% ****** Start of file apssamp.tex ******
% RevTeX 4.2 Template and Sample
% This file is part of the APS files in the REVTeX 4.2 distribution.
% Version 4.2a of REVTeX, December 2014
%
% Copyright (c) 2014 The American Physical Society.
%
% See the REVTeX 4 README file for restrictions and more information.
%
% TeX'ing this file requires that you have AMS-LaTeX 2.0 installed
% as well as the rest of the prerequisites for REVTeX 4.2
%
% See the REVTeX 4 README file
% It also requires running BibTeX. The commands are as follows:
%
% 1) latex apssamp.tex
% 2) bibtex apssamp
% 3) latex apssamp.tex
% 4) latex apssamp.tex
%
\documentclass[12pt,
reprint,
%superscriptaddress,
%groupedaddress,
%unsortedaddress,
%runinaddress,
%frontmatterverbose,
%preprint,
%preprintnumbers,
nofootinbib,
%nobibnotes,
%bibnotes,
amsmath,amssymb,
aps,
%pra,
%prb,
%rmp,
%prstab,
%prstper,
%floatfix,
]{revtex4-2}
% \documentclass[12pt,article,nofootinbib]{revtex4}
\usepackage{graphicx}% Include figure files
\usepackage{dcolumn}% Align table columns on decimal point
\usepackage{bm}% bold math
%\usepackage{hyperref}% add hypertext capabilities
%\usepackage[mathlines]{lineno}% Enable numbering of text and display math
%\linenumbers\relax % Commence numbering lines
%\usepackage[showframe,%Uncomment any one of the following lines to test
%%scale=0.7, marginratio={1:1, 2:3}, ignoreall,% default settings
%%text={7in,10in},centering,
%%margin=1.5in,
%%total={6.5in,8.75in}, top=1.2in, left=0.9in, includefoot,
%%height=10in,a5paper,hmargin={3cm,0.8in},
%]{geometry}
\begin{document}
\preprint{APS/123-QED}
\title{Analyzing GDPR Sentiment in the United States}
\thanks{Submitted as a PUBL-201 assignment at RIT}%
\author{Jeffery B. Russell}
\email{jeffery@jrtechs.net, jxr8142@rit.edu}
\affiliation{%
Fourth Year Computer Science Student at RIT\\
CUBRC Research Assistant\\
RITlug President
}%
\date{\today}% It is always \today, today,
% but any date may be explicitly specified
\begin{abstract}
Conducting qualitative research is essential in implementing public policy because it enables us to better understand our complex political and social environments.
This research project aims to gain a deeper understanding of Americans' views on privacy so that we can assess what types of GDPR-like (General Data Protection Regulation) regulations we should implement in the United States.
We found that although most people said that they would support regulations like the GDPR in the United States, most people added stipulations as to how it got implemented and enforced.
This work calls for more qualitative research on privacy regulations so that we can find an ideal set of regulations for the United States.
Despite the varying opinions on implementations, the consensus that there is currently an issue with privacy regulations illustrates the urgent need for policy change at the federal level.
\begin{description}
\item[Keywords]
GDPR, Public Policy, Qualitative Research, Data Protections
\end{description}
\end{abstract}
\maketitle
%\tableofcontents
\section{\label{sec:level1}Background}
This study focused on people’s opinions surrounding how their data is being used by websites.
With the recent exposure of data scandals like Cambridge Analytica and new regulations being introduced in the European Union, it is a perfect time to start exploring people’s opinions on data collection in the United States.
The goal of this research is to help inform policymakers whether or not we should implement privacy regulations similar to the European Union in the United States.
This research project focuses on the General Data Protection Regulation (GDPR) passed by the European Union (EU) in 2016.
The GDPR is a massive consumer protection law that gives people more control over their personal data by restricting how companies are allowed to use and collect it.
Since the passage of the GDPR in 2018, seven other countries passed similar regulations and most large technology companies are working on becoming GDPR compliant so they can do business in the EU.\footnote{https://gdpr-info.eu/}
The GDPR is quite intensive; however, I am going to focus my research on the following three points in the GDPR:
\begin{itemize}
\item The requirement for active consent to keep storing personal information. (Article 5) \footnote{https://gdpr-info.eu/art-5-gdpr/}
\item The right to request the information being stored about you. (Article 15) \footnote{https://gdpr-info.eu/art-15-gdpr/}
\item Right to be forgotten. (Article 17) \footnote{https://gdpr-info.eu/art-17-gdpr/}
\end{itemize}
\subsection{\label{sec:level2}Research Questions}
\begin{itemize}
\item What is people’s general sentiment towards data collection?
\item In what scenarios would people be most willing to provide personal data to companies? How much does this vary from person to person?
\item Do people believe that companies currently respect and use data collected in ethical ways? If not, why?
\end{itemize}
\section{\label{sec:level1}Methods}
This study used two research paradigms to gather data: action research and biographical.
\subsection{\label{sec:level2}Action Research}
Co-interpretation interviews were used in this study to pull out information from people that have not thought about privacy protection laws before. This method is particularly useful because by using co-interpretation in interviews, we are able to describe what GDPR is to people while learning about their views on privacy regulations. Although most people may have heard about GDPR, relatively few people actually know what is in the law.
