Any thoughts on Privacy Flag?


I stumbled upon a reference to Privacy Flag, apparently an EU research project on privacy. They are

developing a set of tools to enable citizens to check whether their rights as data subjects are being respected, and tools and services to help companies comply with personal data protection requirements.

They have released a Chrome add-on and an Android app to help people with privacy.

Sounds good, but…

  • They talk about their innovative UPRAAM methodology, which seems unknown to the greater internet. I can’t find information on what it actually means.
  • What I do find is frequent use of crowdsourcing and other buzzwords without specifics of how e.g. crowdsourcing would help or how it is to be used.
  • Their Privacy Guide is a grab bag of private browsing, ad blockers, encryption, and two-factor authentication. Some of the text seems copied verbatim from To be fair, the advice is not all bad, it just does not form a cohesive whole. And it puts the responsibility on individuals with no mention of the systemic problems.
  • Their Threat Observatory collects what looks like somewhat arbitrary metrics to me. It can only be viewed by allowing Google to execute code on my computer :frowning: (Their pages generally pull in Facebook, Twitter, Google and analytics, but seem to function without these.)

Anyone here who knows more? Is this just what EU projects look like? Lofty goals and no details… (I hope not.)

Anyone here who has tried Privacy Flag’s app? (Not using Android or Chrome myself.) Are we supposed to “crowdsource” by voting/rating sites based on how we feel about their use of personal data?


I’ve no idea about Privacy Flag specifically, but it doesn’t sound great. I mean, if they’ve got Google analytics on their page then could they really know what they’re talking about?!


No, that was what I thought too, seeing the analytics and social-share stuff :frowning:


From their News section, it seems they are on tour to tell the world about the project.

I grabbed a presentation PDF from Infocom World 2016 Greece (don’t have the link right now). It contains a lot that is hard to interpret without the speaker, as is often the case. Not their fault, just the nature of things, having just the slides.

Some snippets:

Conceptual Position
Enabling Crowd-sourcing based privacy protection for smartphone applications, websites and Internet of Things (IoT) deployments.

Their main Privacy Flag platform lists CROWD both as End-users and as Evaluators.

Universal Privacy Risk Area Assessment Methodology

  • Universal & Generic
  • Reliable & Effective
  • Democratizing Privacy Legal & Technical Requirements

That would be no small feat.

Objectives (1)

  1. Develop a highly scalable privacy monitoring and protection solution based on:
  • Crowd sourcing mechanisms to identify, monitor and assess privacy-related risks.
  • Privacy monitoring agents distributed on users’ smart phones and web browsers, to identify privacy threatening activities and applications.
  • Universal Privacy Risk Area Assessment Tool and methodology tailored on European and international legal norms on personal data protection and data ownership;
  • Personal Data Valuation mechanism for citizens;
  • Privacy enablers for citizens to retain control over their privacy with optimized anonymisation techniques against traffic monitoring and finger printing; [emphasis mine]
  • User friendly interface informing the users and raising citizen awareness on their privacy risks when using a smart phone application or visiting a website

How technically feasible is that?

Main Components (1)
Privacy monitoring agent: software to be deployed on users’ devices for monitoring and detecting suspicious application or website behaviour.

  • It will perform a local check on sensitive functions and data transmissions in order to inform the end-user on identified risks and level of risk.
  • It will inform the user about any identified risk and may share information on suspicious applications or websites with the common knowledge database.
  • Any information transfer will be full anonymized and will exclude and filter out any personal data.

Privacy enablers ensuring that the user of the platform cannot be identified -or tracked- when connecting to the platform or to other web services.

  • Inter-alia, it will ensure that transmitted data can be fully secured and anonymized, addressing among others IP and MAC tracking (through translation and proxy mechanisms), as well as unwanted GPS location transmission.

Privacy Risk Alert tool enabling any user to launch an alert on any suspicious application, website or unusual deployment of IoT devices [emph. mine] in a smart city that could constitute a risk on privacy.

  • The list of alert will be made available to the crowd for risk evaluation process by volunteers and/or experts. This alert tool will enable to rank and prioritize the applications according to the users priority concerns.

Sounds good, if difficult to achieve.

Exploitation Plan
Setting up a dedicated legal entity to promote privacy

Business Model
In principle, Privacy Flag will use a dual business model:

  • Free evaluation tool for the crowd: No sales revenue stream are planned on the tools developed by the project in order to enable a large adoption and to make the service freely available to the public.
  • Paying services for interested companies: Privacy Flag will propose paying services for in depth privacy risk audits, recommendations and potential labelling for interested companies.

Competition, differentiation and competitive advantages

Financial projections
We plan to generate most revenues from services and consulting, with potential complementary incomes from selective advertisements. [emph. mine]
Privacy Flag has a huge potential to be downloaded by end-users.



Perhaps nothing wrong with the objectives etc, but I don’t get a good feeling from this… Maybe I’m just grumpy and there will be tangible results to prove the project is worth the EU funding.