Informed consent was created in 1946 to protect people – you may have heard of the Nuremberg Code, or Declaration of Helsinki. These documents were drafted to protect people from physical harms caused by unethical medical research. Consent was described as the freedom to voice agreement in an informed, non-coerced way. What this meant, and means today, is that when asking for someone’s consent you must give them information they need to make a decision. If you pressure or coerce someone into making a particular decision, their choice is invalid. The person you are asking consent from must be free to say “no thank you”. These principles stand today, and when we write proposals for new research projects we have to demonstrate that we have an informed consent process in place.

hacker cyber security image

As research moves into digital spaces, so does informed consent. I partnered with the Rare and Undiagnosed Diseases studY (RUDY), an online research platform, to look at consent processes online. I interviewed participants and the research team and found that to really inform research participants, researchers need to build feedback into their research protocols. Even in a sector as highly engaged with safety and security as research, we have problems with consent. 

Consent is often implemented by the letter, rather than the spirit, of the law. We have to think about consent as a conversation that happens over time. So, what is the letter of the Law exactly? The terms “data subject”, “data controller” and “data processor” come from the General Data Protection Regulation (GDPR). You might know what this is – a European Regulation guiding countries towards implementing their own data protection laws. In the UK, we have retained the GDPR as tweaked by the Data Protection Act 2018, which has been updated several times. Two problems that data subjects face online are consent fatigue (we’ve had enough of being constantly asked for “consent” so we choose paths of least resistance) and information overload (our brains are so overwhelmed; we take shortcuts to make our lives easier).

If you have been online today (likely, considering you are reading a blog post!) you will have been faced with cookie notifications. These ask for permission to store information on your device – e.g., your physical location and browsing history. This is all stored as a text file (a cookie) on your machine. This cookie acts like a bookmark, and whoever asked for your consent has bookmarked your behaviours, preferences and any other information they think would be useful to keep on file. Some people argue that cookies are beneficial, serving you advertisements that are relevant to your wants and needs. Let us be clear: cookies are collected for a data processor’s benefit. Sometimes users are held to ransom, in the case of paywalls where you are not allowed to read an article until you say yes to the cookie. Online consent processes do nothing to limit deception, or coercion, of users.

So what do we do about this? Well, we think that Dynamic Consent is a good way to address these issues. Other people are doing truly brilliant work on making privacy policies, and terms and conditions more accessible (check out Terms of Service; Didn’t Read). This work emphasises the real issue at hand: consent practices need to be better, and the people who design and implement them need to do better. Here are your top tips to start building more dynamic consent into the work that you do: 
• Equip people to make a choice without overburdening them with information, 
• Tell them exactly how they can get involved, and build feedback in from the start. 
• Think about how you can learn from your participants, and what they can learn from you.

Bio: Arianna is a Computer Scientist by training, hailing from the Centre for Doctoral Training in Cyber Security. She is particularly focused on information security, data protection, privacy, consent, and responsible innovation.