Ben Wagner on Challenging Online Hate with the Power of Community

Despite considerable efforts, hate speech remains a highly present online phenomenon. This is in no small part because hate speech is so difficult to identify. Hate speech is an intersubjective construct, which makes it difficult to scientifically capture and measure. From both legal and societal perspectives, the understandings of what constitutes hate speech are widely different. Yet the impacts of hate speech are very real. It has spread throughout public discourse and has real world consequences for the people affected by it. Saying that it is hard to measure and therefore nothing can be done about it is to abdicate responsibility for a deeply problematic societal phenomenon and to surrender public space to hatred.

In order to respond to this challenge, the Privacy and Sustainable Computing Lab at Vienna University of Economics has partnered with der STANDARD, an Austrian newspaper with one of the largest German-language online communities in the world. In the coming months we will be working closely together with der STANDARD to develop a design-based approach which changes the way the forum works in order to reduce the amount of hate speech in the forums. These design changes focus on strengthening the power of community within the der STANDARD forums and will be developed in close collaboration with the forum users themselves.

While we do not believe that this project – or indeed any other technical system – can ‘solve’ or ‘fix’ hate speech, we hope that it may be able to make its appearance less frequent on der STANDARD forums. Also, as there are considerable difficulties in measuring hate speech, we intend to measure different legal, societal and practical aspects of hate speech, while acknowledging that these proxies for hate speech may differ. We also hope that this design-based approach will reduce the reliance on filtering techniques. Such techniques currently constitute one of the main responses to hate speech and are far from ideal. Not only do they frequently catch the wrong types of content, they are also frequently not very effective in preventing the appearance of hate speech more broadly.

At a time when numerous newspapers have decided to shut down their discussion forums, we believe that this project can contribute to strengthening the public sphere online. If we want to prevent this public space from shrinking further, we need better responses to hate speech than content removal. We believe that a design-based approach can contribute to reducing the prevalence of hate speech online by strengthening the power of community.

Soheil Human on EXPEDiTE: Human-centred Personal Data Ecosystems made possible

We are delighted to inform you that the Privacy and Sustainable Computing Lab, in collaboration with the Institute of Information Systems and New Media (WU Wien), has started the interdisciplinary research project EXPEDiTE. The full title of the project is “EXPloring opportunities and challenges for Emerging personal DaTa Ecosystems: Empowering humans in the age of the GDPR – A Roadmap for Austria”. The Linked Data Lab of the Vienna University of Technology and the NGO OwnYourData are our partners in this project, which is funded by the Austrian Research Promotion Agency (FFG). Soheil Human and Dr. Ben Wagner are project leads for EXPEDiTE. Prof. Axel Polleres, Prof. Sarah Spiekermann, and Prof. Gustaf Neumann form the advisory board of the project. Here is a short description of the project:

In our increasingly digital societies, data is perceived as a key resource for economic growth. Among the highest-valued corporations today, many have business models that are essentially based on data of or about their users. This development has raised serious concerns about individuals’ right to privacy and their ability to exercise control over their own data, as well as about the broader shifts of power between data subjects and data controllers that this development entails. Consequently, European policy makers have passed the General Data Protection Regulation (GDPR), which has imposed stricter regulations on personal data handling practices within the EU.

In parallel, a movement – often associated with the term “MyData” – has emerged in civil society with the goal of putting individuals in control of their personal data. One of the major adoption barriers for such platforms, however, has been the difficulty individuals face in acquiring their personal data from data controllers. The GDPR, which came into effect on March 25, 2018, requires data controllers to provide individuals access to all data they have about them, as well as to facilitate “portability” of that data. These new rights under the GDPR could drive the emergence of “human-centred” personal data ecosystems, in which individuals’ roles are no longer limited to that of passive “data subjects”, but in which they become active stakeholders that have access to, exercise control over, and create value from their personal data.

However, although the provisions of the GDPR align closely with this vision, it is still largely unclear how they will be implemented by data controllers and whether and how citizens will exercise their digital rights in practice. In the EXPEDiTE project, we will investigate these timely questions, as well as more broadly explore challenges, barriers and drivers for the emergence of human-centred personal data ecosystems. Furthermore, we will investigate how individuals – once they become able to acquire their personal data – can integrate and analyze it. To this end, we will explore the concept of context-rich personal knowledge graphs that “liberate” data from closed environments, link and enrich it with other available (e.g., open) data, and create insights and value from individuals’ previously dispersed data. Additionally, such graphs have the potential to facilitate innovative products and services without locking individuals into proprietary environments. In this project, we will tackle key technical challenges involved in realizing this vision, including technical interfaces, syntactic and semantic interoperability, and mechanisms that allow users to share data, exercise control over its utilization, and automatically manage consent for the use of their data. The project results will feed into a comprehensive roadmap that will assess the current state of personal data ecosystems in Austria and in the broader international context, synthesize the major challenges and opportunities they face, and outline a path towards human-centered personal data ecosystems.

