All Array of Things Madison Comments
Columns in the source sheet: Comment ID | quote (the policy passage the comment was attached to, if any) | text (the comment itself) | type (annotation, annotation_comment, or comment). Each entry below is one row.
Madison Link: https://documents.mymadison.io/docs/array-of-things-privacy-policy
Comment 1 (annotation)
Quote: All operational sensor data will be publicly available as open data, owned by the University of Chicago.
Text: Avoid language of "data ownership"—data cannot legally be owned (in the United States). This is not just cosmetic, it's important not to introduce a legally indefensible concept into a document that will (we hope) be a binding understanding of how the AoT will work. The idea that data will not only be owned by someone, but by the University of Chicago particularly, adds a level of political sensitivity that is unnecessary and possibly counterproductive.

Comment 2 (annotation)
Quote: owned by the University of Chicago.
Text: stored and published by the University of Chicago.

Comment 3 (annotation_comment)
Text: Make U of C's involvement explicit, and legally definable.

Comment 4 (annotation)
Quote: program operators
Text: Program Operators

Comment 5 (annotation_comment)
Text: suggest capitalizing "program operators" throughout for clarity and explicitness.

Comment 6 (annotation)
Quote: prototypes
Text: How many?

Comment 7 (annotation)
Quote: open access to sensor data
Text: "access" isn't a type of use (the second and third phrases here are). "research on quality and use of public spaces"? "commercialization of knowledge about public spaces"? This sentence could—and probably should—be the core of this document, but it dodges the question by stating a tautology.

Comment 8 (annotation)
Quote: AOT
Text: AoT

Comment 9 (annotation_comment)
Text: consistency of style
Comment 10 (annotation)
Quote: These members will be invited based on recommendations from AoT partners and others who work with community groups
Text: Would like to see an open nomination process for some percentage of seats. Yes, it's Chicago, but we're aiming for a _better_ Chicago.

Comment 11 (annotation)
Quote: The program will be evaluated nine months after the second set of prototype nodes are mounted in the City and every 12 months from that time on.
Text: Add a provision to pull the plug. "If a regular evaluation determines that the AoT is unable to meet the goals of the program, or if the program is producing a preponderance of adverse effects, it may be discontinued." (or the like) The public may well be scared at a new level of surveillance/coveillance and reassurances that misuse of the data will be stopped will go a long way towards encouraging acceptance.

Comment 12 (annotation)
Quote: Any images and other data collected by AoT nodes for calibration will be protected by information security controls, and available only to authorized individuals and only for research purposes.
Text: What about under subpoena or warrant?

Comment 13 (annotation)
Quote: Node locations may be proposed by any individual or group,
Text: Presumably a method for doing this will be required in the public web site.

Comment 14 (annotation)
Quote: Suggestions that meet selection criteria should be submitted first to the program operators at AoT@uchicago.edu , and will then be reviewed and pre-approved by the EOC if the program operators agree that the criteria has been met.
Text: A public suggestion process would be better....

Comment 15 (annotation)
Quote: vibration
Text: Vibration is sound. Specify: "vibration outside audible frequencies" or the like.

Comment 16 (annotation)
Quote: Pedestrian and vehicle movement data will come from computer software analyzing images
Text: Not saying "camera imagery" is misleading. The data that will be gathered IS IMAGES. Pedestrian and vehicle movement information will be inferred from that data. And it is absolutely 100% certain that unless this policy says that imagery will only be used for pedestrian and vehicle movement, then it WILL be used for something else. Using data in creative ways is exactly what data scientists get paid to do. This absolutely must be rewritten.
Comment 17 (annotation_comment)
Text: This information is subject to change so not locked in as policy here. The website will have this information as it is finalized. Along with publication of these documents we have published a map of the first wave of ~50 devices.

Comment 18 (annotation)
Quote: This includes, but is not limited to, information
Text: What happens if in a couple of years - we want to look into gun violence prevention, will you program it to look at shootings/firearms? If you add this type of data or any other forms of data that is not currently captured, what is the process of adding (or removing) programming?

