Privacy Risk Scoring for User-Facing Enterprise Web Applications: A Machine Learning Model for Sensitive Data Exposure Detection

Authors

  • Divya Sai Jaladi, Application Developer, SCDMV, Charlotte, NC, UNITED STATES

Keywords:

Privacy Risk Assessment, Machine Learning, Personal Identifiable Information, Web Application Security, Risk Scoring Models

Abstract

This article examines the factors that regulate analytics, particularly analytics concerning citizen behaviors and transactions, which depend on the operational domain of an organization (corporate, public sector/government, or academic). We contend that ambitions and purposes vary by domain, even though digital spaces are increasingly bringing these domains together. We assert that citizens' expectations and implicit consent for data exploitation require the perception of a fair balance of advantages, which must be visible and justified to the public. We emphasize that in the corporate domain, the majority of analytics does not pertain to identification, targeted marketing, or direct engagement with individual people; rather, it facilitates strategic decision-making, with the data being effectively anonymized. We examine the nature of models used in analytics across the three domains, including 'black-box' modeling that is beyond human verification, and the need to monitor the provenance and functionality of these models. We also analyze the recent development of personal data, whereby some behaviors or tokens that identify people (unique but non-random) are partly and collectively held by other interconnected persons. We evaluate the capacity of strongly and weakly regulated industries to enhance access or inhibit innovation. We advocate for explicit and comprehensive definitions of 'data science and analytics', steering clear of the restrictive assertions made by individuals in certain technical sub-sectors or sub-themes. Finally, we analyze instances of unethical and abusive conduct. We advocate for the imposition of an ethical duty on professional data scientists to prevent future misuse.

Published

2025-01-05