The main aims of EXPEDiTE can be summarised as follows:

  • This interdisciplinary research project aims to resolve key tensions between providing personalized services and the right to privacy, by envisioning new human-centric personal data ecosystems (PDEs) in which personal data can only be collected and processed under the control of the data subject.
  • While the right to privacy is not new, the European General Data Protection Regulation (GDPR) will considerably contribute to the implementation of this right and provides new opportunities to study the way in which a balance between the right to privacy can be achieved through data portability or the right to access and modify personal data.
  • In this project, we will analyze how GDPR is perceived and implemented in practice, what key barriers hinder its implementation, and how the implementation of GDPR Exploratory Projects can be improved by changing the socio-technical configuration of actors.
  • We will use an interdisciplinary approach to develop a roadmap towards human-centric PDEs in Austria, which describes the current state of personal data processing in Austria, conceptualizes technical requirements of human-centric PDEs, develops the concept of personal knowledge graphs, discusses barriers and challenges ahead of human-centric PDEs, and envisions technological, social, and economic opportunities that human-centric PDEs will bring.
  • Finally, our project will connect Austria – for the first time – to the global MyData movement which aims to empower humans with their own personal data – enabling novel business models, innovative technologies, and R&D projects that not only benefit citizens within and beyond the borders of Austria, but also foster economic growth while respecting the right to privacy.

How the Use of ‘Ethical’ Principles Hijacks Fundamental Freedoms: The Austrian Social Media Guidelines on Journalists’ Behaviour

A guest opinion piece by Eliska Pirkova

The recent draft of the Social Media Guidelines targeting journalists working for the public Austrian Broadcasting Corporation (ORF) is a troubling example of how self-regulatory ethical Codes of Conduct may be abused by those who wish to establish a stricter control over the press and media freedom in the country. Introduced by the ORF managing director Alexander Wrabetz as a result of strong political pressure, the new draft of the ethical guidelines seeks to ensure the objectivity and credibility of the ORF activities on Social Media. Indeed, ethical guidelines are common practice in media regulatory framework across Europe. Their general purpose is already comprised in its title: to guide. They mainly contain ethical principles to be followed by journalists when performing their profession. In other words, they serve as the voice of reason, underlining and protecting the professional integrity of journalism.

But the newly drafted ORF Guidelines threaten precisely what their proponents claim to protect: independence and objectivity. As stipulated in the original wording of the Guidelines from 2012, they should be viewed as recommendations and not as commands. Nonetheless, their latest draft released in June 2018 uses a very different tone. The document creates a shadow of hierarchy by forcing every ORF journalist to think twice before they share anything on their social media. First, it specifically stipulates that “public statements and comments in social media should be avoided, which are to be interpreted as approval, rejection or evaluation of utterances, sympathy, antipathy, criticism and ‘polemics’ towards political institutions, their representatives or members.” Every single term used in the aforementioned sentence, whether it is ‘antipathy’ or ‘polemics,’ is extremely vague in its core. Such vagueness enables the inclusion of any critical personal opinion aiming at the current establishment, no matter how objective, balanced or well-intended the critique may be.

Second, the Guidelines ask journalists to refrain from “public statements and comments in social media that express a biased, one-sided or partisan attitude, support for such statements and initiatives of third parties and participation in such groups, as far as objectivity, impartiality and independence of the ORF is compromised. The corresponding statements of opinion can be made both by direct statements and indirectly by signs of support / rejection such as likes, dislikes, recommendations, retweets or shares.” Here again, terms such as partisan opinions are very problematic. Does the critique of human rights violations or supporting groups fighting climate change qualify as biased? Under this wording, the chilling effect on the right to freedom of expression is inevitable, as journalists may choose to self-censor in order to avoid difficulties and further insecurities in their workplace. At the same time, securing the neutrality of the main public broadcaster in the country cannot be exercised by excluding the plurality of expressed opinions, especially when the neutrality principle seeks to protect the latter.

