Paradise is not Lost: The Win-Win of Privacy Rights and Self-Sovereign Identity in a Data-Driven Society

Susan Joseph
19 min read · Dec 5, 2019


DISCLAIMER: This article (“Article”) is intended for informational purposes only, and no attorney-client, fiduciary or other relationship whatsoever is formed by and between or among any persons or entities whatsoever by virtue of this Article’s existence, release, publication or distribution or otherwise. It may be used, redistributed, copied or reproduced solely for educational non-commercial purposes with the written consent of the author. Nothing in this Article constitutes legal advice or investment advice. This Article is based solely on the general industry knowledge and experiences of its author, as well as the author’s understanding and “plain meaning” review of certain publicly available information. The views expressed in this Article are those of the author and may not necessarily reflect the views of her respective employer, clients or any other person or entity whatsoever. This Article speaks only as of the date released, and the author of this Article disclaims all (if any) responsibility to update or supplement this Article after such release.

This article is based upon the experiences and observations of a privacy and blockchain/crypto-seasoned attorney, Susan Joseph. Contact details are found at the end of the article.

Introduction: Privacy in a Technological Age

What does privacy as a fundamental right mean? How does that right fare in a data-driven society? How can we protect privacy through both legal and technological measures? Can blockchain technology help protect digital identity, the cornerstone of how we are technologically counted and known and the access point for every financial service? Answers to these questions will define how we will be able to live our lives as they are increasingly intertwined with, and influenced by, existing and emerging technologies.

Privacy Rights in Our Data-Driven Economy

What does Privacy as a Fundamental Right Mean?

The right to privacy is one of the foundational precepts on which our enumerated constitutional rights rely. Our rights to autonomy and dignity are presupposed by the First Amendment (the right to be an independent person), the Fourth (the right to be secure) and the Fifth (the right to refuse to self-incriminate). However, the Constitution does not explicitly enumerate a right to privacy.

Back in 1890, Samuel Warren and future Supreme Court Justice Louis Brandeis famously described the right to privacy in a Harvard Law Review article as “the right to be let alone”. Our technologically connected world did not exist back then, but the law contemplates the protection of the person, and that protection extends to his digital self as a representation of his personhood. In a digitally intermeshed world, are we able to be both connected and let alone? This question, and Brandeis’ definition, take on new importance as privacy is continuously under attack in today’s data-driven world.

Laws must evolve in response to technologies and societal changes. For instance, copyright law was created long ago in response to the introduction of the then revolutionary technology, the printing press. Likewise, though states such as California are enacting their own versions of privacy laws, today’s digitally connected world requires an explicitly enumerated federal right of privacy to carry out the Declaration of Independence’s fundamental assertion that we have an inalienable “right to life, liberty, and the pursuit of happiness.” It is, therefore, time to envision a comprehensive baseline federal law that imposes a strong duty of care, with both remedial measures and significant penalties and consequences, together with a Digital Bill of Rights. Some in Congress, such as Senator Cantwell, agree and have recently proposed legislation to bring this concept to life.

Our Digital Stories are Shared Business

What Data is Collected?

It is often said that the collective “we” is the product, in this age of “surveillance capitalism”. Every aspect of our lives can be captured and exploited for commercial gain by tech companies and others through collected data — data that should be protected under federal privacy laws. Some examples of data routinely collected by private businesses include our face prints, iris scans, location, purchase habits, sleeping habits, photos, voice recordings, fingerprints, the way we drive, how we exercise, what we read, what information we search for, who we know, how we use appliances and lights within our homes, etc. This information can be stored indefinitely, retrieved immediately, sold to many, and used to devise targeted marketing and profiling.

How is Our Personal Data Generated and Who Collects it?

In 2017, Accenture predicted that each person would generate 2.5 Gigabytes of information by 2020. That amount of information is equivalent to about 1,250 e-books. This information consists of both Personally Identifiable Information (“PII”) which is defined as information that can be used to identify us and the broader spectrum of personal data, defined as information generally about us.

