
Enabling Crowd-sourcing based privacy protection for smartphone applications, websites and Internet of Things deployments

Periodic Reporting for period 1 - PRIVACY FLAG (Enabling Crowd-sourcing based privacy protection for smartphone applications, websites and Internet of Things deployments)

Reporting period: 2015-05-01 to 2016-04-30

Personal data have become a merchandisable asset, encouraging various stakeholders to "collect" such data and trade them without end-user awareness and acceptance. The European Union (EU) has taken the lead in adapting the legal framework to better protect citizens’ rights and interests. However, the extent of the Internet and smart phone applications, the fact that data can be retrieved without the owner's knowledge, and the fact that the vast majority of those applications are developed outside EU jurisdiction strongly limit the possibility of effectively imposing a privacy-protection framework globally with a conventional approach. Moreover, privacy norms are perceived as complex by many citizens.
Personal data protection is becoming a challenge both in terms of privacy and economic exploitation. The European Union has taken the lead in better protecting its citizens against unilateral collection and exploitation of personal data. However, this effort is facing several challenges. Considering the extent of the Internet and smart phone applications, and the fact that the vast majority of those applications are developed from outside the EU, it is rather difficult to effectively impose and extend a privacy mechanism from a top-down approach or through a simple technological perspective. Data can be retrieved from a smart phone or a computer in a way which remains “invisible” to the data owner. Moreover, personal data protection norms and privacy concepts may be perceived as too complex and subtle by many citizens.

The Privacy Flag (PF) project intends to combine crowdsourcing technologies together with privacy monitoring agents, innovative privacy risk assessment methodology and legal expertise to develop a collective privacy protection framework enabling citizens to better control and protect their personal data. The project will research the potential of crowdsourcing and legal expertise to empower the users to set the desired level of privacy, based on a “simple to understand” visualisation of the privacy level. The project will develop a crowdsourcing-based process and a set of tools and solution(s) enabling the users to collectively assess and control the level of risk for their privacy in the context of web applications, smart phones applications and Internet of Things (IoT) deployments. It will provide a new paradigm of privacy risk assessment combining:
- Crowd sourcing model of risk identification and evaluation;
- Privacy Risk Area Assessment Tool/Methodology technology;
- Distributed agents to monitor, assess and inform on the privacy risk level of any application;
- Full “anonymization” and privacy technology for server connection;
- Legal expertise in privacy and personal data protection;
- Personal data valuation mechanism;
- A voluntary legal binding mechanism for companies located outside of Europe.

The Privacy Flag project will research and combine the potential of crowdsourcing, ICT technologies and legal expertise to protect citizens’ privacy when visiting websites, using smartphone applications, or living in a smart city. It will enable citizens to monitor and control their privacy with a user-friendly solution made available as a smart phone application, a web browser add-on, and a public website, all connected to a shared knowledge database. It will benefit from the outcomes of over 18 related research projects in order to provide a new paradigm of privacy protection combining “endo-protection”, with locally deployed privacy enablers protecting the citizens’ privacy from unwanted external access to their data, and “exo-protection”, with a distributed and crowd-sourced monitoring framework able to provide a collective protection framework together with increased citizen awareness and implicit pressures on companies to improve their privacy compliance.
Our key ambition is to utilize the power of the crowd combined with ICT technology and legal expertise to enable users to monitor, c
During the period covered, there were no critical deviations from the original scope with regard to carrying out the scheduled work and submitting all expected deliverables. Although one of the original partners (IAITL) announced that “he was no longer able to contribute to the project effort” and left the project early on, the PF consortium, with the full support and guidance of the European Commission, proposed a Request for Amendment to the original GA, including two “equivalent” new partners (i.e. UoA and UOB) possessing appropriate expertise and profiles.
The Request for Amendment was accepted by the Commission (as officially notified on May 02, 2016) and the two new partners have joined the PF effort.
All expected PF deliverables have been submitted for the 1st Reporting Period and all related milestones have been properly accomplished. Regarding the effort spent, expressed in person months (PMs) and declared by the PF project partners/beneficiaries, there was no significant deviation between the effort planned and the effort spent. A total of 150,678 PMs (i.e. for all WPs) have been spent during the first year, out of the original 502 PMs of the entire effort, which corresponds to a “reasonable” consumption of approximately 30% of the personnel effort during the first year of the project. Likewise, other expenses incurred by the partners have not shown any kind of “deviation”.
All other issues regarding administration and financing have also been treated in a proper way. The cooperation between the partners was sincere, creative and fruitful, while there was effective collaboration between the Project Coordinator, the Technical Manager and the other PF partners/beneficiaries.

