Roger Clarke's Web-Site

 

© Xamax Consultancy Pty Ltd,  1995-2017



Big Data Prophylactics
How Negative Impacts Can, and Cannot, be Avoided

Abstract of 3 August 2016

As a basis for a Keynote Session at the
IFIP Summer School on Privacy and Identity Management
Karlstad, Sweden, 21-26 August 2016

Roger Clarke **

© Xamax Consultancy Pty Ltd, 2016

Available under an AEShareNet Free for Education licence or a Creative Commons 'Some Rights Reserved' licence.

This document is at http://www.rogerclarke.com/DV/KS16.html

The accompanying slide-set is at http://www.rogerclarke.com/DV/KS16.pdf


Abstract

Big data is a fashion-item, and is already undergoing its first brand-refresh, with 'big data analytics' being re-dubbed 'data science'. As projected to date, however, big data bears a stronger resemblance to an ideology than to a science.

A range of risks arise from the current spate of over-enthusiastic and uncritical adoption of the big data meme, and of its companion notions of open government data, social media exploitation, location and tracking of people and the devices that they use, and the Internet of Things. Many of these risks will be borne by individuals rather than by the organisations that make big-data-originated mistakes. So 'big data analytics' needs to be accompanied by 'big data prophylactics', to provide people with protections against organisations' potentially harmful acts against them.

One of the most important forms of protection is the conduct of evaluations of big data initiatives prior to their implementation. These should identify in advance ideas whose potential benefits do not justify the negative impacts and risks, and lead to their substantial re-working, or abandonment. An examination of a couple of mainstream techniques - business case preparation and risk assessment - gives rise to serious doubts about their effectiveness. They provide inadequate protection even for the organisations that conduct them; still less do they protect against unjustifiable negative impacts on other parties.

Attempts to embed privacy impact assessment (PIA) within organisations' risk assessment processes have met with little success. It is argued that this was inevitable, because organisations are uniformly unwilling to reflect the interests of multiple stakeholders within their evaluations. Privacy impacts are an externality; market failure is rampant. It is therefore necessary for requirements to be imposed on organisations from the outside.

Several instances of regulatory measures are considered - industry and professional codes, PIAs in national security contexts, the forthcoming 'DPIA' requirement within the EU GDPR, and the much-vaunted 'precautionary principle'. These cases all indicate that market failure is matched by regulatory failure. Neither parliaments nor regulatory agencies are providing effective restraints on organisational misbehaviour, even in conventional data processing contexts, let alone in the field of big data analytics.

In order to protect people's interests, public activism is needed. This paper suggests one particular form that activism can take. The time has come for civil society to abandon its half-hearted and ineffectual involvement in standards processes conducted by industry and government. NGOs need to develop, adopt, promulgate and promote their own series of Civil Society Standards. These can specify the principles and processes for evaluation, processes for quality assurance and audits, and checklists of mitigation measures and controls. This would establish benchmarks against which big data initiatives can be assessed, and a firm basis for calls for appropriate mitigation measures and controls.


Primary Resources

APF (2013) 'Meta-Principles for Privacy Protection' Australian Privacy Foundation, March 2013, at http://www.privacy.org.au/Papers/PS-MetaP.html

ASA (2016) 'Ethical Guidelines for Statistical Practice' American Statistical Association, April 2016, at http://ww2.amstat.org/about/pdfs/EthicalGuidelines.pdf

Bennett Moses L. & Chan J. (2014) 'Using Big Data for Legal and Law Enforcement Decisions: Testing the New Tools' University of New South Wales Law Journal 37, 2 (2014) 643-678, at http://papers.ssrn.com/sol3/Papers.cfm?abstract_id=2513564

boyd D. & Crawford K. (2011) 'Six Provocations for Big Data' Proc. Symposium on the Dynamics of the Internet and Society, September 2011, at http://ssrn.com/abstract=1926431

Brey P.A.E. (2012) 'Anticipating ethical issues in emerging IT' Ethics and Information Technology 14, 4 (2012) 305-317

Buhl H.U. & Heidemann J. (2013) 'Big Data: A Fashionable Topic with(out) Sustainable Relevance for Research and Practice?' Editorial, Business & Information Systems Engineering 2 (2013) 65-69, at http://www.bise-journal-archive.org/pdf/01_editorial_36315.pdf

Chan J. & Bennett Moses L. (2016) 'Is Big Data challenging criminology?' Theoretical Criminology February 2016 vol. 20 no. 1 21-39

Clarke R. (1997) 'Introduction to Dataveillance and Information Privacy, and Definitions of Terms' Xamax Consultancy Pty Ltd, August 1997, at http://www.rogerclarke.com/DV/Intro.html

Clarke R. (2009) 'Privacy Impact Assessment: Its Origins and Development' Computer Law & Security Review 25, 2 (April 2009) 123-135, PrePrint at http://www.rogerclarke.com/DV/PIAHist-08.html

