Huma Shah is an Assistant Professor and Researcher in AI at Coventry University in the UK. She is a passionate defender of online privacy. She is currently directing the science on the EU-funded CSI-COP project. This aims to raise awareness of citizens’ right to privacy online, and to mobilise citizen scientists from across Europe and beyond to investigate the different types of trackers in websites and apps. Along with the rest of the CSI-COP project team, Huma provides expert knowledge, training and support on the topic to students she teaches, and to a variety of audiences through her invited talks. Online privacy is relevant to many stakeholders: academics, teachers, researchers, journalists and a wealth of others.
Sally Reynolds: Why do you think it is so important for all of us involved in Citizen Science to be more vigilant when it comes to the management of our online privacy?
Huma Shah: Great question. Two days ago, in discussion over a new sub-contract in CSI-COP, a procurement executive was sharing how she sometimes sees ads on web pages she visits relating to topics of conversations she’s had with her husband! That’s thanks to those listening-in algorithms in our smart devices!! I think philosopher Nigel Warburton captures the issue very well: “From the moment you check your phone in the morning you are losing privacy: Corporations around the world are recording what time you woke up … without your permission, or even your knowledge, tech companies are harvesting your data – your location, your likes, your habits, your fears, your diseases, your politics – and sharing amongst themselves” (inside cover sleeve of Hertford College-Oxford University academic Carissa Véliz’s 2020 book Privacy is Power: Why and How You Should Take Back Control of Your Data).
It is important to realise that, when we share our data we might also be sharing data about others such as members of our family, friends, colleagues, including children, without necessarily their permission or knowledge.
S.R.: What types of common mistakes are made regarding the protection of online privacy when it comes to the collection, management, storage and sharing of data in citizen science projects?
H.S.: It is less of a mistake and more the limited knowledge we have on how to design data collection to ensure data protection occurs throughout the process, from pre-collection to collection, to analysing, to reporting on, and to storage. Implementing data anonymization will help to ensure that the data cannot identify a person (people alive under the general data protection regulation – GDPR) in case of a data breach (cyberattacks are a real risk, two of CSI-COP partner organisations suffered a cyberattack in 2021).
Additionally, consideration around who needs access to what collected data will assist in deciding who the collected data should be shared with. Saving/storing the data in strong password protected files, with the passwords known to only those who need to see and evaluate the data, can further assist in protecting data collected in citizen science projects.
S.R.: Are those involved in Citizen Science projects as participants particularly vulnerable when it comes to online privacy and, if so, why?
H.S.: I cannot say, since I am not aware of data on this. What I do suggest is, in citizen science projects we can apply privacy-by-design in tools and artefacts created specifically to engage members of the public. For example, if we are creating a citizen science project website, we can develop it without tracking technologies – do we need to give access to our project website visitor data to online advertising companies (AdTech), who are third parties unconnected with the project? If we are creating apps for citizen science projects, do those apps need third-party trackers? Are we even aware that citizen science projects could be making volunteer participants vulnerable to tracking by third parties, because our citizen science project websites and apps have tracking cookies embedded in the software development environment? These are questions citizen science practitioners can consider even at the nascent stage of proposal preparation.
It is important to realise that, when we share our data we might also be sharing data about others such as members of our family, friends, colleagues, including children, without necessarily their permission or knowledge.
S.R.: What are the main barriers do you think when it comes to raising awareness of online privacy?
H.S.: People are aware of online privacy issues. Internet users see an assortment of cookie banners, or even cookie walls between them and the content of a website, when they navigate around the web. The harm from online tracking is not visceral like COVID-19 or climate change. Yes, we might be annoyed when we see ads on web pages after we have searched for some information, or some product to purchase, so we roll our eyes at the Big Techs, but we carry on because the Internet is an amazing place to learn new things, and more.
We don’t always see the harm it is doing, unless there is a data breach and we learn that our personal data is to be found among the data shared by hackers on Internet. That might have consequences requiring changes in passwords for various online platforms, or worse, we learn our bank account has been accessed with funds stolen due to a breach.
Just this year, 2021 we learnt over 500million Facebook users had their personal data (names, phone numbers, location information and more) leaked from Facebook and published on the web. The data taken from Facebook could be used by malfeasant actors to impersonate people and commit fraud. So unless it hits us, we tend to put up with those annoying cookies due to the convenience of accessing information on the web.
S.R.: What do you believe are the most fundamental steps to be taken regarding online privacy by those responsible for promoting as well as setting up and managing Citizen Science projects do?
H.S.: In question 3 above I mentioned how citizen science projects that create tools and technologies, to engage members of the public in data collection activities, can start from the basic principle of privacy-by-design, or data-ethics. Of course, more effort is required, and it might cost a little more to create a no-tracking website. And yes, you will lose out on some website visitor data, but this is also a chance for citizen science project teams to think innovatively about how to capture data that is necessary for the project while protecting volunteers’ data throughout their time with the project, and beyond.
S.R.: What types of services, tools and advice does CSI-COP offer the Citizen Science community?
H.S.: CSI-COP project is live offering advice on how to increase trust with potential citizen scientists by creating citizen science project websites that are more GDPR compliant. We are also developing tools as we progress through CSI-COP’s life. One of the ‘tools’ we have already created is a free informal education course, ‘Your Right to Privacy Online’ over five easy-to-follow steps that can be completed one step at a time whenever time is available, or in half-a-day. The course is currently available in nine languages from CSI-COP website page here: https://csi-cop.eu/informal-education-mooc/
The course is also available in English from the EU-Citizen.Science platform MOOC page here: https://moodle.eu-citizen.science/.
The five-step course provides the latest knowledge on privacy, personal data, how our data is tracked online through various tracking technologies (e.g. digital cookies; digital fingerprinting; email pixels), but also practical skills in protecting our data online after becoming aware of our rights to privacy. A CSI-COP certificate is available to members of the public who complete a ten-question test after completing ‘Your Right to Privacy Online’ course. The test is contained in the course document.
We have also been organizing online, and where allowed subject to COVID-19 restrictions, face-to-face half-day informal education workshops. Coventry University recently held an online workshop on 26 October. Our partner in Greece, UPAT, held a face-to-face workshop in Athens on 21 November and they are hosting another in Patras on 15 December. Coventry University’s first face-to-face workshops will be hosted in Coventry city library in January, again subject to any COVID-19 restrictions.
We don’t always see the harm it is doing, unless there is a data breach and we learn that our personal data is to be found among the data shared by hackers on Internet.
CSI-COP shares its research findings through its publications and resources on the project website’s News and Events page, and on the free Zenodo platform: https://zenodo.org/search?page=1&size=20&q=CSI-COP .
We also contribute articles for other projects, or relevant publications. A CSI-COP article is to appear in the January-February 2022 issue of the International Teacher Magazine (ITM). The article, ‘The cookie Jar’ is already available online here: https://consiliumeducation.com/itm/2021/11/15/the-cookie-jar/
CSI-COP will be producing its first societal impact report in early 2022. We have already published CSI-COP’s first policy brief, it is available from Zenodo here: https://zenodo.org/record/4672515#.YapjILqnw2w
Thank you so much for this opportunity, may I just close with CSI-COP’s aim, to nurture privacy champions to help us lobby for better compliance of GDPR. And also to inform about CSI-COP’s final public tools that the project will co-produce with citizen scientists by its conclusion in 2023: i) a taxonomy of digital trackers found in websites and in apps, and ii) an online searchable repository of online trackers.
Happy holidays!
Huma