Comment 19 (annotation)
Quote: This policy will be reviewed annually
Text: and open for public comment (similar to Madison and community forums)

Comment 20 (annotation_comment)
Text: This is a concerning piece of wording and implementation of this proposal. This makes me have to ask about the specific management rules of these images - who has access, how long will they be stored, and how do they get deleted? If these images are never deleted, then the entire PII section of this document is void from a technical perspective. With enough images taken over time, one can find an individual based on their clothing, follow them through each image, and eventually determine where they work and where they live. From there, it's pretty easy to figure out the rest of that person's identity. Blurring out images and license plates is not enough. To me, I think it would be better if a smarter solution could be implemented to where images are not even needed for these metrics (i.e. traffic patterns). I don't know what that solution would be, but I'm more afraid of the potential of future harm to be done with these images more than anything.

Comment 21 (annotation)
Quote: Raw calibration data that could contain PII will be stored in a secure facility
Text: Although most citizens may not care, the technically minded ones would be interested in knowing exactly how this data is secured and encrypted. There are different ways of doing so and being transparent about that is important IMO.

Comment 22 (annotation)
Quote: or
Text: and
Comment 23 (annotation)
Quote: In order to support economic development, data from approved experimental sensors, installed for specific research and development purposes, may be withheld from (or aggregated for) publication for a period of time in order to protect intellectual property, ensure privacy or data accuracy, and enable the proper calibration of the sensor.
Text: Who approves the experimental sensors and what criteria will they be using to decide what/who gets approved? Will experimental sensors be allowed to collect PII and store that information on private servers?

Comment 24 (annotation)
Quote: The Array of Things is designed to collect and share data about Chicago's urban environment to support research that seeks will provide insight into city challenges. This includes, but is not limited to, information about temperature, humidity, barometric pressure, vibration, air quality, cloud cover, and pedestrian and vehicle counts and patterns. Pedestrian and vehicle movement data will come from computer software analyzing images.
Text: This paragraph should contain two separate lists. One list describes what data is collected (camera images, raw audio, vibration data, temperature, etc.), and one list describes what data is shared, including the derived features such as pedestrian/vehicle counts.

Comment 25 (annotation)
Quote: Raw calibration data that could contain PII will be stored in a secure facility
Text: Will all raw data that is collected be uploaded to the secure facility? Will some of the raw data be deleted on-site after processing?

Comment 26 (annotation)
Quote: Access to this limited volume of data is restricted to operator employees, contractors and approved scientific partners who need to process the data for instrument design and calibration purposes, and who are subject to strict contractual confidentiality obligations and will be subject to discipline and/or termination if they fail to meet these obligations.
Text: Echoing Timothy McGovern's question from above: "What about under subpoena or warrant?"

Comment 27 (annotation)
Quote: open data
Text: Specify what copyright, or a list of possible copyrights, the data will be made available under.

Comment 28 (annotation)
Quote: "instrument,"
Text: "instrument",

Comment 29 (annotation)
Quote: "instrument,"
Text: Unclear why quotations are being used -- recommend removing quotations.

Comment 30 (annotation)
Quote: be transmitted
Text: be encrypted, then transmitted
Comment 31 (annotation)
Quote: industry, academia, and not-for-profits
Text: What about groups or individuals who do not fall under any of these categories? E.g., a volunteer group that is NOT a not-for-profit.

Comment 32 (annotation)
Quote: AOT
Text: AoT

Comment 33 (annotation)
Quote: P
Text: Should this be a numbered section header?

Comment 34 (annotation)
Quote: This policy will be reviewed annually at a minimum by the program operators and the EOC for needed revisions. Others may request a review of this policy or submit a question to the operators AoT@uchicago.edu. Any proposed changes to the policy will be posted online for public review and comment prior to their incorporation.
Text: The more AoT revises its policy, and the more of itself it gives, the more daunting the public review task becomes. We all know there's a bright future for AoT, but more imagination towards shaping policy that empowers people to interact with our shared picture of the urban system must occur.

