Jasmine McNealy, Fellow – Berkman Klein Center for Internet & Society; Assistant Professor – University of Florida

Threat Index: helping users assess personal data risk

Users must be able to understand the risk associated with personal data collection

 
 

problem

Consent is often used as the framework for determining whether a user has adequate control over the collection and use of, and access to, their personal data. But users often consent without understanding the risks to their personal data. What’s more, much of the time, users do not have a true understanding of all the data at risk or the organizations able to access it. Therefore, any consent obtained is not meaningful consent because users do not have a clear idea of what can or will happen with their data.

solution

This system informs the user about the data that may be collected and the associated level of risk. This means, from the outset, the user is provided with a menu of the personal data that may be collected and the “threat-levels” associated with this data. From this menu, users may choose the personal data that an organization is allowed to collect. But this is not the end of user choice. From there, the user is shown a similar menu of the possible uses of the personal data, the organizations that may have access to it, as well as the threat levels related to these. The user may then make choices related to these explanations.


The overall theme related to this concept considers many of the overarching data protection principles as expressed in the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other emergent privacy legislation connected to user choice, control, and explainability.

WHO IS THIS FOR?

This system is for all users who use data-gathering websites or mobile applications. This functionality could be implemented as a browser and/or settings extension and would function as an alert to users who have recently downloaded an app or navigated to a new site.

Scenario

Dali downloads the latest popular mobile game to her phone. Once she taps the game’s thumbnail, a notice from settings pops up showing her a menu of the data the app will want to collect and the threat level associated with each kind and combination of data.

The data menu shows the user the kinds of data an app needs, the kind it wants, and the kind that may be made accessible to 3rd parties along with the related threat level.


Swiping left allows her to choose which data she allows the app to access. Another swipe left will provide an idea of any third-party organizations who may have access to her data. A last swipe would allow her to choose the data she allows the app to use.