Privacy protection: the CNIL - Inria European Privacy Award changes the game

Date:
Changed on 30/10/2019
The 4th edition of the CNIL-Inria European Privacy Award was launched at the end of May, and computer science researchers have until 6 September to submit their best papers on personal data and privacy protection. The aim: to raise awareness among the scientific community, but also in society and the world of politics on an issue that concerns them directly. We met with the two co-chairs of the competition jury, Nataliia Bielova (Inria) and François Pellegrini (CNIL).
Vie privée
Inria / Photo S. Erôme

The more researchers develop effective protection systems, the greater our ability to enforce the law will be

François Pellegrini

co-chair of the CNIL-Inria European Privacy Award

Do you think privacy protection has become a subject for computer science researchers in its own right?

Nataliia Bielova: Yes, because privacy is at the intersection of big societal and legal issues and technologies: cybersecurity, data processing, software development, interfaces, machine learning, etc. It is a vast scientific field and there are a large number of teams working on it, especially in Europe. In secondary schools, there is no privacy protection yet. However, teachers are taking an interest in the field and they are raising their level of competence. 

François Pellegrini: I can't say that the amount of research is increasing. On the other hand, it is certain that the topic is being sustained by growing media coverage and a strong legal framework, the GDPR*. In addition, it's not just theoretical - this is a real practical issue that involves science, regulations and ethical questions. Certainly a context is mobilising people. Biometrics, for example, raises questions about data acquisition technologies, data retention times, the rules on access to data and their use, etc. 

* GDPR stands for General Data Protection Regulation

Has the entry into force of the GDPR altered things for researchers and States?

Nataliia Bielova: It is a historic step that is transforming the entire ecosystem. Because it requires that existing tools be brought into compliance and that compliance be demonstrated, the GDPR has created a huge demand that public and private research, in Europe and beyond, will be drawn in to fill. This regulation has raised the bar quite high, and companies have a lot to do to meet the GDPR requirements. On the other hand, there are still some grey areas, violations that are difficult to prove: it's fertile ground for further research. 

François Pellegrini: In the beginning, the GDPR led to protests from companies, which claimed it would kill their businesses. The same arguments were used when the first environmental laws came in. In reality, the GDPR has been a wake-up call and has released a wave of energy. In two years, it has become a worldwide trend. TheUSA, for example, is considering a similar federal law. As for researchers, they have an objective interest in innovating in this context.

As co-chairs of the competition jury, what do you think is the significance of this CNIL-Inria Award?

Nataliia Bielova: It shows that when it comes to security and privacy protection, it is possible to conduct research on a very wide variety of subjects. For example, the first three editions rewarded articles on proof of identity, privacy protection integrated from the design of the software ( “privacy by design”)and a technique for tracking web users, “browser fingerprinting”.

Another consideration is that public research has the legitimacy to award a prize like this. Private interests do not influence it and it can reveal what is often hidden.

François Pellegrini: I don't know of any equivalent in the awards world, that is, a prize awarded by a regulatory authority. The CNIL wishes to reward things it sees as relevant, to encourage vocations and recognise the importance of this field of science, so that in the end people can have technical solutions that respect the law and therefore their rights and freedoms.

The competition rules specify that the work presented must be accessible to non-scientists. Why was this criterion included?

Nataliia Bielova: Researchers are free to choose whether to make their work accessible to general public or not. But we want to encourage them to raise the public's awareness about privacy issues and to change the attitude of the public. In an ideal world, computer systems would be intrinsically protective. Users would not even have to configure their own preferred privacy settings. In real life, they are lost in a maze of choices they do not master or they become victims of attention distraction techniques ("dark patterns") that lead them to believe they are protected while they are not.

François Pellegrini: This is a societal issue that concerns us all, but about which most people know very little. The more we highlight innovative solutions that are easy to understand, the more we reveal the underlying security problems.

Can researchers change public policy and regulations?

Nataliia Bielova: In the United States, there has been a prize called Privacy Papers for Policymakers for ten years that expressly addresses this issue. Personally, I was struck by a reflection made by some MEPs to whom I was presenting certain web tacking techniques a couple of years ago: "We should listen to researchers more often." I am convinced that we can be game changers.

François Pellegrini: The more researchers develop effective protection systems, the greater our ability to enforce the law will be, by making sure there is no place for less protective systems any more.