Comment 35 (annotation)
Quote: SRG
Text: It could be nice to see more detail here about how requests to change the software will be evaluated. It's not too hard to imagine privacy issues coming up here.

Comment 36 (comment)
Text: I really like how much thought has been put into the privacy concerns with this project. The way the sensors process the data themselves and delete all but a tiny fraction of the raw image/sound files is well thought through.
Comment 37 (annotation)
Quote: 4.3 Node Locations
Text: Can more sensors be placed in the north near O'Hare? [Resident Question from 6.14 Public Meeting. See Notes: bit.ly/614notes ]

Comment 38 (annotation)
Quote: 3 Governance Bodies
Text: Who is in charge of this project? [Resident Question from 6.14 Public Meeting. See Notes: bit.ly/614notes ]

Comment 39 (annotation)
Quote: 3 Governance Bodies
Text: Tell us more about the partners involved in this work - specifically SAIC & Smart Chicago [Resident Question from 6.14 Public Meeting. See Notes: bit.ly/614notes ]

Comment 40 (annotation)
Quote: 4.6 Education
Text: When will the Lane Tech Curriculum be available to everyone? [Resident Question from 6.14 Public Meeting. See Notes: bit.ly/614notes ]

Comment 41 (comment)
Text: Is the camera in the sensors used for public safety purposes? [Resident Question from 6.14 Public Meeting. See Notes: bit.ly/614notes ]

Comment 42 (comment)
Text: Why is this meeting (the 6.14 public meeting) happening in Pilsen? [Resident Question from 6.14 Public Meeting. See Notes: bit.ly/614notes ]

Comment 43 (comment)
Text: Is this [AoT] happening in other places or cities? [Resident Question from 6.14 Public Meeting. See Notes: bit.ly/614notes ]

Comment 44 (annotation)
Quote: 4.5 Node Capabilities
Text: How might the project/sensors change? [Resident Question from 6.14 Public Meeting. See Notes: bit.ly/614notes ]

Comment 45 (comment)
Text: Charlie mentioned a hypothetical about counting dog walkers during the 6.14 Public Meeting — Could you potentially catch people who didn't pick up after their dogs? [Resident Question from 6.14 Public Meeting. See Notes: bit.ly/614notes ]
Comment 46 (annotation)
Quote: 4 Information Collection, Use, and Sharing
Text: What's the purpose of collecting the nonpublic raw data/images? [Resident Question from 6.14 Public Meeting. See Notes: bit.ly/614notes ]

Comment 47 (annotation)
Quote: 4 Information Collection, Use, and Sharing
Text: Why collect multiple images at different times? [Resident Question from 6.14 Public Meeting. See Notes: bit.ly/614notes ]

Comment 48 (comment)
Text: What about measuring cancer-causing chemicals? [Resident Question from 6.14 Public Meeting. See Notes: bit.ly/614notes ]

Comment 49 (comment)
Text: Include communities in this project [Resident Comment from 6.14 Public Meeting. See Notes: bit.ly/614notes ]

Comment 50 (annotation)
Quote: 4.3 Node Locations
Text: Can communities influence the placement of sensors? [Resident Question from 6.14 Public Meeting. See Notes: bit.ly/614notes ]

Comment 51 (comment)
Text: A recommendation for AoT to work with the Pilsen Alliance [Resident Comment from 6.14 Public Meeting. See Notes: bit.ly/614notes ]

Comment 52 (comment)
Text: Will all of the sensors be placed at the same height? [Resident Question from 6.14 Public Meeting. See Notes: bit.ly/614notes ]

Comment 53 (comment)
Text: Why aluminum for the sensors? [Resident Question from 6.14 Public Meeting. See Notes: bit.ly/614notes ]

