if you want to ask questions to the speaker. Unfortunately, right now I cannot see you if you stand in front of your microphone. Thus, I would kindly ask you to go either on Twitter or Mastodon and use the hashtag rc3r3s or go to hackint in the IRC, on the channel rc3-r3s. All are numbers and letters. Also, we are streaming on Twitch and YouTube. You can search for our streams by using the remote Rhein-Ruhr stage. Use it one word or three words, whatever you like. You will probably find it. So to go on from here about our speaker, he is studying industrial design in Eindhoven and part of his thesis is this talk. And he wants to eliminate privacy from the aspects both of design and development as he is both a designer and a developer. And this talk was presented also at the Dutch Design Week. So give it up for Lai.

Right, thank you so much. Let me get right to it. So hi there, as I said, I'm Lai, currently presenting from this man cave in Eindhoven, the Netherlands. Software engineer by trade, designer by education. And some of you might wonder what does that mean? Well, it means that I have an interest in a couple of things in the overlap between both of those fields. So there's privacy, there's personal information and there's also user experiences. And simultaneously means I can cherry pick the aspects I like from both fields while also blatantly ignoring all the sane practices that have been set in both fields. That will be a recurring theme in this talk. So let's talk about this personal information. I want a short story of my personal information as well and taking control of it specifically. We'll be talking about personal information a lot. So let's consider what personal information is for a brief minute. By law, personal information is any information that is related to you as an individual. It's sort of infectious. See as if your hand that just touched the elevator button is information. And as soon as you touch your face, it's infected.
Linked to your name, it's personal information. Data point linked to your IP, it's personal information. Linked to a hashed bank account number, it's personal information. If it can be connected to you in any way, it's considered personal information by law. And what's more to know about personal information in 2020? So we know that governments care little for personal information at this point. We know private corporations care little for personal information, unless we pay for it, that is. In fact, we know our personal information is actively being used to manipulate us. And consequently, we know that about six out of 10 Europeans worry about a lack of control over their personal information. And here, I'll just assume that the remaining four out of 10 haven't been paying attention. So where do you even start? It's very easy to feel sort of overwhelmed by this knowledge that we just ignored. We get into sort of Stockholm syndrome where we still dive into the huge bowl or the infinite Facebook scroll with a "this is my life now" attitude. What did you do last night? Well, I went on a six-hour bender last night watching Kim Kardashian's wedding, how the earth is flat and the elites drink baby blood in satanic rituals. It was really inspiring. Well, that's a joke of course, but it says enough about 2020 that this is apparently closer to reality than the self-lacing shoes and flying cars we were promised. So what can I do? We've got all these issues. How can I make a difference? And that is how can we actually do, what can we actually do besides becoming digital elements and casting our devices into the fire? And we as hackers, engineers and privacy junkies answer this question often somewhat condescendingly. Like, oh sure, it's easy.
Just delete your social media accounts, block some ads and trackers, join the Fediverse, petition your members of parliament, maybe write some new antitrust legislation yourself, prosecute the rich elites profiting over data, drive a van filled with magnitude of Facebook data center and walk barefoot across a sea of lava to cleanse your iPhone in Mount Doom. I think a better question here is, what can we feasibly do as individual citizens? What can we do to sort of skirt the life of the bending decisions while still making a tangible impact when it comes to the average citizen's privacy? And let me do some cheerleading here for specifically the GDPR. I personally think it's a fantastic set of laws that solve some of these problems. And something my dear disagree with me here, like, is it a perfect law? No, sure. Were some of the concepts prior law as well? Yes, of course they were. Has it eradicated big tech power, fears of the human condition and brought world peace? Not really, but remember that individual aspects of doing something, anything, this is where the GDPR does make a difference. So let's unpack this whole thing that we call the GDPR. Not the entire thing, of course, but let's cherry pick precisely the aspects that help me play to its savior complex strengths. Fundamentally, the GDPR is about consent and transparency. So first, there's consent. The idea that you get a say about what happens with your data. And I'm gonna skip any further discussion here. As the state of it is depressing enough as is, so anyone else can go and clean up that mess. Rather, we'll talk about transparency. Transparency is the notion that organizations that process your personal information provide truthful information of what they collect and how they process it. Just like in Christopher Nolan's latest movie, transparency can move forwards and backwards. Forwards transparency are the data processing registers and the consent notices.
