When I started my Ph.D. in the year 2000 and built a software agent called “Luci” to engage people in online sales conversations I stumbled upon a phenomenon called “The Privacy Paradox” (1). That is, most people I invited to Humboldt University’s Lab to shop for cameras and winter jackets with Luci’s help said that they’d be privacy sensitive, but once engaged with smart little Luci, they forgot all their concerns and answered even the most intimate questions the software agent would ask them. With this observation, my career as a privacy researcher began accompanied by a journey to protect people from losing more privacy online than is in their interest.

Already in the early 2000s it was clear that the Web would not remain as it is. Mark Weiser had published his landmark article on “The Computer of the 21st Century” (1991) in which he describes how computing will weave itself into the fabric of everyday life. I will never forget the moment when I first saw Friedemann Mattern in Berlin giving a talk on “Ubiquitous Computing” and its implications for society. When he demonstrated the MediaCub with computing inside it became clear to me that we would enter a new world; a world of smart homes and services around us as they now slowly merge into our societies.

So, I decided to do my 2nd book at Humboldt University on the subject of privacy & control in Ubiquitous Computing Environments (2). From 2004 to around 2007 I co-operated with the Metro Future Store Initiative and studied hundreds of customers to understand how these would react to different technical architectures embedded in RFID-enabled stores. Only to find one key message: No matter how the technology is designed, customers feel helpless once they find out that they are ubiquitously tracked (3).

I decided to become my own lobbyist for the case of regulatory privacy protection for RFID. I went to Brussels, became part of the working groups set up by the EU Commission in DGConnect on the matter and fought for having proper Privacy Impact Assessments (PIA) for this kind of technology (4). I succeeded and convinced big players in the German industry as well as the RFID industry itself to join my case. Together we fought aggressive US lobby groups to establish “proper” PIAs in Europe. Finally, the PIA Framework for RFID was solemnly signed by the European Commission (see photo) and by various industry groups (4). The Framework became something like a template for later PIAs, such as the one for smart grids.

Signing Ceremony in Brussels at the European Commission’s DGConnect in 2011 for the first transatlantic “Privacy Impact Assessment” Framework

This privacy engagement with the EU Commission led me to later participate in other privacy policy endeavors. I heavily supported the recognition of Privacy Impact Assessments in the European Data Protection Regulation (GDPR) that was then in preparation. And I could convince many regulators that if a company follows a PIA it will end up with a Privacy by Design (5). In the end, both PIAs and Privacy by Design found their entry into the GDPR and I hope that these principles will be taken more seriously in the future than they are respected today where many technologies still seem to serve “Surveillance Capitalism” and build “Networks of Control” (6) rather than complying with these GDPR principles.

I am not sure what the future will bring. I later joined (marginally) the OECD working group that was responsible for the new Privacy Guidelines and served as a privacy expert in the creation of OECD’s Big Data Report (the content of which I only share partially, because I don’t think that Big Data can magically produce “knowledge”… a major weakness of the report and I was always the bad cop when it came to privacy in big data...). Finally, I joined the BRDIGE Project, an effort by US and EU policy makers to bridge the brittle relationship over privacy issues between the US and Europe. But despite this effort of the group, mainly driven by Jacob Kohnstamm, today’s data driven economies make privacy more and more of a rare earth. Let’s see how effectively GDPR can protect European citizens. This is an open question as of now. The potential is here for sure to build privacy-friendly technologies! A recent benchmark report I produced with my WU students shows that companies can compete on privacy. Equally, industry cases like the Privacy by Design case for airport-security scanners demonstrate how privacy-friendly technology can determine the competitiveness of companies. My hope is that through a combination of market forces, privacy regulation and high-court decisions we can e re-establish privacy in Europe’s 21st century. Otherwise, I fear, we will go through a very dark age of unfreedom.

Sarah Spiekermann, Feb 2019

In Corona year 2020 I could not resist and again became active to personally develop a privacy-by-design tool that has assisted DPAss and other policy makers to determine the criteria for a privacy-friendly Corona app. The tool and its criteria can be downloaded here:

Privacy Friendly Corona Virus Tools

I was very happy to see how much in 2020 privacy has been maintained in the German and Austrian Corona app development where the creators and policy makers resisted the brutal digital fencing and surveillance approach that was chosen in some Asian countries. I was sad to see however how much of the initial market take-up failure was blamed on the privacy-sensitivity of the solutions. In truth, privacy has not been the reason for the lack of market take-up. Innovation diffusion typically takes some years. And so it was not surprising that virus apps go through the same cycle. I posted some perspectives on this matter in my standard.at blog:

Handy-App gegen die Infektion: Sollen wir Bürger mitmachen?

Corona-Apps: Eine Frage des Vertrauens

Sarah Spiekermann, Jan 2021

Research Articles referenced in this Section:

1. Spiekermann, S., Grossklags, J. and Berendt, B. (2001) E-privacy in 2nd generation E-Commerce, in: Proceedings of the 3rd ACM Conference on Electronic Commerce EC'01 (Tampa, Florida, USA); ACM Press, 38-46.
2. Spiekermann, S. (2008) User Control in Ubiquitous Computing: Design Alternatives and User Acceptance, Aachen: Shaker Verlag.
3. Guenther, O. and Spiekermann, S. (2005) RFID and Perceived Control - The Consumer's View, Communications of the ACM 48(9), 73-76.
4. Spiekermann, S. (2012) The RFID PIA- Developed by Industry, Agreed by Regulators, in D. Wright and P. De Hert, (ed.) Privacy Impact Assessment: Engaging Stakeholders in Protecting Privacy, Place: Springer Verlag.
5. Spiekermann, S. (2012) The Challenges of Privacy by Design, Communications of the ACM 55(7).
6. Christl, W. and Spiekermann, S. (2016) Networks of Control - A Report on Corporate Surveillance, Digital Tracking, Big Data & Privacy, Vienna: Facultas.