Comment 54 (annotation)
Quote: 4.3 Node Locations
Text: Can a homeowner elect to have a sensor installed on their property? [Resident Question from 6.14 Public Meeting. See Notes: bit.ly/614notes ]

Comment 55 (comment)
Text: What kind of computers are in the sensors? [Resident Question from 6.14 Public Meeting. See Notes: bit.ly/614notes ]

Comment 56 (annotation)
Quote: 4.3 Node Locations
Text: Isn't there a research trade-off between having the sensors placed around the city randomly vs. having them placed around the city strategically? [Resident Question from 6.14 Public Meeting. See Notes: bit.ly/614notes ]
58
57
Has the national weather service shown interest in this work? [Resident Question from 6.14 Public Meeting. See Notes: bit.ly/614notes ]
comment
59
58
Can law enforcement authorities require you to store data you wouldn't have stored? [Resident Question from 6.22 Public Meeting. See Notes: bit.ly/622notes ]
comment
60
59
What will you do about clogged optical lenses or sensors? [Resident Question from 6.22 Public Meeting. See Notes: bit.ly/622notes ]
comment
61
603 Governance Bodies
What independent body audits and controls deletion of data? [Resident Question from 6.22 Public Meeting. See Notes: bit.ly/622notes ]
annotation
62
61
Would Array of Things data result in isolating/segregating/overemphasizing certain areas of the city--particularly if it’s sliced and diced? [Resident Question from 6.22 Public Meeting. See Notes: bit.ly/622notes ]
comment
63
624 Information Collection, Use, and Sharing
With the recording of PII, will we be able to make out specific things in the pictures? Berman says some info will not be released to the public. Who is going to have access to this data? For example, the NSA? [Resident Question from 6.22 Public Meeting. See Notes: bit.ly/622notes ]
annotation
64
63
If the images chosen to train the cameras are random, what value does that have to a scientist? [Resident Question from 6.22 Public Meeting. See Notes: bit.ly/622notes ]
comment
65
64
Wouldn't it be cheaper just to ask the neighbors if there's standing water than to have a sensor? [Resident Question from 6.22 Public Meeting. See Notes: bit.ly/622notes ]
comment
66
65
What's the process for addressing issues that sensors might detect? Where I work, people don't call 311 because nothing happens. [Resident Question from 6.22 Public Meeting. See Notes: bit.ly/622notes ]
comment
67
664.4 Node Security
How is the internet part of the device protected? [Resident Question from 6.22 Public Meeting. See Notes: bit.ly/622notes ]
annotation
68
674.4 Node Security
Would the cellular company have access to the data? [Resident Question from 6.22 Public Meeting. See Notes: bit.ly/622notes ]
annotation
69
684.2 Transparency
Are the algorithms for image recognition going to be publicly available in a repository? [Resident Question from 6.22 Public Meeting. See Notes: bit.ly/622notes ]
annotation
70
69Are example data sets available? [Resident Question from 6.22 Public Meeting. See Notes: bit.ly/622notes ]comment
71
702 Technical Objectivesannotation
Comment 71 (comment)
Text: The Chicago Architectural Foundation was thinking about using data from smartphones: were you thinking of partnering with them for data collection? [Resident Question from 6.22 Public Meeting. See Notes: bit.ly/622notes ]

Comment 72 (comment)
Question 1: Please tell us your thoughts or feedback on the Array of Things Governance & Privacy Policy.
Response 1: If and when the project closes, how will PII be properly disposed of so that it will not later be leaked?
[Source: Wufoo Form Entry 1. See bit.ly/AoTWufoo ]

Comment 73 (comment)
Question 1: Please tell us your thoughts or feedback on the Array of Things Governance & Privacy Policy.
Response 1: I think information sharing should be limited carefully. No data should be downloaded to individual personal devices. This sounds a lot like big brother. If the data is there somebody will access and use it.
[Source: Wufoo Form Entry 2. See bit.ly/AoTWufoo ]