This is what we're going to do to your precious data. Backwards transparency is the "look at what you've made me do" of personal information. Fortunately, we have a more sexy sounding name for what we can do here. And it's called data rights. So during the GDPR making process, the lawmakers had some fun, they felt generous like Oprah. And as a result, we ended up kind of coincidentally with a set of rights related to our data. There's the right to access your data. There's the right to rectify data that's incorrect. There's right to erase data. If you don't want to have it there, there's right to restrict certain data if you want to, certain data processing. There's right to notification of what it is processed. You have the rights to take the data along with you. And you also have the right to object to data processing practices of your personal information. And these things are pretty powerful. All EU citizens get to enjoy them and they get to exercise them with whomever is processing their personal information. You can basically go up to any organization and say, this is a robbery. I want my data. And they have to comply. Not complying is expensive. Fines are up to either 10 million euros or 2% of global turnover, whichever is more. So not less, that's ridiculous. So when I found this out, I felt like quite the hacker that I was going to be. I'm gonna go out, I'm gonna retrieve all my data and there's no one to stop me. So I did, I actually went out to about 59 organizations to which I sent data requests. And this was all kinds of companies. It's, I sent them to big tech, I sent them to insurers, banks, dentists, doctors, bakers, hairdressers, public transport companies, basically any company that is in on this whole digital transformation narrative that seems popular today. And this is what that looked like. So this is an actual request in legal mumbo jumbo that allows you to gather your data.
And I wanna shout out to My Data Done Right, that's a Bits of Freedom initiative, among others, that helped me generate this mumbo jumbo quite easily and send it out myself. And I sent most of those by email as that was the sort of standard for these kind of things. But for some of them, that didn't pan out as smoothly as I wanted it to. So for some, I actually had to go and print them out, leave my house and put them in a physical mailbox in 2020. I'm not even kidding. In one case, I had to actually physically come over to one organization's headquarters to sign a form and elaborate in person what I was actually doing and why I wanted to do it. And breaking some character here, I actually have to hand it to big tech regarding the amount of engineering hours they've invested into making requesting data a half-decent experience. They've got this particular thing figured out. So when we're talking about the Apple, Facebook, Spotify, Instagram, LinkedIn, data request platforms, they're actually not that bad. They're the best out of the bunch. But it's the only compliment that I will be giving those kinds of companies during this talk. Because fortunately, those practices were contrasted by almost everyone else doing the worst possible job. At the 30 day mark, which is the legal limit for responding to data requests, about 40% of requests were still unanswered. And still about right now, so I did those in March probably, nine months later, 20% of those requests still remain unanswered. And that's just painful to me. And it doesn't even include like all the back and forth emailing I had to do. The reminders that I actually had requested data, that it's been 30 days, and how almost everyone asked me to send a copy of my passport in plain text email. It was just not great, the experience wasn't great. But then we get to go over the actual responses. And I wanna go to my favorite one first.
