Aligning Consent with Privacy Promises

Building a proof of concept for a secure multi-party computation database querying platform. Examining the complex interaction between cyber security and digital ethics.

Increased data sharing brings increased privacy risks. New ‘privacy first’ data sharing platforms need to be developed, combined with new ways of communicating privacy properties to allow for genuine consent.

This project aims to build a proof of concept for a secure multi-party computation database querying platform. The proof of concept will implement a limited set of querying options, built on top of either a standard database engine or within a simple file structure.

The data within the database will be encrypted using a partially homomorphic cryptosystem, likely to be Exponential ElGamal. Well-established techniques, including threshold decryption and Plaintext Equivalence Tests, will be utilised to deliver an initial, limited querying option: at a minimum, equality comparisons combined with AND clauses. The aim is both to demonstrate the feasibility of such an approach and to help formulate how such a system can be described to the end user.
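As an added illustration of the building blocks named above (not code from this project), the following Python sketches Exponential ElGamal with a two-party additive threshold key, a Plaintext Equivalence Test on the quotient of two ciphertexts, and an AND of equality tests over an encrypted table. The group parameters are a constructed toy safe prime, and the "two parties" are simulated in one process.

```python
import secrets

# Constructed toy parameters: safe prime p = 2q + 1; g = 4 generates the order-q subgroup.
# A real deployment needs a group of 2048 bits or more; these values only illustrate the protocol.
P, Q, G = 1019, 509, 4

def rand_exp():
    """Uniformly random non-zero exponent modulo the subgroup order q."""
    return 1 + secrets.randbelow(Q - 1)

def keygen_2party():
    """Additive threshold key: parties hold shares x1, x2; public key h = g^(x1 + x2)."""
    x1, x2 = rand_exp(), rand_exp()
    return pow(G, (x1 + x2) % Q, P), x1, x2

def encrypt(h, m):
    """Exponential ElGamal: m (< q) sits in the exponent, so ciphertexts are additively homomorphic."""
    r = rand_exp()
    return pow(G, r, P), pow(G, m, P) * pow(h, r, P) % P

def threshold_decrypt(c, x1, x2):
    """Each share contributes a^x_i; combining both recovers g^m. No single party can do this alone."""
    a, b = c
    d = pow(a, x1, P) * pow(a, x2, P) % P
    return b * pow(d, -1, P) % P

def pet(c1, c2, x1, x2):
    """Plaintext Equivalence Test: True iff c1 and c2 encrypt the same value, revealing nothing else.
    The quotient c1/c2 encrypts g^(m1 - m2); each party raises it to a secret exponent before
    threshold decryption, so a non-zero difference decrypts to a random group element, never to g^(m1-m2)."""
    a = c1[0] * pow(c2[0], -1, P) % P
    b = c1[1] * pow(c2[1], -1, P) % P
    for z in (rand_exp(), rand_exp()):      # each party applies its own blinding factor in turn
        a, b = pow(a, z, P), pow(b, z, P)
    return threshold_decrypt((a, b), x1, x2) == 1

def select_equal_and(table, query, x1, x2):
    """Evaluate 'col_1 = v_1 AND col_2 = v_2 AND ...' over encrypted rows with encrypted query values.
    Returns the indexes of matching rows; individual column values are never decrypted."""
    return [i for i, row in enumerate(table)
            if all(pet(cell, qv, x1, x2) for cell, qv in zip(row, query))]

def demo():
    """Constructed sample: a two-column table of (sector, consent_type) codes, queried with AND."""
    h, x1, x2 = keygen_2party()
    plain_rows = [(3, 7), (3, 9), (5, 7), (3, 7)]
    table = [tuple(encrypt(h, v) for v in row) for row in plain_rows]
    query = tuple(encrypt(h, v) for v in (3, 7))      # sector = 3 AND consent_type = 7
    return select_equal_and(table, query, x1, x2)

if __name__ == "__main__":
    print(demo())    # [0, 3]
```

The querying party learns only which rows satisfy the whole conjunction; a production version would add zero-knowledge proofs that each party's blinding and partial decryption were performed honestly.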

The proof of concept will be used as an initial benchmark to evaluate the feasibility of running such a platform at scale, and to prioritise the areas needing most urgent further research and development. Crucially, it will also act as a contrasting approach with which we can evaluate end user comprehension of system privacy properties and capabilities, and how best to communicate those technically complex concepts to the user in such a way as to deliver informed consent.

The project will address the question of “how do we make sure that the consent interface given to the user, and the options presented to them, are accurately reflected in the underlying technical properties of the system?”

Dynamic consent provides research participants with an electronic record of their consent decisions, with an opportunity to review and change these decisions over time. The consent decisions are separated into discrete choices to allow participants to tailor their involvement, to selectively determine how their data are used and by whom.

Managing the expectations of participants, researchers and other stakeholders wishing to access and use the data, in terms of what is promised and what is technically possible to deliver, particularly if a participant changes their mind, is vital to building trustworthy and reliable systems. This project will examine different consent options and map the technical infrastructure required to support their realisation.

The dynamic consent decisions will then be tested to determine the technical requirements if a participant should change their mind; for example, if they decide they no longer want a particular sector to be able to access their data, or if they wish to withdraw from a specific type of research. This testing will determine if it is technically feasible to truly support these decisions, or at what point expectations will need to be managed about what is and is not realistically possible, given different platforms.

The project directly addresses the first two of the Institute's declared emerging focus areas: cybersecurity and digital ethics. We examine the complex interaction between the two.