Much of our personal data is generated through internet searching. Google dominates the search arena, conducting 95 percent of all mobile searches and 90 percent of all desktop searches, which translates to an average of 3.5 billion searches a day, or 40,000 searches every second. Turning off the tracking options may not effectively protect your privacy: one investigation found that Google continued to record location even when users seemingly revoked consent. Other companies routinely collect and use our data to fuel applications and target us. Facebook is one such avid data collector and marketer; a leaked Facebook document, as reported in The Guardian, states that Facebook collects trillions of data points daily.

Data generated and collected through sensors is on the rise. IBM predicts that there will be over 25 billion devices capturing our data by 2020. The amount of data coming online is almost incomprehensible. Smart devices in buildings including homes, in medical and other devices, and in cars are adding to the data pool.

Let’s look at the seemingly straightforward example of smart light bulbs. Did you know that Amazon and Google collect data from these “smart home” implementations? They increasingly require that a light bulb controlled by a smart speaker continuously provide status reports to its hub. And the information acts as a tracker to our daily lives. As a recent insurance journal article succinctly puts it: “Even light fixtures, in elaborate setups, are a map of home life: When do you get home? When does the light in your child’s bedroom usually go off? What days do you burn the midnight oil?”

Or look at the connected doorbells that have made their way into our lives. Amazon, through its Ring subsidiary, captures interactions that are relayed to local police if pertinent to an investigation. In fact, Ring’s terms of service state that you grant them an unlimited, irrevocable and perpetual license to use the content which may include audio, images, video or text. Amazon has already testified to Congress earlier in the year about its practices, and will be further answering to Congress regarding encryption, potential future facial recognition plans, who has access to reviewing content including third party contractors, etc. in January.

You may not want to consent to this automatic and passive method of collecting your data; and you may not even be aware of it. Your home may be your castle, but by utilizing the most advanced home technology, you have allowed in a Trojan Horse in the form of your technology or smart device provider.

What do Companies do with Our Data?

Companies make predictions from our data to select and nudge our behavior toward product and service purchases or to influence our relationships, associations, and voting choices. We are regularly micro and macro targeted. The applications that we use seem to fit us so well because they are created from and for us. And, they offer a carefully cultivated window to influence and shape our future. Some companies, like Facebook, feed millions of data points into algorithms which offer up six behavior predictions per second that can be marketed and deployed to advertisers who seek to influence our interactions. Facebook’s approach is particularly powerful as it directs relatively personalized targeting to connected individuals subject to social influence.

The dark side of this bargain is that a David and Goliath style power imbalance favors very large technology service providers over consumers who have little choice to decline the surveillance and targeting because alternative products and services are not otherwise widely available. The “consent” to terms of service more similarly resembles a contract of adhesion than a level playing field. An individual is bound by thousands of words of obscurely written privacy policies and one-sided terms of service that he would have to weed through to determine if/how he could even take protective action. The reality, of course, is that almost no one has the time or expertise to read and understand these policies.

There have been some strong public repercussions for companies both collecting data and sending it to third parties to review. Apple now provides consumers with the choice to opt in and allow Siri access to data, and Apple employees rather than external third-party contractors review the conversation snippets. Amazon has implemented central controls that enable users to delete Alexa recordings individually or en masse and to opt out of human review of recordings entirely. Google has a slightly more convoluted set of directions to opt out of recordings and the human review of them. In many instances you can turn off much of the data collection.

The New York Times recently published a guide to “opting out” of the data collection of the many services an individual typically uses. But these are defensive maneuvers, and they do not provide a comprehensive or complete solution. The end result is that our personal data is circulated and used, both individually and in aggregate, well beyond what we thought we permissioned, and we have entrusted it to BigTech or other companies without adequate assurance of its safety or of its downstream transmission.

