Privacy Requirements and Realities of Digital Public Goods

Geetika Gopi, Aadyaa Maddi, Omkhar Arasaratnam, Giulia Fanti

TL;DR

We present a systematic assessment of how DPGs respond to the DPG standard's questions about protecting users' privacy, together with preliminary recommendations for strengthening the privacy portion of the DPG standard.

Abstract

In the international development community, the term "digital public goods" is used to describe open-source digital products (e.g., software, datasets) that aim to address the United Nations (UN) Sustainable Development Goals. DPGs are increasingly being used to deliver government services around the world (e.g., ID management, healthcare registration). Because DPGs may handle sensitive data, the UN has established user privacy as a first-order requirement for DPGs. The privacy risks of DPGs are currently managed in part by the DPG standard, which includes a prerequisite questionnaire with questions designed to evaluate a DPG's privacy posture. This study examines the effectiveness of the current DPG standard for ensuring adequate privacy protections. We present a systematic assessment of responses from DPGs regarding their protections of users' privacy. We also present in-depth case studies from three widely-used DPGs to identify privacy threats and compare this to their responses to the DPG standard. Our findings reveal limitations in the current DPG standard's evaluation approach. We conclude by presenting preliminary recommendations and suggestions for strengthening the DPG standard as it relates to privacy. Additionally, we hope this study encourages more usable privacy research on communicating privacy, not only to end users but also third-party adopters of user-facing technologies.

Paper Structure

This paper contains 55 sections, 8 figures, and 5 tables.

Figures (8)

  • Figure 1: Categorizing codes under the four themes we consider during qualitative analysis of DPG responses.
  • Figure 2: Results from qualitative analysis of DPG responses for Overall Response Quality.
  • Figure 3: Results from qualitative analysis of DPG responses.
  • Figure 4: Results from qualitative analysis of DPG responses for Privacy Component Analysis.
  • Figure 5: 3-stakeholder model to facilitate DPG privacy evaluation. The third-party assessment would involve the gray sequence of steps, whereas a self-assessment would require only the single blue step.
  • ...and 3 more figures