What we need to see: user control over data
Data generated by systems will be under the control of the individual within a framework of legal rights and protections, and minimally generated and even more minimally processed. The individual would be able to gain access and see explanations of all data on devices, in networks, and on platforms.
We want a world where the default of computing is that the individual will be able to prevent data generation in the first place, and then be able to access, process, and delete the data (and request its deletion when it is held by other parties). Exceptions to this are permissible, but subject to tests of being fair and lawful in accordance with consumer and human rights protections. Access to such data is essential, in both raw and meaningful forms, as it is the precondition for verifying, identifying, and challenging any inaccuracies, misuse and non-compliance, for instance with data protection law.
We would like people to be able to know, and ultimately decide when and how data is being used to understand, judge, and control them and others.
What this will mean
No data about the individual and his/her devices and use of systems should be beyond the reach of the individual. This means that the individual can access, process, and delete data on their devices, and exceptions to this must be justified, necessary and proportionate. You should be able to see all data generated on your smartphone, or all data created by a smart city about you, know what that data is, and if you object, be able to have it modified and removed. You will then be able to know what data is feeding systems that make decisions about you and others.
Listening and always-on devices will limit data collection on the device, e.g. recording/processing in buffers only, and provide users with access to all data generated and some controls over the personal data.
Essential reform actions
Industry must ensure our systems and services only generate data that is strictly necessary, and that we have insight into that data and its processing.
Industry and governments must provide people with the means to prevent the collection of usage and pattern data without our knowledge and consent, and provide the means for this data to be collected only when privacy enhancing technologies are being applied and informed consent ascertained or lawful measures in place.
Particularly in environments where individuals are not in direct control over devices that are generating and collecting data, regulations and regulators must require companies and governments to limit generation of data and to provide details on the collection of data from individuals, their devices and their use of services, so as to inform the necessary democratic and legal debates that must decide what constitutes fair and lawful processing.
Industry must ensure that their government transparency reports (on access by law enforcement) include reporting on data that is not under the control of individuals, including requests on device-level data and activities arising from device-level data. As a result, we would like to see more device manufacturers and related service providers issue transparency reports about government access, and governments must lift restrictions on publication of this data so we can know the forces that may shape our technologies and use.
Cases of positive steps
Amazon giving us the data on our device upon request. But this should be doable directly.
Google Nest publishes a transparency report.