Cyber security

Taking back privacy control

We need better control over our personal data if we are to keep hackers and commercial interests from knowing our every move. DTU plays an important role in a large EU-funded research project developing a digital vault that lets you manage who has access to your personal data.

Photo: Colourbox

Thursday 05 January 2023

Sole Bugge Møller

Most of us are aware that large tech companies such as Google, Facebook, Apple, Microsoft, Twitter, Netflix and Spotify have massive amounts of data about our online behaviour, so they almost know us better than we do. But who else has access to your personal information? It’s almost impossible to know, and a new EU-supported project in which DTU is involved wants to change that.

“The problem is that our data is everywhere, and it is difficult to find out which companies have access to it and have sold it on. We want to make it all more transparent," says Weizhi Meng, associate professor in cyber security at DTU Compute.

DataVaults can be seen as a digital safe where you can store your personal data and control who has access and when. You are notified when companies, authorities or others access your information, and the platform can assess the risks associated with sharing your information in various contexts.

Personal data such as your age, gender and address may seem entirely innocent, but if all those details fall into the wrong hands, it can have serious consequences.

"In a digitalized world, personal data is the most important asset. If your data has been leaked, hackers can use it to create a false identity of you. They can potentially create fake passports or credit cards in your name or send you targeted phishing emails based on what they already know. That is why it is so important to protect our personal data,” says Weizhi Meng.

Businesses are still challenged by GDPR

It’s impossible to discuss data privacy without mentioning GDPR. The EU's legislation on the protection of personal data shook the IT world when it was introduced in 2018 and is still a cause of confusion to many companies. DataVaults can help not only individuals but also companies that can use the platform to collect information in a secure and legal manner about everything from employees to customers and business partners.

"It’s a big challenge for many companies to comply with GDPR. They don't know how to implement the GDPR guidelines because it's very complicated,” says Weizhi Meng.

A survey by the Council for Digital Security has shown that almost half of all small and medium-sized companies are challenged by the legal requirements for personal data protection, and 67% believe it is difficult to assess how data can be used ethically.

"There is no doubt that it has been an uphill battle for the vast majority of companies," says Henning Mortensen, chairman of the Council for Digital Security.

Most recently, the so-called Schrems II ruling in the EU has created uncertainty. In practice, it makes it problematic for businesses to use American cloud services and platforms, such as Google Analytics, because they may transfer personal data to their parent company in the US which is against GDPR regulations.

"It’s a huge problem for all companies and also authorities, which can make GDPR regulations a major barrier for them. At best, it is unclear what to do when using international services, especially cloud services, and at worst, they cannot use them at all," says Henning Mortensen.

That’s why he welcomes an initiative like DataVaults.

"There is clearly a need for solutions that can collect data in a way that protects our personal data. It could help create a greater willingness to make one's data available for public benefit," says Henning Mortensen.

Facts

GDPR regulations

  • The EU’s General Data Protection Regulation was passed in 2016 and went into effect in 2018.
  • Gives all EU citizens the right to control who has access to their personal data and to be notified on which personal data any given company has on them.
  • Since then, several countries such as Brazil, Japan, South Africa and South Korea have passed similar data regulations, whereas the UK has kept the GDPR regulations after leaving the EU.
  • Violations may be punished with fines up to 20 million euros or four per cent of the company's annual turnover.
  • Currently, the EU has issued around 1400 fines totaling 2,4 billion euros according to GDPR tracking service Enforcement Tracker. The biggest fine has been given to Amazon in July 2021 totaling 746 million euros – Amazon has appealed the verdict.
     

Privacy-friendly big data

In essence, DataVaults wants to build up our trust so we can confidently share data without fear of it being misused. There is great potential in big data, where large data sets are used to see new connections, but it must be done responsibly. One of the project's partners is the French healthcare platform Andaman7, which uses DataVaults to collect data on patients that they use for clinical research.

"If you want to look at how many people suffer from a certain disease, we can collect the results but anonymize the individuals," says Weizhi Meng.

Similarly, a Spanish solar cell manufacturer participates in the project and uses DataVaults to obtain data on users' electricity consumption to predict the demand for electricity at different times of the day.

But DataVaults also wants to give back the financial incentives to us. Whereas Google and Facebook bring in billions of ad dollars from harvesting our data, users of DataVaults can be rewarded for sharing their data. It could be monetary, but also as the Italian municipality of Prato is doing by rewarding residents who share their cultural preferences and habits with tickets to a performance for instance.

However, DataVaults cannot do anything about the information we have already freely given away.

"We can protect the data in the DataVaults, but if Google and Facebook already have it, then there is not much we can do," says Weizhi Meng.

Future solution

After three years, the DataVaults project is coming to an end, and the platform’s beta version is now ready. Long term the hope is that the EU or another authority will be interested in taking ownership of the platform, as it requires consumer trust and resources to handle the personal data of potentially millions of people.

“The more people using DataVaults, the better it will be. When it comes to big data, it obviously works best with as many users as possible," says Weizhi Meng.

In the future, the pressure on our personal data will only increase, and the DTU associate professor believes that, although GDPR is a good start, there is a need to continue to improve the rules and solutions within the protection of personal data.

“It will only become more important in the future. Suppose we enter the era of the metaverse (virtual worlds in 3D), then personal data becomes the top priority. When everything becomes digitalized, those who have data can control everything,” says Weizhi Meng.

Facts

About DataVaults

DataVaults is a large project with 17 partners from nine EU countries. It has received funding of 7.6 million euros, the majority of which comes from the EU's research and innovation programme.

DTU is responsible for ensuring that the information is stored securely by developing a blockchain solution for DataVaults so it can always be tracked who has changed the data and when. DTU is also responsible for implementing crypto processors with Trusted Platform Module.

Read more on datavaults.eu

Topic

Cyber security

Denmark is at the forefront when it comes to the use of technology and digital solutions. This brings about great opportunities – but also makes Denmark an obvious target for IT crime. Consequently, there is a great need for research and training in cyber security to ensure that technology continues to create value for people.

 

Read more in DTU's cyber security topic.

Contact

Weizhi Meng

Weizhi Meng Associate Professor Phone: +45 45253068

Systems and data security Software and programming Telecommunication IT systems Data analysis