And this is where a bank sent over a mail courier to my house, which they announced about a week in advance, who asked for my passport, then checked it, made a copy of it, took that along with him, and then handed me this USB stick. And if it's laying around right here, it's a fun piece of memorabilia. This USB stick contained the data that they sent back to me. And even though I like data being physical a lot as a designer, that must have been a ridiculously expensive operation for them to do, especially as more people start asking for their data. And then on the complete other end of the spectrum, I sent out a request to the Dutch tax and revenue service, which returned to me this six-page middle finger, basically flat out rejected my request, unless I made the request very detailed and very specific. And while I expected some corporate backlash, I must admit that I was kind of caught off guard by the whole European government agency being completely hostile to any notion of user data rights. It was kind of off-putting. But then we get to the actual data that I got back. So this is a tiny piece of what I received. I received over 2,200 files covering all parts of the data spectrum. So of course, there's CSV files, there's JSON files, there's XML files. But more often than not, I encountered Excel files, HTML files, JPEG files, screenshots, PDFs, text files. In some cases, I received data via the mail. So I had to either scan it in myself and then get all the data in. And you can go on and on and on. Like there's a ridiculous amount of returned types of data in here. And while I read JSON fluently, there's also the point of the massive influx of data that made it very hard to grasp what it actually meant to me, all the data that I've retrieved. And I'm not alone here. A couple of scholars went out and requested all of their data in a similar way. One researcher actually ended up getting access to his colleague's data by just spoofing their email address.
There was no authentication or check whatsoever. The secretary basically just assumed that the email was valid and sent the whole dump of someone's personal info over to a complete stranger. And they also found that passports are regularly sent back and forth using just plain text email. Particularly, Wong and Henderson found that over half of the responses they got to their data requests did not comply with the machine readability standards that are set forward by the GDPR. But if there's any common ground between all of them and myself is that the process was exhausting, frustrating and ridiculously slow. In fact, it was so poor that I haven't considered using any of my data rights ever since those experiences. It was horrible. So that's why I wondered to myself, can't we do better? And I mean this in an end to end sense. So come into the whole process from requesting your data, to getting it, to viewing it, to storing it, to actually doing something with it, getting insights. All of those things. So that's why I built EON. And EON is pretty simple. It's a desktop application that does exactly this end to end stuff of personal information. So there's the request, there's the archiving, there's the getting insights. And I'll briefly walk you through how that works for a regular user. So first of all, there's this account overview where you add all of your online accounts. So right now you can address Spotify accounts, Facebook accounts, Instagram accounts, your LinkedIn accounts. There are ways of adding other accounts, but I'll get into them later. And as soon as you've added an account, you can start a data request for it. And that basically means that you get a window where you enter your credentials. And then EON will do all the clicks that are necessary for you. And that's it. Your data has been requested. The only thing you have to do is wait for it to complete. And then EON will let you know like, hey, it's been a couple of days.
Your data request is complete. It's in now, let's have a look. And when the data request does complete, it just pulls in that data automatically and it stores it safely on your local disk. And this is where you have the opportunity of actually inspecting it. So you can see a small hint of that in the right bottom corner where there's an overview of all the data points that came in from a particular data request. But there's better ways of looking at it. So seeing your data chronologically is one option. There's also a categorical overview where you can just see the different categories of data, you can also view all your data as a graph. And here's where you can more easily inspect what's happening. So you can see the data types, where the data came from, which account, which platform, and the individual data points as well. And I'll give you a demo of that shortly. And then you can actually inspect single data points, individual data points. This is specifically an ad interest data point that was in the LinkedIn dump. And once you have that concept of a single data point going, you can actually bring in that right to rectify that we talked about in the beginning. So if you have the data, you can actually say that this is not a data point that I want you to have, and object to it basically. And in EON, you can select a bunch of those data points that you would like to see deleted. And then EON will help you generate an email that will ask the provider in the, again, legal mumbo jumbo, that's right for these kinds of requests, to delete those specific data points. You just open it up in your email client and send it off. That's basically it. So before I show you that quick demo, I want to introduce you to Olaf. And Olaf has grown quite close to me over the past half year. I've learned that Olaf likes Formula One. He likes football. He's actually a junior football coach over in his birthplace of Veldhoven.
