Ltd. All rights reserved.
1. Introduction
Communications technology is rapidly transforming services used in the social, consumer, administrative and political areas of our lives. The findings of a recent survey from the Oxford Internet Institute reflect the changes in our lives and show the types of impact those changes are having (Dutton et al., 2009). Several studies have shown that the privacy statements used to specify the terms under which we disclose personal information are an ineffective means for users to achieve acceptable levels of control over privacy (Arcand et al., 2007) and, furthermore, research also shows that their effectiveness decreases still further as our familiarity with on-line services increases (Spiekermann et al., 2001). The concepts of privacy and consent are multidimensioned and have social, economic, political and technological facets. In addition, the service user’s perspective of privacy evolves over time (Smith et al., 1996) and so not only does the emphasis of the different facets of these concepts need to be negotiated, but the constant evolution results in the need for the emphasis to be renegotiated. So, it is perhaps not surprising that if privacy and consent technology offers little opportunity for negotiation, then service users and service providers will have little chance to negotiate a common understanding of privacy and consent goals and expectations.

The complexity of the problem lies in the enmeshed nature of both the privacy and consent concepts, the fact that both concepts are multi-faceted where different facets dominate in different contexts and where perceptions of privacy and consent are influenced by cultural factors (Milberg et al., 2000). The concepts can also be regarded as elastic (Allen, 1988) with many different interpretations by different researchers. As the case study in section three illustrates, when considering privacy and consent specifically in the context of on-line services, the development of privacy and consent mechanisms is further complicated by the fast paced development of service delivery and the manner in which on-line services impact many aspects of every day life.
* Corresponding author: L. Coles-Kemp. doi:10.1016/j.istr.2009.10.011
2. Privacy and consent as concepts
It is generally accepted that privacy is a fluid concept. Research shows there are many perceptions of privacy; it is an enmeshed concept. The enmeshed nature of the concept is reflected when people talk about privacy. Typically people do not separate the different privacy dimensions but instead make information disclosure decisions based on context and the expectation is that the context is preserved. Based on this, service users rationalise the risk based on their experiences in similar contexts. Part of that context is the strength of the impulse to come to the end of the transaction and the strength of the impulse influences the privacy risk perception. However, technology increasingly enables de-contextualising and re-contextualising of personal information, resulting in both intended and unintended consequences. It also results in the traditional techniques that people have used to make information disclosure decisions becoming increasingly ineffective.

In one sense, consent is considerably more straightforward as a concept. The paradigm of consent that is reflected in on-line services is a legalistic one and, as the case study in section three shows, consent is often negotiated in the off-line, rather than on-line world. In many of the on-line services that are used most heavily, consent is often fundamental and implicit to the use of the on-line service. In many cases, consent is the primary means of a service user identifying the level of privacy that they accept for a particular on-line service and it is also one of the means by which the service provider identifies the parameters of personal information disclosure. The recording of the consent decision enables both the service user and the service provider to revisit the terms of personal information disclosure during the service user’s relationship with a service provider.
The extent to which consent needs to be renegotiated and the extent to which paradigms, in addition to the legal one, come into play is not well understood. Whilst it is acknowledged that notions of privacy are subject to a constant process of re-conceptualisation as a result of the evolution of on-line services (Smith et al., 1996; Malhotra et al., 2004), our view of consent still seems to be an off-line one.
2.1. Facets of privacy and consent

Part of the difficulty in constructing on-line service functionality that enables meaningful privacy and consent dialogue is that the motivation behind privacy and consent decision making is not fully understood. Both are complex concepts and the associated decision making is therefore equally complex. This lack of understanding is perhaps not surprising when much of the literature considers privacy and consent as a consumer, rather than a social issue.

Privacy is a concept that many have tried to define. Westin (1967) narrowed the definition of privacy to “the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others”. This is one of the most used definitions in the informational context. In the context of on-line services, the issue relates to the control of personal information disclosure and, more widely, the control of an individual’s on-line identity. One of the difficulties for privacy researchers is to understand the relationship between the individual, group and institutional privacy perspectives. Westin considers privacy in terms of states and functions. The four states are: solitude, intimacy, anonymity and reserve. In order to achieve these different states of privacy, co-operation is needed between the service user and service provider. The service provider can help the service user to achieve these states, but the service user’s privacy practices must also support these states. Service users’ privacy practices are fluid and research routinely shows that a service user’s attitude towards privacy does not often translate to their practices (Metzger, 2004). The dimensionality of privacy and privacy practices are greatly affected by the type of on-line activity undertaken and the service user’s existing understanding of the privacy and consent implications. So can we create theories of information disclosure related to the type of on-line service activity that is taking place and then develop theories to understand what happens when those activities become blended? As blended on-line environments become the norm, privacy states become ever more transient and consent ever more ephemeral.

