PICCASO Awards Alumnus Spotlight: Dr Huma Shah

Christina Tueje, one of our esteemed Judges asked Dr Huma Shah a few questions about her dedication to the PICCASO community and her team’s accomplishments since receiving the PICCASO award.

Section image

How a Citizen Science Project Became an International Privacy Governance Blueprint

Meet Huma, Senior Lecturer and Researcher and Best Innovative Privacy Project Award winner in 2022 and proud PICCASO Awards alumnus.

Can ordinary people become extraordinary defenders of digital rights?

Huma teaches AI and AI ethics at Coventry University, focusing on privacy and data minimisation. Her team won the PICCASO award for the EU Horizon2020 Citizen Scientists Investigating Cookies and App GDPR Compliance Project (CSI-COP). They created a quiet privacy revolution in training hundreds of volunteers to check GDPR compliance in websites and apps.

The Journey – Part 1: Can machines deceive us?

This question launched Huma’s PhD in ethics and technology at the University of Reading: "Deception-Detection and Machine Intelligence in Practical Turing Tests. She worked with Professor Kevin Warwick, conducting public Turing test experiments including one at the Alan Turing centenary event at Bletchley.

The event was awarded the Seb Coe London2012 Inspire Mark for Education. For Huma, this experience initiated an unstoppable investigation.

Part 2: How do we tell truth and transparency from trickery in the digital age?

Huma developed an interest in data privacy, Facebook scrutiny and GDPR. In class, she asked students to request their personal data; one found that Facebook retained deleted posts and photos, highlighting that online deletion doesn’t always mean permanent, irretrievable disappearance. The experience prompted Huma to delete her pseudonymous account and shift focus from research to privacy advocacy, demonstrating how education can inspire action.

Part 3: The Grand Grant Proposal

Huma created a grant proposal focused on privacy research and its democratization, which resulted in the EU-funded Citizen Scientists Investigating Cookies and App GDPR Compliance (CSI-COP) project. This initiative trained the public to audit websites and apps for GDPR compliance, helping individuals understand their digital rights.

Amid the challenges posed by the global pandemic (documented in a powerful case study), Huma dedicated three years assembling an international team and recruiting volunteers. She implemented a bottom-up, privacy-by-design public engagement model - beginning with an accessible online course structured around five foundational steps and a ten-question assessment, made available in 14 languages. The course addressed key topics, including:

  • What is the concept of ‘privacy’?
  • What precisely is ‘personal data?’.
  • Online Tracking – how is our personal data extracted online?
  • What are our rights against all the online tracking?
  • Free online privacy audit tools to help protect our personal data and preserve our privacy online.

The Grand Impact

After completing the informal learning and a 10-question test, individuals could join the CSI-COP consortium as Citizen Scientists. By August 2023, over 600 had finished the course, with more than 190 becoming privacy auditors who could confidently check GDPR compliance on websites and apps. The project has contributed to:

  • Policy briefs, public reports, and a platform for developing policy recommendations on information rights, GDPR compliance, and data ethics
  • A classification of digital trackers and cookies, which is now utilized by educators, developers, and regulators
  • A free-to-use database of over 1,000 reviewed websites and apps, used by researchers, students, and privacy advocates throughout Europe
  • Presentations, academic courses, and citizen-driven privacy initiatives inspired by the project
  • Publicly available data management plans and societal impact reports.
  • Academic curricula and advocacy efforts.

The Big, Grand Memorable Night

CSI-COP’s work is increasingly relevant as AI tools pose new privacy challenges. With widespread surveillance and inconsistent consent management practices, the project underscores the need for public action and better privacy governance.

In December 2022, CSI-COP received formal recognition from the PICCASO Award judges. Huma recalls the event, as her team competed with established data protection and technology governance organizations that have global reach, significant resources and regulatory authority. So, winning the award really validated something they had believed all along: that involving the public isn’t just worthwhile-it’s essential.

Tell us a bit about yourself and your current role?
Huma: Interest in the scholarship of Bletchley Park codebreaker and 20th century mathematician Alan Turing, and his idea of exploring machine thinking through an ‘imitation game’ or Turing test, led to undertaking a PhD at Reading University on ‘Deception-detection and machine intelligence in Practical Turing tests’. Turing’s work gave birth to the science of artificial intelligence (AI) in the 1950s. I was lucky enough to gain PhD supervision from the ‘first human cyborg’, British cyberneticist Professor Kevin Warwick with whom I organised public Turing test experiments, including at Bletchley Park on the 100th anniversary of Alan Turing’s birth, on 23 June 2012. Members of the public could chat with hidden humans and machines and try to distinguish ‘which was which’ asking any questions and making a determination based on text-based answers. This event, held in the year of the 2012 London Olympics, gained the London2012 Inspire Mark for Education, a certificate signed by Seb Coe.