Comment 74 (comment)
Question 1: Please tell us your thoughts or feedback on the Array of Things Governance & Privacy Policy.
Response 1: I'm agin it. It will be violated. Do I trust James Clapper? Why should I trust Charlie Catlett? The public has not been given the opportunity to approve or disapprove of this venture beforehand, as is the case with the Internet of Things as a whole. But the number of people for and against this initiative is ultimately irrelevant, since there is always a sizable contingent which is trained to will its own domination. Metadata will carry the day and the undeniable benefits such a system as the Array of Things is capable of will be more than offset by its drawbacks. This major advance within the paradigm of the Electronic Panopticon world-as-prison should be opposed by every free-thinking individual.
Question 2: Do you have any remaining questions about the Array of Things project or the Governance & Privacy Policy?
Response 2: My only question is how can I avoid it?
[Source: Wufoo Form Entry 3. See bit.ly/AoTWufoo ]

Comment 75 (comment)
Question 1: Please tell us your thoughts or feedback on the Array of Things Governance & Privacy Policy.
Response 1: The public meeting last week was very informative. I see no problems with the governance and privacy policy. Seems like all areas are covered in the policy. Would like to see more information and contact information for the project team leaders. There is no one person to contact managing the project. Many of the groups involved in the project need to clean up their web sites and ways to contact and/or call to speak to a live person. The project will be very good for urban planning and community problem solving. Our organization would like to participate in the next assignments of AoT monitors on the Northwest side of Chicago. We are currently reaching out to Northside universities (i.e. Loyola and North College Prep High). Please keep us in the loop of information and we would like to schedule a meeting in our community to talk about the project. Hope to hear from you soon. Dr. Donald W. Walsh, Indian Woods Community Association (www.indianwoods.org), FAiR (www.fairchicago.org)
Question 2: Do you have any remaining questions about the Array of Things project or the Governance & Privacy Policy?
Response 2: 1) How do we submit an official request to participate in the project as a community organization? 2) Can you make a presentation in our community if we coordinate the locations, invites, etc.? 3) FAiR has a group of experts that would like to speak to the project lead persons. How do we coordinate that? 4) Can you please send me the full contact list of the persons managing the project?
[Source: Wufoo Form Entry 4. See bit.ly/AoTWufoo ]

Comment 76 (comment)
Question 1: Please tell us your thoughts or feedback on the Array of Things Governance & Privacy Policy.
Response 1: It is the following section which causes me the most concern: "The Array of Things technology is designed and operated to protect privacy. PII data, such as could be found in images or sounds, will not be made public. For the purposes of instrument calibration, testing, and software enhancement, images and audio files that may contain PII will be periodically processed to improve, develop, and enhance algorithms that could detect and report on conditions such as street flooding, car/bicycle traffic, storm conditions, or poor visibility. Raw calibration data that could contain PII will be stored in a secure facility for processing during the course of the Array of Things project, including for purposes of improving the technology to protect PII. Access to this limited volume of data is restricted to operator employees, contractors and approved scientific partners who need to process the data for instrument design and calibration purposes, and who are subject to strict contractual confidentiality obligations and will be subject to discipline and/or termination if they fail to meet these obligations." Of course the question becomes how does the public verify precisely who has such access to the PII data? Will access parameters be modified over time? Specifically, what assurances can one gain that the Chicago Police Department, NSA, or other agencies will not have access to this data?
Question 2: Do you have any remaining questions about the Array of Things project or the Governance & Privacy Policy?
Response 2: Many.
[Source: Wufoo Form Entry 5. See bit.ly/AoTWufoo ]