Clarke R. (2011) 'An Evaluation of Privacy Impact Assessment Guidance Documents' International Data Privacy Law 1, 2 (March 2011), PrePrint at http://www.rogerclarke.com/DV/PIAG-Eval.html

Clarke R. (2015) 'Quasi-Empirical Scenario Analysis and Its Application to Big Data Quality' Proc. 28th Bled eConference, Slovenia, 7-10 June 2015, PrePrint at http://www.rogerclarke.com/EC/BDSA.html

Clarke R. (2016a) 'Big Data, Big Risks' Information Systems Journal 26, 1 (January 2016) 77-90, PrePrint at http://www.rogerclarke.com/EC/BDSA.html

Clarke R. (2016b) 'Quality Assurance for Security Applications of Big Data' Proc. European Intelligence and Security Informatics Conference (EISIC), Uppsala, 17-19 August 2016, PrePrint at http://www.rogerclarke.com/EC/BDQAS.html

Croll A. (2012) 'Big data is our generation's civil rights issue, and we don't know it: What the data is must be linked to how it can be used' O'Reilly Radar, 2012

DSA (2016) 'Data Science Code Of Professional Conduct' Data Science Association, undated but apparently of 2016, at http://www.datascienceassn.org/sites/default/files/datasciencecodeofprofessionalconduct.pdf

ICO (2012) 'Anonymisation: managing data protection risk: code of practice' Information Commissioners Office, November 2012, at http://ico.org.uk/for_organisations/data_protection/topic_guides/~/media/documents/library/Data_Protection/Practical_application/anonymisation-codev2.pdf

ICO (2014) 'Conducting privacy impact assessments: code of practice' UK Information Commissioner's Office, February 2014, at https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf

ICO (2016) 'Guide to data protection' UK Information Commissioner's Office, June 2016, at https://ico.org.uk/for-organisations/guide-to-data-protection/

Ipsos Mori (2016) 'Public Dialogue on the ethics of data science in government' Ipsos MORI, May 2016, at https://www.ipsos-mori.com/Assets/Docs/Publications/data-science-ethics-in-government.pdf

Jacobs A. (2009) 'The Pathologies of Big Data' Communications of the ACM 52, 8 (August 2009) 36-44

Mayer-Schönberger V. & Cukier K. (2013) 'Big data: A revolution that will transform how we live, work, and think' Houghton Mifflin Harcourt, 2013

Oboler A., Welsh K. & Cruz L. (2012) 'The danger of big data: Social media as computational social science' First Monday 17, 7 (2 July 2012), at http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/3993/3269

Ohm P. (2010) 'Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization' 57 UCLA Law Review 1701 (2010) 1701-1711, at http://www.patents.gov.il/NR/rdonlyres/E1685C34-19FF-47F0-B460-9D3DC9D89103/26389/UCLAOhmFailureofAnonymity5763.pdf

OPMT (2016) 'Data science an introduction' Open Policy Making Toolkit, undated and unversioned but presumably of 2016, at https://www.gov.uk/guidance/open-policy-making-toolkit/a-z#data-science-introduction

SEP (2015) 'Computer and Information Ethics' Stanford Encyclopedia of Philosophy, October 2015, at http://plato.stanford.edu/entries/ethics-computer/

Slee T. (2011) 'Data Anonymization and Re-identification: Some Basics Of Data Privacy: Why Personally Identifiable Information is irrelevant' Whimsley, September 2011, at http://tomslee.net/2011/09/data-anonymization-and-re-identification-some-basics-of-data-privacy.html

Sweeney L. (2002) 'k-anonymity: a model for protecting privacy' International Journal on Uncertainty, Fuzziness and Knowledge-based Systems 10, 5 (2002) 557-570, at http://arbor.ee.ntu.edu.tw/archive/ppdm/Anonymity/SweeneyKA02.pdf

UKCO (2016) 'Data Science Ethical Framework' UK Cabinet Office, v.1, 19 May 2016, at https://www.gov.uk/government/publications/data-science-ethical-framework

UNSD (1985) 'Declaration of Professional Ethics' United Nations Statistical Division, August 1985, at http://unstats.un.org/unsd/dnss/docViewer.aspx?docID=93#start

Warren A., Bayley R., Charlesworth A., Bennett C., Clarke R. & Oppenheimer C. (2008) 'Privacy Impact Assessments: international experience as a basis for UK Guidance' 24, 3 (May-June 2008) 233-242

Wigan M.R. & Clarke R. (2013) 'Big Data's Big Unintended Consequences' IEEE Computer 46, 6 (June 2013) 46-53, PrePrint at http://www.rogerclarke.com/DV/BigData-1303.html

Wright D. (2011) 'A framework for the ethical impact assessment of information technology' Ethics and Information Technology 13, 3 (September 2011) 199-226

Wright D. & De Hert P. (eds) (2012) 'Privacy Impact Assessments' Springer, 2012

Wright D., Wadhwa K., Lagazio M., Raab C. & Charikane E. (2014) 'Integrating privacy impact assessment in risk management' Int'l Data Privacy Law 4, 2 (May 2014) 155-170