I am currently teaching artificial intelligence (AI) and AI ethics in the School of Science at Coventry University. Nascent AI has evolved providing a public understanding of the science through generative AI models. Generative AI poses all sorts of challenges, including protecting personal data when using these systems as ‘AI assistants’ to answer any question, create an image, produce audio or generate a video clip. As part of their computer science, data science or AI studies, students I teach learn why it is necessary to limit the gathering of personal data, sufficient to make an application or device work. For example, a transport app requires location data, but it does not need access to contacts or photos, etc., to make such an app work. In this way, students can actively protect people’s privacy and prevent harms in the event of a cyberattack (e.g. hacked data released on the dark web).

What first drew you to the world of Privacy?
Huma: Research-for-teaching technology ethics revealed the extent to which our privacy is compromised online, for example from third-party tracking in websites and apps. Third-party tracking allows big tech and online advertisers to extract details about you, including the device you used and its location, to visit a website or use an app. In teaching, one activity I set in class in 2019, just after the EU’s general data protection regulation (GDPR) had been enacted in the UK’s 2018 Data Protection Act, was a ‘learning by doing’ exercise. Students learnt about the GDPR’s ‘right to access’ principle. I asked students to use that right, under a ‘subject access request’ to contact an organisation and ask them to disclose what personal information they held on the student. Following that class, a student revealed that they had made a request to Facebook where they held a social media account. In the data file that Facebook presented to this student, under their subject access request, the student found posts and photos that they had deleted in their Facebook account, and that were no longer accessible to them, or their Facebook friends, but, as their Facebook file showed, the deleted information was still stored by Facebook. The student was not provided with any information by Facebook why this social media platform would be holding on to personal data no longer accessible to them or their friends. This was a shock to me and the students who felt intruded. Since then I no longer use the Facebook account I had created (using a pseudonym).

My research and teaching led me to write a grant proposal for a project investigating privacy putting together an international team with an objective to involve the general public in our work. The EU Horizon2020 funding programme, under their ‘science with and for society’ (SwafS) scheme funded the data protection and privacy project, CSI-COP, which ran from January 2020 to August 2023 (https://cordis.europa.eu/project/id/873169).

You won Best Innovative Privacy Project in 2022. What do you think set your work apart?
Huma: Achieving the ‘Best Innovative Privacy Project’ meant a lot to the team behind the CSI-COP project from the nomination I wrote for this award. The award demonstrated recognition for the privacy work being done, and that involving the general public was worthwhile. But it was a big surprise on the award night in December 2022 to learn Coventry University had won ‘Best Innovative Privacy Project’, because the category, as in the other categories, had really strong nominees, including PwC, Nokia, and the Information Commissioner’s Office (ICO), which is the data protection authority in the UK.

At the time I was the scientist directing the research and innovation on an EU funded project, CSI-COP (https://cordis.europa.eu/project/id/873169) which was engaging members of the public to co-investigate compliance of the GDPR in websites and apps. I believe it is the involvement of the public as volunteer citizen scientists, exploring their own Internet usage informally learning about their right to privacy contributing to policy recommendations, that set Coventry University apart from the other nominees in this category. At the time of the award. Coventry University had already produced a short learning guide ‘Your Right to Privacy Online’ in several languages, and the first policy recommendation to the EU (https://cordis.europa.eu/project/id/873169/results).

Can you share a bit about the initiative, project, or impact that led to your award? What challenges did you face while working on that and how did you overcome them?
Huma: The citizen-science-driven CSI-COP project (https://csi-cop.eu/), which ran between January 2020 and August 2023, implemented a bottom-up, privacy-by-design public engagement action to firstly create a simple-to-follow five step guide (MOOC: https://csi-cop.eu/informal-education-mooc/) on rights to privacy. The five steps are: 1) What is the concept of ‘privacy’?; 2) What precisely is ‘personal data?’; 3) Online Tracking – how is our personal data extracted online?; 4) What are our rights against all the online tracking, and 5) Free online privacy audit tools to help protect our personal data and preserve our privacy online. Following this free informal learning, individuals who completed the MOOC with its 10-question test, and wanted to progress as citizen scientists joined the CSI-COP consortium. One-to-one practical training provided the opportunity to gain technical skills as online privacy auditors investigating beneath websites and apps to find whether the GDPR was complied with. At the time of the award over 280 individuals had completed the MOOC in one of its languages, the number had increased to over 600 by the end of the project in August 2023. Over 190 of MOOC completions were inspired to became CSI-COP citizen scientists.