Comment 77 (comment)
Question 1: Please tell us your thoughts or feedback on the Array of Things Governance & Privacy Policy.
Response 1: Hello there, I've been following AoT for the past two years. Happy to have the opportunity to share my thoughts. Thank you! 1. I have concern for how AoT envisions managing the tricky nature of feedback from the data, and how key variables and interactions will be chosen to formulate a picture of the urban system . . . could new variables chosen to model policy and decision making compromise privacy? 2. We all know cities are a complex system that constantly evolves, so will AoT's foundational pillars of privacy do the same? How could this public concern be quieted? 3. How could AoT blend numerical data and qualitative methods to more holistically craft future privacy policies?
[Source: Wufoo Form Entry 6. See bit.ly/AoTWufoo ]

Comment 78 (comment)
Question 1: Please tell us your thoughts or feedback on the Array of Things Governance & Privacy Policy.
Response 1: In the wake of the pullback on current capabilities of the Array, one is still left with the concept of function creep. When new technology is introduced for a stated purpose, this purpose may not be the only purpose the technology is capable of. In other words, the capability profile of the apparatus in question is capable of a high degree of plasticity as viewed over time.
[Source: Wufoo Form Entry 7. See bit.ly/AoTWufoo ]
80
79
Question 1: Please tell us your thoughts or feedback on the Array of Things Governance & Privacy Policy. Response 1: The Future of Privacy Forum (FPF) is a think tank seeking to advance responsible data practices and is supported by leaders in business, academia and consumer advocacy. (The views herein do not necessarily reflect those of the Advisory Board or supporters of FPF). We would like to thank the Array of Things (AoT) project for this opportunity to provide feedback on the proposed Governance and Privacy Policies, and to engage with the broader Chicago and smart city communities. We applaud the AoT’s commitment to building a transparent and responsive program. While this initial privacy policy proposal provides a useful starting point, we urge the AoT’s Security and Privacy Group and Executive Oversight Council to expand or revise it in several ways to better achieve its goals of balancing privacy, transparency, and openness. 1. The Privacy Policy should reflect a FIPs-based framework. The Fair Information Principles (FIPs) are “the framework for most modern privacy laws around the world”and NIST recommends that in order to “establish a comprehensive privacy program that addresses the range of privacy issues that organizations face, organizations should take steps to establish policies and procedures that address all of the Fair Information Practices”(http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf). The current AoT Privacy Policy addresses some, but not all, of these principles. In a more robust FIPs-based Privacy Policy, we would also expect to see meaningful details regarding: - What rights or mechanisms, if any, individuals might have to access, correct, or request the deletion of their PII? - What mechanisms, if any, provide individuals with redress regarding the use of their PII? 
- In addition to discipline and confidentiality promises, what accountability controls (such as employee training, vendor audits, or data use agreements) will help ensure employees, contractors, and approved partners with access to PII comply with the privacy policy. - How long will PII be retained, how PII will be disposed of after it is no longer reasonably necessary for the purposes for which it was collected, and how PII will be treated if the AoT program dissolves or transfers ownership. - How and when PII will be deleted or de-identified. - How the program operators will respond to requests from local, state, or federal civil or law enforcement agencies to access PII (such as when presented with a warrant or subpoena) and to what extent PII is subject to Freedom of Information Act disclosure requests. - Information on how to contact AoT officials regarding any privacy or data security breaches. - How will PII be secured through appropriate administrative, technical, and physical safeguards (such as encryption at rest and in transit, local processing or storage, etc.) against a variety of risks, such as data loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure. - What mechanisms, if any, are available for individuals to exercise control or choice over the collection of PII (e.g., could individuals turn off their phones or participate in an opt out to avoid certain kinds of tracking?) - How the AoT minimizes the collection of PII. Importantly, given the significant amount of information that residents of and visitors to Chicago might be expected to digest, a layered privacy notice highlighting key points would be appropriate. Additional notifications, such as public signage on or around AoT nodes or just-in-time mobile notices pointing to the full privacy policy might also help provide meaningful notice. 2. 