We used Applied Action in conjunction with the Critical Humanism framework to analyze and learn each person's truth.
Critical Humanism falls on the radical change and subjective views spectrum.
We chose Critical Humanism because we are seeking to pull out varying viewpoints from people and enact change with them.
Six people were interviewed with co-interpretation. Each interview took roughly twenty minutes to conduct. People from two groups were chosen for interviews. The first group was versed in technology and the other group was less versed. This was done to see if there were any notable differences between the two groups.
The interview template used can be found in appendix \ref{appendix:a}.
Since this is following the action research paradigm, an unstructured interview process allowed us to better probe the interviewee and pull out relevant information.
The interview template contains the major questions being asked and common probing questions to go along with each question.
\subsection{\label{sec:level2}Biographical}
Since research was conducted at the Rochester Institute of Technology (RIT)\footnote{https://rit.edu}, we were in a unique position to conduct biographical interviews with people that have had experience with data protection.
Conducting interviews with professionals is essential to understanding privacy regulations because they are able to provide historical context and unique insights into the situation.
Respondents for biographical interviews were selected based on their knowledge in the field.
Since biographical interviews were very in-depth, only two interviews were conducted and each interview took roughly a half-hour.
An interview template can be found in appendix \ref{appendix:b}.
The interview template contains the major questions being asked and common probing questions to go along with those questions.
The goal of this interview format is to get familiar with the subject’s professional career and experience working with personal data and understand how that may have shaped their views on GDPR.
\section{\label{sec:level1}Findings}
The findings of this study are broken into several categories: privacy and social media, implementation, and privacy culture.
Field notes taken during the interviews can be found in appendix C.
\subsection{\label{sec:level2}Privacy and Social Media}
Most people interviewed used social media to some degree.
What was interesting was that the level of concern for privacy had little bearing on how people used social media; however, there were a few notable exceptions among people who were extremely technologically versed and worried about privacy.
Half the respondents shared the sentiment of ``I care, but I've given up''.
Although most people want to retain their privacy, they are willing to give it up for the pleasures that social media and other websites give.
Interesting perspectives were brought up when discussing what people are willing to post on the internet.
People were more willing to post ``edgy'' content when there was nothing personally identifiable on the website. For example, people are more willing to post political and more controversial/raunchy content on social media platforms like Reddit\footnote{reddit.com is a basic forum-like social media site where users identified by usernames post content}, which only uses a username.
Platforms like LinkedIn\footnote{linkedin.com is a social networking site aimed at finding job opportunities} and Facebook\footnote{facebook.com is a very popular social media website} garner more respect because they directly relate your profile to your real name.
That is not to say that Facebook has more prestige (one respondent called Facebook a dumpster fire), but there is something to be said about people's comfort with posting content when it is directly linked back to them.
\subsection{\label{sec:level2}Implementing GDPR}
After explaining GDPR to the respondents, they all agreed that the general goals of the GDPR are good.
However, nearly none of the respondents fully agreed with all the technicalities of the law.
The people that had familiarity with the privacy field actually said that the law does little to fix the issue that we are currently facing.
Although most companies are trying to implement the law, in many cases it is just a Terms of Service (TOS) change -- not much is changing under the hood.
One person in particular was worried that even if this law did get implemented, it would just become a ``golden skeleton'' -- something that makes more money than the fines are worth if they got caught.
This brought up another discussion centered around how we should implement a law like this when major technology companies wield so much power.
Another major point of discussion was how to implement the right to be forgotten segment of GDPR.
Everyone interviewed agreed that companies should be required to delete all account data from their systems when requested.
I interviewed one person who was actually responsible for implementing the right to be forgotten at Intuit\footnote{Intuit is a company that produces financial software}.
This person thought that having companies comply with these requests should be manageable.
Although most companies are currently self-implementing GDPR regulations, he believes that there will soon be a unified system that companies can use to make data privacy compliance easier.
The right to be forgotten provision becomes more contested when you ask people where they draw the line.
Most people believed that they should be able to take down anything they uploaded under this provision.
People were more split over whether or not things that other people upload about them should be able to get taken down.
Two respondents were worried that people would abuse this feature and use it to delete bad things about them from the internet -- this would turn the internet into a place with fewer consequences.
Data removal was another boiling point of discussion.
In an ideal world, all your data would get deleted and no bad externalities would come of that.
Consider this: what if your data was previously used to generate metadata or used in a machine learning algorithm?
At that point it is nearly impossible to fully remove yourself from their system -- you have left an everlasting fingerprint in a vastly complex mathematical system.
Most people interviewed were fine with the idea of having non-identifiable metadata from them lingering in a company's database.
One person noted: ``nothing ever gets fully forgotten on the internet''.
Even after removing personally identifiable information, recent research has shown that it is not that difficult to de-anonymize that data if given enough of it\footnote{Narayanan, Arvind; Shmatikov, Vitaly. Robust De-anonymization of Large Sparse Datasets}.
