Privacy Experiment #4 ====================== Goal: Determine if Verily's Project Baseline is a data-harvesting scam or legitimate clinical study. Questions: Q. Is Google / Alphabet / Verily collecting highly sensitive data for reasons that have less than a 0.1% chance of occurring? Q. What personal information, if any, is shared with third parties? Q. What is the risk of individuals being harmed based on quantifiable evidence (discrimination, phishing, ad-targeting, unsupervised medical diagnoses and treatments, etc.) Q. How is Project Baseline NOT subject to HIPAA, as Verily claims? Q. How does it compare with known data-harvesting scams such as: https://beginatzero.com/apex-focus-group-job-listing-review-red-flags-that-will-help-you/? Q. How does it compare with legitimate clinical research studies? Metrics: # registrants # studies applied for # studies accepted # services or referrals given # cookies proliferated # pharmaceutical ads detected Proposed Methodology: 1. Register as a participant on Verily's Project Baseline platform. 2. Submit a mix of accurate and false personal data elements as unique markers in your profile. 3. Apply for studies to participate in. 4. Capture screenshots of all information submitted to Verily and third-parties. 5. Build a data model on data collected by researchers as training data, for use in generating simulated profiles, and predicting outcomes. 6. Investigate all third-parties relationships and data-sharing practices of Verily, and compare evidence gathered with all policy claims and public statements by Verily and their third-parties. 7. Compose and disseminate questionnaires to Verily and their third-parties for analysis and comparison with evidence collected by researchers. Governance: 1. Establish an Advisory Board of reputable experts in relevant domains to oversee the project objectives and methodology, and provide pro-bono advice to researchers. 2. Advisory Board members will be known and used as references to assure research participants and relevant authorities that ethical and quality control guidelines were established and evaluated. 3. Members of this Advisory Board should include attorneys, privacy professionals, healthcare providers, data scientists, risk analysts, medical clinicians with experience leading CAPA trials, sociologists, and cybersecurity experts. 4. Advisory Board members decide whether to continue, terminate, refer, or publicize the results of this research. Research Participants: 1. Researcher's identities shall not be disclosed in any reports or data collected. 2. Researcher's identities MAY BE KNOWN AND VERIFIED by Idology, Verily's third-party authentication service. 3. Any personal information collected by the researcher will stay in their possession. 4. For quality control purposes, researchers should check their evidence and attest the information is correct. 5. Whenever possible, all questions related to personal data will be provided to researchers in advance. 6. Researchers are encouraged to keep their participation confidential until date of publication. 7. Researchers can leave the project at any time, and can elect which tasks and studies to participate in. ** IMPORTANT NOTICE ** Some studies such as clinical depression are extremely sensitive and intrusive. Researchers choose which studies to participate in and what answers they choose to submit. Answers submitted for some studies should be done in consultation with a licensed physician or qualified mental health professional, to help with submitting "vanilla" control profiles with no physical illness, history of mental illness or substance abuse. Timing: Aiming to start April 10 with a minimum of 12 Researchers and 4 Advisory Board Members, and publish results by June 10. How to Participate: Review the preliminary research (Iterations #1-3) here: https://privacyportfolio.com/exp4/page1.html Contact Craig Erickson by phone or email to discuss questions or concerns. If interested in serving on the Advisory Board, please give your consent to share your name with other potential board members. We will attempt to meet by videoconference initially to determine what, if anything, should be done with this research project. Craig Erickson, CISSP CISA Data Protection Officer PrivacyPortfolio (510) 330-8638