arXiv:2012.01813v2 [cs.CR] 9 Feb 2021 Privacy Labeling and the Story of Princess Privacy and the Seven Helpers * Johanna Johansen Dept. of Informatics, University of Oslo Tore Pedersen Norwegian Defense Intelligence School and Bjørknes University College Simone Fischer-Hübner Karlstad University Christian Johansen Norwegian University of Science and Technology Gerardo Schneider Dept. of Computer Science and Engineering, University of Gothenburg Arnold Roosendaal Privacy Company Harald Zwingelberg Unabhängiges Landeszentrumfür Datenschutz Schleswig-Holstein Anders Jakob Sivesind Dept. of Informatics, University of Oslo Josef Noll Dept. of Technology Systems, University of Oslo Abstract Privacy is currently in ‘distress’ and in need of ‘rescue’, much like princesses in the all-familiar fairytales. We employ storytelling and metaphors from fairytales to make reader-friendly and streamline our arguments about how a complex concept of Privacy Labeling (the ‘knight in shining armour’) can be a solution to the current state of Privacy (the ‘princess in distress’). We give a precise definition of Privacy Labeling (PL), painting a panoptic portrait from seven different perspectives (the ‘seven helpers’): Business, Legal, Regulatory, Usability and Human Factors, Educative, Technological, and Multidisciplinary. We describe a common vision, proposing several important ‘traits of character’ of PL as well as identifying ‘undeveloped potentialities’, i.e., open problems on which the community can focus. More specifically, this position paper identifies the stakeholders of the PL and their needs with regard to privacy, describing how PL should be and look like in order to address these needs. Throughout the paper, we highlight goals, characteristics, open problems, and starting points for creating, what we define as, the ideal PL. In the end we present three approaches to establish and manage PL, through: self-evaluations, certifications, or community endeavors. Based on these, we sketch a roadmap for future developments. 1 Introduction The right to privacy is something precious and frail (an integral value appearing in the Universal Declaration of Human Rights 1 ), which we need to take good care of in order not to lose it, much like princesses in fairytales. Just like European royalties, privacy is known to people only as a symbol, but does not have much power in the economy or society; and in its current state it definitely cannot serve the people, but only a few very wealthy and influential actors prosper from its misuse. Loss of privacy has both micro implications, at a personal level (e.g., people being influenced to buy what they do not want or need [Matz et al., 2017], to vote for extremists [Isaak and Hanna, 2018, Berghel, 2018, Stewart et al., 2019], or to develop antisocial behaviour), but also macro implications, at a societal level (e.g., a society living in fear of being watched by surveillance capitalists [Zuboff, 2019] or manipulated on social media [Starbird, 2019, Grinberg et al., 2019]). Privacy is personal and contextual, having social and political ramifications, but most of the population does not see, or understand, even some of its basic implications. The lack of privacy literacy can be partly attributed to commercial entities who often, while profiting from handling data, work hard to keep privacy “out-of-sight [is out-of-mind]” – like a sleeping princess locked in a tower – e.g., telling people infamously “You have zero privacy anyway. Get over it.” 2 [Solove, 2011]. Privacy misapprehension by the population is also due to * We would like to thank associate Torunn Hellvik Olsen for her great inputs during our workshop on this topic held in Oslo, March 2020. 1 The “right to privacy” emerged in the Universal Declaration of Human Rights, adopted in 1948, as one of the fundamental human rights. Shortly after, this right was reaffirmed in the European Convention on Human Rights (ECHR), drafted in 1950. 2 https://www.wired.com/1999/01/sun-on-privacy-get-over-it/ 1