We're all more conscious than we were 2 years ago, about how much data is collected about us, and how revealing it can be. The commercial and government direction of travel is clear: more data, more mining, more monetization. And if personal data fuels the information economy, who'd want to stop that? But can we get the economic benefits, without selling our digital souls in the process? - Is there a data equivalent to the ""polluter pays"" principle? And if not, is there an alternative? - Ethical data handling sounds great in principle, but can it be practical? - How can organizations put ethical data handling into practice?

1. The Ethics of
Personal Data Robin Wilton
Technical Outreach Director
Identity and Privacy
wilton@isoc.org
@futureidentity

2. The Internet Society’s mission
To promote the open development, evolution, and use
of the Internet for the benefit of all people throughout
the world.
The Internet is for Everyone
2

3. NORTH AMERICA
LATIN AMERICA/CARIBBEAN
EUROPE
AFRICA
THE MIDDLE EAST
ASIA
The Internet Society’s Global Presence
109
Chapters
Worldwide
72k
Members and
Supporters
146
Organization
Members
5
Regional
Bureaus
18
Countries with
ISOC Offices
3

4. Technical context and practicalities
4

5. “Ethics? I thought this was a techie conference…”
5
What do I mean by ethics, anyway?
Three main models:
• Consequences (a.k.a. consequentialist or
utilitarian)
• Rules (a.k.a. deontological. Yeah, I know…)
• Fairness (a.k.a. Justice… but without the leotards)

6. Shortcomings of two of the models
6
• Consequences
• Asymmetry of power;
• Harm/risk often diluted and hard to quantify
• “Best for whom?” – “balance” vs “optimisation”
• Rules
• Poor for cross-border/cross-culture cases
• Poor if enforcement is lacking
• Enforcement is lacking
• Which leaves Fairness…

7. OK, so what do I mean by Fairness?
7
• Legitimacy
• (Not the same as legality)
• “No surprises” should be a good principle
• Transparency
• “No surprises” should not mean “because we didn’t tell you”
• Openness to scrutiny by third parties (e.g. ToSBack/2)
• Accountability
• A focus on “should we do this?”, rather than “can we do
this?”
• Effective redress in case of failure

8. Ethical data handling
(through the handy lens of IoT)
• IoT and consent
• IoT and autonomy
• IoT and agency*
* … whatever it is that puts a user’s
intentions and preferences into practice

9. Ethical data handling
(through the handy lens of IoT)
• Consent
• Wearables, implants, pre-diagnosis
• Autonomy
• Driverless vehicles
• Algorithms
• Agency
• User agents: scalability and control?
• Insertion into current business models

10. The future is already here…
• IoT gives rise to models and approaches that
undermine human agency
• Non-human agents and autonomous systems are
not ethically neutral
• Devices make it increasingly hard to maintain
“persona separation”

11. The distributed, mediated model opens up new options
• Identity Relationships can be Managed (and not
only by the two parties concerned)
• User agents are a potential answer to scalability
• User agents may help with “consent fatigue”
• User agents could take many forms…

12. Internet Society activities in this area
• Ethical data handling (policy and technical)
• User privacy choices (research project)
• Vectors of Trust initiative
• TosBack/2
• Support for Kantara work on
• UMA
• IRM
• Consent Receipts
• Support for work on attribute lifecycles

13. But…
• Current (risk/compliance) approaches lead to a
check-box mentality
• Practical guidance on ethical data handling is
lacking
• IoT-scale data increases the incentive for
monetization

14. Conclusions
• We should be exploiting Internet architectures
for greater user empowerment
• We should be putting device intelligence to use
on our behalf
• There are viable niches in the data ecosystem
for privacy-enhancing, ethical agents
• We need to draft practical guidelines for
ethical data-handling

15. Thank You
15
Robin Wilton
Technical Outreach Director
Identity and Privacy
wilton@isoc.org
@futureidentity