Each year, January 28 marks Data Privacy Day, an internationally recognized event to highlight the importance of keeping sensitive digital information safe and secure.
As digital technologies continue to pervade society and produce increasingly vast amounts of data, the protection of sensitive information is a growing public concern. Consider a local example: The Daily Cardinal recently reported that in 2023, cybercriminals stole over 160,000 University of Wisconsin System records, some containing personal student information, in the “biggest data theft” of the year.
Fortunately, experts at the School of Computer, Data & Information Sciences (CDIS) are working to better understand the complexities of data privacy and help people take control of their digital lives. To honor Data Privacy Day 2024, we sat down with a group of leading scholars in the areas of privacy, cybersecurity, software engineering, and information ethics to get their insights on the evolution of data privacy, its relevance in higher education, and ways to minimize privacy risks in the information age. The discussion has been edited for length and clarity.
Expert panel:
- Rahul Chatterjee, Assistant Professor, Department of Computer Sciences
- Alan Rubel, Professor and Director, The Information School
- Emilee Rader, Associate Professor, The Information School
- Dorothea Salo, Distinguished Teaching Faculty, The Information School
- Rick Wash, Associate Professor, The Information School
Data privacy is just one element of individual privacy. Why is privacy important broadly?
Alan Rubel
Privacy is important for a number of reasons and in many different contexts. It’s important for pragmatic reasons, like protecting people from being exploited, for example, by protecting health and financial information. But it’s also vital, in very personal ways, that we have the ability to control who has access to information about us so we can effectively engage in a range of social relationships.
Rick Wash
Privacy is strongly related to power and control. By protecting your privacy, you protect your ability to control your own information in making decisions that affect other people. So ultimately, control of your own information helps you control what kinds of power other people have over you.
The first Data Privacy Day took place in 2007, right around the introduction of the iPhone. How has the world of data privacy changed since then?
Emilee Rader
In some ways, it has changed a lot because computation is now everywhere in our lives. We’re constantly interacting with technology, often without even knowing it. And data is constantly generated where computation is happening. As a result, today it’s really hard for people to both use technologies to improve their lives and also understand all the potential data and privacy risks they may be subjected to.
So the ubiquity is new, but as long as computers have existed, people have been collecting and using data to identify patterns and make predictions.
Rahul Chatterjee
Our lives, work, and governments are now much more intertwined with technology and data. In 2007, the iPhone was good for making calls and taking photos; today it constantly measures our physical health, sleep patterns, menstrual cycles, and medicine routines. It knows the location of loved ones or handbags and all financial details, not to mention all the photos and videos we take and share on social media.
Alan Rubel
I’ll add two things. First, the Edward Snowden leaks in 2013 represented a watershed moment for public understanding in this area. The extent of government collection of data and the ways in which it was used really exceeded what most people thought was possible.
Second, it’s not just that data is pervasive, but it’s now quickly and effectively turned around and put to use in directing our attention to a much greater extent. The advent of smartphones and some of the prominent apps accelerated this trend.
Dorothea Salo
I want to fit one more piece into the puzzle, and that’s the data gold rush. In recent years there has been an incredible amount of money poured into collecting, storing, and swapping data about people. There’s an entire economy of data brokers, which exist to sell information about individuals to all comers, with very little regulation.
Given those changes, how can we begin to better protect people’s data privacy?
Rahul Chatterjee
The problem of data privacy and safety is exacerbated when people are in vulnerable situations. At Madison Tech Clinic, we support survivors experiencing abuse via technology by their intimate partners. We help survivors identify “points of compromise” in their digital settings that enable the abuser to exploit technology to harm and control them in order to prevent such abuse from happening again. Our approach, however, is reactive, and I wish we could make people aware of different risks of digital technologies that we use daily and proactively take steps to prevent many potential avenues of abuse.
Emilee Rader
In addition, a promising line of research has looked at how to create a standardized way of presenting information about a company’s privacy practices, similar to a nutrition label that you would find on food. That’s not mandated now, but another action we can take is to encourage the people around us to push elected representatives for stronger privacy protections that would require more transparency about how data is being gathered and used.
Rick Wash
I agree, and there is also a lot that governments can already do, even without federal data privacy legislation. There are laws that can help protect some amount of privacy, and I think we need to enforce those better.
Let’s turn to the higher education setting. How is student data collected and used on university campuses?
Dorothea Salo
It starts with learning analytics, which I like to call the Big Data of higher education. Learning analytics involves standard personal data like demographics, but also behavioral information, for example, about where students are on campus, and the actions they take on Canvas, the online learning management system that UW-Madison students and faculty use.
Ideally, we could use this data to improve student learning by making predictions about things like what courses students might be interested in. But in the process, student data can easily cause risk to students from outside actors.
Alan Rubel
To Dorothea’s point, let me offer another example. Georgia State University’s successful effort to increase retention rates has been attributed to effective use of student data. In that case, there was certainly a lot of data collection going on, but if you look at the program more closely, it was largely a matter of hiring more advisors and doing the critical work that goes into ensuring student success. In other words, it was the people doing the work, not necessarily the data.
My larger point is that we should think first about how to craft great student experiences, then work with the data from there. Rather than coming up with post-hoc rationalizations for data collection, it’s worth considering which data we should be gathering in the first place.
What can students at UW-Madison do to learn more about data privacy and minimize their own risk?
Dorothea Salo
For one thing, they can take my course, LIS 510: Human Factors in Information Security. A lot of the material deals with data privacy issues. Also, helping to shine a light on these issues to other people makes a big difference. The student newspapers are doing some great reporting on cyber threats; I often learn about them from the Daily Cardinal.
Rahul Chatterjee
If we can train undergraduate students early on to develop a security mindset—an awareness of the impact of a software or application in the presence of adversaries—they will likely be better prepared to write secure and safe software when they write code for real-world applications.
In addition to Dorothea’s course at UW-Madison, students can choose from a large number of classes to learn computer security: CS 435 (Intro to Cryptography), CS 542 (Intro to Software Security), CS 642 (Intro to Information Security), CS 763 (Security and Privacy for Data Science), and CS 782 (Advanced Computer Security and Privacy).
Alan Rubel
I think this conversation has shown that privacy issues cut broad and they cut deep. They apply across a range of different domains and facets of people’s lives, and students are really interested in this topic beyond just their own personal data privacy.
We are fortunate that at UW-Madison, there are lots of experts on these issues teaching courses ranging from information security to cyber law to the attention economy. Students won’t have to look too hard to find interested peers and faculty, in the CDIS departments and other units across campus, studying digital privacy from interesting new angles.
Do you have any more general guidance to share for citizens concerned about data privacy?
Emilee Rader
My advice is to try to be a discriminating consumer. Actually take some time to read privacy policies, and use the information in the privacy policies to help inform your decisions.
But more importantly, don’t freak out. If you need to use technology to manage your money, or to get healthcare, you shouldn’t let privacy concerns stop you from doing what’s needed. I say this as somebody who studies privacy: There’s a gigantic rabbit hole that you could go down, and in many situations, it’s just too difficult and time-consuming to be worthwhile.
For more on information security and data privacy research at CDIS, explore our renowned research groups based in the Department of Computer Sciences and The Information School.