Any user of online services is left with the uncomfortable reality of not knowing who controls their personal information, and the use it has been given. As handily mentioned by Chris Skinner, these days we find “discussions around data ownership and privacy, in discussions about almost anything really. When will I own my data? When will I have my own identity? How can I take control of me away from banks, corporations and governments and give it to me?“ (Chris Skinner’s Blog, April 2019)
And yes, people want control of their personal data back. At least they want, and deserve, to know how it’s used and by whom it’s accessed. This is understandable, since it is known personal data has repeatedly been packaged and commoditized to be sold to the highest bidder.
The thing is, banks, corporations, and governments are not evil creatures who just want to grab onto as much data as they can for no reason, but are rather diligently working to provide better services for more people. They want to offer new products, which requires scalable user data acquisition. So, the solution is not just to “give data back to its owners”, but to find a partner which will ensure the collected data is handled properly and kept secure, which will empower its users by giving them control of who can access their data and how.
Uncertainty in the Cloud
One of the key issues with data privacy pertains to the quality of the data. Generally speaking, the user-generated data or personally identifiable information that we feel most sensitive about, is of very poor quality. It makes companies want to gobble up any and all the information they can possibly find on the users, in the hope that the additional information is going to help them target those individuals that are able and willing to buy their product or service. Are your Facebook pictures helpful in selling you a new credit card? How about the contents of your Twitter feed in assessing your willingness to buy life insurance? It’s unlikely, which is why so much of today’s messaging is spam. Proper identity infrastructure will prevent our personal data from getting packaged, repackaged, bundled across multiple data ad driven providers like Facebook or Google, and resold to the highest bidder. Companies make ethically dubious choices to drill ever deeper into consumer personal information to better estimate their needs and how to find the people who need them. They’re not evil, they’re just doing it blindly. The good news is that we can look forward to the future world where proper identity infrastructure will solve most data privacy concerns. The bad news is that we’re not quite there yet.
We have become used to being unaware of what happens to our data once it is “in the cloud”. Lately, some companies have displayed efforts to make people more conscious with regard to their data, but in most cases, such efforts derive from regulations which require them to do so, and are merely from the perspective of form, and not necessarily of substance. That is to say, most data handlers today allegedly bestow the control of the data to its owners, merely by statements which claim to do so. Thus, the customer is said to be in control, particularly since it is requested permission to share its data but, in the end, the statements made by companies tend to be so confusing, or furthermore not very transparent, that users end up not even knowing what they approved, knowing the same as before (namely, nothing) regarding what will happen to their data, and with little assurance that their data will be secure and will not be misused. Users are ultimately forced to accept that their data is in the hands of companies which are incentivized by money and therefore will not compromise their security because this could cost them dearly in terms of revenue and reputation. But what users often don’t realize is that using their data has many profitable avenues without their permission. This renders a feeling of helplessness from the consumers’ standpoint since they don’t know whether their data is secure, or if it will be always properly used.
So what can we do? One way to solve this, that people have been advocating, is to regulate companies that use consumer data and have the government be the de facto data broker. However, that can be very inefficient and ultimately stifle innovation. Another way that people are very excited about is to decentralize the data with the use of blockchain technology. However, that has many technical challenges that also make the use of the data expensive. There’s a middle path that is at the core of our company. If users knew there was a third party broker in charge of transparently verifying the users’ information, since users could be confident of the impartiality of said third party, instead of being forced to trust that the company handling its data will use it properly out of dread of a revenue loss. Such third party identity brokers would also be far easier to regulate and hold to the highest security and privacy standards. These endeavors have even been tried before, especially in the financial services realm, for example by Escrow and Visa.
Privacy vs UX
Another poignant aspect regarding this issue is that people feel cornered into choosing either privacy or security, when it comes to the government, or between privacy or good services, concerning private companies. This is further reinforced by companies repeating this point until it becomes commonly accepted as factual. However, there’s no reason why that should be the case. Of course, if the company that handles user data on third parties, e.g. Facebook login, and that same company also happens to make money by selling that very data we will end up with privacy concerns, and ethical debates. However, these two features, privacy-focused data storage and great UX, are not inherently mutually exclusive. Even in theory, this is the proverbial case of handing the fox the keys to the henhouse.
Let’s note again that not all data collection is bad. Most user-generated data (UGD) is useful for providing better targeted ads and developing desired products and services, but does not constitute personally identifiable information (PII), and should be innocuous. On the other hand, if even benign data is coupled with PII then the potential for misuse is high, such as raising prices on a specific demographic or race. This problem would be covered if companies involve a third party in charge of identity verification and management, whereof trust could be created for companies and users, without fearing misuse of the information. Such third parties can have simple user interfaces allowing data owners to control who is accessing their information, and to what ends.