Consent in relation to on-line services is less well defined. Clarke (2002) has designed an information systems paradigm to consider the role of consent. As part of the rationale for his design, he stated that a comprehensive strategy is required to ensure that all the consent requirements are satisfied, and that such a strategy needs to comprise, amongst other things, an architecture that provides a framework within which a cohesive set of safeguards can be devised and implemented. As the Sunderland case study shows, consent can also be considered as a multi-faceted concept. As with privacy, consent has different meanings for different stakeholders. The common understanding of consent is a legalistic one. In addition to the formally negotiated legal consent, there are other forms of informally negotiated consent including consent related to the social and quality aspects of a service. In order to fully understand the concept of consent, it is also important to understand the concept of the on-line service and how the provision of on-line services affects the types of consent dialogues that service provider and service users want and need to have.
3. Case study – Sunderland City Council
Sunderland City Council has led the use of ICT to support community development within the UK since the mid 1990s, and has developed a body of practice around the evolution of ‘soft infrastructure’, which combines access to technology with support through community intermediaries – those front-office service personnel who are familiar to the service user and who are often best placed to signpost, interpret or even assist the completion of an online transaction. The negotiation of privacy and consent often takes place using these front-office personnel as intermediaries.

Sunderland City Council is engaged in transforming a wide variety of local government services. Adult Services, Children Services and Environment and Health Services are at the forefront of this transformation. These services have a wide reach across the Sunderland metropolitan area both in terms of the heterogeneity of the communities for whom the services are designed, the breadth of purpose that services encompass and the diversity of service providers and agencies involved in the design and delivery of each service. These services have several characteristics: multiple service providers and technology providers are used to deliver the on-line service, and a blend of on-line transactional and social networking services is used to deliver the service. Consent services are provided both within the on-line service using a technical infrastructure and externally using a soft infrastructure of human service brokers and community workforce. Functionality within the technology is primarily explained to service users using an extensive community workforce that operates on the front line of on-line service deployment.

Common to all these services is the feature of privacy and consent being encapsulated as part of a wider, integrated service. Service users perceive privacy and consent not as separate concepts, but as part of service quality, service brand and service administration. As the case study reflects, the result is a complex set of socio-technical interactions in order to provide the privacy and consent elements of the integrated whole. Providing on-line components to each of these services impacts not only the way the service is delivered but also the nature of the service itself. By using on-line services in order to reach such large sections of society, the service providers must engage with communities of service users who display widely varying perceptions of privacy and consent. This is because these service users represent wide variation in age, education and familiarity with ICT, all of which are factors which have been demonstrated to affect privacy risk perception.
The privacy and consent challenge that service providers face when providing these types of service on-line is explained in this problem description from Conn Crawford, Sunderland City Council:

“Consider the case of a young person, aged 13 years, who is ‘at risk’ of offending. They are one of the target groups for the Empowering Young People programme which will shortly commence on the TSI platform. Some of their peers have heard about the scheme and are saying it will be used by the police to keep track of them. Our young person is shy, reserved and has some learning difficulties. How will they express their concerns about how their data will be used, or will they simply choose not to engage? How might this be further complicated if the young person were to be a member of a minority ethnic group? Would a set of tools available to targeted youth work support workers help clarify the issue, and engage the young person? How might the youngster explain how the scheme safeguards information rights to their peers?”

In order to provide on-line services to hard to reach communities, Sunderland City Council has an ‘e-Neighbourhoods Programme’ which actively promotes the use of, and facilitates access to, Information and Communications Technologies (ICT) within the City of Sunderland, working closely with the voluntary and community group sector. The aim is to promote social inclusion by facilitating the participation of local people in a pro-active role, and to assist the development of community based ICT provision. This enables access to alternative channels of Local Government and service provision to those citizens for whom choices are limited due to their social or economic status. In order to continue to gain trust and promote social inclusion, the e-Neighbourhoods Programme must ensure that privacy and consent issues are addressed within the ICT offerings and are discussed with the service users. At the moment this takes place as a secondary negotiation because consent functionality within the service is not sufficiently adept at supporting the necessary negotiations and dialogue.

