2.13 Privacy in the connected world

Digital Services and Markets

The efficient markets hypothesis states that the market finds the correct price based on available information. Financial Markets only work when information is freely available for all or gathered under the same rules. However, we have to face the fact that information in the internet is not equally available or distributed in the ecosystem. Personal information is gathered by multiple means, correlated within huge databases and analyzed with the available big data algorithms. On the upside this information gathering allows to analyze and human behavior for a social benefit. On the other side this data can be exploited by entities to gain an advantage over competitors in the market, and most importantly, by combining several sources, behavior can be traced back or attributed to a single person.

The digital markets act thus looks out to enforce privacy by so called „soft“ privacy means, which is based on compliance, consent, controls and audits. If a user has given consent to a certain type of data processing, companies make sure that their service offering complies with the the official regulations. Service provider are seen as „trusted“ entities.

Personal data is characterized by asymmetric interest. For each single person it’s own data is very important and valued high. For companies a single dataset is rather uninteresting, but rather Metadata is available and can be gathered from many sources. Looking at it from a different angle: (Protocol-) Metadata can be used in various ways to combine data sources and to draw conclusions, and it is the most underestimated privacy risk that currently exists in reality. It remains thus doubtful if a single entity would be willing to sell it’s data to companies, as the expected price will not be paid. For economic reasons there will always be an over-supply of personal data, and thus the price of each single data set can be expected to be very low. Individuals will thus not be able to „sell“ their data, except when special circumstance are in place (e.g. VIP persons need additional protection). Unfortunately, for this kind of special data, it is in consequence highly desirable to apply stronger protective means.

For these cases so called „hard“ privacy means need to be enforced, which go beyond the standard GDPR regulations. These technologies do not establish „trusted“ entities, instead data is protected by reducing and minimizing data and trusted parties, possibly working in/on encrypted data and platforms.

The problem of collusion

The underlying problem of many data sources emanates from the fact that the collection and correlation of data allows companies to draw conclusions even if each data record has been pseudonymized. The effect is called collusion and exists also as an cybersecurity threat: over time multiple sources or access rights are collected, which in the end may lead to more knowledge than required, also known as "access creep".

Even for companies the problem of meta-data and collusion exists: In common B2B scenarios transactions are covered by contractual work and terms of service. However, as companies grow, they also become attractive for a take over of e.g. competitors. Although the primary business objective could still be covered by the contract, the now available metadata could be an attractive source of information. In addition, the terms of service could be changed on the longer term. How fast can companies switch their technology to an alternative provider, e.g. if an supplier has been bought by an competitor? Hence in addition we can identify the need data portability and of course for common rules and guidelines as they are defined by the IDSA. Although this example may sound artificially constructed, companies to have the obligation to protect the personal data of their customers.

In addition companies not only have to protect the data of their customers. Also the data of their employees need protection for two reasons: First of all being able to track employees and their activities at each step during a process can be seen as a mode of surveillance. Although an enterprise needs to know how well it’s processes are running to improve over time, it should not be possible to attribute it to a single person, but rather on groups. E.g. during the preparation/execution of a phishing simulation, it must be ensured that the results conform to the privacy regulations of the EU. At least in Germany the workforce is organized by intra-company work council, which has to be involved whenever data is collected and possible surveillance scenarios emerge.

Secondly, protecting the privacy of the workforce also protects the customers. As an example: a military camp has been discovered in the internet only because the location of fitness trackers of the employees have been mapped to a card. The regular updates showed the running path in the midst of a forest, where usually no such activities would take place. In addition in cybersecurity settings operators of service providers usually have access to the data of the customer. Protecting the privacy of the workforce minimizes the impact of potential fraud or blackmailing. Furthermore good security practices like four-eye principle and separation of duties ensure that data or money loss can be avoided.