And we've grown so close in fact that he felt comfortable that I gather his data and display it publicly for all of you to see. I must admit though that Olaf had little choice in the matter because just like trickle down economics, Olaf isn't real. I fabricated him as an alter ego for me and a set of study participants to work with during the EON development. But you'll get to learn everything about him in this short demo. So let me move quickly out of this presentation and go over to the next screen where you'll see the actual EON application going. So here's this timeline overview where you get to view all of the recent data requests that came in. So specifically there's tiny ones for Instagram where apparently a couple of ad interests got deleted. You can see for instance, if you think those ad interests are very interesting, you can browse by them one by one and see where they're coming from. By and large, they're coming from LinkedIn in this case. And this is that graph overview for Olaf specifically. So here you can see the Facebook, LinkedIn, Spotify and Instagram platforms and how those data types are related to them. So for instance, LinkedIn and Facebook both have extensive place of residence type data points for Olaf. So the Olaf I came up with basically. And when you go out and click a specific data point, you can just delete it and then find the generated email quite easily over here. So that's it for the short demo. Let me come back to here and then start answering the hard questions. So now that you've seen everything, your original question should be how does this all work? And remember that thing I said about disregarding sane engineering practices?
Well, if you are an engineer that really cares about native software practices, this is probably the moment where you wanna step out and mute the stream for a couple of minutes because I will not only promote, but defend and actively encourage practices that will, by those people, will probably be decried as heretical. So while we wait for them to leave, I'll reveal that basically for EON, everything is Electron. It's TypeScript, so that's JavaScript, almost all the way down. And for those not in the know, Electron basically packages the web browser Chrome into a desktop application. While it's not a new idea, Electron in my opinion is the first mature attempt at doing so. And it's consequently used by a lot of applications that you use on a daily basis. So think Microsoft Teams, for instance, which we have been locked into for the last couple, for this year, this last year. And there are a couple of reasons for using Electron in this project specifically, and I'll tell you about them. So first of all, there's the Electron browser APIs. So we do a lot in the background to make sure that the user doesn't have to do anything. And as all the platforms are basically front-end only, so they don't expose any APIs, we just default to making clicks on behalf of the user. So we open up this window, the user enters their credentials, and then basically we just use this browser window to make clicks for them. So we click the specific button sequences and pages to get that data request going and actually download it in the end. And this means we don't have to do any password storage magic whatsoever, we can just rely on native browsers. And that means we use existing flows without complicating stuff for ourselves. And then there's the developer experience and the prototypability of an Electron application. So on the right here, you see a base implementation of Instagram provider. So this is basically the code that does all the clicks and pulls in the data.
And the whole thing that does all of it is about 200 lines, most of which is boilerplate. And since it's plain old TypeScript, a lot of people can get involved quite easily. The bar threshold is very, very low. And then again, the application runs at whatever platform you can throw at it. So it goes through Windows, macOS, whether it's Intel, Apple Silicon, it can do Raspberry Pis, it can probably even do your home-cooked BSD distro if you wanted to. There's no platform specific code in EON yet. So all the platforms benefit from the same changes immediately. And then the last one, which is probably the one I will be crucified for, but I'm sticking up for it. The web has superior cross-platform user experience. There's the rich DOM, there's React parents that make creating a recognizable accessible UI from scratch exceedingly easy. For the graph-based view, I just used Cytoscape.js to prototype it in literally a couple of hours. You can't beat it with native stuff. Everything's modular. You build a data retriever on the left side, about 200 lines. And then you can just use a JSON defined schema to pick out the data points from all the returned files and the data types that are associated with them. And because all the data is local, as time moves on, schemas get better. And EON is able to show you more of the data that you already have. Lastly, email's modular too. So we've currently got a Gmail integration that actually reads out some email for you, but we can use this to send out email as well. So if an organization isn't already covered by EON, we can basically just send out an automated email to them. And when they don't reply, start spamming them with reminders. This works for data request removal, of data removal requests as well. So if you wanna delete data, we can just automate a process as well. And we can make all of that a lot more inclusive. Last but not least, where does all the data go? It's basically a local Git for post-storing.
