Accountable systems: accountability that is as scalable as the growth of personal information about each of us

Danny Weitzner has been thinking about ‘accountability at scale’ for some time.  Along with Tim Berners-Lee he founded the Decentralized Information Group in MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL).

In a new blog “Real Privacy Tools for Big Data” for IAPP’s Privacy Tech, Danny writes that:

“A new approach to privacy management is necessary in order to enable organizations to handle data at scale and simultaneously remain consistent with the high standards of privacy protection.”

He then goes on to set down in his blog “four key features necessary for any information accountability solution:

  1. Common and simple language to create data use rules. Data users and privacy professionals should be able to create and implement rules, without the need for IT support. Changes must also be easy to make and apply automatically to all data. A change in government regulation need not cause major disruptions to the business line owners.
  2. Shared repository of policies and rules that apply to data held across the organization.
  3. Automated, real-time reasoning of data usage against these rules. Manual, point-in-time, procedural audits are not sufficient anymore, no matter how automated the audit reporting might be.
  4. Continuous monitoring and reporting. If privacy adherence exceptions arise, real­-time alerts should be accompanied by an easy-to-understand explanation of why the behavior in question is inappropriate. Privacy professionals should be able to view compliance status at any point in the monitoring.”

Any discussion about Digital Enlightenment will have to consider ways of effective, enforceable, scalable Information Accountability.  CSAIL is making a valuable contribution to developing it.

4 thoughts on “Accountable systems: accountability that is as scalable as the growth of personal information about each of us

  1. digitrusteu March 7, 2015 / 2:55 pm

    A laudable initiative indeed. However, these four point are unfortunately not extremely clear to me:

    Has each company its own shared repository or will we have a standard repository with each company making his own (law compliant) choice from it?

    What does automated, real time reasoning of data usage against these rules mean. How good will it be? Can I trust it?

    Continuous monitoring and reporting to whom and when. Should I expect masses of reports on the use of my data? Or is it only logging for auditing at some stage?

    Like

    • malcolmoz March 7, 2015 / 11:34 pm

      I think the main point of Danny’s work here is to establish the need for automated, scalable accountability processes to match the explosion in the amount of data (including metadata) that is collected on identifiable individuals, how is it used and analysed and with whom is it shared and with what is it combined. This level of accountability is beyond human capability so needs automating. To me, that is the main point of this initiative.

      Who sets the accountability standard, who runs the test (and are they in turn accredited in some way), to whom is the accountable entity actually accountable, how are any errors or violations corrected, enforced and how is any redress provided are all essential elements in the design, be it NZ, AU, EU, US, Japan, Korea, China, global, regional or anywhere else. Whether it is the 1995 EU Directive, the draft EU data protection regulation, the US President’s draft bill of rights, scalability is the question every time. The data and processes behind the tracking of current levels of digital activity are already beyond any current accountability processes and IoT hasn’t even got started yet in any serious way.

      To reiterate: the first thing to do is to recognise that new ways of delivering accountability are needed, which is why I like the challenge thrown out by Danny and his effort at answering his own question. And I know he is open to any challenge for improvement!

      Like

  2. TCole1066 March 7, 2015 / 3:42 pm

    This still begs the question: Who ist responible for setting and enforcing the rules? Whose rules, anyway? America’s? China’s? Saudi Arabia’s? And who will protect us from our protectors?

    Like

  3. digitrusteu March 7, 2015 / 4:51 pm

    Indeed. Who sets and enforces the rules does not seem a popular question in the US. And if they talk about it it is usually selfregulation (and self enforcement?)

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s