Media neutrality is necessary for impartial broadcasting committed to the common good. In other words, it ensures that the misuse of media for propaganda and other forms of manipulation will not occur. Therefore, in order for media to remain neutral, the diversity of opinions is absolutely essential, as anything else is simply incompatible with the main principles of journalistic work. The primary duty of the press is to monitor and to inform whether the rule of law is intact and fully respected by the elected government. Due to its great importance in preserving democracy, the protection of the free press is enshrined within the national constitutions as well as enforced by domestic media laws. The freedom of expression is not only about the right of citizens to write or to say whatever they want, but it is mainly about the right of the public to hear and to read what it needs (Joseph Perera & Ors v. Attorney-General). In this vein, the current draft of the Guidelines undermines the core of journalism by its intentionally vague wording and by misusing or rather twisting the concept of media neutrality.

Although not a legally binding document, the Guidelines still pose a real threat to democracy. This is the typical example of ethics and soft law self-regulatory measures becoming a gateway for more restrictive regulation of press freedom and media pluralism. Importantly, the non-binding nature of the Guidelines serves as an excuse for policy makers who defend its provisions as merely ethical principles for journalists’ conduct and not legal obligations per se, enforced by a state agent. However, in practice, the independent and impartial work of journalists is increasingly jeopardised, as every statement, whether in their personal or professional capacity, is subjected to much stricter self-censorship in order to avoid further obstacles to their work or even an imposition of ‘ethical’ liability for their conduct. If the current draft is adopted as it stands, it will provide for an extra layer of strict control that aims to silence critique and dissent.

From the fundamental rights perspective, the European Court of Human Rights (ECt.HR) has stated on numerous occasions the vital role of the press as a public watchdog (Goodwin v. the United Kingdom). Freedom of the press is instrumental for the public to discover and to form opinions of the ideas and attitudes held by their political leaders. At the same time, it provides politicians with the opportunity to react to and comment on public opinion. Therefore, healthy press freedom is a ‘symptom’ of a functioning democracy. It enables everyone to participate in free political debate, which is at the very core of the concept of democratic society (Castells v. Spain). When democracy starts fading away, the weakening of press freedom is the first sign that has to be taken seriously. It is very difficult to justify why restricting journalists’ behaviour, or more precisely, the political speech on their private Facebook or Twitter accounts, should be deemed necessary in a democratic society or should pursue any legitimate aim. Constitutional Courts that follow and respect the rule of law could never find such a free speech restriction legitimate. It also opens the question about the future of the Austrian media’s independence, especially when judged against the current government’s ambitious plan to transform the national media landscape.

When, in 2000, the radical populist right Freedom Party (FPÖ) and the conservative ÖVP formed the ruling coalition, the Austrian government was shunned by European countries and threatened with EU sanctions. But today’s atmosphere in Europe is very different. Authoritative and populist regimes openly undermining democratic governance are a new normal. Under such circumstances, the human rights of all of us are in danger due to a widespread democratic backsliding present in the western countries as much as in the eastern corner of the EU. Without a doubt, journalists and media outlets have a huge responsibility to impartially inform the public on matters of public interest. Ethical Codes of Conduct thus play a crucial role in journalistic work, acknowledging a great responsibility to report accurately, while avoiding prejudice or any potential harm to others. However, when journalists’ freedom of expression is being violated, the right to receive and impart information of all of us is in danger, and so is democracy. Human Rights and Ethics are two different things. One cannot be misused to unjustifiably restrict the other.

How Moments of Truth change the way we think about Privacy

Esther Görnemann recently presented her work at the Lab as part of the Privacy & Us doctoral consortium in London. Her work provides an important perspective on the crucial role that the individual experience of Moments of Truth plays in understanding how human beings think about privacy and under which circumstances they start actively protecting it. Here is a brief overview of her current research as well as a short introductory video.

During preliminary interview sessions, a number of internet and smartphone users talked to me about the surprising experience when they realized that personal information had been collected, processed and applied without their knowledge.
In these interviews and in countless furious online reports, users expressed concern about their device, often stating they felt taken by surprise, patronized or spied upon.


Some examples:

  • In an interview, a 73-year-old man recalled that he was searching for medical treatment of prostate disorders on Google and was immediately confronted with related advertisements on the websites he visited subsequently. Some days later, he also started to receive email spam related to his search. He said “I felt appalled and spied upon” and ever since had begun to consider whether the search he was about to conduct might contain information he would rather keep to himself.