More meaningful technical details within the Privacy Policy would improve trust and transparency for the wide array of stakeholders interested in assessing the program’s privacy and security promises and practices. The AoT’s Privacy Policy is relevant not just to the citizens and communities of Chicago but also a wide range of civil society organizations; other local, state, and federal government officials; academics; potential vendors or research partners; technologists and privacy professionals; and the media. Accordingly, we recommend that the Privacy Policy further expand or clarify: - Distinguishing clearly between PII and sensitive data collected by the AoT. The Privacy Policy states that because of their “potential sensitivity,”location information, electronic device identifiers, or vehicle license plate information should be regarded as PII. This conflates between the concept of PII and that of sensitive data, missing the clear consensus among regulators and privacy experts that regardless of sensitivity, these data fields are PII. (See e.g., NIST Report on De-Identification, http://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8053.pdf; FTC Director Jessica Rich on persistent device identifiers https://www.ftc.gov/news-events/blogs/business-blog/2016/04/keeping-online-advertising-industry; Shades of Gray: Seeing the Full Spectrum of Practical Data De-Identification, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2757709). In privacy nomenclature, describing data as PII typically means that the data can be linked to an identifiable individual, whereas considering data “sensitive”typically signals that the data will be treated to a higher standard of privacy protection. In order to avoid confusion, we suggest clarifying these terms. - When audio or image files may contain PII, what specific kind of PII is collected. 
There is a stark difference in privacy impact between software used to simply detect faces (facial detection) and software capable of identifying individuals in photos via biometric templates (facial recognition). A similar distinction is made between speech detection and speech recognition capabilities. Given the general public unease about loss of anonymity and privacy in public spaces, it is key to clarify what technologies are being used in this context and what capabilities they have for processing PII. This will help allay fears regarding the use of PII from image and audio files captured in public spaces. - How the AoT will ensure adequate de-identification for data made public through the City’s data portal. Open data enables important scientific research and urban innovation. Given the AoT’s intent to make its data available freely, it must implement the strongest possible protections against the intentional or inadvertent re-identification of any individuals within the data set. AoT should clarify publicly how it will ensure that the risk of re-identification is sufficiently low that individual privacy can be guaranteed. What is the acceptable threshold for re-identification risk, and how is it calculated? Will the AoT use differential privacy solutions? How will AoT handle the de-identification within image or audio files as opposed to structured textual data? Will any legal controls or commitments (such as agreements to not attempt to re-identify data) be required before accessing de-identified data? While not expected to publish every detail of its de-identification strategy or lock itself into a particular set of practices, the AoT should make known important parameters to increase trust and transparency. 3. Additionally, FPF recommends that all smart city initiatives, including the AoT, implement a variety of other organizational and technical measures to safeguard personal data, including: a. 
Mapping data flows, including where data is collected and how it is used throughout the entire AoT ecosystem. b. Classifying data according to sources, identifiability, sensitivity, and uses. c. Documenting processes and procedures for sharing data with third parties and monitoring vendors, including data use agreements, audit and standard contractual terms, and transparency about how and by whom scientific partners are “approved.” d. Safeguards to protect against unfair or discriminatory uses of data. e. Identifying what data sets are owned by which stakeholders, and any relevant copyright, licensing, or access provisions. f. Documenting risk-benefit assessments and structured ethical review processes for evaluating new research or uses of PII. (See, e.g., https://fpf.org/wp-content/uploads/FPF_DataBenefitAnalysis_FINAL.pdf) Thank you again for this opportunity to comment. [Source: Wufoo Form Entry 8. See bit.ly/AoTWufoo ]
comment
81
80
Question 1: Please tell us your thoughts or feedback on the Array of Things Governance & Privacy Policy.

Response 1: At the Symposium on Usable Privacy and Security 2016, held last week (June 22-24, 2016) in Denver, Colorado, a group of privacy and security researchers looked at the Array of Things project and its current documentation. The short report below is a compilation of their feedback.

