Two years ago, I published a paper on Privacy Points as a novel approach to data protection. The idea stems from ecological impact assessments and emission trading. In short, you use metrics to assign point values to changes in IT systems affecting privacy of users. The level of data protection could then be given as a number of points per user. That way, you could more easily assess deterioration or improvement for individual users, groups of users, specific companies, classes of services, sectors etc. Regulation could give a target of „privacy points“ that must be achieved, giving flexibility to service providers to achieve the desired number of privacy points choosing the most cost-effective methods. The approach already works for building codes in Germany where you assess the ecological value of an area affected by contruction. You measure the value before construction and after construction using „eco points“. If the difference is negative, the builder must compensate for the missing eco points by improving an area, e.g. from simple grass to fruit trees.
At the time of the original paper, I collaborated with Ph.D. student Lisa Rajbhandari who contributed her expertise on privacy metrics. I picked up on the topic again earlier this year. Currently, four students from the Master in Computer Science programme of HTWG Konstanz do research on Privacy Points in a team project. They extended the original approach by surveying almost a hundred potential privacy/security metrics, talked to experts in the field of privacy as well as building regulation, and are writing a report consolidating their findings. They apply the privacy points approach in a case study on a messaging service: WhatsApp. The final report is due in Spring 2015, and I look forward to see how the idea will have developed to an applicable method.