  • A Moment of Truth that made headlines in international news outlets was the story of Danielle from Portland, who in early 2018 contacted a local TV station and reported that her Amazon Echo had recorded a private conversation between her and her husband and had sent it to a random person from the couple’s contact list, who immediately called the couple back to tell them what he had received. The couple turned to Amazon’s customer service, but the company was not immediately able to explain the incident. When she called the TV station, Danielle expressed her feelings: “I felt invaded. A total privacy invasion. I’m never plugging that device in again, because I can’t trust it.” While Amazon later explained the incident, saying the Echo mistakenly picked up several words from the conversation and interpreted them as a series of commands to record and send the audio, Danielle still claims the device had not prompted any confirmation or question.


  • An interview participant recalled how he coincidentally discovered that his smartphone photo gallery was automatically synchronized with the cloud service Dropbox. He described his reaction with the words “Dropbox automatically uploaded all my pictures in the cloud. It’s like stealing! […] Since then I’m wary. And for sure I will never use Dropbox again.”

Drawing from philosophical and sociological theories, this research project conceptualizes Moments of Truth as the event in which the arrival of new information results in a new interpretation of reality and a fundamental change of perceived alternatives of behavioural responses.

The notion of control or agency is one of several influential factors that mobilize people and is key to understanding reactions to Moments of Truth.

The goal of my research is to construct a model to predict subjects’ affective and behavioural responses to Moments of Truth. A central question is why some people display an increased motivation to protest and claim their rights, convince others, adapt usage patterns and take protective measures. Currently, I am looking at the central role that the perception of illegitimate inequality and the emotional state of anger play in mobilizing people to actively protect their privacy.


Ethics as an Escape from Regulation: From ethics-washing to ethics-shopping?

I recently had the pleasure of attending a fantastic seminar on 10 Years of Profiling the European Citizen at Vrije Universiteit Brussel (VUB) which was organised by Mireille Hildebrandt, Emre Bayamlıoğlu and her team there. As a result of this seminar I was asked to develop a short provocative article to present among scholars there. As there have been numerous requests for the article that I have received over the last few weeks, I decided to publish it here to ensure that it is accessible to a wider audience sooner rather than later. It will be published as part of an edited volume developed from the seminar with Amsterdam University Press later this year. If you have any comments, questions or suggestions, please do not hesitate to contact me:

Ben_Wagner_Ethics as an Escape from Regulation_2018_BW9

Workshop: Algorithmic Management: Designing systems which promote human autonomy

The Privacy and Sustainable Computing Lab at Vienna University of Economics and Business and the Europa-University Viadrina are organising a 2-day workshop on:

Algorithmic Management: Designing systems which promote human autonomy
on 20-21 September 2018 at WU Vienna at Welthandelsplatz 1, 1020 Vienna, Austria

This workshop is part of a wider research project on Algorithmic Management which studies the structural role of algorithms as forms of management in work environments, where automated digital platforms, such as Amazon, Uber or Clickworker, manage the interaction of workers through algorithms. The process of assigning or changing a sequence of individual tasks to be completed is often fully automated. This means that algorithms may partly act like a manager who exercises control over a large number of decentralized workers. The goal of our research project is to investigate the interplay of control and autonomy in a managerial regime, with a specific focus on the food-delivery sector.

Here is the current agenda for the workshop:


Further details about event registration and logistics can be found here: 

Managing security under the GDPR profoundly



An interview with Dr. Alexander Novotny:

The EU General Data Protection Regulation (GDPR) requires organizations to stringently secure personal data. Since penalties under the GDPR loom large, organizations feel uncertain about how to deal with securing personal data processing activities. The Privacy and Sustainable Computing Lab has interviewed the security and privacy expert Dr. Alexander Novotny on how organizations should address security for processing personal data:






Under the GDPR, organizations using personal data will have stringent obligations to secure the processing of personal data. How can organizations meet this challenge?

Organizations’ security obligations while processing personal data are regulated under Article 32 of the EU General Data Protection Regulation. Security is primarily the data controller’s responsibility. The data controller is the organization that determines the purposes and means of the processing of personal data. To ensure appropriate security, controllers and processors of personal data have to take technical and organizational measures, the so-called “TOMs”. Which security measures are appropriate depends on the state of the art and the costs of implementation in relation to the risk. Organizations are only required to implement state of the art technology for securing data processing. In most cases, it is required neither to implement the best available security technologies nor to put in place security technologies that are still not market-available or are premature. Also the nature, scope and context of data processing need to be taken into account. For processing dozens of IP addresses in an educational context, for example, different protection is adequate than for processing thousands of IP addresses in a healthcare context. For identifying reasonable TOMs, also the purposes of processing and the risks for the rights and freedoms of natural persons need to be considered.

