People must know what data is generated and processed
People must be able to know what data is being generated by devices, the networks and platforms we use, and the infrastructure within which devices become embedded. People should be able to know and ultimately determine the manner of processing.
People don’t know or control what data is on devices, how it is used by others, and how this can be used against them. In the future, individuals’ data held on technologies and devices can be exploited beyond the control of the individual, by anybody with the authority and capability.
What's the problem?
The era where we were in control of the data on our own computers is nearly over. We were once able to access, process, and delete our data on our devices, with few exceptions. Now industry is building an era where devices and services are
- generating data we cannot control,
- storing data we cannot access,
- using systems we cannot monitor, and
- accessing and sharing data without our knowledge.
Often, there is more data being generated than is necessary for the provision of a service, the functionality of a device, or the clearly-stated business purpose. This excessive generation of data, often done beyond our control, leads to excessive processing, often done without our knowledge, and may exceed the reasonable expectation of users.
Why this matters
In the future, individuals’ data held on technologies and devices can be exploited beyond the control of the individual, by anybody with the authority and capability. Data on mobile phones and health devices is already used as evidence in criminal proceedings and is increasingly monitored by employers.
Data is generated by technologies and systems designed for the ambitions of companies and governments rather than prioritising the interests of the individual. This means those companies have immense power over these systems and the data.
What we would like to see
Data generated by systems will be under the control of the individual within a framework of legal rights and protections, and minimally generated and even more minimally processed. The individual would be able to gain access and see explanations of all data on devices, in networks, and on platforms.
We want a world where the default of computing is that the individual will be able to prevent data generation in the first place, and then be able to access, process, and delete the data (and request its deletion when it is held by other parties). Exceptions to this are permissible, but subject to tests of being fair and lawful in accordance with consumer and human rights protections. Access to such data is essential, in both raw and meaningful forms, as it is the precondition for verifying, identifying, and challenging any inaccuracies, misuse and non-compliance, for instance with data protection law.
We would like people to be able to know, and ultimately decide when and how data is being used to understand, judge, and control them and others.
What this will mean
No data about the individual and his/her devices and use of systems should be beyond the reach of the individual. This means that the individual can access, process, and delete data on their devices – and exceptions to this must be justified, necessary and proportionate. You should be able to see all data generated on your smartphone, or all data created by a smart city about you, know what that data is, and, if you object, be able to have it modified and removed. You will then be able to know what data is feeding systems that make decisions about you and others.
Listening and always-on devices will limit data collection on the device, e.g. recording/processing in buffers only, and provide users with access to all data generated and some controls over the personal data.
Essential reform actions
Industry must ensure our systems and services only generate data that is strictly necessary, and that we have insight into that data and its processing.
Industry and governments must provide people with the means to prevent the collection of usage and pattern data without our knowledge and consent, and provide the means for this data to be collected only when privacy enhancing technologies are being applied and informed consent ascertained or lawful measures in place.
Particularly in environments where individuals are not in direct control of the devices that are generating and collecting data, regulations and regulators must require companies and governments to limit the generation of data and to provide details on the collection of data from individuals, their devices and their use of services, so as to inform the necessary democratic and legal debates that must decide what constitutes fair and lawful processing.
Industry must ensure that their government transparency reports (on access by law enforcement) include reporting on data that is not under the control of individuals, including requests on device-level data and activities arising from device-level data. As a result, we would like to see more device manufacturers and related service providers issue transparency reports about government access, and governments must lift restrictions on publication of this data so we can know the forces that may shape our technologies and use.