A study conducted by Stanford economists stated that “People “are willing to relinquish private data quite easily when incentivized to do so.” (Susan Athey, Christian Catalini and Catherine Tucker in “The Digital Privacy Paradox: Small Money, Small Costs, Small Talk” published in June 2017) Yes, a lot of people will readily surrender their personal data when they have no conscience of what it means, and/or when that will result in the provision of some convenience. It’s not necessarily bad. People don’t mind when Netflix or Youtube collects geo-location and watching history in order to improve their recommendation algorithms as it’s clear to them that this data is valuable. What is impermissible is to have that data unilaterally ill-used for whichever ends the collector deems fit.
The use by companies of third-party Identity brokers would be even more powerful with regard to privacy if it gave complete control to their users, since they would be able to see and control who can access their data. This would help users be more conscious of their privacy, and prevent them from falling in either of the two extremes: being afraid of their data being in the cloud at all, or plain unconcern of the collection and usage of personal data. This brings forward the subject of trust, which “means putting data protection and user control in the hands of consumers. (…) Having the ability to prove that people are who they say they are without them exposing personal data or having trusted third parties to vouch for them.“ (Max Demyan, in Hackernoon, March 2019)
This awakening of awareness, arose in recent times, at the same time gives way to new ventures which bet on privacy and owner controlled data. We are observing a proliferation of alternative services which claim not to collect data, to be anonymous, or where data owners are the ones who decide what happens to their data and are apparently well informed about it. Examples of said companies include DuckDuckGo, Brave, Tresorit, and others. Apple is also betting on this approach, as may be appreciated in its latest campaign; and Facebook appears to be deeply preoccupied with this as well, since it is aiming to become more privacy-centered. In the same vein, extremely rigid regulatory measures have also been brought forth, especially in some Western countries, which focus on data privacy and control by the owners, strictly punishing companies which don’t comply, making it easier for citizens who feel their data privacy related rights have been violated to present claims.
Some recent examples of this new regulatory push are European Union’s GDPR, as well as Illinois BIPA, and UK laws regarding data privacy. Several companies and governments are exploring options, such as implementing a federated identity where the user has ultimate control. The former would allow the proper identification of consumers and their needs, but without exposing personal people’s data unnecessarily. An example of federated identity put into practice is e-Estonia, which is indeed used comprehensively for traveling, taxes, health services, and much more, while the ID holders are empowered with regard to their data.
This way of systematizing would suggest that citizens feel completely at ease with regard to the handling of their data by the government, whilst not by “evil” private companies which are providing them with services or products and will probably profit by some misuse of their personal data. This may sound a little bit as a joke, but it is not. Both companies and governments are working hard on publicity or other means to make people more confident with regard to the attainment of their data. For example, US citizens used to be reluctant to the idea of the government using facial recognition technology. However, the latest polls conducted showed that “just one in four Americans want strict government limits in the use of biometric technology.” (According to numbers by the Center for Data Innovation, as reported by RT on January 2019)
So what is the best path forward? I cannot claim to be impartial, as I personally decided to join Mati because I believe their solution makes the most sense, but instead of proselytizing I would like to offer a third way. At Mati, we believe an alliance between governments and companies with an unbiased third party that would take over identity verification and management would give way to appropriate handling of personal data, to the empowerment of the users with regard to that same data, and to the creation and entrenchment of trust between all the involved parties. Thus, useful handling of data may take place, without it being misused for the wrong purposes. This will help companies provide better services and government deliver better security, whilst truly giving people control with regard to their personal data. We believe this is possible provided a good infrastructure and strong encryption system are in place, along with a simple and friendly user interface.
On the other end of the implementation spectrum lies a concept known as “self-sovereign identity”. It suggests that the control of every identity document and personal information should be in the hands of the data owners, rather than of alien entities, be it government or companies. The idea behind this is to bestow the identity holder with full access and control with regard to their personal data. Even though this concept hasn’t been fully developed, at Mati we are very interested in it and do believe in the idea behind it, since we hold that users should be in control of their data, and such data should be of use to them for the procurement of diverse services, products, and benefits; always in a transparent way.
Of course, there are many intervening factors, which lead people to think such a solution could not be easily implemented. Whether self-sovereign identity is possible or even a good final solution, with proper infrastructure and encryption standards we might achieve a middle ground, referred to as federated identity, provided by trusted third party data brokers, with which private companies will be able to provide better services, and to more people. The caveat with federated identity is of course that the user must be the customer, not the product. Beyond the corporate applications, the government itself could use such third party brokers to better provide public services without the population fearing out-of-control and pervasive government surveillance.
Control of personal data does have to go back to the users. The way to achieve this without sacrificing the advantages of technology and data analysis to produce better customized products and services is to have an unbiased, transparent, professional provider of identity, which has to be in charge of verifying the information presented by customers, as well as of the management of said data. With a nice and easy to use interface, users would be able to enter their personal dashboard and see who has access to which of their data, and manage it from there. Enter Mati.