How can the level of risk for the rights and freedom of natural persons be measured?

The GDPR outlines that the likelihood and the severity of the risk are important factors: the wording in Article 32 of the GDPR points to traditional risk appraisal methods based on probability and impact. These methods are commonly used in IT security already today. Many organizations therefore have classification schemes for likelihood and severity. Often, they categorize these two factors into the classes “low”, “medium” and “high”. Little historic experience in terms of likelihood and severity of security incidents is available. Without such experience, it is very difficult to meaningfully apply rational risk scales such as scales based on monetary values. Also, the ENISA recommends a similar qualitative risk assessment method in its 2017 handbook on the security of personal data processing. What data controllers need to keep in mind is especially the risk for the data subject in the first place and not the organization’s own risk. Thus, organizations have to take a different viewpoint, in particular organizations that have done a risk assessment with regard to an ISO 27001 information security management system already. These organizations need to amend the risk assessment by the viewpoint of the data subject.

What are these so-called TOMs?

Examples of technical and organizational measures are given in Article 32 of the GDPR. The regulation names pseudonymization and encryption of personal data as well as the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. Organizations need the ability to restore the availability and access to the personal data in the event of a physical or technical incident. Also, a process for regularly testing and evaluating the effectiveness of technical and organizational measures is required. Recital 78 of the GDPR refers to additional measures such as internal policies, for instance. What is remarkable here is that TOMs do not only aim to keep personal data confidential and correct. TOMs also target the availability and access to personal data as well as the resilience of IT systems that are used to process personal data. Availability and resilience of IT infrastructure is one of the traditional IT security goals. But from the viewpoint of data protection it has not been given high priority so far. Hence, organizations have to further integrate their data protection efforts with IT security in order to tackle these requirements set out by the GDPR.

How can a controller be sure that the identified and implemented TOMs are actually appropriate?

This is a question that is often asked by organizations complaining that the guidance provided by the GDPR is overly vague and legal certainty is low. With regard to this question of appropriateness a clash of cultures is often witnessed: on the one hand, technicians responsible for the implementation of the TOMs and, on the other hand, lawyers having an eye on GDPR compliance follow different approaches. Technicians are used to predetermined instructions and requirements. They take a very technological viewpoint and often desire that competent authorities issue specific hard facts lists of TOMs. In contrast, lawyers are used to structurally applying legal criteria for appropriateness and adequacy to real world cases. Instead of relying on predetermined lists of TOMs, organizations are now required to think in terms of what is best for the data subjects and for themselves when it comes to data security. Of course, predefined lists and templates of TOMs can be helpful to enlighten the state of the art. But organizations are required to make up their own minds which TOMs are particularly appropriate for them. This is particularly reflected in Article 32 of the GDPR. It states that the nature, scope and context of data processing need to be taken into account to determine appropriate TOMs. To increase legal certainty for organizations, they are well advised to write down their particular approach on the selection of TOMs. If organizations comprehensively document their risk-based reasoning about which TOMs they implement to address the identified risks, they will likely be safe in front of the law.

What can we understand under regularly assessing and evaluating the effectiveness of TOMs?

Practically this means that controllers need to operate a data protection management system (DMS). Within the scope of such a DMS, regular audits of the effectiveness of the implemented TOMs need to be conducted. Organizations can integrate the DMS into their existing information security management system. With such integration, they can leverage the continual improvement process that is already in place with established management systems. Also, the DMS supports the required process of regularly testing and evaluating the effectiveness of TOMs.

About the interviewee:

Dr. Alexander Novotny is an information privacy and security specialist. He has been researching privacy and data protection since the first proposal of the EU Commission on the GDPR in 2012. He works as an information security manager for a large international enterprise based in Austria. He holds certification as a data protection officer, lectures on IoT security and advises EU-funded research and innovation projects on digital security and privacy.




2 days to GDPR: Standards and Regulations will always lag behind Technology – We still need them… A Blog by Axel Polleres

In the light of the near coming-into-effect of the European General Data Protection Regulation (GDPR) in 2 days from now, there is a lot of uncertainty involved. In fact, many view the now stricter enforcement of data protection and privacy as a late repair to the harm already done, in the context of recent scandals such as the Facebook/Cambridge Analytica breach, which caused a huge discussion about online privacy over the past month, culminating in Mark Zuckerberg’s testimony in front of the senate.

“I am actually not sure we shouldn’t be regulated” Mark Zuckerberg in a recent BBC interview.