When implementing GDPR, about half the respondents agreed that defining what counts as non-identifiable information would be crucial.
\subsection{\label{sec:level2}Privacy Culture}
An interesting point that this research brings up is the culture around privacy in the United States versus countries in the European Union.
Historically, the United States has viewed privacy as something that we simply signed away for the convenience of using a service.
This is in contrast to the way that European countries view privacy; in Europe, privacy is a human right.
All research respondents agreed with this assessment; one respondent who was a half German citizen mentioned that privacy protection is a part of their constitution.
When asked whether or not this bill would take footing at a national level, most respondents said that this would become a partisan issue.
\section{\label{sec:level1}Discussion}
Moving forward with this research, it is essential that we conduct surveys at a larger scale to see if stronger privacy regulations would take hold in the United States.
It is important to note that everyone interviewed for this survey lived in Rochester and that everyone except for two people either attended or worked at RIT.
When conducting future research it would be imperative that we extend our demographics.
Although most people interviewed favored more stringent privacy regulations, it is important that we also research the wider economic market surrounding privacy regulations in the United States.
Understanding the business interests of data privacy is essential to assessing what public policies gain momentum in Congress.
The finding that most people had a few caveats with GDPR suggests that a modified version of it would be necessary in the United States.
A future avenue of research for this project would be to analyze the roll-out of the California Consumer Privacy Act (CCPA)\footnote{``California Consumer Privacy Act (CCPA).'' State of California - Department of Justice - Office of the Attorney General. N.p., 10 Feb. 2020. Web. 24 Feb. 2020.}.
\appendix
\section{Action Research Interview Script}
\label{appendix:a}
\begin{itemize}
\item How much do you use the internet?
\begin{itemize}
\item Where do you spend your time online?
\item Are you active on social media?
\item Do you use the internet as a part of your job?
\end{itemize}
\item Are you ever concerned about putting your personal information on the internet?
\begin{itemize}
\item What do you consider personal data?
\item How often do you share personal data?
\item Do you ever think twice before agreeing to a EULA?
\item Are there some sites that you would never give your personal data to?
\item What companies do you trust the most with your data?
\end{itemize}
\item Have you ever heard about the General Data Protection Regulation (GDPR)? (if no, explain what it is)
\begin{itemize}
\item Where did you hear about it?
\item What do you know about it?
\item What do you think about it?
\end{itemize}
\item GDPR includes a provision that requires companies to have active consent to keep storing personal information on someone. Does that sound reasonable?
\begin{itemize}
\item Do you remember receiving a wave of emails about a year ago about an update to their terms of service (TOS)?
\item Would you be okay with certain companies having personal information on you like name, gender, sexual orientation, email, without you knowing about it?
\item Are there any exceptions where a company should have access to your data without your knowledge or consent?
\begin{itemize}
\item Government?
\item Health industry?
\item Research?
\end{itemize}
\end{itemize}
\item What would you think of the ``right to be forgotten''? (if no, explain what it is)
\begin{itemize}
\item Do you think this is feasible to implement?
\item Does this infringe upon freedom of speech?
\end{itemize}
\item Would you want to see GDPR policies take place in the United States?
\begin{itemize}
\item Do you see this having more support or less support than it did in the European Union (EU)?
\item Would you agree that in America we put privacy at the burden of the consumer, whereas in Europe they view privacy as freedom?
\end{itemize}
\end{itemize}
\section{Biographical Interview Script}
\label{appendix:b}
\begin{itemize}
\item Could you tell me a bit about your professional career in the field of x?
\begin{itemize}
\item How much did you work with personal data?
\item What privacy regulations were you aware of?
\begin{itemize}
\item Did this change over time?
\end{itemize}
\end{itemize}
\item How much do you use the internet?
\begin{itemize}
\item Where do you spend your time online?
\item Are you active on social media?
\item Do you use the internet as a part of your job?
\end{itemize}
\item Are you ever concerned about putting your personal information on the internet?
\begin{itemize}
\item What do you consider personal data?
\begin{itemize}
\item How often do you share personal data?
\end{itemize}
\item Do you ever think twice before agreeing to a EULA?
\item Are there some sites that you would never give your personal data to?
\item What companies do you trust the most with your data?
\begin{itemize}
\item Why?
\end{itemize}
\item Do you think that your profession affected the way in which you handle your own personal data?
\end{itemize}
\item Have you ever heard about the General Data Protection Regulation (GDPR)?
\begin{itemize}
\item Where did you hear about it?
\item What do you know about it?
\item What do you think about it?
\begin{itemize}
\item Are you familiar with the right to be forgotten provision of the law?
\end{itemize}
\item Do you think that a law like GDPR would gain support in the United States?
\begin{itemize}
\item Who would push back?
\item What are the cultural differences?
\item Would people in your field of x have different opinions on GDPR than regular consumers?
\end{itemize}
\end{itemize}
\end{itemize}
\section{Field Notes}
\bibliography{apssamp}% Produces the bibliography via BibTeX.
\end{document}
%
% ****** End of file apssamp.tex ******