Community Research and Development Information Service - CORDIS

H2020

PRIVACY FLAG Report Summary

Project ID: 653426
Funded under: H2020-EU.3.7.

Periodic Reporting for period 1 - PRIVACY FLAG (Enabling Crowd-sourcing based privacy protection for smartphone applications, websites and Internet of Things deployments)

Reporting period: 2015-05-01 to 2016-04-30

Summary of the context and overall objectives of the project

"Personal data have become a merchandisable asset, encouraging various stakeholders to "collect" such data and trade them without the end user's awareness and acceptance. The European Union (EU) has taken the lead in adapting the legal framework to better protect the citizens’ rights and interests. However, the extent of the Internet and smart phone applications, the fact that data can be retrieved without the owner's knowledge, and the fact that the vast majority of those applications are developed outside the EU jurisdiction strongly limit the possibility to effectively impose a privacy-protection framework globally with a conventional approach. Moreover, privacy norms are perceived as complex by many citizens.
Personal data protection is becoming a challenge both in terms of privacy and economic exploitation. The European Union has taken the lead in better protecting its citizens against unilateral collection and exploitation of personal data. However, this effort is facing several challenges. Considering the extent of the Internet and smart phone applications, and the fact that the vast majority of those applications are developed from outside the EU, it is rather difficult to effectively impose and extend a privacy mechanism from a top-down approach or through a simple technological perspective. Data can be retrieved from a smart phone or a computer in a way which remains “invisible” to the data owner. Moreover, personal data protection norms and privacy concepts may be perceived as too complex and subtle by many citizens.

The Privacy Flag (PF) project intends to combine crowdsourcing technologies together with privacy monitoring agents, innovative privacy risk assessment methodology and legal expertise to develop a collective privacy protection framework enabling citizens to better control and protect their personal data. The project will research the potential of crowdsourcing and legal expertise to empower the users to set the desired level of privacy, based on a “simple to understand” visualisation of the privacy level. The project will develop a crowdsourcing-based process and a set of tools and solution(s) enabling the users to collectively assess and control the level of risk for their privacy in the context of web applications, smart phones applications and Internet of Things (IoT) deployments. It will provide a new paradigm of privacy risk assessment combining:
- Crowd sourcing model of risk identification and evaluation;
- Privacy Risk Area Assessment Tool/Methodology technology;
- Distributed agents to monitor, assess and inform on the privacy risk level of any application;
- Full “anonymization” and privacy technology for server connection;
- Legal expertise in privacy and personal data protection;
- Personal data valuation mechanism;
- A voluntary legal binding mechanism for companies located outside of Europe.

The Privacy Flag project will research and combine the potential of crowdsourcing, ICT technologies and legal expertise to protect citizens’ privacy when visiting websites, using smartphone applications, or living in a smart city. It will enable citizens to monitor and control their privacy with a user friendly solution made available as a smart phone application, a web browser add-on, and a public website, all connected to a shared knowledge database. It will benefit from the outcomes of over 18 related research projects in order to provide a new paradigm of privacy protection combining “endo-protection”, with locally deployed privacy enablers protecting the citizens’ privacy from unwanted external access to their data, and “exo-protection”, with a distributed and crowd-sourced monitoring framework able to provide a collective protection framework together with increased citizen awareness and implicit pressures on companies to improve their privacy compliance.
Our key ambition is to utilize the power of the crowd combined with ICT technology and legal expertise to enable users to monitor, control and increase their level of privacy in three targeted application domains: websites, smartphones applications, and Internet of Things deployments in smart cities. It will develop a clear methodology and a suite of assessment tools to evaluate the level of risk for privacy and personal data exploitation by third parties for different potential end-users perspectives. It will target different segments of end-users, including:
- Citizens, which constitute the main target group;
- Companies and SMEs;
- Smart cities and public administrations considering deploying Internet of Things;
- Researchers and research projects to assess their risk level to breach privacy;
- ICT Lawyers and policy makers.

Privacy Flag combines crowd sourcing, ICT technology and legal expertise to protect citizen privacy when visiting websites, using smart-phone applications, or living in a smart city leveraging user friendly solutions provided as a smart phone application, a web browser add-on and a public website. It will:

1. Develop a highly scalable privacy monitoring and protection solution with:
- Crowd sourcing mechanisms to identify, monitor and assess privacy-related risks;
- Privacy monitoring agents to identify suspicious activities and applications;
- Universal Privacy Risk Area Assessment Tool and Methodology tailored to European norms on personal data protection;
- Personal Data Valuation mechanism;
- Privacy enablers against traffic monitoring and finger printing;
- User friendly interface informing about the privacy risks when using an application or website.