Like for most of us, my first reaction to this statement was a feeling of ridiculousness, that in fact it is already far too late, and that such an incident as the Cambridge Analytica scandal was foreseeable (as for instance indicated by Tim Berners-Lee’s reaction to his Turing award back in 2017 already). So many of us may say or feel that the GDPR is coming too late.

However, we see another effect of regulations and standards than sheer prevention of such things happening: cleaning up after the mess.

(Source: uploaded by Michael Meding to de.wikipedia)

This is often the role of regulations and, in a similar way, the role of (technology) standards.

Technology standards vs legal regulations – not too different.

Given my own experiences contributing to the standardisation of a Web Data query language, SPARQL 1.1, this was very much our task: cleaning up and aligning diverging implementations of needed additional features which have been implemented in different engines to address users’ needs. Work in standards often involves compromises (also a parallel to legislation), so whenever being confronted with this or that not being perfect in the standard we created, that’s normally the only response I have… we’ll have to fix it in the next version of the standard.

Back to the privacy protection regulation, this is also what will need to happen: we now have a standard, call it “GDPR 1.0”, but it will take a while until its implementors, the member states of the EU, will have collected enough “implementation experience” to get through suggestions for improvements.

Over time, hopefully enough such experience will emerge to recollect best practices and effective interpretations of the parts of the GDPR that still remain highly vague: take for instance, what does it mean that “any information and communication relating to the processing of those personal data be easily accessible and easy to understand” (GDPR, recital 39)?

The EU will need to continue to work towards GDPR1.1, i.e. to establish best practices and standards that clarify these uncertainties and offer workable, agreed solutions, ideally based on open standards.

Don’t throw out the baby with the bathtub

Yet, there is a risk: voices are already being raised that GDPR will be impossible to execute in its entirety, individual member states are already trying to implement “softened” interpretations of GDPR (yes, it is indeed my home country…), and ridiculous business model ideas such as GDPRShield are mushrooming, e.g. to exclude European customers entirely in order to avoid GDPR compliance.

There are three ways the European Union can deal with this risk:

  • Soften GDPR or implement it faintheartedly – not a good idea, IMHO, as any loopholes or exceptions around GDPR sanctions will likely put us de facto back into pre-GDPR state.
  • Stand with GDPR firmly and strive for full implementation of its principles, and start working on GDPR1.1 in parallel, that is, amending best practices and also technical standards which make GDPR work and help companies to implement it.

In our current EU project SPECIAL, which I will also have the opportunity to present again later this year at MyData2018 (in fact, talking about our ideas for standard formats to support GDPR-compliant, interoperable recording of consent and personal data processing), we aim at supporting the latter path. First steps to connect both GDPR legal implementation and work on technical standards, towards such a “GDPR1.1” supported by standard formats for interoperability and privacy compliance controls, were taken in a recent W3C workshop at my home university in Vienna, hosted by our institute a month ago.

Another example: Net Neutrality

As a side note, earlier in this blog, I mentioned the (potentially unintended) detrimental effects that giving up net neutrality could have on democracy and freedom of speech. In my opinion, net neutrality is the next topic we need to think about in terms of regulations in the EU as well; dogmatic rules won’t help. Pure net neutrality is no longer feasible; it’s probably gone, a thing of the past, when data traffic was not an issue of necessity. In fact, regulating the distribution of data traffic may be justifiable by commercial (thanks to Steffen Staab for the link) or even by non-commercial interests, for instance optimizing energy consumption. The tradeoffs need to be wisely weighed against each other and regulated, but again, throwing out the baby with the bathtub, as has now potentially happened with the net neutrality repeal in the US, should be avoided.

Javier D. Fernández – Green Big Data

I have an MSc and a PhD degree in Computer Science, and it’s sad (but honest) to say that in all my academic and professional career the word “privacy” was hardly mentioned. We do learn about “security”, but as a mere non-functional requirement, as it is called. Don’t get me wrong, I do care about privacy and I envision a future where “ethical systems” are the rule and no longer the exception, but when people suggest, promote or ask for privacy-by-design systems, one should also understand that we engineers (at least my generation) are mostly not yet privacy-by-design educated.

That’s why, caring about privacy, I so much like reading diverse theories and manifestos providing general principles to come up with ethical, responsible and sustainable designs for our systems, in particular where personal Big Data (and all its variants, i.e. Data Science) is involved. The Copenhagen Letter (promoting open humanity-centered designs to serve society), the Responsible Data Science principles (fairness, accuracy, confidentiality, and transparency) and the Ethical Design Manifesto (focused on maximizing human rights and human experience and respecting human effort) are good examples, to name but a few.