Other Resources

Clarke R. (2016) 'Quality Assurance for Security Applications of Big Data' Proc. Euro. Intelligence & Security Informatics Conf. (EISIC'16), Uppsala, August 2016, PrePrint at http://www.rogerclarke.com/EC/BDQAS.html

Clarke R. (2016) 'Privacy Impact Assessments as a Control Mechanism for Australian National Security Initiatives' Computer Law & Security Review 32, 3 (May-June 2016) 403-418, PrePrint at http://www.rogerclarke.com/DV/IANS.html

Clarke R. (2016) 'Submission to the Productivity Commission re its Inquiry into 'Data Availability and Use'' Xamax Consultancy Pty Ltd, May 2016, at http://www.rogerclarke.com/EC/PCDUA.html
incl. Reidentifiability vs. Anonymisation, and Data Falsification:
http://www.rogerclarke.com/EC/PCDUA.html#KRA

Clarke R. (2016) 'Personal Data Markets: A Matter of Perspective' Working Paper, Xamax Consultancy Pty Ltd, February 2016, at http://www.rogerclarke.com/EC/PDMP.html

Clarke R. (2016) 'Big Data, Big Risks' Information Systems Journal 26, 1 (January 2016) 77-90, PrePrint at http://www.rogerclarke.com/EC/BDBR.html

Manwaring K. & Clarke R. (2015) 'Surfing the third wave of computing: a framework for research into eObjects' Computer Law & Security Review 31,5 (October 2015) 586-603, PrePrint at http://www.rogerclarke.com/II/SSRN-id2613198.pdf

Clarke R. (2015) 'Quasi-Empirical Scenario Analysis and Its Application to Big Data Quality' Proc. 28th Bled eConference, Slovenia, 7-10 June 2015, PrePrint at http://www.rogerclarke.com/EC/BDSA.html

Clarke R. (2014) 'Quality Factors in Big Data and Big Data Analytics' Working Paper, Xamax Consultancy Pty Ltd, December 2014, at http://www.rogerclarke.com/EC/BDQF.html

Clarke R. & Bennett Moses L. (2014) 'The Regulation of Civilian Drones' Impacts on Public Safety' Computer Law & Security Review 30, 3 (June 2014) 263-285, PrePrint at http://www.rogerclarke.com/SOS/Drones-PS.html

Clarke R. (2014) 'Approaches to Impact Assessment' Notes for a Panel Presentation at CPDP'14, Brussels, January 2014, at http://www.rogerclarke.com/SOS/IA-1401.html

Wigan M.R. & Clarke R. (2013) 'Big Data's Big Unintended Consequences' IEEE Computer 46, 6 (June 2013) 46-53, PrePrint at http://www.rogerclarke.com/DV/BigData-1303.html

Michael K. & Clarke R. (2013) 'Location and Tracking of Mobile Devices: Überveillance Stalks the Streets' Computer Law & Security Review 29, 3 (June 2013) 216-228, PrePrint at http://www.rogerclarke.com/DV/LTMD.html

APF (2013) 'Policy Statement on Privacy Impact Assessments' Australian Privacy Foundation, March 2013, at http://www.privacy.org.au/Papers/PS-PIA.html

APF (2013) 'Meta-Principles for Privacy Protection' Australian Privacy Foundation, March 2013, at http://www.privacy.org.au/Papers/PS-MetaP.html

Clarke R. & Wigan M.R. (2011) 'You Are Where You've Been: The Privacy Implications of Location and Tracking Technologies' Journal of Location Based Services 5, 3-4 (December 2011) 138-155, PrePrint at http://www.rogerclarke.com/DV/YAWYB-CWP.html

Clarke R. (2011) 'An Evaluation of Privacy Impact Assessment Guidance Documents' International Data Privacy Law 1, 2 (March 2011) 111-120, PrePrint at http://www.rogerclarke.com/DV/PIAG-Eval.html

Clarke R. (2010) 'Civil Society Must Publish Standards Documents' Proc. Human Choice & Computers (HCC9), IFIP World Congress, Brisbane, September 2010, pp. 180-184, PrePrint at http://www.rogerclarke.com/DV/CSSD.html

Clarke R. (2009) 'Privacy Impact Assessment: Its Origins and Development' Computer Law & Security Review 25, 2 (April 2009) 123-135, PrePrint at http://www.rogerclarke.com/DV/PIAHist-08.html

Clarke R. (2008) 'Business Cases for Privacy-Enhancing Technologies' Chapter 7 in Subramanian R. (Ed.) 'Computer Security, Privacy and Politics: Current Issues, Challenges and Solutions' IDEA Group, 2008, pp. 135-155, PrePrint at http://www.rogerclarke.com/EC/PETsBusCase.html


Acknowledgements

This presentation has benefited from feedback from several people, in particular Charles Raab.


Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in Cyberspace Law & Policy at the University of N.S.W., and a Visiting Professor in Computer Science at the Australian National University.




Created: 12 June 2016 - Last Amended: 3 August 2016 by Roger Clarke - Site Last Verified: 15 February 2009