2. Develop a global knowledge database of identified privacy risks, together with online services to support companies and other stakeholders in becoming privacy-friendly, including:
- In-depth privacy risk analytical tool and services;
- Voluntary legally binding mechanism for companies located outside of Europe to align with and abide to European standards in terms of personal data protection;
- Services for companies interested in being privacy friendly;
- Labelling and certification process.

3. Collaborate with various standardization bodies and actively disseminate towards the public and specialized communities, such as ICT lawyers, policy makers and academics.
Eleven (11) European partners, including SMEs and a large telco operator (OTE), bring their complementary technical, legal, societal and business expertise. Privacy-Flag intends to establish strong links with standardization bodies and international fora, and it also intends to assess and incorporate outcomes from over 20 related research projects. It will build and ensure long term sustainability and growth in the context of a dedicated exploitation strategy."

Work performed from the beginning of the project to the end of the period covered by the report and main results achieved so far

During the period covered, there were no critical deviations from the original scope in carrying out the scheduled work and submitting all expected deliverables. Although one of the original partners (IAITL) announced that “he was no longer able to contribute to the project effort” and left the project at the very beginning, the PF consortium, with the full support and guidance of the European Commission, proposed a Request for Amendment to the original GA to include two “equivalent” new partners (i.e., UoA and UOB) possessing appropriate expertise and profiles.
The Request for Amendment has been accepted by the Commission (as officially notified on May 02, 2016) and the two new partners have joined the PF effort.
All expected PF deliverables have been submitted for the 1st Reporting Period and all related milestones have been properly accomplished. Regarding the effort spent, expressed in person months (PMs) and declared by the PF project partners/beneficiaries, there was no significant deviation between the effort planned and the effort spent. A total of 150,678 PMs has been spent across all WPs during the first year, out of the original 502 PMs of the entire effort, which corresponds to a “reasonable” consumption of approximately 30% of the personnel effort during the first year of the project. Likewise, other expenses incurred by the partners have not shown any kind of “deviation”.
All other issues regarding administration and financing have also been treated in a proper way. The cooperation between the partners was sincere, creative and fruitful, while there was effective collaboration between the Project Coordinator, the Technical Manager and the other PF partners/beneficiaries.

A detailed analysis of the work performed and of the specific, per WP, achievements, with correlation to the related deliverables and/or milestones, is provided in the attached Periodic Report Part B.

Progress beyond the state of the art and expected potential impact (including the socio-economic impact and the wider societal implications of the project so far)

"Privacy Flag is foreseen to progress beyond the current state of the art (SOTA) at different levels, such as:

Designing a Universal Privacy Risk Area Assessment Tool
Privacy Flag has researched and developed an initial matrix for an enhanced Privacy Risk Area Assessment Tool (PRAAT), re-named as UPRAAM (Universal Privacy Risk Area Assessment Methodology). It encompasses all the privacy-related risks with smart phone applications, websites and all sorts of Internet of Things (IoT) deployments in smart cities.

Designing an innovative triple layer crowd sourcing based privacy protection
Currently employed techniques in privacy risk detection and prevention are more centralized and are controlled by companies specializing in this area, with everyday users playing a minimal role, if any. This "top-down" approach most often involves a company offering privacy/security detection and prevention services by: a) detecting privacy breach attempts on users’ devices with special software monitoring the devices, and then either removing the risk automatically or giving advice to the users on "how to handle it themselves"; and b) closely analyzing reports on such incidents found on the web or other authoritative sources and publishing them on bulletin boards that users can access themselves. Examples of such approaches are the ones followed by e.g. McAfee and Microsoft in detecting privacy holes in users’ computers and applying and/or proposing corrective measures. Our approach, in order to handle these disadvantages, follows the "bottom-up" and distributed approach and attempts to involve users more actively in protecting their own privacy, increasing their privacy awareness and privacy protection responsibilities, along with all the traditional bottom-up mechanisms as described above. Thus, users collectively participate in diffusing knowledge about privacy breach incidents they come across, so that the whole user community becomes aware of the incidents as well as of suggestions for their prevention.

