Data Portability as a Tool for Audit

ABSTRACT Pervasive systems are almost omnipresent in their collection and processing of personal data. Understanding what these systems are doing is essential for trust, and to ensure that data being collected are accurate. Auditing these systems can help to determine the accuracy of these data. Such audit may take place internally by systems designers, but external audit is important for accountability. In this paper we explore whether users can conduct their own external audit of the systems with which they interact. In particular, we use the Right to Data Portability afforded to data subjects through the General Data Protection Regulation. Using fitness trackers, we collect and upload running data to a set of data controllers. By using data portability to then obtain a copy of our data, we compare the data held by the controllers with our ground-truth data. We find some inaccuracies in the data, but also that audit can be impeded by insufficient explanations from data controllers.