Category Archives: privacy

How to improve how we prove; from paper-and-ink to digital verified attributes

'Stamp of Approval' by Sudhamshu Hebbar, CC-BY 2.0

Personal information management services (PIMS) are an emerging class of digital tools designed to help people manage and use data about themselves. At the core of this is information about your identity and credentials, without which you cannot prove who you are or that you have certain attributes. This is a boring but necessary part of accessing services, claiming benefits and compensation, and a whole range of other general ‘life admin’ tasks.

Currently the infrastructure for managing these processes is stuck somewhere in the Victorian era, dominated by rubber stamps, handwritten signatures and paper forms, dealt with through face-to-face interactions with administrators and shipped around through snail mail. A new wave of technology aims to radically simplify this infrastructure through digital identities, certificates and credentials. Examples include GOV.UK Verify, the UK government identity scheme, and services like MiiCard and Mydex which allow individuals to store and re-use digital proofs of identity and status. The potential savings from these new services are estimated at £3 billion in the UK alone (disclosure: I was part of the research team behind this report).

Yesterday I learned a powerful first-hand lesson about the current state of identity management, and the dire need for PIMS to replace it. It all started when I realised that a train ticket, which I’d bought in advance, would be invalid because my discount rail card expired before the date of travel. After discovering I could not simply pay off the excess to upgrade to a regular ticket, I realised my only option would be to renew the railcard.

That may sound simple, but it was not. To be eligible for the discount, I’d need to prove to the railcard operator that I’m currently a post-graduate student. They require a specific class of (very busy) University official to fill in, sign and stamp their paper form and verify a passport photo. There is a semi-online application system, but this still requires a University administrator to complete the paperwork and send a scanned copy, and then there’s an additional waiting time while a new railcard is sent by post from an office in Scotland.

So I’d need to make a face-to-face visit to one of the qualified University administrators with all the documents, and hope that they are available and willing to deal with them. Like many post-graduate students, I live in a different city, so this involves a 190-minute, £38 train round-trip. When I arrive, the first administrator I ask to sign the documentation tells me that I will have to leave the documentation with their office for an unspecified number of days (days!) while they ‘check their system’ to verify that I am who I say I am.

I tried to communicate the absurdity of the situation: I had travelled 60 miles to get a University-branded pattern of ink stamped on a piece of paper, in order to verify my identity to the railcard company, but the University administrators couldn’t stamp said paper because they needed several days to check a database to verify that I exist and I am me – while I stand before them with my passport, driver’s license, proof of address and my student identity card.

Finally I was lucky enough to speak to another administrator whom I know personally, who was able to deal with the paperwork in a matter of seconds. In the end, the only identity system which worked was a face-to-face interaction predicated on interpersonal trust; a tried-and-tested protocol which pre-dates the scanned passport, the Kafka-esque rubber stamp, and the pen-pushing Victorian clerk.

Here’s how an effective digital identity system would have solved this problem. Upon enrolment, the university would issue me with a digital certificate, verifying my status as a postgraduate, which would be securely stored and regularly refreshed in my personal data store (PDS). When the time comes to renew my discount railcard, I would simply log in to my PDS and accept a connection from the railcard operator’s site. I pay the fee and they extend the validity of my existing railcard.

From the user experience perspective, that’s all there is to it – a few clicks and it’s done. In the background, there’s a bit more complexity. My PDS would receive a request from the railcard operator’s system for the relevant digital certificate (essentially a cryptographically signed token generated by the University’s system). After verifying the authenticity of the request, my PDS sends a copy of the certificate. The operator’s back-end system then checks the validity of the certificate against the public key of the issuer (in this case, the university). If it all checks out, the operator has assurance from the University that I am eligible for the discount. It should take a matter of seconds.

From a security perspective, it’s harder to fake a signature made out of cryptography than one made out of ink (ironically, it would probably have been less effort for me to forge the ink signature than to obtain it legitimately). Digital proofs can also be better for privacy, as they reveal the minimal amount of information about me that the railcard operator needs to determine my eligibility, and the data is only shared when I permit it.
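The exchange sketched above (university issues a signed token, the PDS stores and forwards it, the operator checks it against the issuer’s public key) can be made concrete in a few dozen lines. The following is an added illustration, not code from any of the services named in the post; the issuer name, subject identifier, attribute label and Ed25519 signatures are all assumptions chosen for the example. It also shows the minimal-disclosure point: the credential carries only the attribute and an expiry, not the student record behind it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is the minimal claim the issuer vouches for. Name, course and
// student record are deliberately absent: the relying party only needs to
// know that the holder has the attribute and until when. All field values
// used below are constructed placeholders.
type Credential struct {
	Issuer    string `json:"issuer"`    // hypothetical issuer identifier
	Subject   string `json:"subject"`   // opaque identifier held in the PDS
	Attribute string `json:"attribute"` // e.g. "postgraduate-student"
	NotAfter  int64  `json:"not_after"` // Unix time; the PDS refreshes before this
}

// SignedCredential is what the personal data store keeps and forwards.
type SignedCredential struct {
	Payload   []byte `json:"payload"`   // JSON encoding of Credential
	Signature string `json:"signature"` // base64 Ed25519 signature over Payload
}

// Issue runs on the university side: encode the claim, sign the bytes.
func Issue(priv ed25519.PrivateKey, c Credential) (SignedCredential, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return SignedCredential{}, err
	}
	sig := ed25519.Sign(priv, payload)
	return SignedCredential{
		Payload:   payload,
		Signature: base64.StdEncoding.EncodeToString(sig),
	}, nil
}

// Verify runs on the relying party's side. The signature is checked against
// the issuer's public key before anything in the payload is trusted; then
// issuer, attribute and expiry are checked at the supplied time. No call
// back to the university is needed.
func Verify(issuerPub ed25519.PublicKey, sc SignedCredential,
	wantIssuer, wantAttr string, now time.Time) (Credential, error) {
	sig, err := base64.StdEncoding.DecodeString(sc.Signature)
	if err != nil {
		return Credential{}, fmt.Errorf("bad signature encoding: %w", err)
	}
	if !ed25519.Verify(issuerPub, sc.Payload, sig) {
		return Credential{}, errors.New("signature does not verify against issuer key")
	}
	var c Credential
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return Credential{}, err
	}
	switch {
	case c.Issuer != wantIssuer:
		return Credential{}, errors.New("credential issued by a different issuer")
	case c.Attribute != wantAttr:
		return Credential{}, errors.New("credential does not assert the required attribute")
	case now.Unix() > c.NotAfter:
		return Credential{}, errors.New("credential has expired")
	}
	return c, nil
}

func main() {
	// Enrolment: the university generates its signing key (once) and issues
	// the student a credential, which the PDS stores.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	cred := Credential{Issuer: "example-university", Subject: "pds-owner-42",
		Attribute: "postgraduate-student", NotAfter: now.AddDate(1, 0, 0).Unix()}
	sc, _ := Issue(priv, cred)

	// Renewal: the railcard operator receives the credential from the PDS
	// and verifies it using only the university's public key.
	if _, err := Verify(pub, sc, "example-university", "postgraduate-student", now); err == nil {
		fmt.Println("eligible: discount can be applied")
	}
	// A single altered byte in the payload invalidates the signature.
	forged := SignedCredential{Payload: append([]byte(nil), sc.Payload...), Signature: sc.Signature}
	forged.Payload[len(forged.Payload)-2] ^= 0x01
	_, err = Verify(pub, forged, "example-university", "postgraduate-student", now)
	fmt.Println("tampered credential rejected:", err != nil)
}
```

The order of checks in Verify matters: the signature is verified over the raw bytes before they are parsed, so a relying party never acts on fields from a payload whose origin has not been established. Revocation (a student who leaves mid-year) is handled here only by the short expiry the PDS must refresh, which is the simplest scheme and the one the post describes.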

Identity infrastructure is important for reasons beyond convenience and security – it’s also about equality and access. I’m lucky that I can afford to pay the costs when these boring parts of ‘life admin’ go wrong – paying for a full price ticket wouldn’t have put my bank balance in the red. But if you’re at the bottom of the economic ladder, you have much more to lose when you can’t access the discounted services, benefits and compensation you are entitled to. Reforming our outdated systems could therefore have a disproportionately positive impact for the least well-off.

Public Digital Infrastructure: Who Pays?

Glen Canyon Bridge & Dam, Page, Arizona, by flickr user Thaddeus Roan under CC-BY 2.0

Every day, we risk our personal security and privacy by relying on lines of code written by a bunch of under-funded non-profits and unpaid volunteers. These essential pieces of infrastructure go unnoticed and under-funded; that is, until they fail.

Take OpenSSL, one of the most common tools for encrypting internet traffic. It means that things like confidential messages and credit card details aren’t transferred as plain text. It probably saves you from identity fraud, theft, stalking, blackmail, and general inconvenience dozens of times a day. At the time when a critical security flaw (known as ‘Heartbleed’) was discovered in OpenSSL’s code last April, there was just one person paid to work full-time on the project – the rest of it being run largely by volunteers.

What about the Network Time Protocol? It keeps most of the world’s computers’ clocks synchronised so that everything is, you know, on time. NTP has been developed and maintained over the last 20 years by one university professor and a team of volunteers.

Then there is OpenSSH, which is used to securely log in to remote computers across a network – used every day by systems administrators to keep IT systems, servers, and websites working whilst keeping out intruders. That’s maintained by another under-funded team who recently started a fundraising drive because they could barely afford to keep the lights on in their office.

Projects like these are essential pieces of public digital infrastructure; they are the fire brigade of the internet, the ambulance service for our digital lives, the giant dam holding back a flood of digital sewage. But our daily dependence on them is largely invisible and unquantified, so it’s easy to ignore their importance. There is no equivalent to pictures of people being rescued from burning buildings. The image of a programmer auditing some code is not quite as visceral.

So these projects survive on small handouts, occasionally large ones from large technology companies. Whilst it’s great that commercial players want to help secure the open source code they use in their products, this alone is not an ideal solution. Imagine if the ambulance service were funded by ad-hoc injections of cash from various private hospitals, who had no obligation to maintain their contributions. Or if firefighters only got new trucks and equipment when some automobile manufacturer thinks it would be good PR.

There’s a good reason to make this kind of critical public infrastructure open-source. Proprietary code can only be audited behind closed doors, so that means everyone who relies on it has to trust the provider to discover its flaws, fix them, and be honest when they fail. Open source code, on the other hand, can be audited by anyone. The idea is that ‘many eyes make all bugs shallow’ – if everyone can go looking for them, bugs are much more likely to be found.

But just because anyone can, that doesn’t mean that someone will. It’s a little like the story of four people named Everybody, Somebody, Anybody, and Nobody:

There was an important job to be done and Everybody was sure that Somebody would do it. Anybody could have done it, but Nobody did it. Somebody got angry about that because it was Everybody’s job. Everybody thought that Anybody could do it, but Nobody realized that Everybody wouldn’t do it. It ended up that Everybody blamed Somebody when Nobody did what Anybody could have done.

Everybody would benefit if Somebody audited and improved OpenSSL/NTP/OpenSSH/etc, but Nobody has sufficient incentive to do so. Neither proprietary software nor the open source world is delivering the quality of critical public digital infrastructure we need.

One solution to this kind of market failure is to treat critical infrastructure as a public good, deserving of public funding. Public goods are traditionally defined as ‘non-rival’, meaning that one person’s use of the good does not reduce its availability to others, and ‘non-excludable’, meaning that it is not possible to exclude certain people from using it. The examples given above certainly meet these criteria. Code is infinitely reproducible at nearly zero marginal cost, and its use, absent any patents or copyrights, is impossible to constrain.

The costs of creating and sustaining a global, secure, open and free-as-in-freedom digital infrastructure are tiny in comparison to the benefits. But direct, ongoing public funding for those who maintain this infrastructure is rare. Meanwhile, we find that billions have been spent on intelligence agencies whose goal is to make security tools less secure. Rather than undermining such infrastructure, governments should be pooling their resources to improve it.


Related: The Linux Foundation has an initiative to address this situation, with the admirable backing of some industry heavyweights http://www.linuxfoundation.org/programs/core-infrastructure-initiative/
While any attempt to list all the critical projects of the internet is likely to be incomplete and lead to disagreement, Jonathan Wilkes and volunteers have nevertheless begun one https://wiki.pch.net/doku.php?id=pch:public:critical-internet-software

A Study of International Personal Data Transfers

Whilst researching open registers of data controllers, I was left with some interesting data on international data transfers which didn’t make it into my main research paper. This formed the basis of a short paper for the 2014 Web Science conference which took place last month.

The paper presents a brief analysis of the destinations of 16,000 personal data transfers from the UK. Each ‘transfer’ represents an arrangement between a data controller in the UK to send data to a country located overseas. Many of these destinations are simply listed by the rather general categories of ‘European Economic Area’ or ‘Worldwide’, so the analysis focuses on just those transfers where specific countries were mentioned.

I found that even when we adjust for the size of their existing UK export market, countries whose data protection regimes are approved as ‘adequate’ by the European Commission had higher rates of data transfers. This indicates that easing legal restrictions on cross-border transfers does indeed positively correlate with a higher number of transfers (although the direction of causation can’t be established). I was asked by the organisers to produce a graphic to illustrate the findings, so I’m sharing that below.

[Graphic: destinations of UK personal data transfers]

Snowden, Morozov and the ‘Internet Freedom Lobby’

The dust from whistleblower Edward Snowden’s revelations has still not settled, and his whistle looks set to carry on blowing into this new year. Enough time has elapsed since the initial furore to allow us to reflect on its broader implications. One interesting consequence of the Snowden story is the way it has changed the debate about Silicon Valley and the ‘internet freedom’ lobby. In the past, some commentators have (rightly or wrongly) accused this lobby of cosying up to Silicon Valley companies and preaching a naive kind of cyberutopianism.

The classic proponent of this view is the astute (though unnecessarily confrontational) journalist Evgeny Morozov, but variations on his theme can be found in the work of BBC documentarian-in-residence Adam Curtis (whose series ‘All Watched Over by Machines of Loving Grace’ wove together an intellectual narrative from 60s-era hippies, through Ayn Randian libertarianism, to modern Silicon Valley ideology). According to these storytellers, big technology companies and non-profit groups have made Faustian bargains based on their perceived mutual interest in keeping the web ‘free from government interference’. In fact, they say, this pact only served to increase the power of both the state and the tech industry, at the expense of democracy.

Whilst I agree (as Snowden has made clear) that modern technology has facilitated something of a digital land grab, the so-called ‘internet freedom lobby’ are not to blame. One thing that was irksome about these critiques was the lack of distinction between parts of this ‘lobby’. Who exactly are they talking about?

Sure, there are a few powerful ideological libertarians and profiteering social media pundits in the Valley, but there has long been a political movement arguing for digital rights which has had very little to do with that ilk. Morozov’s critique always jarred with me whenever I came across one of the many principled, privacy-conscious technophiles who could hardly have been accused of Randian individualism or cosying up to powerful elites.

If there is any truth in the claim, it is this: on occasion, the interests of internet users have coincided with the interests of technology companies. For instance, when a web platform is forced to police behaviour on behalf of the Hollywood lobby, both the platform and its users lose. More broadly, much of the free/libre/open source world is funded directly or indirectly from the profits of tech companies.

But the Snowden revelations have driven a rhetorical wedge further between those interests. Before Snowden, people like Morozov could paint digital rights activists as naive cheerleaders of tech companies – and in some cases they may have been right. But they ignored the many voices in those movements who stood both for the emancipatory power of the web as a communications medium, and against its dangers as a surveillance platform. After Snowden, the privacy wing of the digital rights community has taken centre stage and can no longer be ignored.

At a dialectical level, Silicon Valley sceptics like Morozov should be pleased. If any of his targets in the digital rights debate have indeed been guilty of naivety about the dangers of digital surveillance, the Snowden revelations have shown them the cold light of day and proved Morozov right. But in another sense, Snowden proved him wrong. Snowden is a long-term supporter of the Electronic Frontier Foundation, whose founders and supporters Morozov has previously mocked. Snowden’s revelations, and their reception by digital rights advocates, show that they were never soft on digital surveillance, by state or industry.

Of course, one might say Snowden’s revelations were the evidence that Morozov needed to finally silence any remaining Silicon Valley cheerleaders. As he said in a recent Columbia Journalism Review interview: “I’m destroying the internet-centric world that has produced me. If I’m truly successful, I should become irrelevant.”

Why DRM is not a technical solution to privacy

Recently I’ve heard a number of people suggest that personal data might be protected using ‘digital rights management’, the same technology that some copyright owners use to ‘protect’ ‘their’ content (apologies for excessive scare-quotes but I think they are necessary in this instance). The idea is that content or data is transferred to the user in a proprietary format (often with encryption), which can only be played or used by related proprietary software or hardware and relevant decryption keys. Thus, in theory, the content ‘owner’ (or the individual data subject, in the privacy protection scenario) is able to ensure the content/data is only accessible to licensed users for a restricted range of uses. In practice, DRM content is invariably cracked and unlocked, after which it can be copied, shared and used without restriction.

I’m sceptical as to whether ‘DRM for privacy’ could ever really work as a purely technical fix to the privacy problem. As far as I can see, the proposals either amount to simple encryption of user data (which certainly has a role in protecting privacy, but has existed for years without being called ‘DRM’), or else they involve some additional policy proposal or trust arrangement which goes beyond the technology and enters into the contractual / legal / regulatory arena.

For instance, a recent DRM-for-privacy proposal from Microsoft Research engineer Craig Mundie goes something like this. Personal data (e.g. health records) are encrypted before being sent to a third party (let’s say, a medical researcher) for processing. The encrypted package comes with some additional metadata wrapper, explaining the terms and conditions for use, and some kind of consent mechanism so the data processor can express their consent, whereafter the data becomes accessible.

This sounds nice in theory but in order to work, the terms would need to be legally binding and enforceable. Unless there is some sort of audit trail, and a credible threat for non-compliance, there’s nothing to stop the processor simply clicking ‘I agree’ and then ignoring the terms. Encryption only protects the data up to the point at which the data’s terms-of-use clickwrap is ripped open. And if the whole motivation for adopting DRM in the first place was that you don’t trust the entity you’re giving data to, it becomes pointless. Cory Doctorow put it thus:

For “privacy DRM” to work, the defender needs to be in a position to dictate to the attacker the terms on which he may receive access to sensitive information. For example, the IRS is supposed to destroy your tax-records after seven years. In order for you to use DRM to accomplish the automatic deletion of your records after seven years, you need to convince the IRS to accept your tax records inside your own DRM wrapper.

But the main reason to use technology to auto-erase your tax-records from the IRS’s files is that you don’t trust them to honor their promise to delete the records on their own. You are already adversarial to the IRS, and you are already subject to the IRS’s authority and in no position to order it to change its practices. The presence or absence of DRM can’t change that essential fact.

Talking about encryption, ‘metadata wrappers’ and DRM makes Mundie’s proposal sound like a nice, stand-alone technical solution, but ultimately it relies on further legal, social and technical infrastructure to work in practice. All the encryption does is protect your data while it’s in transit, and all the terms-of-use wrapper does is let them know your preferences. Unless there’s something in current DRM-for-privacy proposals that I have missed – in which case, I’d be very keen to learn more. But I can’t find any more detailed proposals from Mundie or anyone else.

As well as being a little misleading on a technical level, I’m also suspicious about the motivation behind slapping the DRM label onto this proposal. Those who would like to protect their business models with DRM have a vested interest in classifying any kind of socially useful technology which vaguely resembles it as such. That way they can refer to ‘enhanced privacy’ as one of the consumer benefits of DRM, whilst sweeping its more damaging aspects under the carpet.

Looking for a cloud I can call my own

Dusk Cloud Mountains, By DeviantArt User Akenator http://akenator.deviantart.com/ under a Creative Commons Attribution 3.0 License

The term ‘cloud computing’ refers to the idea that programs, processing and data storage can be run on a connected remote server rather than happening on your personal computer device. It was coined in the 1990s by Irish entrepreneur Sean O’Sullivan, but didn’t achieve true buzzword ubiquity until the late 2000s.

The term is still vague, despite attempts by the European Union to give it a concrete definition. To me, it simply means that the code I’m using and interacting with is happening on a computer that isn’t in my nearby physical space. But this lack of proximity to the physical location of the code can be worrying. Usually it means it’s happening on a server thousands of miles away that you have no control over. Can you trust that the code is safe, and not working against you? Who else might see your data when it’s stored in the cloud?

Despite these fears, most of us have embraced the cloud, using cloud storage providers like Google and Dropbox and installing mobile apps which store our data and process it remotely. But what is the alternative? One option is to store all your files and run applications on your own hardware. But many applications are cloud-only, and it is hard to make backups and integrate multiple devices (laptop, tablet, phone) without syncing via a cloud. Another is to encrypt all your data before you upload it to the cloud, but this can limit its use (the data needs to be decrypted before you can do anything with it).

A better alternative might be for each of us to have our own personal clouds which we can connect to via our personal devices. Personal clouds would be under our control, running on hardware that we own or trust. They could be hosted on lightweight, internet-connected devices kept in safe, private places – perhaps in a safety deposit box in your home. Or they might be hosted somewhere else – by a hosting provider you trust – and be easily packaged up and taken elsewhere if you change your mind.

Over the last few weeks, I’ve been trying to migrate away from my existing cloud storage providers (including Google Drive, Dropbox and Ubuntu One), and experimenting with running my own personal cloud. I’m trying out various free and open-source personal cloud systems, hosted on my own hardware (an old laptop), or on a hosting provider I trust.

Sceptics may say that this option is beyond the technical capability of the vast majority of users. I’d agree – without experience as a system administrator, it wasn’t simple to set up and maintain. But despite a few teething problems, it’s not as hard as I thought. With a bit of help and some improvements in user experience, running your own server could be within the reach of the average user. Just like the motor car and the personal computer, personal clouds don’t need to be fully understood by their owners.

One day, owning your own cloud might be as common as owning your own home (it would certainly be more affordable). And as personal data plays an increasingly important role in our lives, trusting the hardware it’s housed in might be as important as trusting the roof over your head.

I hope to blog further about my journey towards a personal cloud in the coming weeks and months…

What can innovators in personal data learn from Creative Commons?

“License Layers” by Creative Commons, used under Creative Commons Attribution 3.0 License

This post was originally published on the Ctrl-Shift website.

A few weeks ago I attended the Creative Commons global summit, as a member of the CC-UK affiliate team, and came away thinking about lessons for the growing personal data ecosystem.

Creative Commons is a non-profit organisation founded in 2003 to create and promote a set of alternative copyright licenses which allow creative works to be legally shared, remixed and built upon by others. Creators can communicate which rights they want to keep, and which they would like to waive. These licenses are now used in education, cultural archives, science, as well as in commercial contexts. By creating a set of legally robust, standardised and easy-to-use licenses, the organisation has turned a complicated and costly legal headache into a usable piece of public infrastructure fit for the digital age.

What lessons does this movement have for the management and use of personal data? In one sense, managing content is radically different to managing personal data. Consumers generally want to be able to restrict the publication of their personal information, while creative content is generally made for public consumption from the outset. But despite the differences, there are some striking parallels – parallels which point to possible innovations in personal data.

Just as for creative works, personal data bridges technical, legal and human challenges. Personal data is stored, transferred and transformed by technology, in ways that are not always captured by the legal terminology. In turn, the law is usually too complex for humans – whether they be data controllers or individual data subjects themselves – to understand. Creative Commons licenses translate a complex legal tool into something that both humans and machines can understand. There are easy tools to help creators choose the right license for their work, and a simple set of visual icons help users understand what they can do with the work. By attaching metadata to content, search engines and aggregators can automatically find and organise content according to the licenses applied.

There are already pioneering initiatives which attempt to apply aspects of this approach to personal data. One promising area is privacy policies. Much like copyright licenses, these painfully obscure documents are usually written in legalese, and can’t be understood by humans or parsed by computers. Various projects are working to make them machine-readable, and to develop user-friendly icons to represent important clauses – for instance, whether data is shared with third parties. Conversely, if individuals want to create and share data about themselves, under certain conditions, they may need an equivalent easy-to-use license-chooser.

The personal data ecosystem is in need of public, user-friendly, and standardised tools for managing data. The Creative Commons approach shows this can be done for creative works. Can a similar approach work for personal data?

Is Commodify.us an elaborate art joke?

Last week I was sent a link to commodify.us – a new web application where you can upload your data from Facebook, and choose whether to license it directly to marketers or make it available as open data. It’s a neat idea which has been explored by a number of other startups (e.g. Personal.com, YesProfile, Teckler).

Obviously, uploading all of your Facebook data to a random website raises a whole host of privacy concerns – exactly what you’d expect a rock-solid privacy policy / terms-of-service to address. Unfortunately, there doesn’t seem to be any such terms for commodify.us. If you click the Terms of Service button on the registration page it takes you nowhere.

Looking at the page source, the html anchor points to an empty ‘#’ id, which suggests that there is not some problem with the link, but that there was nowhere to link to in the first place; suspicious! If I were serious about starting a service like this, the very first thing I’d do is draft a terms-of-service and privacy policy. Then before launching the website, I’d triple-check to make sure it appears prominently on the registration form.

Looking at the ‘Browse Open Data’ part of the website, you can look at the supposedly de-identified Facebook profiles that other users have submitted. These include detailed data and metadata like number of friends, hometown, logins, etc. The problem is, despite the removal of names, the information on these profiles is almost certainly enough to re-identify the individual in the majority of cases.
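The re-identification worry above is easy to quantify before anything is published: group the released records by the attributes an acquaintance would already know (hometown, rough friend count) and see how many records end up alone in their group. The following is an added illustration, not code from commodify.us or any project mentioned here; the eight profiles are constructed sample data and the attribute choice is an assumption. It also shows the simplest mitigation, banding the exact counts, and measures how much it helps.

```go
package main

import (
	"fmt"
	"sort"
)

// Profile is a constructed stand-in for a "de-identified" submitted record:
// the name has been removed but the attributes the post lists remain.
type Profile struct {
	Pseudonym string
	Hometown  string
	Friends   int
}

// SampleProfiles is constructed sample data, not records from any site.
var SampleProfiles = []Profile{
	{"u1", "Oxford", 312}, {"u2", "Oxford", 318}, {"u3", "Leeds", 45},
	{"u4", "Leeds", 51}, {"u5", "Leeds", 49}, {"u6", "Southampton", 1203},
	{"u7", "Oxford", 330}, {"u8", "Southampton", 1210},
}

// QuasiKey is the combination of attributes someone who already knows the
// person can plausibly match on: hometown plus exact friend count.
func QuasiKey(p Profile) string {
	return fmt.Sprintf("%s|%d", p.Hometown, p.Friends)
}

// ClassSizes counts how many records share each quasi-identifier value.
func ClassSizes(ps []Profile) map[string]int {
	sizes := make(map[string]int)
	for _, p := range ps {
		sizes[QuasiKey(p)]++
	}
	return sizes
}

// MinK returns the smallest equivalence class (the dataset's k-anonymity for
// this key) and how many records are unique, i.e. singled out by the key alone.
func MinK(ps []Profile) (k int, unique int) {
	sizes := ClassSizes(ps)
	k = len(ps)
	for _, n := range sizes {
		if n < k {
			k = n
		}
		if n == 1 {
			unique++
		}
	}
	return k, unique
}

// Generalise is one mitigation: replace exact friend counts with bands of
// the given width so that more records share a key. Precision drops, and so
// does uniqueness.
func Generalise(ps []Profile, band int) []Profile {
	out := make([]Profile, len(ps))
	for i, p := range ps {
		out[i] = Profile{Pseudonym: p.Pseudonym, Hometown: p.Hometown, Friends: (p.Friends / band) * band}
	}
	return out
}

func report(label string, ps []Profile) {
	sizes := ClassSizes(ps)
	keys := make([]string, 0, len(sizes))
	for key := range sizes {
		keys = append(keys, key)
	}
	sort.Strings(keys)
	k, unique := MinK(ps)
	fmt.Printf("%s: k=%d, %d of %d records unique\n", label, k, unique, len(ps))
	for _, key := range keys {
		fmt.Printf("  %-18s %d\n", key, sizes[key])
	}
}

func main() {
	report("exact friend counts", SampleProfiles)
	report("friend counts banded to 100", Generalise(SampleProfiles, 100))
}
```

With exact counts every record in the sample is unique on its key, so removing names alone protects nobody who can be matched on hometown and friend count; after banding, the smallest group has two members. Real releases would need to include every remaining attribute (logins, join date, and so on) in the key, which only makes uniqueness more likely.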

These two glaring privacy issues and technical problems make me think this whole thing might just be an elaborate hoax. In which case, ha ha. Well done, you got me. After digging a little deeper, it looks like the website is a project from Commodify, Inc., an artist-run startup, and Moddr, who describe themselves as:

Rotterdam-based media/hacker/co-working space and DIY/FOSS/OSHW fablab for artgeeks, part of the venue WORM: Institute for Avantgardistic Recreation

They’re behind a few other projects in a similar vein, such as ‘Give Me My Data’. I remembered seeing a very amusing presentation on the Web 2.0 Suicide Machine project by Walter Langelaar a year or two ago.

So I registered using a temporary dummy email address, to have a look around, but I didn’t get to upload my (fake) data because the data upload page says it’s currently being updated. I tried sending an email to the mailing address moderator (listed as tim@moddr.net) but it bounced.

If this is intended as a real service, then it’s pretty awful as far as privacy is concerned. If it’s intended as a humorous art project, then that’s fine – as long as there are no real users who have been duped into participating.

Data on Strike

What happens to a smart city when there’s no access to personal data?

Last week I had the pleasure of attending the Digital Revolutions Oxford summer school, a gathering of PhDs doing research into the ‘digital economy’. On the second day, we were asked to form teams and engage in some wild speculation. Our task was to imagine a news headline in 2033, covering some significant event that relates to the research we are currently undertaking. My group took this as an opportunity to explore various utopian / dystopian themes relating to power struggles over personal data, smart cities and prosthetic limbs.

The headline we came up with was ‘Data Strike: Citizens refuse to give their data to Governments and Corporations’. Our hypothesis was that as ‘smart cities’ materialise, essential pieces of infrastructure will become increasingly dependent on the personal data of the city’s inhabitants. For instance, the provision of goods and services will be carefully calibrated to respond and adjust to the circumstances of individual consumers. Management of traffic flow and transportation systems will depend on uninterrupted access to every individual’s location data. Distributed public health systems will feed back data live from our immune systems to the health authorities.

In a smart city, personal data itself is as critical a piece of infrastructure as you can get. And as any observer of strike action will know, critical infrastructure can quickly be brought to a halt if the people it depends on decide not to co-operate. What would happen in a smart city if its inhabitants decided to go on a data strike? We imagined a city-wide personal data blackout, where individuals turn off or deliberately scramble their personal devices, wreaking havoc on the city’s systems. Supply chains would misfire as targeted consumers disappear from view. Public health monitoring signals would be scrambled. Self-driving cars would no longer know when to pick up and drop off passengers – or when to stop for pedestrians.

We ventured out into the streets of Oxford to see what ‘the public’ thought about our sensational predictions, and whether they would join the strike. I had trouble selling the idea of a ‘data co-operative’ to sceptical passengers waiting at the train station, but was surprised by the general level of concern and awareness about the use of personal data. As a break from dry academic work, this exercise in science fiction was a bit of light relief. But I think we touched on a serious point. Smart cities need information infrastructure, but ensuring good governance of this infrastructure will be paramount. Otherwise we may sleepwalk into a smart future where convenience and efficiency are promoted at the expense of privacy, autonomy and equality. We had better embed these values into smart infrastructure now, while the idea of a data strike still sounds ridiculous.

Thanks to Research Councils UK’s Digital Economy Theme, Know Innovation and the Oxford CDT in healthcare innovation, for funding / organising / hosting the event. More comprehensive coverage can be found over on Chris Phethean’s write-up.

Nudge Yourself

It’s just over five years since the publication of Nudge, the seminal pop behavioural economics book by Richard Thaler and Cass Sunstein. Drawing from research in psychology and behavioural economics, it revealed the many common cognitive biases, fallacies, and heuristics we all suffer from. We often fail to act in our own self-interest, because our everyday decisions are affected by ‘choice architectures’; the particular way a set of options are presented. ‘Choice architects’ (as the authors call them) cannot help but influence the decisions people make.

Thaler and Sunstein encourage policy-makers to adopt a ‘libertarian paternalist’ approach; acknowledge that the systems they design and regulate inevitably affect people’s decisions, and design them so as to induce people to make decisions which are good for them. Their recommendations were enthusiastically picked up by governments (in the UK, the cabinet office even set up a dedicated behavioural insights team). The dust has now settled on the debate, and the approach has been explored in a variety of settings, from pension plans to hygiene in public toilets.

But libertarian paternalism has been criticised as an oxymoron; how is interference with an individual’s decisions, even when in their genuine best interests, compatible with respecting their autonomy? The authors responded that non-interference was not an option. In many cases, there is no neutral choice architecture. A list of pension plans must be presented in some order, and if you know that people tend to pick the first one regardless of its features, you ought to make it the one that seems best for them.

Whilst I’m sympathetic to Thaler and Sunstein’s response to the oxymoron charge, the ethical debate shouldn’t end there. Perhaps the question of autonomy and paternalism can be tackled head-on by asking how individuals might design their own choice architectures. If I know that I am liable to make poor decisions in certain contexts, I want to be able to nudge myself to correct that. I don’t want to rely solely on a benevolent system designer / policy-maker to do it for me. I want systems to ensure that my everyday, unconsidered behaviours, made in the heat-of-the-moment, are consistent with my life goals, which I define in more carefully considered, reflective states of mind.

In our digital lives, choice architectures are everywhere, highly optimised and A/B tested, designed to make you click exactly the way the platform wants you to. But there is also the possibility that they can be reconfigured by the individual to suit their will. An individual can tailor their web experience by configuring their browser to exclude unwanted aspects and superimpose additional functions onto the sites they visit.

This general capacity – for content, functionality and presentation to be altered by the individual – is a pre-requisite for refashioning choice architectures in our own favour. Services like RescueTime, which blocks certain websites for certain periods, represent a very basic kind of user-defined choice architecture which simply removes certain choices altogether. But more sophisticated systems would take an individual’s own carefully considered life goals – say, to eat healthily, be prudent, or get a broader perspective on the world – and construct their digital experiences to nudge behaviour which furthers those goals.

Take, for instance, online privacy. Research by behavioural economist Alessandro Acquisti and colleagues at CMU has shown how effective nudging privacy can be. The potential for user-defined privacy nudges is strong. In a reflective, rational state, I may set myself a goal to keep my personal life private from my professional life. An intelligent privacy management system could take that goal and insert nudges into the choice architectures which might otherwise induce me to mess up. For instance, by alerting me when I’m about to accept a work colleague as a friend on a personal social network.

Next generation nudge systems should enable a user-defined choice architecture layer, which can be superimposed over the existing choice architectures. This would allow individuals to A/B test their decision-making and habits, and optimise them for their own ends. Ignoring the power of nudges is no longer a realistic or desirable option. We need intentionally designed choice architectures to help us navigate the complex world we live in. But the aims embedded in these architectures need to be driven by our own values, priorities and life goals.