Out-Law News | 14 Nov 2011 | 3:03 pm | 3 min. read
In a report into the impact of personal data 'life-logging', the European Network and Information Security Agency (ENISA) said that individuals that give over their details in order to use social networking sites, such as Facebook, can end up "trapped into 'personalised information silos'" as a result of "suboptimal information" being fed to them.
ENISA said that companies storing personal data about users may not be providing the best information to users as a result of the way they use the data to personalise services.
"There is ... a risk that the judgements made by machines are not optimal or are biased," the ENISA report said. "Simplistic routines and algorithms, i.e., for the personalisation of life-logging services, may lead to suboptimal information search and information display as well as less good decision-making as a result."
"Early examples of personalisation mechanisms, such as Amazon’s book suggestions, Google’s ‘Social Search’ functionality [where you can see recommendations from your contacts using the same functionality], YouTube’s recommended videos or Facebook’s news feed prioritisation – despite their virtues – show how easy it is for people to be trapped into ‘personalised information silos’ that they cannot or do not control," it said.
"The concern is basically that people might not realise that all recommenders provide filtered information, and they may fail to explore alternative sources. This impacts their choices and decisions and may seriously affect their ability to make informed decisions," the report said.
ENISA said that, whilst 'life-logging' services present benefits to individuals, businesses and governments, they also carry privacy and security risks. It said that individuals are becoming more "dependent" on devices for storing information and that this increases the risk over data privacy and theft.
"The top risk for individuals utilising life-logging devices and scenarios is the threat to privacy that accompany using them," ENISA said. "Loss of control over this data might result in individuals being subjected to financial fraud or unauthorised access might result in reputational harm or discrimination and exclusion."
"This risk is compounded by the nature of life-logging in that apart from privacy threat to individuals coming from commercial entities and governmental agencies, there is also a threat of deliberate or accidental data collection about one person by other individuals," it said.
Companies offering services that involve the storage of personal data also risk losing trust, damaging their reputation and being sanctioned if data is "compromised, lost, stolen or erroneous," ENISA said in its report.
Governments have to guard against "legal gaps or a loss of sovereignty" when trying to ensure a "balanced regulatory environment" around data protection in life-logging services, ENISA said.
"The top risk for Government is not ensuring a balanced regulatory environment which guarantees fundamental rights and protects citizens and society, while at the same time does not constrain or have negative consequences on the growth and competitiveness of European industry," ENISA said.
"While a regulatory lag is often present in relation to the development of new technologies and services, life-logging presents particular risks due to the pervasiveness of data collection and the persistence of data in various forms. Risk of abuse of information is inherent both to private and public sector, however in the case of government (e.g. data manipulation in statistics), issues that are at risk are even more important (e.g. liberty, dignity)," it said. "Since data storage or processing is often done outside of national borders, there is a risk of legal gaps or a loss of sovereignty, as well potential conflicts as a consequence of incoherence in legislations or legal gaps."
ENISA said that individuals must "be alert for protecting their own privacy" when using services that log their personal information. Individuals should also utilise privacy friendly tools to manage what information they give out about themselves, it said.
ENISA recommended that internet service providers and other industry groups that log personal data should incorporate "privacy-friendly default configurations and settings" that are widely "intelligible" into new services when they are being designed. The group also called on the providers to assess privacy and information security risks and to give users "direct online access" to information that explains "when and with whom data is being shared, including an audit trail of accesses". Government and other public bodies could lead the way in developing privacy frameworks around these aims, it said.
Personal data loggers should also consider using stricter encryption standards on information stored on devices, such as "two or three-factor authentication methods," ENISA said.
Companies could consider storing data on a decentralised basis, "allowing users to store and process their data on their own equipment, with strict access controls, and the provision of interoperable services by separate companies rather than integrated large-scale data processors," ENISA said.
The group recommended that Governments, EU institutions and regulators provide incentives to businesses to offer more "privacy-aware or privacy friendly devices and services while supporting competition through promotion of interoperability and interconnection between devices, services as well as providers". It also called for "real sanctions" to be introduced for personal data breaches.