So we use native libgit2, and it doesn't only make storing subsequent data requests super efficient in terms of storage capacity. It also makes it really easy to diff the changes between various states of what is essentially your identity. Everything's open source. So you can go over to EON.technology to get started with it. There's some docs there and we're also on GitHub. Contributions are warmly welcomed. If you wanna take it for a spin, just let us know your feedback as well. So GitHub issues is definitely open for that. Or if you wanna help out, then come into GitHub and we'll figure something out. And one thing I wanted to highlight as well, while EON has the potential of greatly increasing what little user experience there is currently in data rights, when it comes to data rights, it takes two to tango. So there's you and the organization that you're whipping into actually retrieving your data for you. And given that, I wonder whether we can make a similar leap forward for organizations as well, as this will massively increase the user experience for a regular user. So this is where the open data rights API comes in. The premise is very simple. Every organization exposes a single endpoint for user exercisable data rights. Third-party applications can then implement that endpoint and do data rights work on behalf of their users. This could be EON, but it could just as well be any other front end. It doesn't really matter as long as there is the single point of entry. And this makes all the front ends for exercising data rights modular in the end. This is sort of double whammy. EON makes it easier to get a complete picture of your data while organizations can rely on the already existing front end for all their data rights stuff. There's no need to homebrew it as an organization. So the first proposal for that is already available. So it's in api.opendatarights.org. And I encourage you to go have a look and comment on it.
All of that stuff is based on open source and well-known and implemented standards as well. So there's OAuth for authentication and there's schema.org for data typing stuff. A demo implementation of the open data rights API is available on demo.opendatarights.org. It just as well as the EON implementation of it. So if you want to take it for a spin, you can just plop that URL into EON and it will actually let you pull in some fake data. I was supposed to show you a demo but in view of time, I will shortly skip it. All that stuff is open source and available as well. So either on whitepaper.opendatarights.org or on GitHub specifically. Contributions are again welcomed. So come and have a look if you're interested in that sort of stuff. So with all of this work having been presented, it's probably time to come to a final conclusion. And I would like to propose the following. Like I want to start out with the definition that Matthias von Kahn and I wrote about a year ago about how the concept of privacy and user experience are intertwined. Making privacy work means getting the details right for a wide range of users. I believe getting it right makes a difference between control over data being technically in place versus actual meaningful control. So when it comes to making privacy work, we need to negotiate design, technology, and legislation very well. Let's bring those forces closer together in the future. And in that vein also let's consider EON as basically an SDK for data rights but now incorporating user experiences and a basis for compliance. If we get that balance right, organizations and citizens stand to gain. So in that privacy week's vein, we could apply this better and even more broadly. Reusable modules that get the technology, legislation and user experience just right when it needs to be. If you can't think of a place where this concept of standardization is more needed, it's probably time to think again. And I won't delve any deeper into that.
That's it. Thank you very much for listening. Thanks to all the people that have made this journey possible. Those at the Eindhoven University of Technology at SIRV at Bülow-Mürtt-Gedingen and also a shout out to all the rC3 volunteers making all of this stuff work during their Christmas holidays especially at these horrible times. Particularly the folks over at the remote Rhein-Ruhr stage in Monheim for providing with this stage. Cheers and thank you.

