"Why we should all change our online selves into 'John Doe'"
We as users are turning into data providers rather than consumers. All the data that we share via social media or give to online services such as purchasing, is stored somewhere … And sadly, some of that data is literally out in the open. Zeki Erkin explains why we should all care about protecting our privacy and why cryptography is the way forward.
‘Posting stuff on social media is like going out to your town’s main square and shouting all your life choices through a megaphone. That’s just what you are doing. You put something online but usually do not set proper controls about who sees it and how it is transmitted to other parties. Everything you do online can perfectly identify you. In the offline world, you probably have a slightly different identity at work than when you are with friends. You choose what information you share and with which person. It’s under your control. Privacy is just that. But in the online world this concept of privacy has not been completely comprehended.’ – Zeki Erkin, TU Delft
So how did the concept of privacy change?
‘Everybody is using online services. Online banking, dating, shopping, we use social media, etc. We have turned into sources of data. Whatever you do or whatever websites you may visit, what you buy, what you read, what you like or post on social media, that is all data which is used to come up with new businesses and better algorithms, mostly aiming for you to spend more money.’
But that's just the online economy, right?
‘Your information usually does not stay with the company that provided the service. If you are OK with the privacy agreement written in tiny font or say ‘yes’ to cookies, the company might have the incentive to sell your data to third parties. Whatever you post on social media is the property of that social media provider for example. To be honest, you don’t really have the option to say ‘no’ either. It’s not like they can offer you a minimal service in that case. Also, your information is stored on foreign servers, and laws in other countries may allow a foreign government access to that information.’
How has this loss of privacy become normal to us?
‘In the past, the internet was used for emails, and people and companies had very primitive, static websites. Now almost everything is done digitally: there is an app for everything and we store our personal documents online; for example, using cloud services. Even hospitals are storing our medical records digitally, which is beneficial if done properly. Things that used to be physical are now digital. Teenagers today, born in the new millennium, have grown up with smart phones. The generations to come will be even more digital. It is really important that we start protecting the privacy of the next generation. To me, privacy is one of the most important human rights. It is also closely related to security. You cannot achieve security without privacy and vice versa. If you give up your privacy, you lose your security.’
'If you give up your privacy, you lose your security'
What might happen if our privacy is not protected?
‘Most people know that posting pictures of tropical beaches on social media while you are still there is an open invitation to burglars. But even if you post them afterwards, many people can see your lavish lifestyle and charge you more for their services. And what about the results from your running app that you happily shared on social media? What if your insurance company analyses that data and decides not to cover physiotherapy for your busted knee. Or, how about the current research on detecting heart-related health problems using advanced image-processing techniques. A few minutes of video is sufficient! Such technology is still under development in the lab, but who knows what kind of information we are leaking by putting images and videos online everyday. Someone may use that ‘cute’ selfie or video you posted for another purpose in the near future.’
Can we protect our privacy while still posting those selfies?
‘We should be in control, we should limit the leakage of information about individuals, and to do that we should increase awareness in society. And for other services that rely on user data – which we don’t even realise – we can use science and technology. My research line is about continuing to use the online services that we have grown to love, but without allowing the service provider to have complete access to privacy sensitive data.’
'My research line is about continuing to use the online services that we have grown to love, but without allowing the service provider to have complete access to privacy sensitive data'
How can you help us become this online John Doe?
‘The whole idea is to process privacy sensitive data through encryption. So, you will be known as John Doe to the service provider. They will work in the dark. The companies will continue doing exactly what they promise to do, but will not be able do anything else with your data. They will follow the recipe you are familiar with to provide the service they are supposed to, but they will not see the data and the results of their services; for example, they might suggest new books without seeing your book collection. We will hide your data even from the service providers.’
Cryptography has been around for a while. Why hasn't this been done before?
‘Using cryptography in privacy enhancing technologies is computationally expensive. That is also the challenge in my research. The initial idea is about 35 years old but hasn’t been feasible so far. We simply did not have the computational resources. TU Delft is the perfect place to do this kind of research. We have expertise in multimedia processing, particularly signal processing. Think about biometric data processing or speech recognition. We have amazing people here in this building. They design speech recognition systems. Using our existing signal processing background we can design a new system using crypto in such a way that Siri can suggest the best restaurants in your area without Apple knowing where you are. So, this is a very nice example of multidisciplinary research and we are adding crypto to it. In this, TU Delft is unique.’
'So, this is a very nice example of multidisciplinary research and we are adding crypto to it’
Will the service providers embrace his new privacy enhancing technology?
‘At the moment, many companies store data in a database after encryption to protect them from hackers. But this has proven to be insufficient on several occasions. Employees can make mistakes: use a simple password, leave the hard drive at a bar or just steal and sell the data. What we are aiming for is to protect data even from the service provider using advanced tools of cryptography. Of course, there will be unwillingness on the part of companies. This solution limits their capability to process or sell data. However, it is also beneficial for them. So, we are actually helping them. For example, as of May 2018 there will be a new EU regulation on data protection. If sensitive data is leaked, the company can be fined up to four percent of its worldwide turnover. That is why I am expecting a boost in privacy research very soon. At the moment, companies are reluctant because there are no consequences and no one is demanding better privacy protection. What I hope is that companies and individuals will come to care about protecting privacy. That is the whole idea. People should know how and when their data is being processed and for what purposes.’
‘What I hope is that companies and individuals will come to care about protecting privacy. That is the whole idea. People should know how and when their data is being processed and for what purposes’
Text: Marieke Roggeveen
Photo: Mark Prins