Protecting Online Data Privacy and Enabling Trust in Connected Technologies

While ongoing technical advances have brought about the powerful digital technologies that now pervade our lives, an often overlooked aspect of these connected systems – the trust users need to have in them – is as important to their effectiveness as their technical attributes.

If users don’t trust how a system will use and protect their identities and data, they will try to avoid or minimize using it, rendering the system’s technical sophistication largely irrelevant.

Data privacy, therefore, is key to the trust we must have in digital platforms in order to use them productively. However, the collection, control, and ownership of personal data today are largely controlled by the providers of products and services, not by the individuals who use them.

The incorporation of universal human values such as Trust, Identity, Privacy, Protection, Safety and Security (TIPPSS) into new technologies is growing in importance as the world becomes more connected and technology-dependent.

Accordingly, the IEEE Standards Association (IEEE SA) is working to incorporate TIPPSS values into the standards development process along with technical issues. The IEEE SA Foundational Technologies Practice, for example, brings together its diverse global stakeholders to identify gaps in the areas of TIPPSS and develop and offer a wide range of resources, activities, and programs to help build trust and security in technology.

Numerous IEEE SA initiatives are under way relating to data privacy and cybersecurity, and many published and developing standards address these and related issues.

For example, the goal of IEEE SA’s Dignity, Inclusion, Identity, Trust and Agency (DIITA) Industry Connections activity is to help provide tools and guidelines to design and develop trust-enabling solutions for all users of technology. DIITA aims at ensuring that the conditions of online access safeguard users’ personal agency and dignity. This activity explores the technical capabilities needed to identify ourselves online in a way that protects our privacy, our right to be forgotten and our off-line ability to have multiple personas; and by identifying potential standardization opportunities that can enable the needs and voices of all.

A key privacy-related DIITA workstream is Privacy and Respect in Virtual and Social Gaming. One output of this workstream will be an industry-guidance document that defines a set of recommended practices for inclusion, dignity, and privacy in online gaming. It includes a descriptive taxonomy to ensure clear and concise communication between stakeholders, and a set of best practices designed to help game developers build more inclusive online communities.

In addition, IEEE SA worked with the IEEE Society on Social Implications of Technology (SSIT) to establish a Standards Committee to develop standards that can benefit from the multi-disciplinary perspective that SSIT brings.

Another focus at IEEE SA is to develop best practices for the use of technology by children, including data privacy considerations. Children are beginning to use technology at a younger age, and the amount of use has increased in recent years. Therefore, it is imperative to develop an ecosystem of inclusive, trustworthy online and offline experiences where children can communicate, play, and learn safely and in a manner that suits their evolving capacities.

Evaluating industry best practices in various aspects, IEEE SA has released the Applied Case Studies for Children’s Data Governance report, which provides real-life examples of technology designed to foster positive, trustworthy, and privacy-preserving interactions for them. Further, the new IEEE Std. 2089-2021 Age Appropriate Digital Services Framework – Based on the 5Rights Principles for Children, provides processes for organizations to make their digital services age appropriate, and it includes steps relating to data privacy.

As a key component of data privacy, cybersecurity touches every facet of our digital lives. But in today’s world there is often a lack of motivation to offer secure technology. This may result either from commercial goals (e.g., the desire to offer products from which user data can be obtained and used by advertisers) or regulatory pressure (e.g., to track certain financial transactions).

IEEE SA’s Meta Issues in Cybersecurity Industry Connections activity seeks to apply IEEE’s approach of advancing technology for humanity to the realm of cybersecurity, to fundamentally improve it. By engaging with technologists in industry, research and government; social scientists; legal scholars; policy makers; economists and others, this activity aims to address and overcome current limitations in cybersecurity approaches.

There are many IEEE technical standards and projects focused on safeguarding privacy and security, while others address societal or ethical viewpoints. Here are some examples:

• IEEE 802E™-2020 – IEEE Recommended Practice for Privacy Considerations for IEEE 802® Technologies. IEEE 802 technologies play a major role in Internet connectivity, yet have the potential to disclose their users’ private information. The purpose of this recommended practice is to promote a consistent approach by IEEE 802 protocol developers to mitigate privacy threats identified in the specified privacy threat model, and to provide a privacy guideline.
• IEEE 2410™-2021 – IEEE Standard for Biometric Privacy. This standard provides for private identity assertion, and includes a formal specification for privacy and biometrics such that a conforming system will meet GDPR, CCPA, BIPA, or HIPAA privacy requirements.
• IEEE P1912™ – Standard for Privacy and Security Framework for Consumer Wireless Devices. This standard will define a privacy scale for data that is defined as personal identifiable information, which is collected, retained, processed, or shared on networked edge, fog, or cloud computing devices. This privacy scale will provide input to assessment tools that developers or users of these applications employ to develop, discover, recognize, or implement appropriate privacy settings for the personal data resident on these devices.
• IEEE 2089™-2021 – IEEE Standard for Age Appropriate Digital Services Framework – Based on the 5Rights Principles for Children. This standard establishes a framework for developing age-appropriate digital services for situations where users are children. The framework centers around the following key areas: a) recognition that the user is a child, b) considers the capacity and upholds the rights of children, c) offers terms appropriate to children, d) presents information in an age-appropriate way and e) offers a level of validation for service design decisions.
• IEEE P2876™ – Recommended Practice for Inclusion, Dignity and Privacy in Online Gaming. This has arisen out of the IEEE SA DIITA Industry Connections activity and is an example of how DIITA can lead to standards development. It defines a set of recommended practices for inclusion, dignity, and privacy in online gaming. It includes a descriptive taxonomy to enable clear and concise communication between stakeholders, and a set of best practices designed to help game developers build more inclusive online communities. A reference model defining common concerns, challenges, and remediation methods across all online games is also included.
• IEEE P2933™ – Standard for Clinical Internet of Things (IoT) Data and Device Interoperability with TIPPSS – Trust, Identity, Privacy, Protection, Safety and Security. There needs to be a set of guidelines and standards to standardize the use of clinical Internet of Things (IoT) devices for precision medicine, data sharing, interoperability, and security, with a goal of improved and measurable healthcare outcomes and protection of patient data. This standard will establish that framework, with the incorporation of TIPPSS principles. It will encompass wearable device interoperability with healthcare systems such as electronic health records (EHR), electronic medical records (EMR), other clinical IoT devices, hospital devices, and with future devices and connected healthcare systems.
• IEEE P7000™ Series – This series is designed to develop and specify ways in which engineers and technologists in many vertical markets can address privacy and other ethical considerations throughout the various stages of system initiation, analysis and design. The recently published IEEE 7000™-2021 Standard, for example, aims to integrate ethical and functional requirements to mitigate risk and increase innovation in systems engineering design and development.

Learn more about IEEE SA’s work in data-privacy and TIPPSS, and get engaged with the IEEE SA Foundational Technology Practice.

• Srikanth Chandrasekaran, IEEE SA Foundational Technologies Practice Lead
• Moira Patterson, IEEE SA Dignity, Digital Inclusion, Identity, Trust and Agency (DIITA) Industry Connections Activity Staff Lead
• Greg Adamson, Chair of IEEE SA Meta Issues in Cybersecurity Industry Connection Activity; Chair of IEEE SA Dignity, Digital Inclusion, Identity, Trust and Agency (DIITA) Industry Connections