Overall, we appreciated the thought and care given to privacy and security throughout the proposed documents and the Array of Things project. Having a period of public comment, an open and thoughtful process for selecting new node locations, and an AoT Security and Privacy group are steps that lead to practical privacy for the people of Chicago. That said, we have comments on a few areas of the document that we hope you will consider.

PII in the open data set
In the privacy policy, you say “PII data, such as could be found in images or sounds, will not be made public.” What is the process for deciding what is PII and removing it? Removing all PII from this data set may actually be fairly difficult and error prone, and there may be a lot of PII, especially if video captures faces or license plate numbers. You should determine what will be involved in doing this and perhaps revise the language in the privacy policy to set more realistic expectations. Is there a way for people who believe their PII has been shared to have it removed? Currently there is no contact information in the Privacy Policy, and thus no way for people to remove or correct information they believe is inaccurate or wrongly shared. If sound recordings are going to be made, it is important to make sure this is in compliance with the Illinois wiretapping law.

Notice
The current policy document has no specifics on how notice will be provided to residents of node areas or visitors who happen to drive or walk through the range of a node. We believe significant thought needs to be given to how to notify people that they are in the area/range of a node and their data is being collected. This will also allow them to find out what choices they have in removing their PII or other data from an open repository. We hope that consideration will be given to notice, including:
- What languages will the information be presented in?
- What technologies will be used (e.g., a sign, a short link, a QR code, some sort of mobile notification scheme, an app to show which streets are covered by these nodes)?
- The format and display of the information itself (e.g., a street sign, at what height, using what set of color schemes or logos that relates to the project)
- Is there any effort made to allow people with low literacy rates or vision impairment to have access to this material?
- How updates to the project’s policies and notices can be communicated to people who walk or drive through the range of a node
- A plain language (non-legalese) version of the privacy policy should be made accessible to the public
- Notices should include contact information for the Privacy Officer or similar role responsible for managing privacy issues on the project

Data Use / Purpose
In most privacy policies, it is important to explain what collected data will be used for. While much of the data collected as part of this project will be made public (through the open data repository) and then can be used for nearly anything, it is still important to explain potential data use to participants. This should include, at least:
- A description of how each data type collected will be anonymized and aggregated.
- Specific examples that show how each data type could potentially be used.
- What sorts and format (i.e., aggregated versus specific data items) of data the annual report will include.
- Consideration of establishing a use policy for the open data set, or setting up guidelines for how to respond in the event that open AoT data is used by other parties for malicious or discriminatory purposes.
- Notice regarding whether the data will be used by law enforcement for any purpose.

Annual Report
While it is commendable that the AoT group has declared that the policy will be reviewed annually, we would recommend that the review include more specification (What sources of data will be reviewed? How can the community participate? Will this include potential breaches, violations of policy, and/or public complaints?), as well as address the need for evaluation, specifically: is the project meeting its stated goals? Who will review the project for compliance with its stated policies, and how will this review be conducted? How will the annual report be distributed to the public?

Small edits to the language
“Collection may include but is not limited to” or “other biometric data” are phrases that should be avoided. While they may be standard legalese for privacy policies, given your project’s spirit and values, we recommend that you strive for openness and transparency. You should do your best to explicitly describe all data collected and the purpose of collecting them. If more types of data are collected in the future, then the descriptions and explanations should be updated.

Prepared by SOUPS 2016:
Lorrie Faith Cranor, Carnegie Mellon University*
Alain Forget, Google
Patrick Gage Kelley, University of New Mexico
Jen King, UC Berkeley
Sameer Patil, New York University / Indiana University
Florian Schaub, Carnegie Mellon University / University of Michigan
Richmond Wong, UC Berkeley

*Lorrie Cranor is currently on leave from Carnegie Mellon University, serving as Chief Technologist at the US Federal Trade Commission. These are her own views and do not necessarily represent the views of the Commission or any Commissioner.

[Source: Wufoo Form Entry 9. See bit.ly/AoTWufoo ]
comment