Privacy Myth 1 - We Are Not Collecting Personal Data

Several years ago I parked my car into a car park. When collecting my car and driving out, I was surprised that I didn’t have to insert my parking token that I had just used to pay my parking fee. The barrier opened automatically, as if it magically knew I had paid. I quickly understood the ‘magic’ involved: there was a camera scanning the license plates of all cars entering and leaving the car park. The paper parking token I was given upon entry actually had the license plate of my car printed on it: that’s how my payment was linked to my car, and that’s how the barrier could tell I paid. Is the company responsible for maintaining the car park correct when it claims it is not collecting personal data?

(This is the first myth discussed in my book Privacy Is Hard and Seven Other Myths. Achieving Privacy through Careful Design, that will appear October 5, 2021 at MIT Press. The image is courtesy of Gea Smidt.)

Add friction to counter WhatsApp fraud

WhatsApp fraud, where criminals try to embezzle money from credulous, vulnerable victims, is rampant. Part of the problem is that with internet banking and especially banking apps, transferring money is a breeze. Here I discuss some methods that could help to protect potential victims, by adding some purposeful friction.

Using revocable privacy to mitigate the risk of false accusations

Every year I teach a privacy seminar, where groups of students pick a topic, to present in class and to write a paper about. Sometimes students pick revocable privacy, one of my research topics. This year, a group of students again did, and while studying it articulated a very interesting reason why revocable privacy is a useful construct. The impact of a false accusation may deter people from voicing the accusation at all. And using revocable privacy approaches may mitigate this.

The European Digital Identity framework

Two weeks ago the European Commission announced their proposal for a European Digital Identity framework. The proposal is actually an amendment of the eIDAS regulation from 2014. Here are some initial observations and recommendations.

Apple’s Private Relay. A first step towards Mixing for the Masses

Yesterday Apple announced a new privacy protecting service: iCloud Private Relay. Very roughly speaking it appears to be a VPN seasoned with some poor man’s mix networking, hiding your IP address from the websites you visit, while Apple doesn’t learn which sites you are visiting. I think Private Relay is a very pragmatic approach that offers a significant privacy improvement to users of any online service, albeit only to those users that have an iCloud+ subscription. But taking this idea a small step further, pushing it down the stack and implementing at the Internet layer itself, the privacy of all Internet users would be protected.