The NSF-NWO 2015 Privacy Workshop was organized on behalf of the National Science Foundation (NSF) and the Netherlands Organisation for Scientific Research (NWO) on October 2 and 3 2015. It was hosted in Washington DC by Carnegie Mellon University’s Heinz College and focused on privacy research in the cyber domain.
For this workshop, jointly funded and organised by the US National Science Foundation (NSF) and the Netherlands Organisation for Scientific Research (NWO), about one dozen scientists per country were invited both from the United States and from the Netherlands. Supported by NSF and NWO, Alessandro Acquisti from Carnegie Mellon University and Jaap-Henk Hoepman from Radboud University and Privacy & Identity Lab drew the outlines of the workshop program. Given the interdisciplinary nature of this type of research, scientists skilled in areas like computer science, legal, ethical, social, and economic aspects of privacy were invited to participate.
The objective of the workshop was to help build long-term research collaboration among scientists from the two countries who are studying technical and social aspects of privacy in relation to cyberspace. The ultimate goal was to form mixed groups of United States and Dutch scholars who by the end of the workshop produced joint research outlines, with the potential to grow into full proposals to be submitted to an NSF-NWO Call for Proposals.
The formal basis for this joint Call for Proposals is a Memorandum of Understanding (MoU) signed by the NSF and the NWO. Thematically, this call is associated with themes 1 and 5 of the Dutch National Cyber Security Research Agenda (NCSRA II), the basis for NWO’s cybersecurity program, and the Secure and Trustworthy Cyberspace (SaTC) program of the NSF.
On the first day of the workshop, participants first presented their own ongoing research. After the introduction, participants were engaged in tasks designed to stimulate the formation of teams of United States - Netherlands researchers. Several rounds of “speed dating” were held, including a brainstorm on novel research ideas. The second day of the workshop included discussions in four break-out groups generating ideas for research proposals around four major themes, as well as determining whether topics were missing. These themes, combined with topics formulated during the workshop, could be a starting point for collaborative research:
1. Identity on the digital stage
This theme included various research topics:
- The normative notions of identity, particularly from the perspective of – but not restricted to – the rise of digital persons, i.e., the ‘data shadows’ of real-life persons in digital sets of data.
- Technical approaches towards identity and identity-management, and how data protection rights and Privacy Enhancing Technologies can help and support individuals to manage their online identities throughout life.
- Map ‘privacy disasters’: in what ways, and to what extent, do individuals and society suffer from technical, organisational, or legal errors that hamper their right to privacy?
- Mobile devices such as GSM phones, PDAs and RFID offer a technological platform which can help solve the problems of ID management for the roaming user. They can be employed as a trusted control interface for applications using personal and privacy-sensitive information, and can help support users in managing their online identities. The concrete objective is the development of the essential elements of an architecture (trust framework) for secure and realistic identity management solutions for mobile devices.
2. Beyond data minimisation
Current approaches to privacy protection (both technical and legal) have largely focused on minimising the amount of personal data being collected. This is problematic for platforms that are actually deployed to promote the sharing of personal data (like social networks), and equally problematic for the use of behavioural data to personalize services or improve their performance. Similarly, there are so-called Big Data applications where allowing the use of personal data may benefit society as a whole (for example, medical research). But clearly any risk in the use of personal data in these applications needs to be controlled. Research in this domain aims to develop a better understanding of the issues involved and to propose solutions to mitigate risks.
3. The confluence of the real and the virtual
The Internet of Things is nothing new. Yet the imminent confluence of cyberspace and physical space into one ambient intelligent system still poses fundamental research challenges in the area of security, privacy and trustability. In particular, the conceptualisation of identity in such an ‘ambient intelligent’ world deserves further study. How much of my identity is constructed consciously, and how much of it is constructed autonomously? Privacy protection in the Internet of Things involves much more than data minimisation techniques like using pseudonyms and the like. In fact, the vision of an Internet of Things that intelligently supports us in our day-to-day activities needs to collect large amounts of personal information. The challenge is to accommodate this need for personal data, while maintaining privacy guarantees. Legal protection of individuals against (state) intervention is partly based on space (e.g. inviolability of the home). Technology increasingly obliterates the distinction between private and public space and thus poses challenges to the privacy of individuals.
4. Understanding and constructing privacy
How to construct privacy, both from a technical and a non-technical perspective, especially taking differences in legal regimes and ethical norms across the world into account. Improve the understanding of the meaning of privacy given the current changes in society. Study methods to build more privacy friendly systems, based on privacy by design, and regulation by technology. Also study the organizational dimensions of privacy (such as organisational embeddedness of privacy impact assessments and determination of risk associated with privacy within organisational contexts) and participatory design methods including a multitude of stakeholders. Study how the balance between security and privacy can be regulated by technology alone through, for example, the concept of “revocable privacy”.
October 2 Friday
13:30 Welcome + Agenda + Organisational remarks
13:40 Introductory presentations by NSF and NWO: roles, background and objectives
14:00 Introductory presentations by all participants (6 min each)
16:00 Coffee break
16:30 Introductory presentations by all participants (continued)
17:20 Speed dating Part 1
18:20 Round up - assigning groups for parallel sessions on Saturday
19:00 Dinner at the Hotel George (15 E St NW, Washington, DC 20001)
October 3 Saturday
9:00 Speed dating Part 2
9:45 Breakout into 4 parallel discussion groups
- Identity on the digital stage
- Beyond data minimisation
- The confluence of the real and the virtual
- Understanding and constructing privacy
11:00 Coffee break
11:30 Plenary presentation of results breakout discussion groups
12:00 Identification and brief description of missing themes
12:30 Round up, summary and consolidation of themes
12:40 Further steps
1. Presentation slides (zip file)
2. Draft notes from the workshop and short reports from the break-out sessions (doc file)
3. Breakout discussion photos (pdf file)
4. Speed dating photos (pdf file)
Jeremy Epstein, NSF
Jan Piet Barthel, NWO
Alessandro Acquisti, CMU
Jaap-Henk Hoepman, RUN