A METHODOLOGICAL APPROACH TO PRIVACY BY DESIGN WITHIN THE CONTEXT OF LIFELOGGING TECHNOLOGIES.

Author: Mihaildis, Alex
  1. INTRODUCTION (1,2)

    By 2050, the number of people aged 60 and older will more than double from its current levels, reaching around 2 billion. (3) Population aging is a global phenomenon and governments around the world are seeking ways to meet the increasing demands placed on their public health systems, as well as medical and social services. One area of particular concern is how to address chronic illnesses, injuries, and disabilities in a cost-efficient manner while, at the same time, respecting the needs of the frail and the sick, as well as their caregivers.

    Lifelogging is one technology that holds promise to manage some of the concerns raised by population aging. Lifelogging, also known as "quantified self," "wearable computing," or "personalized informatics," refers to "the practice of gathering data about oneself on a regular basis and then recording and analysing [sic] the data to produce statistics and other data." (4) This technology is possible because of the concurrent development of sensor technology, data transmission, and storage technology alongside new search and artificial-intelligence techniques. (5) Generally, it involves the mining or inferring of valuable knowledge about life activities and human health through the seamless and ubiquitous collection of data uncovered in everyday life. (6)

    Within the healthcare context, lifelogging can be utilized for a number of different purposes such as to predict and prevent disease, provide personalized healthcare, offer wellness monitoring for chronic conditions, and give support to formal and informal caregivers. (7) By utilizing a multiplicity of sensor-based systems, often found within the home environment or worn by the individual, these technologies are able to assist older, frailer, or chronically sick individuals to maintain their physical fitness, nutrition, social activity, and cognitive engagement, so they can function without institutional assistance for longer. (8) The advent of these technologies marks a shift towards the point where the home will begin to replace the hospital as a locus for healthcare innovation. (9)

    Although lifelogging technologies offer major opportunities to improve efficiency and care in the healthcare setting, there are many aspects of these devices that raise serious privacy concerns that can undercut their use and further development. (10) For example, third parties can be logged without their knowledge or consent, leading to the unwanted collection of image, speech or location data and raising concerns about serendipitous monitoring of individual behavior and ubiquitous surveillance. (11) Even where an individual consents to the use of lifelogging technologies, there are still concerns that her personal data will be used and shared in unanticipated ways that are harmful or distressing, particularly by those outside of her circle of personal care. (12) Additionally, there are privacy issues related to memory augmentation, and what Anita Allen describes as "pernicious memory" made possible through lifelogging technologies that collect data in a 24/7, ambient and indefinite manner. (13) It is also worth mentioning that lifelogging tools without proper security and authentication systems are vulnerable to attacks that not only put an individual's personal information and reputation at risk, but can also threaten her health and well-being. (14)

    One way to manage privacy concerns raised by lifelogging technologies is through the application of Privacy by Design, an approach that involves the transformation of legal rules, namely those that appertain to privacy and data protection, into information systems. (15) This approach presupposes that there are guidelines or methodologies for reliably embodying values like privacy into software systems. (16) Current approaches to Privacy by Design, however, lack methodological rigor, and some have even been described as "mere Band-Aids, after the fact applications of either security controls or notice/choice controls." (17) The result is that Privacy by Design, in its current incarnation, is much "more a concept than a technique." (18)

    This paper will explore ways to develop a Privacy by Design methodology within the context of Ambient Assistive Living (AAL) technologies like lifelogging. It will set forth a concrete, methodological approach towards incorporating privacy into all stages of a lifelogging system's development. The methodology begins with a contextual understanding of privacy, relying on theoretical and empirical studies conducted by experts in human-computer relations. It then involves an analysis of the relevant black-letter law. A systematic approach as to how to incorporate the requisite legal rules into lifelogging devices is then presented, taking into account the specific design elements of these kinds of systems.

    At the outset, however, it should be made clear that this methodology is not a Holy Grail: an end-all solution to the urgent and serious privacy problems produced by lifelogging technologies utilized in the healthcare context is unlikely, at least for some time to come. It is equally unlikely that the approach set forth herein will be singularly acceptable to a wide audience, particularly given the extensive debate, discussed more below, surrounding whether, and to what extent, privacy laws can be engineered or automated. (19) Rather, the main goal of this work is to review, critique, and synthesize current, more general approaches to Privacy by Design and offer a humble, slightly more precise, path forward for the people on the ground who are struggling with how to embed legal rules concerning privacy into these tools in a coherent and systematic way. (20) In other words, this methodology offers a pragmatic means through which multiple stakeholders can come together, share their knowledge and create functional lifelogging devices that respect privacy, at least (hopefully) more so than those currently on the market.

  2. THE CONCEPT OF PRIVACY BY DESIGN

    Privacy by Design is "the philosophy and approach of embedding privacy into the design specifications of various technologies." (21) It can be more precisely defined "as practical measures, in the form of technological and design-based solutions, aimed at bolstering privacy/data protection laws, better ensuring or almost guaranteeing compliance, and minimizing the privacy-intrusive capabilities of the technologies concerned." (22) It involves the coordination of multiple stakeholders such as engineers, managers, lawyers, policymakers, psychologists, end-users, and executives within an organization and asks them to share responsibility for achieving privacy goals. (23) In this way, Privacy by Design can be seen as embracing a proactive approach to law that seeks to grapple with concerns about emerging and disruptive technologies by anticipating and addressing privacy problems before they can occur. (24)

    The General Data Protection Regulation (GDPR) has recently designated Privacy by Design as a core requirement and recognizes that it is a vital tool for the protection of privacy. (25) Here, it must be emphasized that Privacy by Design has hitherto not been considered a separate legal obligation in European law, but as a mechanism that can be used to achieve the aims of privacy laws. (26) The transformation of the concept from a voluntary tool to a mandatory legal requirement is a recognition of the fact that embedded legal rules are necessary to ensure compliance with policy decisions and legislation surrounding privacy and data protection. (27)

    In 2010, Ann Cavoukian, Information and Privacy Commissioner of Ontario, declared that Privacy by Design is based on seven foundational principles: proactive not reactive; privacy as the default configuration; privacy embedded into the design; privacy as additional (not reduced) functionality; end-to-end data security; visibility/transparency; and respect for the privacy of the individual user. (28) Over time, however, these principles have been subjected to criticism. For example, Dag Wiese Schartum refers to them as "slogans" rather than "analytic lines of actions" and states, "their values are quite limited as process description and recipe of how to attain privacy by design successes." (29) In his research, Schartum emphasizes the need for a clear method to make good privacy designs for information systems. (30) Likewise, Deirdre Mulligan and Jennifer King lament the lack of methods and tools to aid in translating privacy into design. (31)

    In the engineering realm, the concept of Privacy by Design also faces substantial criticism. Cathal Gurrin contends the concept lacks detail about how to actually implement it in practice, especially while meeting the functional requirements of the system under development. (32) Sarah Spiekermann echoes Gurrin, stating that the concept of Privacy by Design presents "immense challenges" and suggesting that the lack of an agreed-upon methodology to support the systematic engineering of privacy into systems is a central problem. (33) Majed Alshammari and Andrew Simpson painstakingly list specific challenges to engineering Privacy by Design, such as the complexity and variability of privacy issues and a lack of systematic methods that identify privacy concerns in a meaningful manner. (34)

    In the United States, the Federal Trade Commission (FTC) has issued guidelines emphasizing the importance of consumer choice and transparency in data practices. (35) In a nod towards Privacy by Design, it calls for "[c]ompanies [to] incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention and disposal practices, and data accuracy." (36) In the European Union, Recital 78 of the GDPR offers engineers the following advice: use techniques like data minimization and pseudonymization. (37) There can be no doubt, however...
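Recital 78 names data minimization and pseudonymization but does not show what either looks like for a lifelog record. The following Python is an added example written for this page, not code from the article or from any lifelogging product it discusses. It assumes a constructed home-sensor event (all values invented), a hypothetical allow-list of fields that a step-count service legitimately needs, and a placeholder secret key that in a real deployment would be held by the data controller and never by the analytics service.

```python
import hashlib
import hmac
import json
from typing import Any

# Constructed sample event, as a home-sensor gateway might emit it.
# Every value here is made up for this example.
RAW_EVENT: dict[str, Any] = {
    "subject_id": "patient-00417",
    "timestamp": "2024-03-02T07:41:09Z",
    "sensor": "wrist-accelerometer",
    "steps": 37,
    "location": {"lat": 43.6629, "lon": -79.3957},  # roughly 10 m precision
    "room_image_b64": "<image bytes omitted>",         # may capture a bystander
    "bystander_voice_clip_b64": "<audio bytes omitted>",
}

# Data minimization: a hypothetical allow-list of what the activity service
# needs. Anything not listed (raw images, third-party audio, the direct
# identifier) never leaves the gateway.
ALLOWED_FIELDS = {"timestamp", "sensor", "steps", "location"}

# Placeholder key for the demonstration only; a real key is generated at
# random, stored by the controller, and rotated under its own policy.
DEMO_KEY = b"replace-with-a-random-32-byte-secret"


def pseudonymize_id(subject_id: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Same id + same key -> same token, so a
    longitudinal record per person is still possible; without the key the token
    cannot be mapped back. An unkeyed SHA-256 would be brute-forceable because
    patient identifiers come from a small, guessable space."""
    return hmac.new(key, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def coarsen_location(loc: dict[str, float], decimals: int = 2) -> dict[str, float]:
    """Round coordinates to about 1 km so the record reveals a neighbourhood,
    not a street address. Precision reduction is minimization applied to a
    field the service does need, rather than dropping the field outright."""
    return {"lat": round(loc["lat"], decimals), "lon": round(loc["lon"], decimals)}


def minimize_and_pseudonymize(event: dict[str, Any], key: bytes) -> dict[str, Any]:
    """Produce the record that may be shared with the analytics service."""
    out = {k: v for k, v in event.items() if k in ALLOWED_FIELDS}
    out["subject_token"] = pseudonymize_id(event["subject_id"], key)
    if "location" in out:
        out["location"] = coarsen_location(out["location"])
    return out


def dropped_fields(event: dict[str, Any]) -> set[str]:
    """Which raw fields the allow-list removed; useful for a privacy review log."""
    return set(event) - ALLOWED_FIELDS


if __name__ == "__main__":
    shared = minimize_and_pseudonymize(RAW_EVENT, DEMO_KEY)
    print(json.dumps(shared, indent=2))
    print("dropped:", sorted(dropped_fields(RAW_EVENT)))
```

Two points the code makes that the recital does not: pseudonymization is only as strong as the custody of the key (the controller can still re-identify, so the output remains personal data under the GDPR), and minimization is a per-field decision, not a single switch, which is exactly the kind of design choice the methodology in this paper is meant to make explicit.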