Acknowledging that these are inspiring works, an engineer might find the aforementioned principles a bit too general to serve as an everyday reference guide for practitioners. In fact, one could argue that they are deliberately open to interpretation, in order to adapt them to each particular use case: they point to the goal(s) and some intermediate stones (i.e. openness or decentralization), while the work of filling in all the gaps is by no means trivial.

Digging a bit to find more fine-grained principles, I thought of the concept of Green Big Data, to refer to Big Data made and used in a “green”, healthy fashion, i.e. being human-centered, ethical, sustainable and valuable for society. Interestingly, the closest reference for such a term was a highly cited article from 2003 regarding “green engineering” [1]. In this article, Anastas and Zimmerman inspected 12 principles to serve as a “framework for scientists and engineers to engage in when designing new materials, products, processes, and systems that are benign to human health and the environment”.

Inspired by the 12 principles of green engineering, I started an exercise to map such principles to my idea of Green Big Data. This map is by no means complete, and still subject to interpretation and discussion. Ben Wagner and my colleagues at the Privacy & Sustainable Computing Lab provided valuable feedback and encouraged me to share these principles with the community in order to start a discussion openly and widely. As an example, Axel Polleres already pointed out that “green” is interpreted here as mostly covering the privacy-aware aspect of sustainable computing, but other concepts such as “transparency-aware” (make data easy to consume) or “environmentally-aware” (avoid wasting energy by letting people run the same stuff over and over again) could be further developed.

You can find the Green Big Data principles below; looking forward to your thoughts!

| Principle | 12 Principles of Green Engineering | 12 Principles of Green Big Data | Related topics |
|---|---|---|---|
| Principle 1 | Designers need to strive to ensure that all material and energy inputs and outputs are as inherently non-hazardous as possible. | Big Data inputs, outputs and algorithms should be designed to minimize exposing persons to risk. | Security, privacy, data leaks, fairness, confidentiality, human-centric |
| Principle 2 | It is better to prevent waste than to treat or clean up waste after it is formed. | Design proactive strategies to minimize, prevent, detect and contain personal data leaks and misuse. | Security, privacy, accountability, transparency |
| Principle 3 | Separation and purification operations should be designed to minimize energy consumption and materials use. | Design distributed and energy-efficient systems and algorithms that require as little personal data as possible, favoring anonymous and personal-independent processing. | Distribution, anonymity, sustainability |
| Principle 4 | Products, processes, and systems should be designed to maximize mass, energy, space, and time efficiency. | Use the full capabilities of existing resources and monitor that it serves the needs of individuals and the society in general. | Sustainability, human-centric, societal challenges, accuracy |
| Principle 5 | Products, processes, and systems should be “output pulled” rather than “input pushed” through the use of energy and materials. | Design systems and algorithms to be versatile, flexible and extensible, independently of the scale of the personal data input. | |
| Principle 6 | Embedded entropy and complexity must be viewed as an investment when making design choices on recycle, reuse, or beneficial disposition. | Treat personal data as a first-class but hazardous citizen, with extreme precautions in third-party personal data reuse, sharing and disposal. | Privacy, confidentiality, human-centric |
| Principle 7 | Targeted durability, not immortality, should be a design goal. | Define the “intended lifespan” of the system, algorithms and involved data, and design them to be transparent by subjects, who control their data. | Transparency, openness, right to amend and to be forgotten |
| Principle 8 | Design for unnecessary capacity or capability (e.g., “one size fits all”) solutions should be considered a design flaw. | Analyze the expected system/algorithm load and design it to meet the needs and minimize the excess. | Sustainability, scalability, data leaks |
| Principle 9 | Material diversity in multicomponent products should be minimized to promote disassembly and value retention. | Data and system integration must be carefully designed to avoid further personal data risks. | Integration, confidentiality, cross-correlation of personal data |
| Principle 10 | Design of products, processes, and systems must include integration and interconnectivity with available energy and materials flows. | Design open and interoperable systems to leverage the full potential of existing systems and data, while maximizing transparency for data subjects. | Integration, openness, interoperability, transparency |
| Principle 11 | Products, processes, and systems should be designed for performance in a commercial “afterlife”. | Design modularly for the potential system and data obsolescence, maximizing reuse. | Sustainability, obsolescence |
| Principle 12 | Material and energy inputs should be renewable rather than depleting. | Prefer data, systems and algorithms that are open, well-maintained and sustainable in the long term. | Integration, openness, interoperability, sustainability |


[1] Anastas, P. & Zimmerman, J. 2003. Design through the 12 principles of green engineering. Environmental Science and Technology 37(5):94A–101A

Axel Polleres: What is “Sustainable Computing”?