At the front line of this privacy and consent dialogue is the e-Champion. The Community e-Champions Project is an integral part of the e-Neighbourhoods Programme, working in partnership with existing Community and Voluntary Workers who play a key role in engaging local communities in the use of ICT. The Project builds upon their community relationships and networks and encourages the Community e-Champions to act in a facilitation role encouraging other members of their community to identify needs and requirements then use the ICT to help meet these requirements. This community development approach directly engages and encourages the hardest to reach groups to develop skills and knowledge, which enables them to access council e-service provision. The Project develops and builds upon the government e-Champions Initiative, where Central Government e-Champions and Local Government e-Champions are uniquely joined in Sunderland by a pool of Community based e-Champions. e-Champions provide technologies, deliver ongoing technical support and bespoke training. The majority of this work takes place face to face but some of the support is provided using technology.
The Letsgo card scheme is an example of the on-line service introduced and managed by community workers. It is used in the following section as a case study to put into context some of the complexities of designing privacy and consent dialogue functionality.
3.1. Letsgo card scheme

3.1.1. Background
Letsgo card was one of nine pilots funded by Department for Children, Schools and Families (DCSF) to test a hypothesis that ‘Empowering individual disadvantaged young people to take part in positive activities of their choice through access to spending power increases their participation in such activities and contributes to educational engagement and other beneficial outcomes.’ DCSF used the term Empowering Young People Pilots (EYPP) collectively for all nine pilots. Sunderland’s became known as Letsgo card, a name established by young people. Letsgo card was live from April 2008 to May 2009. In the 14 months 2001 young people used their Letsgo card spending power and this made a difference to some of the most vulnerable young people in Sunderland. This proved the DCSF hypothesis that having access to spending power does increase engagement in positive activities. 100 different organisations were involved in offering activities.
Success has been achieved by positive partnership work with a wide network of partners. The main partnership was between the Letsgo card Children’s Services team, young people and their families. Young people were always at the centre of the project so that they are empowered by having choice, opportunities and a voice. Personal accounts from young people trying something new or doing something with their family for the first time were the main inspiration for the team, who went out of their way to accommodate individual needs regardless of additional work involved.
3.1.2. Privacy and consent dialogues
In the Letsgo scheme, after the young person was recruited and registered to the scheme they were given a smartcard which they could use to access the Letsgo portal, using the card to give them (strongly-authenticated) access to their own personal account space, within which they could search for and book positive activities (as electronic tickets); check their account balance and record of transactions (purchases, refunds etc); engage in bi-directional messaging with support staff; and maintain a personal profile containing their registered details and their (voluntary) indication of preferences for services and communication channel.

Consent issues were an important factor in the initial design of the recruitment and registration process for Letsgo and indeed were a cause of the scheme only being offered to 13 years and above (12 being the age of consent), as offering the scheme to younger people would have required an expensive mechanism/process for engaging and obtaining consent from parents or guardians. This was considered to be highly likely to introduce unacceptable delay and confusion in the target community and counter-intuitive to the goal of ‘empowering’ the young person to control their own purchasing decisions. Children’s services, however, also needed to be cognisant of the views of the parental stakeholder and so the design involved the initial marketing of the scheme being directed to the parent. This marketing material advised that their child would be asked for consent to the operating policies of the scheme at a school based registration process. A privacy policy statement was also contained in the marketing information and several requirements for consent were derived and presented as specific consents to the young person on registration and then subsequently upon each login to the portal.
Significant effort was devoted to the development of privacy statements, scheme rules and mechanisms which required the young person to step through the process of giving and affirming consent (at each log-in). However, the young people involved in user consultations were extremely dismissive of the value involved. Many times they referred to their habit of simply clicking through consent statements without second thought (they had seen enough of such statements elsewhere to assume that ‘clicking through’ would ensure progress whilst the alternative would only be to deny themselves access).

The council ICT department were the technical suppliers of the scheme and had indeed mooted much more developed ideas to deploy consent tools within the account space to enable a young person to (specifically) consent to the exchange of personal data attributes with service providers (to enable more personalised service offers to be returned to the young person). Regrettably this was deemed to be out of scope for the pilot initiative by the project board. While the technicians maintained that this would constrain the creative possibilities of the scheme and pointed out that there was a natural ‘circle of trust’ relationship between local activity providers and the Children’s Trust (the scheme sponsor), the project board members were entirely unfamiliar with the technical language used to articulate such possibilities. The functionality of the personal profile was thus constrained.

Privacy concerns were also explored in the development of the messaging tools which were deployed within the Portal. These included bi-directional messaging between support staff and the young person and the use of SMS texting between these parties as the scheme progressed. Again, the design of the scheme could have encompassed much broader use of social networking tools, enabling communication between young people as they used the portal. This was discounted by the project board because of the reputational and safeguarding risks which may have arisen from misuse of this facility.

