2nd International ICST Workshop on the Value of Security through Collaboration

Research Article

A Customizable Reputation-based Privacy Assurance System using Active Feedback

  • @INPROCEEDINGS{10.1109/SECCOMW.2006.359575,
        author={Stephen Crane and Marco Casassa Mont},
        title={A Customizable Reputation-based Privacy Assurance System using Active Feedback},
        proceedings={2nd International ICST Workshop on the Value of Security through Collaboration},
        publisher={IEEE},
        proceedings_a={SECOVAL},
        year={2007},
        month={5},
        keywords={Trust Privacy Reputation Management},
        doi={10.1109/SECCOMW.2006.359575}
    }
    
Stephen Crane1,*, Marco Casassa Mont1,*
  • 1: Hewlett-Packard, Filton Road, Stoke Gifford, BRISTOL, BS34 8QZ, UK
*Contact email: stephen.crane@hp.com, marco.casassa-mont@hp.com

Abstract

People are often required to disclose personal identifying information (PII) in order to achieve their goals, e.g. when accessing services or obtaining information and goods. Being able to say with absolute certainty that another party can be trusted to properly handle personal data with today's technology is probably unrealistic. Feedback solutions based on reputation mechanisms can address aspects of trust and assurance in relation to how personal data is managed by an enterprise. However, they usually rely on subjective feedback based on empirical experiences, and typically they do not allow individuals to systematically track and manage their specific experience. In this paper we propose an approach that enables people to monitor the status of personal data which they have previously shared with an enterprise, service provider or other organization - under specific conditions previously negotiated - and to actively gather information on how adequately the management of these data meets their personal expectations. Ongoing monitoring and notification, and the ability of the client to form a simple record of past interaction, provide the client with greater confidence and assurance in situations where they need to share sensitive personal information with organizations they would otherwise not be able to claim they trust. This feedback process is based on conditions that are specific to the process of sharing PII. It provides the client with assurance that an enterprise is a) capable of fulfilling and b) actually fulfilling the PII processing preferences agreed at the time the data is disclosed, which ultimately enables the client to form an opinion about the service provided. We present the principles of our approach and the architectural components that support a practical implementation. This is work in progress and the research is ongoing, carried out in the context of PRIME