Privacy regulators are embracing privacy by design as never before. This is the idea that “building in” privacy throughout the design and development of products and services achieves better results than “bolting it on” as an afterthought. In the US, a very recent FTC Staff Report makes privacy by design one of three main components of a new privacy framework. According to the FTC, firms should adopt privacy by design by incorporating substantive protections into their development practices and implementing comprehensive data management procedures; the latter may also require a privacy impact assessment (PIA) where appropriate. In contrast, European privacy officials view privacy by design as also requiring the broad adoption of Privacy Enhancing Technologies (PETs), especially PETs that shield or reduce identification or minimize the collection of personal data. Despite the enthusiasm of privacy regulators, privacy by design and PETs have yet to achieve widespread acceptance in the marketplace. One reason is that Internet firms derive much of their profit from the collection and use of personal data and may be unwilling to build in privacy if it disrupts profitable activities or new business ventures. Nor does the available evidence support the view that privacy by design pays for itself (except perhaps for a small group of firms who must protect privacy to maintain highly valued brands and avoid reputational damage). At the same time, the regulatory implications of privacy by design remain murky at best, not only for adopters but also for free riders. This Article seeks to clarify the meaning of privacy by design and thereby suggest how privacy regulators might develop appropriate incentives to offset the certain economic costs and uncertain privacy benefits of this new approach. It begins by developing a taxonomy of PETs, classifying them as substitutes or complements depending on how they interact with data protection or privacy laws. Substitute PETs aim for zero-disclosure of PII, whereas complementary PETs enable greater user control over personal data through enhanced user controls. Next, it explores the meanings of privacy by design in the specific context of the FTC’s emerging concept of “comprehensive information privacy programs.” It also examines the activities of a few industry leaders, who rely on engineering approaches and related tools to implement privacy principles throughout the product development and the data management lifecycles. Building on this analysis and using targeted advertising as its primary illustration, the Article then suggests how regulators might achieve better success in promoting the adoption of privacy by design by 1) identifying best practices in privacy design and development, including prohibited practices, required practices, and recommended practices; and 2) situating best practices within an innovative regulatory framework that a) promotes experimentation with new technologies and engineering practices; b) encourages regulatory agreements through stakeholder representation, face-to-face negotiations, and consensus-based decision making; and c) supports flexible, incentive driven safe harbor mechanisms as defined by (newly enacted) privacy legislation.

Regulating Privacy by Design

The sixth annual Workshop on Privacy Enhancing Technologies (PET) was held in Cambridge, England, from 28-30 June 2006.

Privacy Enhancing Technologies

Artificial intelligence (AI) fosters economic growth and opens up new directions for innovation. However, the diffusion of AI proceeds very slowly and falls behind, especially in comparison to other technologies. An important path leading to better adoption rates identified is trust-building. Particular requirements for trust and their relevance for AI adoption are currently insufficiently addressed.,To close this gap, the authors follow a qualitative approach, drawing on the extended valence framework by assessing semi-structured interviews with experts from various companies.,The authors contribute to research by finding several subcategories for the three main trust dimensions ability, integrity and benevolence, thereby revealing fundamental differences for building trust in AI compared to more traditional technologies. In particular, the authors find access to knowledge, transparency, explainability, certification, as well as self-imposed standards and guidelines to be important factors that increase overall trust in AI.,The results show how the valence framework needs to be elaborated to become applicable to the AI context and provide further structural orientation to better understand AI adoption intentions. This may help decision-makers to identify further requirements or strategies to increase overall trust in their AI products, creating competitive and operational advantage.

Can we trust AI? An empirical investigation of trust requirements and guide to successful AI adoption

http://manuscript.elsevier.com/S0360132322003699/pdf/S0360132322003699.pdf

Increased airborne transmission of COVID-19 with new variants, implications for health policies

/pdf/machinelike-or-humanlike-a-literature-review-of-3ykq7eo3bn.pdf

Machinelike or Humanlike? A Literature Review of Anthropomorphism in AI-Enabled Technology

One for all, all for one: Social considerations in user acceptance of contact tracing apps using longitudinal evidence from Germany and Switzerland

Organizations pursuing data-driven business models (DDBM) rely on processing user data to improve and provide their services. However, collecting personal information is often criticized by consumers due to concerns about the potential misuse of such data. While these two interests stand in an unsolved conflict and organizations need to balance these interests advances in the field of privacyenhancing technologies (PETs) promise a resolution to achieve both goals simultaneously. Yet, organizations barely use PETs within their DDBMs. Based on the TOE framework, we review the literature on barriers of PET adoption to shed light on the unsolved question why organizations resist adopting PETs. We reflect the state of research on the trade-off between creating value using data and information privacy. We particularly find that multiple research streams call for the organizational adoption of PETs. Nevertheless, the main barriers we identified are unclear economic impact as well as the lack of relative advantage of PETs.

Privacy-sensitive Business Models: Barriers of Organizational Adoption of Privacy-Enhancing Technologies

Recent advantages in artificial intelligence (AI) research allow building sophisticated models to advise users in various scenarios (e.g., in financial planning, medical diagnosis). For companies, this development is relevant since it allows scaling of services that were not scalable before. Nonetheless, in the end, the user decides whether he/she uses a service or not. Therefore, we conducted a survey with 226 participants to measure the relative advantage of AI-based advisory over human experts in the context of financial planning. The results show that the most important advantage users perceive is convenience, since they get easy and instant satisfaction of their informational needs. Furthermore, the effectivity of eleven measures to increase trust in AI-based advisory systems was evaluated. Findings show that the ability to test the service noncommittal is superior while the implementation of human traits is negligible.

Promoting Trust in AI-based Expert Systems

Research on IS security behavior regularly identifies individuals’ personal characteristics as the reason why users refrain from adequate safeguarding techniques and ignore recommended security responses. This study aims to extend this body of literature, and sheds light on the concept of security fatigue: hereby, users receive numerous message cues reporting recent security risks and recommending certain response behaviors. However, instead of fostering awareness among individuals, users are too exhausted to follow these security recommendations. This setback may result in a lack of adequate response behavior and personal information systems being vulnerable to future threats. This paper builds on the theory of self-regulation, which is essential for successful risk avoidance behavior, as well as the concept of ego-depletion resulting from a high amount of self-regulatory activities. A measurement instrument for security fatigue is adopted, based on self-regulatory theory. Perceived information overload and locus of control are further tested to determine the level of security fatigue. In two consecutive online surveys, we pre-test the validity of the context adapted scales. Conducting a follow-up study to validate our conceptual research model, we conclude that subjective information overload is the most critical cause of security fatigue and a lack of adequate security behavior.

Christian M. Olt

Papers

One for all, all for one: Social considerations in user acceptance of contact tracing apps using longitudinal evidence from Germany and Switzerland

Privacy-sensitive Business Models: Barriers of Organizational Adoption of Privacy-Enhancing Technologies

Promoting Trust in AI-based Expert Systems

Weary of Watching Out? - Cause and Effect of Security Fatigue

Promoting Trust in AI-based Expert Systems