Whilst registration for the Letsgo card was an activity for the child to undertake, many stakeholders were involved in the registration process. The registration process contained the most discussions related to the legal aspects of consent and included a number of stakeholders (SCC, 2009): parents, schools, young people, practitioners supporting young people and activity providers. Each stakeholder engaged with the registration process in different ways, had different perspectives on both consent and privacy and required different types of support during the registration process. As the young people were over 12 years of age, parental consent was not required; however, as in many cases young people required parental support to take part in Letsgo activities, their implicit consent was necessary.
Whilst schools and practitioners do not give consent, they fulfilled an important function in the explanation of the privacy and consent aspects of the service. Activity providers needed to understand the privacy and consent expectations as well as service requirements in order to ensure that trust in the Letsgo service is fostered and maintained.

Registration commenced in February 2008. As registration was slower than intended, it was agreed that young people who moved into school year 9 in September 2008 became eligible for a card. Therefore, the registration period was extended until December 2008. In order to comply with the security arrangements for the scheme young people were registered using both face to face and telephone communication. As a result of the security arrangements, most of the consent discussions were initially held face to face. However, having these discussions was not always straightforward due to difficulties with the registration process itself. It was difficult and time-consuming to make contact with those who were non-school attenders, or where correspondence had not been returned.

The involvement of stakeholders was ongoing during the project with the card holders needing a considerable amount of support. The following are examples of the types of support needed (SCC, 2009):

- Over 60 home visits were made to support the setting up of the Letsgo card software on young people’s home computers.
- The free phone helpdesk which was available 7 days a week from 8.00am–9.00pm. On average 700 calls a month (approximately 24 calls a day) were received for booking activities or raising queries.
- Access to the portal was made available in every library across the City and trained library staff were available to support young people. Young people also had access to the portal in Connexions offices in Houghton and Sunderland City Centre. There were over 1000 visits where young people requested some form of support from the Letsgo team in 12 months.
- The portal was available in all Children’s Homes and face to face support was given to staff and young people to maximise the use by residents.
- Where possible (due to ICT network restrictions) access was made available in schools.
- Over 200 card holders attended group support sessions in their local community either in schools, libraries and youth projects. They were shown how to use the portal, given information about new activities and supported to book tickets.
- During school holidays the Letsgo card team supported young people to attend activities.
- Throughout the project sessional workers telephoned those not using their card advising them of new activities on the portal and supporting them in booking and spending their subsidy.
- Meetings were arranged with practitioners supporting young people to explain about Letsgo card, what activities were available and to give advice to them in supporting the young people they worked with to use their card.
- Parents were also encouraged to support their child using their card. Letters were sent before Christmas holidays and towards the end of the pilot detailing the available balance and the activities available.
This list clearly shows the ways that Letsgo card could be accessed and the variety of support available where young people feel most comfortable that resulted in the large numbers of young people using their spending power. This shows the level of complexity in delivering such an on-line service. The legalistic aspects of consent were addressed using the agreement but a considerable amount of work was needed not only to explain the agreement, but also to explain the service. In this follow-up explanation, secondary conversations were had about privacy and consent issues. As can be seen from this service example, consent is negotiated off-line using a wide variety of face to face mechanisms. On-going discussion about consent takes place informally as part of the off-line support for the service. The mediation and safeguarding of the consent is conducted by a range of project staff. The manner in which card holders develop their relationship with the Letsgo service reflects that making consent decisions is not a one-off activity. The agreement is just the start of the consent process. The project staff were responsible for the consent management lifecycle and for the on-going discussion. For the types of consent that need to be negotiated as part of the secondary negotiation between service provider and service user, the current approach is cumbersome and expensive to implement and acts as a barrier to sustaining existing services or the deployment of complex services
across whole communities. Some of the off-line dialogue on privacy and consent needs to be placed within the on-line service and some aspects need to be discussed as part of community education.
4. Tools for better dialogue
It can be seen from the Letsgo card example that complex online services do not use a simple solution to deliver privacy and consent functionality. Instead, the complex problem is responded to using a combination of privacy and consent mechanisms, some within the on-line service and some as part of the context in which the on-line service operates. Today, these blended approaches are cumbersome and do not scale well due to the fact that the traditional understanding of privacy and consent is being used. This traditional understanding makes consent, and to a lesser extent privacy, a moribund concept that is hard-wired into the infrastructure of the service. The Letsgo example also shows that there are difficulties in dialogue, not only between service user and service provider but between the different stakeholders in the service provider community. It is not only the concepts of privacy and consent that are difficult to articulate and discuss but also the relationship between these concepts and the technology being deployed and the impact that the one has on the other. By understanding the different aspects of privacy and consent and the motivation for disclosing personal information at different times and in different contexts, it becomes possible for the design of an on-line service to allow for a toolkit of different responses to these contexts. Some of the responses are embedded into the infrastructure and some are co-constructed as the service evolves, as the Letsgo example shows. Unpacking the example, we can also see that a number of consent attributes emerge depending on the purpose of the consent discussion, the stakeholders involved, the type of dialogue used and the speed with which consent negotiation is required. The response may not necessarily be within the service itself, it may be external to the communications technology but part of the context in which the on-line service operates. 
The responses enable dialogue both between the service provider and the service user and within each of these communities. The objective of the responses is negotiation of the level of privacy and the extent of consent for a particular on-line service. The responses are a toolkit that allows for on-going renegotiation of different aspects of privacy and consent. Responses external to the service include community debate on the role of privacy within a particular service where community debate may be stimulated using many means including: art, storytelling or participative technology exhibitions. Responses internal to the service include on-line games, digital interactive storyboards and interactive means to articulate which aspects of privacy and consent are dominant within an on-line service at a particular time. This diversity of responses and their different positioning relative to the on-line service gives both service user and service provider a means by which to foreground and background different dimensions of privacy and consent as necessary for the context. In order for such a broad toolkit to be effective, there needs to be an underpinning education programme that
spans the range of the toolkit. Each on-line service also needs to be bounded by a governance model that has visibility of the full range of privacy and consent dialogues. The type of response selected depends on the aspect of privacy and consent that needs to be negotiated. Today the technology is designed for a legal and regulatory dialogue which either excludes service users in the earlier part of their ICT journey or is less relevant to them in the latter part of their ICT journey (Spiekermann et al., 2001). Where it exists, privacy dialogue is relatively simple and allows a service user only to select or de-select the use of specific privacy technologies. Both the existing mechanisms for consent and privacy dialogues assume that service users have a clear mental model of privacy and consent concepts and that this is a common mental model shared by all service users. As a result, the technology does not address the enmeshed nature of the concepts and the elasticity of information disclosure responses.
5. Conclusion
Research to better understand the different facets of privacy and consent and the associated dialogues that are needed during the lifetime of the service will perhaps yield results that better inform the development of services such as Letsgo. In order to achieve this, a significant amount of social research needs to be conducted to understand these dialogues in context and to develop general theories as to their behaviour.
Acknowledgements

