FIDIS Deliverable D14.2: Study on Privacy in Business Processes by Identity Management
‘Data Track’ for Increasing Transparency for End Users

Being able to track what data were disclosed, when, to whom, and how the data are further processed, is an important feature to provide transparency of personal data processing.  

Within the EU FP6 Project PRIME, which develops a working prototype of a privacy-enhancing and user-controlled Identity Management System, this data logging and tracking function is implemented in the so-called “Data Track”. The Data Track is currently being extended to also advise users about their rights, to enable them to exercise their basic rights to access data or to rectify and request their deletion online, and to help them check on agreed obligations or set obligations.

The privacy principle of transparency is an important prerequisite for users to have control over their personal spheres. Furthermore, to enhance trust in privacy-enhancing technologies, users should feel in control of the technologies concerning them, which could for instance be achieved if procedures are transparent and reversible (see Andersson, Camenisch, Crane, Fischer-Hübner, Leenes, Pearsson, Petterson and Sommer, 2005).

In this section, we will discuss the legal foundations of the Data Track function, present its logging and search functionality and its online help functions which enable users to exercise their rights and to keep control over personal data which they have released. 

Legal Background

A society in which citizens could no longer know who knows what about them, when, and in which situations would be contradictory to the right of informational self-determination and thereby to informational privacy. Hence, the privacy principle of transparency of personal data processing is a key to informational self-determination. For this reason, the EU Data Protection Directive 95/46/EC guarantees data subjects extensive information and access rights:

According to Art. 10 of the Directive, individuals from whom personal data will be collected have to be informed about the identity of the controller, the purposes of the data processing, and about further information insofar as such further information is necessary to guarantee fair data processing, including the existence of the right of access to and the right to rectify personal data.

Pursuant to Art. 12 of Directive 95/46/EC, an individual has the right to access, i.e. the right to obtain from the data processor:

  1. a confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed; and  

  2. communications to him in an intelligible form of the data undergoing processing and of any available information as to their source. 

In addition, Art. 12 grants individuals the right to obtain from the controller the rectification, erasure, or blocking of data concerning them each time the processing does not comply with the requirements of the Directive, in particular when the data at issue are incomplete or inaccurate. 

Art. 14 ensures that data subjects are aware of the existence of the right to object e.g. to data processing for direct marketing. 

Logging Functionality

The Data Track allows users to “track” the personal data that they have released to other sites, both via data records kept at the end user’s side and via compiling requests for information on the records kept at the services side.

It stores transaction records comprising personal data sent, date of transmission, purpose of data collection, recipient, and all further details of the privacy policy that the user and the recipient have agreed upon (see also (Pettersson, Fischer-Hübner and Bergmann, 2006)).  

A legal requirement for requesting data from a data subject is, as noted above, that information about the request (at least the identity of the so-called controller and the data processing purposes) is available to the data subject before data disclosure. With PRIME-enabled systems on the end user’s side, no data should be released if such information cannot be obtained from the services site. This also makes it possible to record this information at the user’s side in the form of a so-called privacy policy under which the data were released. We want to stress the importance of recording this privacy policy, which should contain the premises for how the collected data are used and stored: it would constitute a valuable document in case a user feels that something is wrong with how his data have been used. Presently, users may inspect privacy policies published on web sites, but if they later come back to these web pages, they cannot be sure that the same version is still available. This severely restricts transparency. Negotiated obligations, such as “delete my address after six months”, “notify me whenever my address is sold to another organisation” or “let any third party organisation use my address only once”, should also be added to the stored privacy policy.

In order to make the log files useful for the user, some other information has to be added, such as the pseudonyms used for transactions. By authenticating via a pseudonym, a user can in principle identify himself as a previous contact while still remaining pseudonymous; or, if he is not pseudonymous at the current contact, he can at least use the pseudonym employed at that time to demonstrate that it was he who previously released the personal information. The credentials disclosed or received are as important to store in the transaction record as other types of personal information. They will, at a later time, facilitate the re-identification of the user, and as such belong to a well-functioning identity management system even without a history function such as the Data Track. For exercising legal rights using the Data Track (see below), users need records in which individual data items are stored in relation to the conditions of each transaction. There should also be a possibility for users to label transmission records in order to group them in a meaningful way (“Holiday 2006” includes both travel and hotel bookings) and to add comments (“I phoned them to make clear that all our children are under 12”). This is not necessarily performed at transaction time, and is thereby not purely a logging function, but from the user’s perspective it makes sense to see this information as part of the transaction records.

Search Functionality

As people engage in many transactions, which may involve multiple providers simultaneously, the implementation of a usable Data Track is difficult from an HCI perspective. Providing users with easy tools for finding relevant data disclosure records is one example. In PRIME several ways are considered, as will be discussed in this subsection.

Two search methods are quite straightforward and might appear as the obvious choices: (1) Sorting step-wise by categories, such as ‘Personal data’ and ‘Receivers’; and (2) Simple search box. However, these two approaches seem unsatisfactory because users are unaware of what the system does as revealed in user tests performed by the PRIME group. More suitable methods that are currently pilot-tested include: (3) Template sentences which put search boxes within meaningful frames: “Who has received my [drop-down list with data]?” (4) A scrollable transaction track that shows all the records at once. The records are shown in abbreviated form as small pages stacked along a timeline (see Figure 6.12). A slider provides the possibility to highlight an individual page in the stack. In this way, users could browse through the records without having to understand sorting or to articulate refined search requests. 

Figure 6.12: Data Track window including template sentences and scrollable tracks. 

Obviously, this method seems more appropriate for the beginner, whose number of transaction records will be limited. For the more advanced user, combinations of methods have to be explored and developed (see also Pettersson and Fischer-Hübner, 2006a; Pettersson and Fischer-Hübner, 2006b).


Figure 6.13: Tentative Data Track window in web search engine style.

Since more experienced users may be familiar with an approach similar to a web search engine (see Figure 6.13), we propose such an additional “advanced search” option. The filtering options might be difficult for lay users to understand. Possibly, specific privacy-related key words (such as ‘date’, ‘order’, ‘buy’, ‘contact’, ‘payment’/’cost’) can be used for filtering or grouping search results. Experiments should evaluate the usefulness of this approach. Due to the lack of availability of a real and large data pool, we have to postpone this task to a later stage of the PRIME project.

Support for “Worried Users”

Sociological research on trust has shown that trust in a service provider can be increased if procedures are transparent and reversible, and if there are means of redress in case of breaches of trust (see also Andersson, Camenisch, Crane, Fischer-Hübner, Leenes, Pearsson, Petterson and Sommer, 2005). This can be provided by the Data Track. However, users might not necessarily believe that the Data Track can offer sufficient help. For instance, a test subject of usability tests performed at Karlstad University said about the Data Track function of the tested UI mockups: “Even if it is good to see what information has been sent, it is too late anyway because you cannot undo it.” This is however not really true, because users in Europe still have basic legal rights according to EU Directive 95/46/EC to access, block, rectify or delete data under certain circumstances (see above). Here we have a case where the user interface really can reinforce trust. Our user tests have shown that many people seem to be unaware of these rights. Hence, it is important that the Data Track function also informs users about those rights and contains online functions for exercising them. It should also be possible to track the fulfilment of agreed obligations via the Data Track interface. Help functions could also inform about available external help, as users may doubt that the system per se can help them all the way through all conceivable situations. One could compare this with wishes surfacing in user studies that e-commerce companies should provide “Access to helpful people” (Nielsen, Molich, Snyder and Farrell, 2000). The Data Track UI should therefore also provide access to updated information on consumer organisations and/or data protection authorities that can help with legal issues.

Figure 6.14: “Quick demo” window 

Figure 6.14 sketches a “Quick demo” window accessible via the “Quick demo” menu of the Data Track UI (see Figure 6.12), which provides help for “worried users” by informing them about their rights, how to exercise their rights offline or online via the Data Track (see below) and contact addresses for help. The text boxes in the “Quick demo” window are clickable buttons leading to the assistance functions. 

Online Functions for Exercising Rights

The Data Track allows users to easily track what personal data items have been released to whom under which conditions. For released data items, it also provides online functions that allow users to easily exercise their rights to obtain from the services site the correction and/or erasure/blocking of data concerning them. Once a user has “tracked” a specific data record, the Data Track user interface provides buttons that the user can click to activate such online functions (see Figure 6.12).

Figure 6.15: Buttons for requesting correction or deletion of personal data records. 


Online functions for accessing personal data at the services side are also provided via the “Assistance” menu (see menu bar in Figure 6.12). The user’s right to access data also allows the user to get an overview of data that a service provider has compiled out of released data items, such as profiling or scoring information. Besides, it allows users to check whether data release policies and obligations are being followed by the services side as agreed upon at the time of data release.

The Independent Centre for Privacy Protection (ICPP) is currently specifying requirements for a “Request PII-related information” online function. Such an online function should assist the user to specify all information needed for a data access request, which comprises: 

  1. The contact address of the recipient.

  2. The personal data requested: Even though the user has the right to request access to all information that can be linked to him, the user might often only be interested in data that he released or that were collected about him in a specific context. Hence, the online function should also help the user to specify this context, which might also make it easier for the services side to retrieve the data in its databases. If a user has released data under a certain pseudonym, a proof has to be given that the requesting user is actually the holder of this pseudonym.


If the user requests access to data that were obtained directly from him, all this information can be compiled from his Data Track’s transaction records. With the help of this information, the “Request PII-related information” online function should compile an access request, e.g. via email, and send it to the respective recipient. Additional information revealed by the request should be minimised; e.g. if the user’s email address has not been released yet, the user may choose another channel instead of email communication or make use of one-show email addresses or other anonymising services. 

If no or only an incomplete answer is received from the services side, the Data Track should provide the option to compile a complaint mail to be sent to the supervisory authority in charge.  
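As an added illustration (not PRIME’s own code and not the ICPP’s specification), the following Python sketch models the transaction records described under “Logging Functionality”, the template-sentence search “Who has received my [data]?”, and the compilation of an access request that repeats only information the recipient already holds; all record fields, class names and sample disclosures are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed Data Track record layout (an illustration, not PRIME's own format).
@dataclass
class Transaction:
    when: date
    recipient: str             # controller identity shown before release (Art. 10)
    pseudonym: str             # pseudonym the user acted under at that time
    purpose: str
    data: dict                 # data items sent, e.g. {"address": "..."}
    obligations: list = field(default_factory=list)  # e.g. "delete my address after six months"

class DataTrack:
    def __init__(self):
        self.records = []
    def log(self, tx):
        # No release unless the legally required information was available first.
        if not tx.recipient or not tx.purpose:
            raise ValueError("controller identity and purpose must be known before disclosure")
        self.records.append(tx)
    def who_received(self, item):
        # Template sentence "Who has received my [item]?": recipients in time order.
        seen = []
        for tx in sorted(self.records, key=lambda t: t.when):
            if item in tx.data and tx.recipient not in seen:
                seen.append(tx.recipient)
        return seen
    def access_request(self, recipient):
        # Art. 12 access request compiled from this recipient's records: only what was already
        # released to them is repeated, and email is the channel only if the address was released.
        txs = [t for t in self.records if t.recipient == recipient]
        if not txs:
            raise KeyError(f"no disclosure to {recipient} recorded")
        return {
            "to": recipient,
            "channel": "email" if any("email" in t.data for t in txs) else "anonymous channel",
            "pseudonyms": sorted({t.pseudonym for t in txs}),  # holder proof still required
            "context": [(t.when.isoformat(), t.purpose) for t in txs],
            "items": sorted({k for t in txs for k in t.data}),
            "obligations_to_check": [o for t in txs for o in t.obligations],
        }

def sample_track():
    # Constructed sample: a flight booking and a hotel booking from one holiday.
    dt = DataTrack()
    dt.log(Transaction(date(2006, 7, 1), "AirCo", "pn-17", "flight booking",
                       {"name": "A. User", "email": "a@example.org"}))
    dt.log(Transaction(date(2006, 7, 2), "HotelCo", "pn-42", "hotel booking",
                       {"name": "A. User", "address": "1 Main St"}, ["delete my address after six months"]))
    return dt
```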