A detailed analysis of the work performed and of the specific per-WP achievements, with correlation to the related deliverables and/or milestones, is provided in the attached Periodic Report Part B.
Privacy Flag is foreseen to progress beyond the current state-of-the-art (SOTA) at different levels, such as:

Designing a Universal Privacy Risk Area Assessment Tool
Privacy Flag has researched and developed an initial matrix for an enhanced Privacy Risk Area Assessment Tool (PRAAT), re-named as UPRAAM (Universal Privacy Risk Area Assessment Methodology). It encompasses all the privacy-related risks with smart phone applications, websites and all sorts of Internet of Things (IoT) deployments in smart cities.

Designing an innovative triple layer crowd sourcing based privacy protection
Currently employed techniques in privacy risk detection and prevention are more centralized and are controlled by companies specializing in this area, with everyday users playing a minimal role, if any. This "top-down" approach most often involves a company offering privacy/security detection and prevention services by: a) detecting privacy breach attempts on users’ devices with special software that monitors the devices and then either removes the risk automatically or gives advice to the users on "how to handle it themselves"; and b) closely analyzing reports on such incidents found on the web or other authoritative sources and publishing them on bulletin boards that users can access themselves. Examples of such approaches are the ones followed by e.g. McAfee and Microsoft in detecting privacy holes in users’ computers and applying and/or proposing corrective measures. Our approach, in order to handle these disadvantages, follows the "bottom-up" and distributed approach and attempts to involve users more actively in protecting their own privacy, increasing their privacy awareness and privacy protection responsibilities, along with all the traditional bottom-up mechanisms as described above. Thus, users collectively participate in diffusing knowledge about privacy breach incidents they come across, so that the whole user community becomes aware of the incidents as well as of suggestions for their prevention.

During Y1 Privacy Flag has worked to develop a privacy risk detection framework based on a triple layered crowdsourcing model:
- Privacy agents will be distributed and deployed by the users. Their large-scale distribution will enable quick identification of new threatening applications and websites, even if their behavior is hidden from the user. It will also make it possible to identify applications and websites which used to be privacy-compliant and which may change their behaviour and policy.
- Crowd-based risk detection and evaluation by enabling users to point out suspicious applications and websites, as well as to assess them with the UPRAAM methodology, benefitting from the human capacity to identify suspicious patterns from a different perspective.
- Enable experts to perform in-depth risk analysis.
It will enable a dual privacy protection combining:
- “Endoprotection” (by analogy to endoskeletons) of privacy mechanisms protecting the citizens’ privacy against unwanted external access to their data from their device, by locally deployed privacy agents and privacy enablers.
- “Exoprotection” (by analogy to exoskeletons) protecting citizens' privacy from outside, by collective and distributed crowd-sourced monitoring providing a form of collective and external protection supported by the common knowledge database, as well as by pushing for an environmental change in raising awareness and encouraging companies to better respect privacy.
This approach is unique and addresses a new field of research which is almost empty. The main reference in using crowd sourcing for privacy is My WoT, which relies on a very simple and subjective crowd-based appreciation, where users are invited to answer the question: "How much do you trust this site?" There is neither a methodology enabling the crowd to objectively assess the risk, nor any technical monitoring. Privacy Flag is innovating with:
- A multiple layers approach combining human a
A depiction of the proposed "core" architecture of the Privacy Flag full effort
A global view of the modern ICT-based world where privacy challenges should be critical
A general depiction of the Privacy Flag processes