This work was supported by the Technology Strategy Board; the Engineering and Physical Sciences Research Council and the Economic and Social Research Council [grant number EP/G00255/X]. Thanks to Yee-Lin Lai for her contribution to the references for privacy definitions.
References

Allen. Uneasy access: privacy for women in a free society. Totowa, NJ: Rowman & Littlefield; 1988.
Arcand M, Nantel J, Arles-Dufour M, Vincent A. The impact of reading a web site’s privacy statement on perceived control over privacy and perceived trust. Online Information Review 2007;31(5):661–81.
Clarke R. eConsent: a critical element of trust in eBusiness; 2002.
Dutton WH, Helsper EJ, Gerber MM. The Internet in Britain 2009. University of Oxford: Oxford Internet Institute; 2009.
Malhotra NK, Kim SS, Agarwal J. Internet users’ information privacy concerns (IUIPC): the construct, the scale and the causal model. Information Systems Research 2004;15:336–55.
Metzger MJ. Privacy, trust and disclosure: exploring barriers to electronic commerce. Journal of Computer-Mediated Communication 2004;9(4).
Milberg SJ, Smith HJ, Burke SJ. Information privacy: corporate management and national regulation. Organization Science 2000;11(1):35–57.
Smith HJ, Milberg SJ, Burke SJ. Information privacy: measuring individuals’ concerns about organizational practice. MIS Quarterly 1996;June:167–96.
Spiekermann S, Grossklags J, Berendt B. E-privacy in 2nd generation E-Commerce: privacy preferences versus actual behaviour. In: Proceedings of EC’01: Third ACM Conference on Electronic Commerce. Association for Computing Machinery; 2001. p. 38–47.
Sunderland City Council. Project evaluation report for Letsgo card/empowering young people project; 2009.
Westin AF. Privacy and freedom. New York: Atheneum; 1967.