One of the main challenges in CSI-COP was converting interested individuals who had completed the MOOC to becoming citizen scientists. COVID-19 pandemic had emerged shortly after the start of the project necessitating lockdowns across the world requiring working and learning from home. Hence volunteering in CSI-COP felt like more ‘home-working’ taking time away from what little of leisure activities were permitted due to restrictions on mobility. Another major reason individuals gave for not becoming citizen scientists was a real apathy to finding out how much of their internet activity was being surveilled. The challenges to conducting a citizen science privacy and data protection during a pandemic were recorded in a published case study ‘Force majeure impact on citizen science: Perspective from an EU funded project’ which is available as open-access from the ORE platform here: https://open-research-europe.ec.europa.eu/articles/5-59 and also on Zenodo open-access platform here: https://zenodo.org/records/15193363

Nonetheless, the invaluable contributions from CSI-COP’s citizen scientists produced a Taxonomy/classification of the different types of digital tracking devices (including third-party tracking cookies), in a report which can be read online or downloaded from CSI-COP website results page here: https://csi-cop.eu/project-results/taxonomy-of-cookies-and-online-trackers/

In addition to other project results, a free-to-search Repository of investigated websites and apps by CSI-COP researchers and the project’s citizen scientists is available for research by students, researchers and other privacy stakeholders from the CSI-COP website here:

Have you shared any learnings from your award-winning work with colleagues or wider network? If so, how?
Huma: CSI-COP’s award-winning work has been shared widely and continues to be relevant since artificial intelligence tools add further challenges to maintaining our privacy online. CSI-COP’s Repository is one of the project’s results that is used in teaching and in invited talks. Students and researchers can explore the Repository and compare a stored investigation of a website or app to find if there are any changes, for example, whether there were any third-party trackers found during CSI-COP still present beneath, to track or have they been removed.

Many other learnings from CSI-COP’s award-winning work include i) data management plans, ii) policy recommendations and iii) societal impact reports that are accessible from different platforms: CSI-COP’s privacy-by-design project website (https://csi-cop.eu/) , the EU CORDIS portal (https://cordis.europa.eu/project/id/873169/results), and Zenodo open-access platform (https://zenodo.org/search?q=CSI-COP&l=list&p=1&s=10&sort=bestmatch). In addition to written reports, CSI-COP findings were shared in public events, including in Memento Museum in Auch, South of France, in the Sziget Festival in Budapest, Hungary, as well as in CSI-COP partner countries for local communities.

CSI-COP findings continue to be shared and are being used as the foundation for other activities. For example, in a recent public panel on ‘Do you know your AI from your Generative AI?’ which covered data protection and online privacy in the event hosted by Coventry University in May 2025 funded by the Manchester University-led Sprite+ project on trust, privacy, identity security and engagement.

Privacy issues are not going away. With generative AI, privacy has become further difficult to preserve with text and audio generators planned for embedding in children’s toys (see OpenAI and Barbie-maker Mattel team up to bring generative AI to toymaking, other products | TechCrunch ). Initiatives such as PICCASO Privacy awards provide a great opportunity for researchers and activists working in privacy to showcase their work and to involve the public raising awareness of new and emerging technology threats so helping to act in preserving our privacy.

PreviousNext
Profile picture
Cancel
Cookie Use
We use cookies to improve browsing experience, security, and data collection. By accepting, you agree to the use of cookies for advertising and analytics. You can change your cookie settings at any time. Learn More
Accept all
Settings
Decline All
Cookie Settings
Necessary Cookies
These cookies enable core functionality such as security, network management, and accessibility. These cookies can’t be switched off.
Analytics Cookies
These cookies help us better understand how visitors interact with our website and help us discover errors.
Preferences Cookies
These cookies allow the website to remember choices you've made to provide enhanced functionality and personalization.
Save