<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Privacy Implications of Online Consumer-Activity Data: An Empirical Study</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>The Open University</string-name>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Walton Hall</string-name>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Milton Keynes</string-name>
        </contrib>
        <contrib contrib-type="author">
          <string-name>UK keerthi.thomas@open.ac.uk</string-name>
        </contrib>
      </contrib-group>
      <abstract>
        <p>Web users allow online organisations to collect vast amounts of information about them and their activities, often in exchange for free services. But now there is a growing expectation that this user data, generally called consumer data, should be given back to the users who helped create it so that it can be exploited for their benefit. In addition, there is a realisation that such a release of users' data could only promote greater transparency and accountability of organisations collecting it. As with any process where data is published, there is a risk that it could potentially lead to complex privacy issues. In this paper, we focus on what we believe is a significant and yet least explored data type: consumer-activity data, i.e., data (Web access logs) generated by an organisation which tracks the usage and interactions of its online services and resources. We conducted an exploratory qualitative study of 12 users to investigate what might be the consequences of making such consumer-activity data available to the users who generated them, especially its privacy challenges, both from an organisation's point of view and that of individuals whose online activities were being tracked. This was achieved by exposing the study's participants to a 'personal analytics' dashboard which provided access to information on their usage and interactions with online systems of a large educational organisation (The Open University in the UK). The findings from our study showed that though there were potential benefits for the users, there were several privacy risks which are yet to be addressed.</p>
      </abstract>
      <kwd-group>
        <kwd>Consumer-activity data</kwd>
        <kwd>privacy</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>-</title>
      <p>
        Organisations, both the ones which model their business around free web based
services (e.g. Google's search engine, Facebook's social networking service, etc.)
as well as more traditional institutions with a significant web presence, passively
collect vast amounts of data about their users and exploit them in a variety of
ways, either to indirectly benefit by improving the user experience or directly
benefit through advertising, collective filtering, etc. From users' perspective, this
self-serving exploitation of users' data is perceived to be unequally benefiting
only one party, thus new initiatives have emerged which are pushing towards
greater transparency and openness, beyond the basic data protection practices.
In the UK for example, the government is leading a consumer empowerment
strategy in collaboration with leading businesses and consumer groups to give
individuals more access to, and control over, the data companies hold about
them [
        <xref ref-type="bibr" rid="ref18">18</xref>
        ]. While commercial sector players such as supermarkets, mobile
network operators, banks and other industries are being persuaded to publish their
consumer data, some of the giants of online services such as Google and Facebook
are leading by example. Google in particular has implemented its data liberation
principle [
        <xref ref-type="bibr" rid="ref25">25</xref>
        ] where users are allowed to download any data they create using
Google's online services. Similarly, Facebook also allows its users to download
an archive of their online interactions as an 'activity log' [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ]. While such
top-down approaches to releasing of consumer data are evolving quickly and gaining
more prominence, there are several important questions from a user's
perspective which remain unanswered: Are these data really beneficial to the users and
what do they think of it? If there are user-specific benefits, what are they likely to
be (apart from sample use-cases)? By publishing these datasets, do both users
and organisations face any risk to their privacy and security, and what are they?
What is its impact on privacy policies? In this paper, our goal is to provide
answers to some of these questions, focusing in particular on a significant, and
yet under-explored part of consumer data: Consumer-activity data, which here
refers to all data produced (Web access logs) as a consequence of a user's
interaction with the websites or online software systems of a given organisation.
To achieve our objectives we exposed real users from a large organisation with
complex web applications to the potential mechanisms through which they
could not only access but also visualise their own consumer-activity data. To this
end, we designed a user study at The Open University (OU) relying on data
collected from the logs of the institution's multiple online systems which captured
the online activities of a group of 12 users (researchers, students, tutors, admin
staff), for about 1 month, and provided them with access to such data through
a dedicated 'personal analytics' tool. We report here on our findings, namely,
the benefits in releasing the CA data, the privacy risks that are applicable to
both users and organisations and the impact consumer-activity data has on the
privacy policies which govern its use.
      </p>
    </sec>
    <sec id="sec-2">
      <title>Background and Related work</title>
      <p>
        In educational institutions, many systems store data about the actions of
students, teachers and researchers. In this regard, JISC [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ] mentions two types of
data - (i) user activity data - a record of a user's actions on a website or software
system or other relevant institutional service, and (ii) attention data - the record
of what a user has viewed on a website or software system or other relevant
institutional service. Both these data are similar to consumer-activity data, in that
they are created from the user's interaction with an online system or resource.
However, the difference is that consumer-activity data encompasses both user's
'action' and 'attention' on an online system. In addition to this, unlike JISC
whose focus is on educational institutions, consumer-activity data universally
refers to 'all' types of organisations – academic, commercial and those belonging
to the government. In the UK, software systems which collect data are obliged to
provide protection under the Data Protection Act (DPA) if the data they collect
relate to and contain information about an individual's identifiable attributes
(e.g. name, date of birth, etc.). ICO [
        <xref ref-type="bibr" rid="ref14">14</xref>
        ] highlights such data as being of two
types – personal data and sensitive personal data. Personal data relates to a
living individual who can be identified from those data and personal-sensitive
data refers to personal data pertaining to racial or ethnic origin, political
opinions, religious beliefs, memberships of organisations (e.g. trade union), physical
or mental health or condition, sexual life, convictions, etc. By nature,
consumer-activity data are associated with an individual and therefore contain
information that identifies the user who created it. The midata project [
        <xref ref-type="bibr" rid="ref18">18</xref>
        ] refers to
consumer-activity data as being personal data. Since the data profile from each
software system can be different depending on the type of functionality they
support, it is difficult to explicitly state beforehand what type of privacy issues
one might encounter and the type of privacy protection users might need. Apart
from the DPA, the current trend of publishing consumer-activity data is driven
by at least two principles stated in the OECD guidelines [
        <xref ref-type="bibr" rid="ref19">19</xref>
        ], one of them being
the Openness principle which states that organisations should have a policy of
openness about "developments, practices and policies with respect to personal
data". In other words organisations are expected to be transparent in the way
they collect and process personal data. Another OECD principle, the Individual
Participation principle, states that individuals have a right to have visibility and access
to their data and if required they should be allowed to rectify, correct, complete
or erase the data held by others. This also ties in with the Integrity/Security
and Access/Participation principles of FIP [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ] which mandates organisations
to make personal data visible to individuals so that its accuracy and
completeness can be contested if necessary. As a prolific collector of consumer-activity
data, Google has been exploiting the data to not only power its Web analytics
service [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ] but also its targeted advertising. While some have evaluated the
role of Google Analytics in improving the usability of e-commerce websites [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ]
and library services on the Web [
        <xref ref-type="bibr" rid="ref26">26</xref>
        ], others have shown how these analytics can
be extended to measure and improve the performance of websites [
        <xref ref-type="bibr" rid="ref21 ref22">21, 22</xref>
        ]. Other
parallel research efforts such as [
        <xref ref-type="bibr" rid="ref7">7</xref>
        ] and [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ] concentrated on independently
collecting and visualising web usage as user-centric analytics purely from a technical
and architectural point of view, with one exception [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ] where privacy and trust is
briefly analysed. Focusing on the distributed leakage of personal data from user's
interactions across a wide variety of websites, some have demonstrated how
"privacy footprints" can be measured and analysed [
        <xref ref-type="bibr" rid="ref15">15</xref>
        ]. Qualitative research such
as [
        <xref ref-type="bibr" rid="ref16">16</xref>
        ] captured Facebook activities to analyse its mobile privacy implications,
in another similar study [
        <xref ref-type="bibr" rid="ref17">17</xref>
        ], data from location-tracking activities were used to
elicit privacy concerns; in both works the emphasis was on the effect of user's
mobility. Other works such as [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ] have investigated how detailed tracking of user
interaction can be monitored using standard web technologies, but their focus is
mainly on usability evaluation of web applications outside the lab. Carl et al. [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ]
record a computer user's keystrokes and eye movements which they refer to as
"user activity data" in their cognitive research on natural language translators.
Unlike these, our study focuses on the implications of releasing consumer-activity
data back to the users. For the sake of brevity, from now on we synonymously
use the term CA data to refer to consumer-activity data.
      </p>
    </sec>
    <sec id="sec-3">
      <title>Methodology</title>
      <p>Following the trends and background described in the previous sections, the
user study presented in this paper started with the assumption that, eventually,
mechanisms will be put in place by organisations to give users access to their
CA data. We therefore decided to consider our own organisation, the OU, as a
testbed. From this, two main questions emerged:
1. If consumer-activity data were made available to users of an organisation
such as the OU, what would be its benefits and uses for individual users?
2. What would be the implication of deploying such a mechanism in terms of
privacy risks and policies, both for the users and the organisation?
We investigated the above research questions through a qualitative study
which involved exposing participants to a 'prototype' tool to access and visualise
their CA data collected from the OU, and then using a combination of personal
interviews, online questionnaires and focus group to collect reactions, opinions
and concerns regarding the potential uses and implications such a tool might
have if properly deployed. The study itself was therefore divided into four phases
- data collection, personal interviews, focus group and analysis.</p>
      <sec id="sec-3-1">
        <title>Overview of the data collection process</title>
        <p>The Open University is the largest university in the UK (with approx. 250,000
enrolled students) and is based on distance learning, which means students study
at a distance and interact with the university staff (associated lecturers, course
team, administrator, IT help-desk, library) mainly through online systems. Thus,
the information architecture of the OU consists of a large variety of systems
which have web interfaces, produce logs and are centralised within the IT
department of the university.</p>
        <p>During the data collection phase, participants were recruited through adverts
on the intranets, mailing-lists and word-of-mouth. Upon their written consent,
the IT team of the OU was notified with the participant's identifying details
(their computer user-name), to enable them to collect (extract) the CA data
from server logs of different online systems for a period of 28 days.</p>
        <p>Even though OU was collecting user's CA data on various online systems,
there was neither any requirement nor any mandate for them to release these data
to their users, thus significant efforts were required on our part to make all the
stakeholders (IT security department, data protection officer, ethics committee)
understand the process of the user study, so that IT could provide us with
relevant data in a usable format.</p>
        <p>
          The core of our methodology depended on the UCIAD technology
platform [
          <xref ref-type="bibr" rid="ref7">7</xref>
          ] which linked and integrated heterogeneous data from several online
systems within OU. Using this underlying platform, a set of GUI tools were
developed on top of it in the form of a personal analytics dashboard where a user's
activities were displayed in the form of graphical visualisations.
        </p>
        <p>
          During the personal interview, the participants made use of the personal
analytics dashboard to view their past activities on various online systems of the
OU. Using these visuals as a trigger, the participants were asked questions on
how they felt with regards to data licensing, privacy and data protection policies
which apply to such information. The personal interview was unstructured and
open ended because we wanted to explore if the participant wanted to use the CA
data in other creative ways not envisaged by us. Two weeks after the interview, a
short online questionnaire (with 3 questions) was sent out to all the participants
of the study who had already given their personal interview, this was mainly
to gauge any change in their behaviour with regards to the use of OU's online
systems. The topic we were investigating had the potential to produce divergent
and conflicting views, therefore we included a focus group which was designed
in a way where participants could resolve their views in relation to others. To
make the focus group interesting and challenging, its design was informed by the
initial results we obtained from the personal interview. The participants were
compensated for their time with a $30 Amazon voucher. The qualitative data
from the personal interview was analysed using Grounded Theory [
          <xref ref-type="bibr" rid="ref4">4</xref>
          ] techniques
and then triangulated with the results from both the online questionnaire and
focus group. The findings of the study are described and discussed later in another
section.
        </p>
      </sec>
      <sec id="sec-3-2">
        <title>Participants and data</title>
        <p>The user study had 12 participants who had enrolled on a voluntary basis and
were regular users of the OU's online systems. Participants broadly fell into four
categories of users: post-graduate students (3), academic staff (3),
academic-related staff (3) and administrative/management staff (3). The post-graduate
students are PhD students who were located on the main campus of the
university. The academic staff included both lecturers and researchers in
different departments (i.e., Computer Science and Arts). The academic-related staff
mainly consisted of technical staff who worked on IT development projects.
Administrative and management staff were from different departments, including
the university library and research school. This selection of participants was
intended to reflect the different types of usage of the OU's online systems.
However, compromises had to be made on the male to female ratio. Hence, there were
4 female participants and 8 males. The participants' age-group approximately
ranged between 25 to 55 years of age. For each participant, we collected
information regarding their usage of OU websites through web server logs associated
with these different systems. This required filtering these logs to keep only the
data related to the participants of the study. This data collection mechanism was
run over a period of four weeks (or 28 days), leading to the 12 datasets (one per
participant) that included information about access and requests to OU
websites. This information is encoded in a format similar to the one of Apache logs,
in a text file where each line corresponds to a request to a Webserver, including
the following pieces of information:
&lt;date-time&gt; &lt;server&gt; &lt;IP of client&gt; &lt;username&gt; &lt;resource accessed&gt;
&lt;response code and size&gt; &lt;user agent used (browser)&gt;</p>
        <p>This information was collected from 9 different servers, which corresponded
to the virtual learning environment (6 servers), the intranet, the public website
and the student services website of the OU. As expected, information collected
for different participants varied widely, depending on their roles.</p>
      </sec>
      <sec id="sec-3-3">
        <title>Technology platform</title>
        <p>
          To realise the study, a data processing and visualisation platform was required
to first process and integrate the data obtained from server logs into easily
interpretable and exploitable CA datasets; and secondly, to create an interactive
interface, i.e. a personal analytics dashboard, which allowed users to visualise
and interact with their own CA data. To process and integrate server logs into
CA data, we reused and employed the principles and tools developed as part of
the UCIAD project (see [
          <xref ref-type="bibr" rid="ref7">7</xref>
          ] for a summary) which had facilities to:
- Convert and integrate the data from their Web server log format into RDF [
          <xref ref-type="bibr" rid="ref23">23</xref>
          ],
using the schema provided by the UCIAD ontologies.
- Create ontology level definitions for different types of resources and activities
which are then used to process and categorise the traces of activities for the
different users.
- Realise additional ad-hoc processing of the data, to improve interpretation
and visualisation. For example, geographic location of the user was derived
by passing the IP address to external Web services/APIs. Similarly, human
readable labels for the user agents (e.g., "Chrome 8") were extracted from
complex user agent strings found in the logs.
- Create a data endpoint for each of the participants based on the generated
and processed RDF datasets. In this case, we used the Fuseki triple store [
          <xref ref-type="bibr" rid="ref11">11</xref>
          ],
creating one separate data repository for each participant.
        </p>
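        <p>The following Python example is added here and is not code from the paper or from the UCIAD project. It parses lines in the log format listed under Participants and data, keeps only consenting participants, and builds one dataset per participant as in the last step above; the space-separated layout with a quoted user agent, the usernames, the sample lines and the HMAC-based dataset key are assumptions.</p>

        <preformat>
```python
import hashlib
import hmac
import shlex
from collections import defaultdict
from datetime import datetime

# Constructed sample input, not real OU data. Assumed layout (one request per
# line, space separated, user agent quoted), following the field order the
# paper lists: date-time, server, client IP, username, resource, response
# code, size, user agent.
SAMPLE_LOG = """\
2011-03-01T09:15:02 vle1 192.0.2.17 ab1234 /course/view.php?id=42 200 5120 "Mozilla/5.0 (X11; Linux x86_64) Chrome/8.0"
2011-03-01T09:15:40 intranet 198.51.100.8 zz9999 /staff/payroll 200 2048 "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
2011-03-01T09:16:11 vle2 192.0.2.17 ab1234 /forum/post.php 302 0 "Mozilla/5.0 (X11; Linux x86_64) Chrome/8.0"
2011-03-01T09:17:30 vle1 192.0.2.17 ab1234 /truncated
2011-03-02T14:02:55 library 203.0.113.77 cd5678 /ebooks/reader?id=7 200 90211 "Mozilla/5.0 (Macintosh) Safari/533"
2011-03-02T14:03:10 www 203.0.113.200 - /index.html 200 1200 "Mozilla/5.0 (compatible; crawler)"
"""

FIELDS = ("when", "server", "client_ip", "username", "resource",
          "status", "size", "user_agent")


def parse_line(line):
    """Return a record dict for one log line, or None if it is malformed."""
    try:
        parts = shlex.split(line)            # keeps the quoted user agent whole
        if len(parts) != len(FIELDS):
            return None
        rec = dict(zip(FIELDS, parts))
        rec["when"] = datetime.fromisoformat(rec["when"])
        rec["status"] = int(rec["status"])
        rec["size"] = int(rec["size"])
        return rec
    except ValueError:                       # bad quoting, date or number
        return None


def pseudonym(username, key):
    """Keyed, stable identifier so dataset names do not expose login names."""
    return hmac.new(key, username.encode(), hashlib.sha256).hexdigest()[:16]


def build_participant_datasets(log_text, consented, key):
    """Split a shared server log into one dataset per consenting participant.

    Returns (datasets, stats). Lines belonging to anyone outside `consented`
    are dropped before storage, so they never reach a participant's endpoint.
    """
    datasets = defaultdict(list)
    stats = {"kept": 0, "dropped_non_participant": 0, "malformed": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            stats["malformed"] += 1
            continue
        user = rec.pop("username")           # the login name is not stored
        if user not in consented:
            stats["dropped_non_participant"] += 1
            continue
        rec["participant"] = pseudonym(user, key)
        datasets[rec["participant"]].append(rec)
        stats["kept"] += 1
    return dict(datasets), stats


def isolation_holds(datasets):
    """True if every record sits in the dataset named after its participant."""
    return all(rec["participant"] == pid
               for pid, recs in datasets.items() for rec in recs)


if __name__ == "__main__":
    key = b"constructed-demo-key"            # assumption: a per-study secret
    data, stats = build_participant_datasets(
        SAMPLE_LOG, {"ab1234", "cd5678"}, key)
    for pid, recs in sorted(data.items()):
        print(pid, len(recs), sorted({r["server"] for r in recs}))
    print(stats, "isolation:", isolation_holds(data))
```
        </preformat>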
        <p>Once the data was processed and made available through data endpoints,
the personal analytics dashboard from UCIAD provided the end-user interface
to visualise and access these data. Normally, the logs from Web servers are used
to produce web analytics (i.e. website usage statistics) and many users are aware
of such analytical tools and interfaces associated with web analytics. We were
thus motivated to design the personal analytics dashboard so that it used similar
visualisation methods, but showed (in an aggregated form) information about
the user's visits to various websites. These visualisations include information
about the types of activities performed on online systems, the resources accessed,
locations of the user at the time of usage, the browsers and operating systems
used, the time, etc. Figure 1 shows a screenshot of the dashboard. It is important
to also mention that these visualisations are interactive, as they allow the user
to define filters on the activities (e.g., only show activities realised at a certain
location, or at a given time) by clicking on the corresponding chart elements.</p>
        <p>The core of the user study was the personal interview conducted with each
participant to explore their reactions and views on consumer-activity data, firstly
as a potential user of the system and secondly in relation to anything that they
may discover which was either interesting or worrying as they used the tool. The
interview started with a small introduction to the study, and initial questions
about the participant's background, including their view on how they used OU's
online services and their knowledge of web analytics. After this, each participant
was given access to a computer running the UCIAD personal analytics
dashboard, which accessed the data endpoint specifically created for them. As they
used and explored the tool, they were asked to answer a number of questions
related to the following topics:
- Usage of consumer-activity data ("Did you find anything surprising/interesting
in the data?", "Would you like to be given access to this data?")
- Data gathering issues ("Were you aware such data was being collected?",
"Is there anything in what you see causing you concern?")
- Activity data policies ("Who owns the data and how should it be handled?")</p>
        <p>The interview was conducted by two project team members: while one
member asked the questions (guided/prompted by the usage and exploration of the
personal analytics dashboard), the other team member took notes of the
interview. Interviews generally lasted between 45 minutes and 2 hours. Each interview
was audio recorded and stored in encrypted containers (to protect privacy) and
later transcribed for analysis (the transcripts were anonymised before use).</p>
      </sec>
      <sec id="sec-3-4">
        <title>Online questionnaire and focus group</title>
        <p>An online questionnaire was sent to participants two weeks after the initial
interviews in order to check whether additional thoughts and reactions would have
emerged after the interviews. These questionnaires did not lead to additional
insight, except to confirm that the participants had not changed either their views
or their behaviour with regards to how they perceived and used OU's online
systems. The last phase of the study was the focus group. We included a focus
group because the participants had diverse backgrounds, roles and views, and
there was value in letting them debate their positions and viewpoints with
others in a controlled setting such as a group discussion. To be effective and yet
finish within the allotted time of 90 minutes, the focus group was constructed
around a specific task: the group members had to collaborate with each other
and contribute towards writing a business case supporting the deployment of
a CA data service at the OU. This business case included two main sections:
(i) benefits of CA data and (ii) obstacles to the deployment of CA data services
(which indirectly pointed to privacy and security issues). During the focus group
discussion, participants were asked to identify points to add to both these
sections, and to react to the points made by others. Each point raised was recorded
on a common document (the "draft business case"), which was being projected
on a screen for all the participants to see, as a member of the UCIAD team was
adding notes to it, so that it was corrected and validated collectively at the time
the notes were made.</p>
      </sec>
    </sec>
    <sec id="sec-4">
      <title>Findings</title>
      <p>In this section, we summarise the main results of the study, as a set of general
findings, mainly regarding the benefits, privacy risks and challenges relating to
potential users of CA data within an organisation such as the OU. These
observations were obtained through analysing the transcripts of the recordings made
during the individual interviews, together with the results of the discussions
summarised from the focus group.</p>
      <sec id="sec-4-1">
        <title>Potential benefits in releasing CA data</title>
        <p>As previously described, CA data is a by-product of the user's interaction with
the organisation's online systems. Therefore, one of the fundamental questions
the user study aimed to answer is whether users will be sufficiently interested to
request a copy of the data and put it to any use. It was interesting to note that
the participants came up with several innovative suggestions as to how they may
be able to use their activity data to better themselves:</p>
        <p>
          Self reflection: Some participants of the study saw value in simply being
able to reflect on what they do daily, it was more of a self assurance tool to
indicate if they were on track with their actions or not: "yeah...it is for self
reflection, it can show you if you are on track...that you are not deluding yourself
as to what you are actually working on" [P3]. This notion of self-reflection on
one's own activities is generally related to the one of lifelogging [
          <xref ref-type="bibr" rid="ref20">20</xref>
          ] (see in
particular [
          <xref ref-type="bibr" rid="ref5">5</xref>
          ] that discusses this idea in relation to web interactions).
        </p>
        <p>Self improvement: Another interesting benefit for CA data the participants
suggested was to improve their use of online resources. This is very closely related
to self-reflection and it is an outcome of what they see as "inefficiencies" in
their use of the resources. For example, users find it frustrating not to have
bookmarked certain pages they use quite frequently and to have to search for
them: "I kind of realised this is not very effective and every time I need that
information about the poster...[I want to] bookmark it, you know...to myself and
then I never do...but when you look at something like this...you go like...put some
effort and bookmark it" [P5].</p>
        <p>Trace anomalies: Very similar to how application logs have long served
the purpose for analyses and tracing error conditions in the software, users find
the CA data useful to trace anomalies in their work pattern. For example, they
can trace back their online activities to specific websites whose security had
been compromised: "I can think of an impact around sort of data security and
personal security and it being able to flag up... doing something on a browser that
might not be so secure as you might want or looking at websites that are actually
security risks...to actually be able to go back and track back to say actually did
I use that website at that particular time...that's the type of thing that will be
useful" [P7].</p>
        <p>Promote transparency: In the context of the organisation (the Open
University), participants felt that the very act of releasing the CA data to the users
would significantly improve the organisation's reputation: "if you have a view of
the data who is holding, I think it makes...it reassures the users I suppose, this
is what the OU [organisation] knows, this is what you know...that in a way quite
equal" [P10]. Participants also feel that CA data can provide transparency on
a personal level, for example, the users are able to justify or deny their actions
using the CA data as evidence: "as long as I am doing my job I don't think its
a problem...but I suppose...I am trying to think...my time in Berlin is accounted
for so I am quite happy that people know that I was in Berlin" [P4] and "I am
not...you know...I am not doing anything that I wouldn't be able to stand up and
defend in court if I had to" [P9].</p>
        <p>Although these benefits may not be extraordinary in themselves, they show
that users, when given an opportunity to access their CA data, are likely to
find innovative and creative means to benefit themselves. Given that users are
likely to exploit their CA data, we focus on the potential privacy and security
risks that both the users and the organisation are likely to face, especially with
regards to key questions such as: (1) In what ways will the user's privacy be
harmed by this data? (e.g. in case of data leakage); (2) Can the organisation
suffer any privacy harm? (e.g. if the user voluntarily shares the data on social
media) and; (3) What must be done to avoid harms from (1) and (2)?</p>
      </sec>
      <sec id="sec-4-2">
        <title>Privacy risks: users and organisation</title>
        <p>First, we describe the privacy risks. While these privacy risks may not be
completely new, they underline and confirm that even in a trusted
producer-consumer relationship (as in this case), such privacy threats exist, and they must
be addressed.</p>
        <p>
          Image distortion: Distortion seems to be a major concern. Distortion refers
to disseminating false or misleading information about an individual [
          <xref ref-type="bibr" rid="ref24">24</xref>
          ]. The
user study showed three contributors to distortion: incompleteness, inaccuracy
and incorrectness of data. In the interviews, one of the most commonly expressed
concerns related to the incompleteness of CA data. Some participants felt the
indicated usage was skewed and incorrect because it excluded data from several
other online sources, and the resulting incomplete picture presented them in
a negative light. For example, one user had indicated the missing CA data could
be misunderstood as them "not working", when in fact their activities had been
captured elsewhere which was not included in the study: "I would like to be able
to put in my wider browsing history and quite like as well to pull in my calendar
schedule of meetings stuff like that and just see how much time I actually spent
because like I said there times when I in a meeting or out somewhere else...so my
use of particular systems or web in general may not appear so intense as perhaps
it is... so I quite like to see that" [P9]. The users were worried such incorrect
inferences made from incomplete data could hurt their reputation. The second
contributor to the distortion threat was the inaccuracy of data; a common
example related to the location of the user displayed on the map for each activity. The
location of the user was derived from the IP address of the computer used in the
interaction, but the location derived through this method was often misleading
because the service which interpreted the IP address was grossly inaccurate in
specific cases. In one particular instance, the location pointed to another city
the user hadn't visited before, only adding to the fear that, without the user's
input, the inferences could be wrong and harmful. The third contributing factor
to the distortion threat is incorrect metadata. More precisely it refers to the
incorrect classification and categorisation used in producing the analytics. When
there is a mismatch between how the user and the system have classified an
activity, it can have negative implications for the user: "it [category/classification
of activity] would have to be interpreted very carefully. So obviously it might be
somebody, some social scientist who might be researching pornographic sites and
its impact on society" [P5]; in this case the social scientist could be mistaken
for someone watching and accessing adult material during office hours.
        </p>
        <p>
          Unwanted disclosure: Disclosure involves the revelation of an individual's
true information to others impacting her reputation [
          <xref ref-type="bibr" rid="ref24">24</xref>
          ]. Even if the data was
distorted, its impact is limited when the data is not shared with others: "it's
fine because I am looking at it [data] and I know how to interpret it, if somebody
else looked at this...like you didn't know why I spent so much time on the eBook
thing...yeah, I don't like the idea that people can simply look at it and interpret it
in the way it wasn't correct" [P3]. It's understandable that users are worried that
the incorrect inferences could be viewed by individuals within the organisation
or elsewhere who can make decisions that are detrimental to the user's interest:
"it can be quite misleading judging from this...this isn't my work, this isn't in
my working day and if people are going to be basically making decisions based
on this...yeah... it makes me nervous" [P4]. The point here is that the users
understand the context of their work and their activities and expect to be able to
interpret them. The underlying concern, however, is that if this data is accessible
to others (within the organisation or outside), they might misjudge the user's
reputation based on the partial data.
        </p>
        <p>
          Re-identification: Identification refers to linking information to particular
individuals [
          <xref ref-type="bibr" rid="ref24">24</xref>
          ]. Whether the inferences are accurate or not, generally users don't
seem to be overtly concerned if the CA data is anonymised, but it does cause
concern if they can be identified or the inferences can be associated with them
on an individual basis: "I don't mind if it is aggregating vast data...it's perfectly
sensible in my book but it's when they are drilling down on into individual usage
or even individual departments usage then I'll get a little bit more nervous I
think." [P4]. Although the data is anonymised, there is always a possibility that
the users might be identified through triangulating with other datasets.
        </p>
        <p>
          Opaqueness of passive data collection: Exclusion is failure to provide
individuals with notice and input about their records [
          <xref ref-type="bibr" rid="ref24">24</xref>
          ]. Currently, organisations
provide privacy notices when personal data is being collected, but these are usually
in general terms and, as such, organisations are not obliged to specifically mention the
nature of the CA data their online systems generate. Although organisations may
be highly trusted and may even be seen in a favourable light, there is an implicit
expectation that the organisation would be as open and transparent as possible:
"in principle I don't have a problem but I guess just thinking about it...yeah...who
is collecting the information for what purpose...I think I'd want to be made aware
of that...before the information is collected not afterwards...just nothing...apart
from being kept in the picture" [P4]. At this stage it is not very clear if the users
will change their behaviour after being made aware of data collected by their
online interactions, but nevertheless they would like to be notified.
        </p>
        <p>
          Insecurity from compromised infrastructure: Insecurity is failure to
protect personal data [
          <xref ref-type="bibr" rid="ref24">24</xref>
          ]. Assuming organisations decide to make the CA data
available for the users to download, this would require special secure channels to
be opened. However, it still entails a risk that malicious attackers may obtain
a copy of the data: "yes, it would nice to have access to it, I'll be interested but if
you set-up a system like that you open a gate, no matter how secure it is...there's
a risk people who should not see...I mean other people will be trying, someone
might break-in or whatever" [P2]. Since organisations spend a lot of their resources on
securing their infrastructure, the risk there may be lower than the risk arising from how users
will be able to protect their copy of CA data once it has been retrieved from the
organisation's system. In this respect, the user is far more vulnerable to attacks
and data leakages through loss of storage devices or laptops.
        </p>
        <p>
          Breach of personal and organisation's confidentiality: Breach of
confidentiality is unauthorised revelation of confidential information resulting in loss
of trust [
          <xref ref-type="bibr" rid="ref24">24</xref>
          ]. The CA data not only contains references to the user but also holds
information about the organisation, which can be exploited by the user (e.g. a
disgruntled employee) to damage the organisation's reputation: "what you wouldn't
want to happen is say if you were the employer that we make this available to
people and suddenly they find a way to use to the detriment of the organisation."
[P8], especially in cases where the users decide to upload the content on to
social networking services. This would breach the trust the organisation has in its
employees.
        </p>
        <p>
          3rd party exploitation of data: Secondary use is the use of data for
purposes unrelated to the purposes for which it is collected [
          <xref ref-type="bibr" rid="ref24">24</xref>
          ]. During the study,
many of the users were not aware of their data being collected by external third
party services such as Google Analytics [
          <xref ref-type="bibr" rid="ref12">12</xref>
          ]. While Google Analytics aggregates
data from several users of particular online systems to provide usage statistics,
they also exploit the data they gather for their own purposes, to create user
profiles which can help them in targeting advertisements. In the study, not many
of the users were aware of, or wanted, Google collecting their data, although some of
them, without being fully aware of the consequences, had added Google Analytics
to their project web pages/websites. Third party use of CA data can only be
external, since users cannot be expected to be able to develop tools to process
the raw CA data and will be dependent on third party services to analyse these
data. In such a scenario, the CA data which contains information provided by the
organisation about the user's activities might be used for purposes not intended
by the user or the organisation. This therefore constitutes a potential privacy
risk for both of them.
        </p>
      </sec>
      <sec id="sec-4-3">
        <title>Privacy policy models: ownership and licensing</title>
        <p>At a higher level, organisational privacy policies govern how the data is collected,
processed and to what use it will be put. They relate to ownership and licensing
of data; here, ownership is concerned with controlling who can change the access
permissions and usage rights on the data. The owner who holds the ownership
rights may allow other entities to access and use the data by issuing a license (i.e.
terms and conditions for use). The CA data may reside in the organisation's or the
user's domain (or both), and privacy risks apply differently depending on who
has control over the data. For an effective access control policy, the access rights
and ownership rights have to be clearly defined. However, in the study we found
that users have no clear consensus on the ownership rights that should be applied to
CA data. Here we briefly describe the three potential models participants relate
to:</p>
        <p>(1) The organisation owns the data: Currently, this is seen as the default
model. The organisation creates the data and therefore retains the rights and
exploits the data as its own asset, and some users acknowledge and support
this position: "I think the OU owns it...it's the University's data, it's information
about me but University compiled it and they must own it...as an individual I
don't own the data, I am in that camp...some people may say they generated
the data, no [they] didn't, the University happened to collect the data of my
usage, I didn't create the data" [P8]. Since the organisations are constrained by
the DPA, which specifies under what conditions the data can be used without
having to obtain consent from the user, delivering CA data would effectively
mean issuing a license to the user to not only access their own data but also
use it in ways they deem fit. The CA data not only contains details about the
user but also about the organisation. Assuming organisations redact the CA data
before releasing it, there is always the risk that some confidential information
can be triangulated through other means. It is therefore in the interest of the
organisation to impose restricted licensing conditions that make it difficult for
the CA data to be aggregated and used in ways that are detrimental to its
reputation. This of course raises an important question: what type of restrictions
should the organisation be allowed to impose on the released CA data, given
that users will want to exploit its benefits? The majority of study participants
indicated that they would expect the organisation to impose strong limitations
on the use of the data (e.g., it could not be shared or it could only be accessed
through the tools provided by the organisation).</p>
        <p>(2) The user owns the data: The second model represents a radical shift
from the default model described above. In this model, the participant's
suggestion is for the users to have full rights over the CA data once it is transferred to
the individual: "if the data is given back to me then I'd expect I am the owner
of it...that the people who had originally collected that data have passed the
ownership to me to do what I like" [P7]. The participants reason that, since the
CA data represents personal information, it is only natural for the individual
to be in control of its use. One major implication of this approach is that the
organisations by default will not have the right to either access or exploit the
CA data in any form, unless it has been explicitly licensed by the user.
Therefore, the important question here is: what type of restrictions should the user
be allowed to impose on the organisation's use of CA data? Allowing users to
impose conditions could make it more complex for organisations to genuinely
use the CA data to improve their online services and, as a consequence, make
the collection of CA data irrelevant and counter-productive for organisations.</p>
        <p>Another reason to transfer the ownership to the user is that the DPA
indicates that personal data might not be kept by an organisation for longer than
necessary for the intended purpose. Since organisations keep CA data for a short
period (at the OU, the data is kept for 7 consecutive days) and then delete it,
one possible approach would therefore be to transfer the data together with its
associated rights to the user after this retention period. From a practical
perspective, this would also represent a convenient arrangement, as users could simply
'opt-in' for their CA data to be sent to them at the time it is deleted from the
organisation's systems. Of course, this would still imply that the organisation
would lose control once the data has been transferred to the user, and
"non-detrimental use/confidentiality" clauses might be attached to the delivery of CA
data.</p>
        <p>(3) Shared data ownership: The third suggestion is for a hybrid approach
where both the organisation and the user are considered as co-owners of CA data.
This means that both will have full access to the data, but would be prevented
from using them in ways that could be detrimental to each other. Study
participants proposed this to be an appropriate model: "it is shared data almost
isn't it, like pay scales and salaries and things...that is OU data as well...as to
what they pay their staff, so it's not just mine to do whatever I want...it's like a
shared ownership" [P3]. The legal implementation of such an arrangement could
be rather complex, or on the contrary it might be simpler than anticipated.
For example, the organisation can comply with the DPA just as they do when
the CA data is in their domain, while at the same time, the users can be bound
to confidentiality agreements with the organisation, thus preventing them from
widely distributing these data. In any case, new terms and conditions will have
to be drawn up, so the important questions are: what are these joint terms and
conditions? Will there be any flexibility in negotiating them? How will conflicts
be resolved?</p>
        <p>We found that there was no clear consensus among the participants on any
of the ownership and licensing models described above. We also found that
participants were not in a position to articulate and elaborate on the terms and
conditions that each of the three models might entail so that both users and
organisations can mutually benefit from the use of CA data.</p>
      </sec>
    </sec>
    <sec id="sec-5">
      <title>Discussion and conclusion</title>
      <p>The user study had a sample size of 12 participants and as such it was not
expected to be representative of all CA data users; instead, the aim was to explore
and provide initial insights on the potential impact the releasing of CA data will
have on both the users and the organisations. In this regard, our study showed
how users, when given an opportunity, can come up with ingenious ways to
exploit and benefit from CA data. Further, the study uncovered several potential
privacy risks which are applicable to both the users and the organisation.
Although the discovered privacy risks are not new, the study showed that these
risks were dormant even in datasets generally not visible to the users. More
importantly, the privacy risks relate to both the user and the organisation, and
here we briefly discuss the impact of these findings with respect to legislation and
data protection principles. The DPA controls how organisations, businesses and the
government process data and it primarily applies to personal data. This throws
open an important question: should CA data be considered as personal data?
In our study, CA data contained traces of the user's identity, for example, the
online system's user-name, but this in itself was insufficient to link to any
individual within the organisation (without having access to other directory systems
within the OU). Everything in the DPA pertaining to data access rights of both
the users and the organisations then hinges on this classification. Considering
CA data as personal data can have far reaching implications under the DPA:
(a) users will be allowed to demand a copy of their data, unlike the current
situation where organisations are encouraged to release CA data voluntarily, (b)
organisations will be forced to make explicit how they process the data and for
what purposes it is being used, and (c) organisations will be unable to allow 3rd
party use without explicit consent from the user. Current ambiguity attached
to the nature of CA data means organisations are not obliged to provide notice
and obtain the user's consent regarding (b) and (c). For other implications, the
DPA in its current form appears to be inadequate. For example, the CA data, in
addition to containing traces of the user's identity, also contains confidential
information about the organisation's internal structure; therefore the question arises:
what data access rights do organisations have after the data has been transferred
to the user's domain? This of course requires further debate and legislation.
One limitation of our study relates to generalisability: the OU, like many other
educational organisations, collects CA data on different systems to improve its
services, but we were not aware of it integrating these data and employing
analytics to derive benefits from it to the extent it was done in the study.</p>
      <p>In conclusion, it's important to not only understand and anticipate the
benefits of releasing consumer-activity data but crucially its privacy implications. To
this end, we conducted an exploratory qualitative study in the context of a large
educational institution in which users were exposed to a novel 'personal
analytics' dashboard designed to provide access to and visualise their consumer-activity
data. From observing the reactions of the study participants, we not only
uncovered several privacy risks applicable to both the users and the organisation
but also highlighted several challenges relating to data ownership and licensing
models which must be addressed if consumer-activity data is to be released.</p>
      <sec id="sec-5-1">
        <title>Acknowledgments</title>
        <p>Thanks to Dr. Mathieu D'Aquin for his significant contribution in realising the
user study and his useful insights on post study analysis. The study was partly
achieved thanks to funding from JISC for the UCIAD (User Centric Integration
of Activity Data) project; see http://uciad.info for details.</p>
      </sec>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          1. Activity Data, JISC, UK, http://tinyurl.com/6lcb5xw
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          2.
          <string-name>
            <surname>Atterer</surname>
            ,
            <given-names>R.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Wnuk</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Schmidt</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          :
          <article-title>Knowing the user's every move: user activity tracking for website usability evaluation and implicit interaction</article-title>
          .
          <source>In: Proceedings of the 15th international conference on World Wide Web</source>
          , pp.
          <fpage>203</fpage>
          -
          <lpage>212</lpage>
          . ACM, (
          <year>2006</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          3.
          <string-name>
            <surname>Carl</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Jakobsen</surname>
            ,
            <given-names>A.L.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Jensen</surname>
          </string-name>
          , K.T.H.:
          <article-title>Modelling human translator behaviour with user-activity data</article-title>
          .
          <source>In: 5th Intl. Workshop on Natural Language Processing and Cognitive Science</source>
          . (
          <year>2008</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          4.
          <string-name>
            <surname>Corbin</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Strauss</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          :
          <article-title>Basics of Qualitative Research, Techniques and Procedures for Developing Grounded Theory</article-title>
          . Sage Publications
          (
          <year>2008</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          5.
          <string-name>
            <surname>d'Aquin</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Elahi</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Motta</surname>
          </string-name>
          , E.:
          <article-title>Semantic monitoring of personal Web activity to support the management of trust and privacy</article-title>
          .
          <source>In: Proceedings of the WebSci10: Extending the Frontiers of Society On-Line</source>
          . (
          <year>2010</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          6.
          <string-name>
            <surname>d'Aquin</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Elahi</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Motta</surname>
          </string-name>
          , E.:
          <article-title>Semantic monitoring of personal Web activity to support the management of trust and privacy</article-title>
          .
          <source>In: SPOT 2010: 2nd Workshop on Trust and Privacy on the Social and Semantic Web</source>
          . (
          <year>2010</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          7.
          <string-name>
            <surname>d'Aquin</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Elahi</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Motta</surname>
          </string-name>
          , E.:
          <article-title>Semantic technologies to support the user-centric analysis of activity data</article-title>
          .
          <source>In: SDoW</source>
          <year>2011</year>
          ,
          <source>Social Data on the Web: Workshop at the 10th International Semantic Web Conference (ISWC)</source>
          (
          <year>2011</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          8.
          <string-name>
            <surname>Elahi</surname>
          </string-name>
          , S.,
          <string-name>
            <surname>d'Aquin</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Motta</surname>
          </string-name>
          , E.:
          <article-title>Who Wants a Piece of Me? Reconstructing a User Profile from Personal Web Activity Logs</article-title>
          .
          <source>In: International ESWC Workshop on Linking of User Profiles and Applications in the Social Semantic Web</source>
          . (
          <year>2010</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          9. Explore Your Activity Log (Facebook), www.facebook.com/help/activitylog
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>10. Fair Information Practice Principles, www.ftc.gov/reports/privacy3/fairinfo.shtm</mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          11. Fuseki: serving RDF data over HTTP, http://jena.apache.org/documentation/serving_data/index.html
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>12. Google Analytics, www.google.com/analytics</mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          13.
          <string-name>
            <surname>Hasan</surname>
            ,
            <given-names>L.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Morris</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Probets</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          :
          <article-title>Using Google Analytics to Evaluate the Usability of E-Commerce Sites</article-title>
          . In: Kurosu, M. (ed.)
          <source>Human Centered Design</source>
          , vol.
          <volume>5619</volume>
          , pp.
          <fpage>697</fpage>
          -
          <lpage>706</lpage>
          . Springer Berlin Heidelberg (
          <year>2009</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          14.
          <article-title>Key definitions of the Data Protection Act, Information Commissioner's Office (ICO), UK</article-title>
          , http://tinyurl.com/8f5wlbp
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          15.
          <string-name>
            <surname>Krishnamurthy</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Wills</surname>
            ,
            <given-names>C.E.</given-names>
          </string-name>
          :
          <article-title>Generating a privacy footprint on the internet</article-title>
          .
          <source>In: Proceedings of the 6th ACM SIGCOMM conference on Internet measurement</source>
          , pp.
          <fpage>65</fpage>
          -
          <lpage>70</lpage>
          . ACM, (
          <year>2006</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          16.
          <string-name>
            <surname>Mancini</surname>
            ,
            <given-names>C.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Thomas</surname>
            ,
            <given-names>K.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Rogers</surname>
            ,
            <given-names>Y.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Price</surname>
            ,
            <given-names>B.A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Jedrzejczyk</surname>
            ,
            <given-names>L.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Bandara</surname>
            ,
            <given-names>A.K.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Joinson</surname>
            ,
            <given-names>A.N.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Nuseibeh</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          :
          <article-title>From spaces to places: emerging contexts in mobile privacy</article-title>
          .
          <source>In: Proceedings of the 11th Intnl. conference on Ubiquitous computing</source>
          , pp.
          <fpage>1</fpage>
          -
          <lpage>10</lpage>
          . ACM, (
          <year>2009</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          17.
          <string-name>
            <surname>Mancini</surname>
            ,
            <given-names>C.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Rogers</surname>
            ,
            <given-names>Y.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Thomas</surname>
            ,
            <given-names>K.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Joinson</surname>
            ,
            <given-names>A.N.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Price</surname>
            ,
            <given-names>B.A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Bandara</surname>
            ,
            <given-names>A.K.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Jedrzejczyk</surname>
            ,
            <given-names>L.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Nuseibeh</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          :
          <article-title>In the Best Families: Tracking and Relationships</article-title>
          .
          <source>In: Proceedings of the 29th Intnl. Conference on Human Factors in Computing Systems, ACM CHI</source>
          <year>2011</year>
          . ACM Press, (
          <year>2011</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>
          18. Midata: access and control your personal data, www.bis.gov.uk/policies/consumer-issues/personal-data
        </mixed-citation>
      </ref>
      <ref id="ref19">
        <mixed-citation>
          19.
          <string-name>
            <surname>OECD</surname>
          </string-name>
          <article-title>Guidelines on the Protection of Privacy and Transborder Flows of Personal Data</article-title>
          , http://tinyurl.com/bgojzhu
        </mixed-citation>
      </ref>
      <ref id="ref20">
        <mixed-citation>
          20.
          <string-name>
            <surname>O'Hara</surname>
            ,
            <given-names>K.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Tuffield</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Shadbolt</surname>
            ,
            <given-names>N.</given-names>
          </string-name>
          :
          <article-title>Lifelogging: Privacy and empowerment with memories for life</article-title>
          .
          <source>Identity in the Information Society</source>
          <volume>1</volume>
          ,
          <fpage>155</fpage>
          -
          <lpage>172</lpage>
          (
          <year>2008</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref21">
        <mixed-citation>
          21.
          <string-name>
            <surname>Plaza</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          :
          <article-title>Monitoring web traffic source effectiveness with Google Analytics: An experiment with time series</article-title>
          .
          <source>Aslib Proceedings</source>
          <volume>61</volume>
          ,
          <fpage>474</fpage>
          -
          <lpage>482</lpage>
          (
          <year>2009</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref22">
        <mixed-citation>
          22.
          <string-name>
            <surname>Plaza</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          :
          <article-title>Google Analytics for measuring website performance</article-title>
          .
          <source>Tourism Management</source>
          <volume>32</volume>
          ,
          <fpage>477</fpage>
          -
          <lpage>481</lpage>
          (
          <year>2011</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref23">
        <mixed-citation>
          23.
          <article-title>Resource Description Framework (RDF)</article-title>
          , www.w3.org/RDF
        </mixed-citation>
      </ref>
      <ref id="ref24">
        <mixed-citation>
          24.
          <string-name>
            <surname>Solove</surname>
            ,
            <given-names>D.J.</given-names>
          </string-name>
          :
          <source>Understanding Privacy</source>
          . Harvard University Press, London (
          <year>2008</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref25">
        <mixed-citation>
          25.
          <article-title>The Data Liberation Front</article-title>
          , www.dataliberation.org
        </mixed-citation>
      </ref>
      <ref id="ref26">
        <mixed-citation>
          26.
          <string-name>
            <surname>Turner</surname>
            ,
            <given-names>S.J.</given-names>
          </string-name>
          :
          <article-title>Website Statistics 2.0: Using Google Analytics to Measure Library Website Effectiveness</article-title>
          .
          <source>Technical Services Quarterly</source>
          <volume>27</volume>
          ,
          <fpage>261</fpage>
          -
          <lpage>278</lpage>
          (
          <year>2010</year>
          )
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>