During Y1 Privacy Flag has worked to develop a privacy risk detection framework based on a triple layered crowdsourcing model:
- Privacy agents will be distributed and deployed by the users. Their large scale distribution will enable a quick identification of new threatening applications and websites, even if their behavior is hidden from the user. It will also make it possible to identify applications and websites which used to be privacy-compliant and which may change their behaviour and policy.
- Crowd-based risk detection and evaluation by enabling users to point out suspicious applications and websites, as well as to assess them with the UPRAAM methodology, benefitting from the human capacity to identify suspicious patterns from a different perspective.
- Enable experts to perform in-depth risk analysis.
It will enable a dual privacy protection combining:
- “Endoprotection” (by analogy to endoskeletons) of privacy mechanisms protecting the citizens privacy against unwanted external access to their data from their device, by locally deployed privacy agents and privacy enablers.
- “Exoprotection” (by analogy to exoskeletons) protecting citizens' privacy from outside, by collective and distributed crowd-sourced monitoring providing a form of collective and external protection supported by the common knowledge database, as well as by pushing for an environmental change in raising awareness and encouraging companies to better respect privacy.
This approach is unique and is addressing a new field of research which is almost empty. The main reference in using crowd sourcing for privacy is My WoT (www.mywot.com), which relies on a very simple and subjective crowd-based appreciation, where users are invited to answer the question: "How much do you trust this site?" There is neither a methodology enabling the crowd to objectively assess the risk, nor any technical monitoring. Privacy Flag is innovating with:
- A multiple layers approach combining human and machine generated inputs;
- A clear methodology to assess the privacy risk level with the UPRAAT through a systematic and objective manner (not just a gut feeling);
- The use of distributed agents to identify any sign of privacy breach, which may be hidden to the user;
- The extension and scope of our tool, which is not limited to web browsers, but will also cover smart phone applications and IoT deployments in smart cities;
- A tailored solution to address and match the European and international norms in terms of privacy and personal data protection that takes into account the specificities of European personal data protection.

Building a global knowledge database on privacy risks
Privacy Flag has started to set up a global knowledge database combining data from human and machine sources together: privacy monitoring agent alerts; crowd alerts; UPRAAM-based evaluation by the crowd; in-depth evaluations by experts; company voluntary commitments and potential certifications. By combining the potential of crowdsourcing together with ICT enablers and experts’ inputs, it will provide a unique source of information on privacy risk with several levels of granularity.

Standard design and labelling
The UPRAAM will enable Privacy Flag to develop a clear methodology to assess the privacy-related risks for applications, websites and Internet of Things deployments in smart cities. This methodology based on the UPRAAM model will serve as a basis to design a labelling and certification process. Cooperation with ISO and other standardization bodies is foreseen and will be explored too.

Crowd sourcing personal data valuation
The Privacy Flag project has worked to develop a crowdsourcing-based process and a set of tools and solutions enabling the users to collectively assess and control the level of risk for their privacy in the different contexts of web applications, smartphone applications and Internet of Things deployments. The next step within this process will be to build up a crowd with active participation of individuals. To motivate crowd participants, we need to define and implement motivators to reach both individuals and the collective activism of people joining forces together. The project will pay extra attention to the design of the process for crowd-sourcing personal data valuation. This process is being designed in an iterative and interactive manner, engaging the crowd in the implementation to design their Privacy Flag tools.

The total expected outcomes of the PF project are listed as follows:
- Three user-friendly and freely available tools for citizens
- Distributed crowdsourcing privacy monitoring platform
- Universal Privacy Risk Area Assessment Tool & Methodology
- Privacy enablers
- Global knowledge database on privacy risks
- Voluntary compliance commitment tool
- On-line resources
- In-depth privacy risk analysis on-line tool
- Contributions to labelling and certification processes
- Contributions to standardization on privacy

Expected benefits coming from the PF project are listed as follows:
Providing an on-going platform for privacy protection
Improving privacy and personal data ownership
- Designing a methodology for privacy risk analysis
- Improving privacy risk identification
- Rebalancing the inherent asymmetry between individuals and ICT
- Improving personal data valuation
- Scalability and viral dissemination
- Support to privacy labelling and certification
Societal impact and user awareness
- Towards a democratic model of privacy management
- Extending the geographic scope of personal data protection
- Exploring potential room for a new international convention
- Raise user awareness
Economic Impact
- Rebalancing and mitigating unfair competitive advantages
- Supporting European SMEs and industry"

Record Number: 192887 / Last updated on: 2016-12-15