Ethics and Legal Considerations in Nanotargeting Research

30 May 2024

Authors:

(1) Ángel Merino, Department of Telematic Engineering Universidad Carlos III de Madrid {angel.merino@uc3m.es};

(2) José González-Cabañas, UC3M-Santander Big Data Institute {jose.gonzalez.cabanas@uc3m.es};

(3) Ángel Cuevas, Department of Telematic Engineering Universidad Carlos III de Madrid & UC3M-Santander Big Data Institute {acrumin@it.uc3m.es};

(4) Rubén Cuevas, Department of Telematic Engineering Universidad Carlos III de Madrid & UC3M-Santander Big Data Institute {rcuevas@it.uc3m.es}.

Our research aims to reduce the privacy risks that nanotargeting poses to users and to raise awareness of how personal data, as defined in the General Data Protection Regulation (GDPR) [1] in the European Union, differs from Personally Identifiable Information (PII). We believe this work is a relevant contribution in the context of the GDPR (and other advanced data protection regulations) as it provides a concrete example extending the vision of what should be considered personal data.

We expected that the combination of location and some professional skills would lead to a high uniqueness probability on LinkedIn. Hence, we took a conservative approach and considered that we were handling personal data in our study and that it was therefore subject to the GDPR. We consulted with our institution’s Data Protection Officer (DPO), based in the EU, to ensure compliance with the GDPR. The DPO confirmed that our research has a clear public interest, as it aims to improve user privacy and helps to clarify whether the GDPR applies to specific combinations of data items. Therefore, the DPO informed us that the legal basis supporting our research is the public interest, one of the legal bases set out in the GDPR to allow personal data processing.

The only potential unique identifier we could have stored in our dataset was the URL used to access the LinkedIn profile. To protect user privacy, we replaced each profile’s unique identifying URL with a random identifier to prevent anyone from potentially identifying individual users based on the information stored in our dataset. Following the instructions of our DPO, we implemented several security measures to minimize unauthorized access to our dataset. We kept the dataset on a server behind our institution’s firewall and a second self-configured firewall. The server is only accessible from a device connected to our institution’s physical network or VPN. Access to the server requires an account and password on the server. Finally, the dataset was encrypted, and only the paper’s authors had the credentials to access the information. We adopted these security measures to safeguard the data from unauthorized access and comply with the requirements of the GDPR.
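The URL replacement step described above can be sketched as follows. This is an added example, not the authors' code: the field names, the URL normalization rules, and the choice to discard the URL-to-identifier mapping after processing are assumptions, and the sample records are constructed.

```python
import secrets
from urllib.parse import urlsplit

def normalize_profile_url(url):
    """Canonical key for a profile URL so that variants of the same profile
    (www prefix, trailing slash, tracking query, case) collapse to one key.
    Treating the path as case-insensitive is an assumption of this example."""
    parts = urlsplit(url.strip())
    host = parts.netloc.lower()
    if host.startswith("www."):
        host = host[4:]
    return host + parts.path.rstrip("/").lower()

def pseudonymize(records, url_field="profile_url", id_field="user_id"):
    """Return copies of the records with the URL field replaced by a random ID.
    The mapping exists only inside this call and is never persisted, so the
    output cannot be linked back to a URL through a lookup table."""
    mapping = {}
    out = []
    for rec in records:
        key = normalize_profile_url(rec[url_field])
        if key not in mapping:
            # 128 random bits, not derived from the URL (no hash to brute-force)
            mapping[key] = secrets.token_hex(16)
        clean = {k: v for k, v in rec.items() if k != url_field}
        clean[id_field] = mapping[key]
        out.append(clean)
    return out

def leaked_fields(records, needle="linkedin.com/in/"):
    """Names of fields whose string values still contain a profile URL."""
    return sorted({k for r in records for k, v in r.items()
                   if isinstance(v, str) and needle in v.lower()})

# Constructed sample rows; the first two are the same profile written differently.
SAMPLE = [
    {"profile_url": "https://www.linkedin.com/in/example-user-1/",
     "location": "Madrid", "skills": "Python;SQL"},
    {"profile_url": "https://linkedin.com/in/Example-User-1?trk=x",
     "location": "Madrid", "skills": "Python;SQL"},
    {"profile_url": "https://www.linkedin.com/in/example-user-2",
     "location": "Leganes", "skills": "Networking"},
]

if __name__ == "__main__":
    for row in pseudonymize(SAMPLE):
        print(row)
    print("fields still holding URLs:", leaked_fields(pseudonymize(SAMPLE)))
```

Random identifiers are used rather than a hash of the URL because profile URLs are guessable, so an unsalted hash could be reversed by enumeration.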

In summary, this research is closely linked to ethical principles and aims to reduce the privacy risks of users on LinkedIn and enhance the application of the GDPR. Furthermore, we have ensured compliance with the GDPR by following the instructions of our institution’s DPO, who reviewed and approved this research work.

This paper is available on arXiv under the CC BY-NC-ND 4.0 DEED license.