Blog post written by Axel Polleres and originally posted on

A while ago, together with colleagues Sarah Spiekermann-Hoff, Sabrina Kirrane, and Ben Wagner (who joined in a bit later), we founded a joint research lab to foster interdisciplinary discussions on how information systems can be built in a private, secure, ethical, value-driven, and eventually more human-centric manner.

We called this lab the Privacy & Sustainable Computing Lab to provide a platform to jointly promote and discuss our research and views and provide a think-tank on how these goals can be achieved, also open to others. Since then, we had many partially heated but first and foremost always very rewarding discussions, to create mutual understanding between researchers coming from an engineering, AI, social sciences, or legal background, on how to address challenges around digitization.

Not surprisingly, the first (and maybe still unresolved) discussion was about how to name the lab. Back then, our research was very much focused on privacy, but we all felt that the topic of societal challenges in the context of the digital age needs to be viewed more broadly. Consequently, one of the first suggestions floating around was “Privacy-aware and Sustainable Computing Lab”, emphasizing privacy-awareness as one of the main pillars, but with the aim of a broader definition of sustainable computing, which we later shortened to just “Privacy & Sustainable Computing Lab” (merely for reasons of length, if I remember correctly; my co-founders may correct me if I am wrong 😉 ).

Towards defining Sustainable Computing

On coming up with a joint definition of the term “Sustainable Computing” back then, I answered in an internal e-mail thread that

Sustainable Computing for me encompasses obviously: 

  1. human-friendly 
  2. ecologically-friendly
  3. societally friendly 

aspects of [the design and usage of] Computing and Information Systems. In fact, in my personal understanding these three aspects are – in some contexts – potentially conflicting, but resolving and discussing these conflicts is one point why we have founded this lab in the first place.

Conflicts add Value(s)

Conflicts can arise, for instance, from individual well-being being weighed higher than ecological impacts (or vice versa), or likewise from how much a society as a whole needs to respect and protect the individual’s rights and needs, and in which cases (if ever at all) the common well-being should be put above those individual rights.

These are fundamental questions, in none of which I would by any means consider myself an expert, but obviously, if you think them into the design of systems or into a technology research agenda (which would be more my home turf), then it both adds value and makes us discuss values as such. Conflicts, that is, making value conflicts explicit and resolving conflicts about the understanding and importance of these values, are a necessary part of Sustainable Computing. This is why Sarah suggested the addition of

4. value-based

computing, as part of the definition.

Sabrina added that, although sustainable computing is not mentioned in it, the notion of Sustainable Computing resonates well with what was postulated in the Copenhagen Letter.

Overall, we haven’t finished the discussion about a crisp definition of what Sustainable Computing is (which is maybe why you don’t find it yet on our Website), but for me this is actually ok: to keep this definition evolving and agile, to stay ready for discussions about it, to keep learning from each other. We’ve also discussed sustainable computing quite extensively in a mission workshop in December 2017, to try to better define what sustainable computing is and how it influences our research.

What I mainly learned is that we as technology experts play a crucial role and carry responsibility in defining Sustainable Computing: by being able to explain the limitations of technology, but also as advocates of the benefits of technologies, in spite of risks and justified skepticism, and by helping to develop technologies that minimize these risks.

Some Examples

Some examples of what, for me, falls under Sustainable Computing:

  • Government Transparency through Open Data, and making such Open Data easily accessible to citizens – we try to get closer to this vision in our national research project CommuniData
  • Building technical infrastructures to support transparency in personal data processing for data subjects, but also to help companies to fulfill the respective requirements in terms of legal regulations such as the GDPR – we are working on such an infrastructure in our EU H2020 project SPECIAL
  • Building standard model processes for value-based, ethical system design, as the IEEE P7000 group does (with involvement of my colleague Sarah Spiekermann).
  • Thinking about how AI can support ethics (instead of fearmongering the risks of AI) – we will shortly publish a special issue on some examples in a forthcoming volume of ACM Transactions on Internet Technologies (TOIT)
  • Studying phenomena and social behaviours online with the purpose of detecting and pinpointing biases as for example our colleagues at the Complexity Science Hub Vienna do in their work on Computational Social Sciences, understanding Systemic Risks and Socio-Economic Phenomena

Many more such examples are hopefully coming out of our lab through cross-fertilizing, interdisciplinary research and discussions in the years to come…