What if people could send legally binding Information Sharing Agreements to businesses

Written by Internet Safety Labs

June 14, 2022

The Research Project 

Part of our work at Internet Safety Labs is to assess the practicalities of safer technology for the mutual benefit of people and businesses. We strive to find the sweet spot where safer tech for people delivers loyalty and efficiency gains for businesses. Thanks to a grant from the IEEE Technical Activities Board Committee on Standards (TAB CoS), we recently had the opportunity to explore such practical considerations regarding the novel ability for people to send legally binding Information Sharing Agreements to businesses through a personal software agent.  

What if people had the ability to assert their own legally binding permissions for data collection, use, sharing, and retention by the technologies they use? The IEEE P7012 working group has been working on an interoperability specification for machine-readable personal privacy terms to support such an ability since 2018. The premise behind the work of IEEE P7012 is that people need technology that works on their behalf—i.e. software agents that assert the individual’s permissions and preferences in a machine-readable format.

Our research explored the attitudes of people and one small business toward having the ability for people to send their own legally binding privacy terms to the business. The project entailed building a prototype “Relationship Manager” web service called “MyMe2BAgent”, and then performing validation testing with both types of users of the agent: individual users (“Me-s”) and the business (“B”). The primary research questions for the validation research were:

For Me-s:   

  • Do people want the ability to send their own legally binding Information Sharing Agreements (ISA) to service providers?
  • Do people want a data management dashboard for managing the personal information that gets shared with all service providers?   

For the business (B): 

  • What was it like to integrate the ability to receive a personal privacy agreement? Is it scalable? Is it something you would want to continue supporting beyond the pilot project?

The Findings 

The following summarizes the key findings from this research (the full report can be found here): 

Is the capability of sending a personal privacy policy/agreement important and valuable to people (Me-s)?  

While the number of participants is too small to generalize, the study identified differing opinions. Of seven respondents, two said they wouldn’t use the ability if they had it available today. Participants rated the importance of the ISA-sending capability rather low. When asked to score their preferences on a 5-point scale (where “5” indicated “extremely important”), the average scores were 2.7 and 3.6 across two participant groups. This is surprising as the participants in this study were all tech privacy aficionados. Clearly, additional research is required.

Multiple respondents noted that enforcement of the Pilot Information Sharing Agreement (PISA, created specifically for the pilot project) is what is really needed to make this capability meaningful. Currently, there is no way to know if an agreement is being upheld. What appears to be most important is ensuring and enforcing the terms of the agreement. 

We suggest that reporting and enforcement of any agreement—including existing Terms of Service provided by B-s—is urgently needed, even before the ability to send personal privacy terms to a business. 

Is a single dashboard to manage Me2B Relationships and the data being shared with vendors important and valuable to Me-s?  

This capability appears to be somewhat more valued by our test population, with an average importance score of 4.3 across six respondents. It seems that Me-s may be experiencing a problem of scale relating to managing their Me2B Relationships, and that a “one-stop shop” approach would be desirable. One respondent suggested that the Me2B Relationship Manager should also manage passwords.

From the B’s perspective, what is the greatest challenge?  

Of the funds allocated for the grant, nearly 20% was used in a legal audit of the Pilot Information Sharing Agreement (PISA). Granted, the funding was modest ($10,000), but legal fees were high, as this type of legal agreement is entirely novel.

In order to arrive at an acceptable PISA, we had to assess current and future business and IT processes, to ensure it could sustainably uphold the stated terms. Me-participants said that the PISA felt like it was written for the B and not the Me. And it was, because it’s the B who bears the legal obligations.  

The primary value [for Me-s] of a machine readable privacy policy system is that it would allow for choice between pre-approved policies/agreements. But the allowable policies/agreements will always be highly vetted and amenable to the business and their legal advisors. They have to be in order for a B to sign them. 

Generalized learnings for B-s: 

  • Allowing multiple different privacy policies will be difficult and likely undesirable due to the highly integrated nature of a personal privacy agreement into the business’ legal processes, business processes, and IT systems’ behaviors. Vetting and allowing a particular privacy policy is a major undertaking.  
  • Since businesses must scale their services to potentially millions of customers, supporting, tracking, and complying with several different policies is likely untenable for B-s. The pre-vetted and allowed Information Sharing Agreements will always be aligned to the capabilities, risk tolerances, security practices, and IT system behavior of the company.  
  • While one “Me” respondent desired a real-time negotiated agreement, it seems clear that real-time negotiation of privacy terms is unlikely to be supportable by a business. Every aspect of a business and its IT systems would need to be captured in a machine-readable model to make this approach viable.  
  • From this pilot project, it’s unclear that the agreements must in fact be “machine readable”; they may merely need to be “machine identifiable.” Agreements may not need to be real-time parsed and may never need to be. Rather, the allowable personal privacy policies must have machine-readable unique identifiers.  

Conclusion  

Given the small number of participants in this study, additional research is absolutely necessary. We hope that this project and the learnings derived from it will help the P7012 WG understand the kinds of changes that will be required in order to better empower people, resulting in better Me2B relationships. It will also help them better understand and prioritize key needs and challenges in creating healthier relationships between makers and users of technology.