The research Dr Alex Kharlamov and I have been doing at UWE in partnership with colleagues at other institutions has been focused on personal data.
In the first major piece we developed the Hub of All Things. This is a place where you can store all your personal data. What we developed is a personal data micro-server; a platform that allows you to store, analyse and send out data, giving individuals more control over their digital labour. My research relates to how personal data from the home might help inform business models. IoT (Internet of Things) provides an opportunity to gather direct data from the home on how we use products and services.
We gave a group of people different IoT devices and they allowed us access to their data. We analysed what resources there are in the home and created four categories of associated ways they can be measured, which we named use visibility measures; depletion measures, consumption measures, experience measures, and interaction measures. So, if we consider a tin of beans, it is a depletion resource with a very long shelf life. The home owner may have several tins in their cupboard.
The supplier currently has no visibility of the number of tins in storage or the rate and time of consumption. With the power of the IoT and user permission, it would be possible to track this and replenish in a smart way such that when a tin is consumed another is automatically delivered. This changes the business model for the retailer and the nature of the resource moves from depletion to consumption. It also offers possibilities for more sustainable supply.
IoT data allows us to see how a resource is used. For example, does the homeowner microwave or stove heat the beans, how are they used in combination with other foods, what times of day are they consumed and by whom? Access to such detailed data reveals opportunities to create new offers and for the provider to engage in dialogue with the homeowner to improve their experience.
However, data sharing at this level raises concerns about privacy and vulnerability. Our current research is addressing this important issue.
We started researching in the domain of medical data, as we perceive this as the most sensitive data and the principles of privacy and confidentiality are paramount. With medical data, we have found that people do evaluate the risk and benefit of sharing.
However, we find that the majority of patient’s share their medical data. Some of the possible interpretations of this finding is that individuals neglect the potential risk or over-estimate the potential benefit. Another possible interpretation is that patients do not fully understand the implications of sharing and quite how many people can access it. There is more work to be done here.
In a different study, we focused on assessing perceived individual vulnerability towards sharing personal data. We find that people overestimate the likelihood of rare types of data loss and underestimate of the most common and most likely types of data loss. When it comes to data relating to their finances (credit card or bank account details) or account access (passwords to different websites, or social media) people are rightly careful.
This was met with challenges as we found that individuals tend to be generally risk-taking, and do not feel vulnerable with regards to their identity data, email address, affiliation, etc. Identity data can be used to masquerade as someone else and causes one of the most common and eminent threats today. .
Our latest work seeks to measure individual risk-taking and risk perception for data, and we created a psychometric scale Cyber-Domain-Specific Risk-Taking Scale (CyberDOSPERT). Institutions tend to judge and model data loss from a financial point of view. Our findings show this differs from consumers who do not assess their information privacy from a financial point of view, but rather from an ethical standpoint.
The work suggests modelling risk associated with consumer data loss purely on financial terms is wrong and models needs to factor in the ethical judgements made by the consumer in the case of data breach.