Thank you very much for this excellent talk. I was muted apparently.

Yeah, no worries.

So yeah, there are... Let's go straight to the questions. I really like the talk by the way and the really awesome project. I will probably personally look at it. So the first question is in terms of the GDPR asked from FF. What exactly is machine readability? Is it digital, an OCR-compatible font or something else?

Yeah, and that's quite a difficult thing. So the GDPR does have some guidelines for it but I don't think it goes a lot further than machine readability. And this is where the law and technology are kind of off from each other. So in particular that's papers. So that's Wong and Henderson if I'm right. Data file machine readable as actually being able to get data points in a JSON CSV-like format. And yeah, that didn't pan out greatly for them. So at least what I expect is if there's data in sort of structured format that I receive in a structured format rather than printed out on a piece of paper and then I have to enter it into Excel or whatever database myself. I would say that that's the low bar.

Thank you very much for that. Over in the IRC, Irgenpwea61 asks, if your project, if EON is open for contribution is there already a standardized guide for implementing a new online services implementing new online services for data requests?

Yes, so there's docs available. So if you go over to docs.eon.technology I've made a short guide into like how this process sort of works. So basically I call it a provider.
So that's the piece of code that gets the data actually is a standardized class with a couple of methods that do that kind of work. And the fortunate thing is like the available the examples from Facebook, Spotify, Instagram and all that sort of stuff are available. So you can basically just model it on that, try it out locally and then if it works for you contribute it in a pull request I will be very happy to take any of those.

Okay, let's hope that they contribute to your project and add more possibilities to stick it to the big tech as you did put it. So there is a new question from the IRC. What is in development for the future of EON? So what are the prospects? What are you looking forward to?

Yeah, so like I can look at it very bluntly in terms of features. So I think for EON there's still of course lots to do. So better automation making it easier to get to these organizations that haven't yet automated some aspects of doing data requests. So that's where that email stuff comes in getting some extra services in getting it a bit more user friendly. I've spoken to a lot of people who've used it who for instance like some more contexts like after this huge amount of data like will you tell me what I should particularly be looking at that's probably an interesting one. But more broadly speaking I think specifically the open data rights API has some promise at looking at the industry from a bit of a larger perspective. So I would love to see if we can implement that somewhere basically anywhere and take it further from that. I think the open source community can be very helpful in that regard. I would love to see some standard established such as the open data rights API to make all of that stuff just a little bit easier. So that's what I want to be working towards.

Sure, sounds like a good way to go.
And since we don't have any more questions so reminder if you want to ask your questions you can either tweet them or toot them at hashtag rc3r3s or go over to our IRC on hackint, rc3-r3s. So one question I have you seem to have gone through quite the adventure by requesting your own data. What kind of data do you request from a bakery?

Yeah, that's the funny thing, right? So of course the doctor and the dentist sort of make sense. I think for me a specific one was my hairdressers actually. And yeah, like you wouldn't expect them to have any data but nowadays like all of those small little retail shops have CRM systems. So if you do some business with them on the regular you're probably in one of those systems and there's probably data collected about when your appointments are or your email address or they which is very helpful by the way they sent me actual meeting requests via email. I love that feature but it requires them to store some data as well. So I was just curious why they would get back but I didn't manage to get through them. So I never got to find out. That's the pity but like in this day and age I don't think there are lots of companies left that don't store any personal information.

Yeah, sure. I mean even if it's the hairdresser that notes your number down when you make the appointment, right?

Yeah, exactly. Even that's personal data.

So there's also another question again from Egenvea61. Will there be a one button to send every company a please delete all my data requests?

Oh that could be. Like do you want it? That's the question. I mean since they're asking so many questions I think that they might contribute it. It would be really interesting also to classify the data maybe to say I want every tracking data deleted but like my personal data like my name and so on you can keep that. Yeah that would be also interesting. Also there is a question from our moderator or from IRC. I don't know somebody called Mod anyway.
What kind of data do you request from a bank?

Oh from a bank. Oh I need to dig deep to get into actually so it's this USB stick which I used for Tikkie which is the service for doing basically peer-to-peer small-scale paybacks to friends and whatever. I can't recall specifically what data I got back but there's lots of data that banks gather and like your transaction details will be the least of your worry probably because banks also do your insurance so they collect information probably on your age, your health, your occupation all that sort of stuff that makes it easier for them to tailor their prices, products etc to your kind of stuff.

Okay so our time is running short and we have one final question from web user 238. Are there any common traits about the 20% companies that haven't replied? Size, sector etc.

Yeah so as I said this is one of the areas that the big tech companies do have everything put together so I got space requests from every one of them except Facebook I don't have an account there anymore and they claim they didn't have any data but there's no way for me to figure out so that's also still a problem and then yeah like the non-request like I mentioned my hairdressers I just didn't get to the right person in time and I didn't have the time and effort to actually dig down to that rabbit hole but it's usually like the smaller end of the spectrum as the larger companies do have some fear for the fines they might find themselves getting so at least there's some sort of compliance department over there.

Okay so I think that's it thank you very very much for your talk I'm sure people will find you on the interwebs to communicate you, do pull requests, you heard him people go and make this thing a standard and again thank you very much and yeah off to back to the break. Bye bye.

Cheers, thanks.