How Big of a Problem is Data Oversharing?

Examples of data oversharing and misuse abound. For instance, last year The Wall Street Journal reported the sharing of an individual’s most personal health information to Facebook even where that individual was not signed up to Facebook. Though much of that oversharing was remedied after public outcry, not all was. Many are familiar with Cambridge Analytica and the misuse of our data that affected global elections. In that example, our dignity and very autonomy, not to mention our governments, civil stability and well-being were targeted and manipulated. And just recently, The Wall Street Journal reported that Google, through a program called Project Nightingale, is collecting medical data from a large health care provider without patient or doctor consent to analyze for health care insights and patient care suggestions. That program has triggered a federal investigation.

Technology companies did not start out to control our every move. And we did not start out expecting to be controlled. Amazon, Google, and Facebook, for instance, sprouted a mere generation ago and brought technological innovation to the world with the goals of connection, information access, and convenience. Unfortunately, along the way, they morphed their business models. The online advertising industry grew with them, evolved, and largely eviscerated our privacy while they were looking, but we were not. It is time for us to seriously start looking.

Companies Have not Honored Our Trust

At the end of the day, we have to ask, at what cost is all of this convenience? We have come to expect that our data will be mishandled. Companies seem to have lost the ability to be good data stewards. The list of data breaches continues to grow. Once trust is broken, it is hard for a company to reclaim it. Several of the more egregious breaches are listed below.

Misconfigured web application firewall? See Capital One, where an estimated 100 million US and 6 million Canadian individuals were affected, at an estimated cost to Capital One of $150mm.

Unpatched web software and credentials stored in plain text? See Equifax, where an estimated 147mm people were affected and a recent FTC settlement of up to $700mm was assessed.

Elections skewed and democracy threatened? See Cambridge Analytica and Facebook (USA, Brexit, Israel, etc.). Cambridge Analytica declared bankruptcy and the FTC imposed a $5 billion penalty on Facebook, but we have no real assurance this type of misuse will not happen again.

Fingerprints and facial recognition potentially compromised? See Suprema, the security company responsible for the biometric access control system used by over 1mm people globally to enter secure facilities and office buildings, whose database of fingerprint and facial recognition data was found publicly exposed. Adecco stated that data on 2,000 of its Belgian staff was affected. You can create new passwords. How do you create new fingerprints?

There is good news on the horizon. Both new legal frameworks and technological solutions such as self-sovereign identity can be implemented to help fix this mess, protect our privacy, and bring integrity back to digital systems.

Legal Frameworks Can Be Created That Protect Our Privacy

Strengthen the Right to Privacy

The Supreme Court in Griswold v. Connecticut in 1965 explicitly stated that guarantees in the Bill of Rights have penumbras which create zones of privacy. In other words, the right to privacy exists, is recognized, and protected — at least within certain bounds. Over the years, the implied right to privacy in the Constitution has been further expounded upon by the courts and legislatures. Specific statutory rights to privacy have also developed which limit access to PII such as HIPAA and others. However, no comprehensive federal law yet exists that creates a well-regulated and orderly scheme to protect our data and our privacy.

Data Should be Legally Treated as both Property and an Information Flow

Our data is multifaceted. It has property-like characteristics. It is also an information flow that we necessarily must share in certain instances and keep to ourselves in other situations. Consider who actually owns my photo data when I share it with a social media site such as Facebook.

From an information flow perspective, suppose I post a group photo that includes me and other non-Facebook members. Is the photo owned by all, and must we all consent to its posting and posting afterlife? What if one of us wants to take down that photo posting? How does a non-Facebook member know the photo is posted or even ask for it to be deleted? Can I require that Facebook delete all information related to that photo posting including comments by others? What about the re-posts that have occurred? Does anyone have the right to take them down?

From a property rights perspective, if Facebook wants to monetize the use of my information, why shouldn’t I have the ability to be compensated? How are non-Facebook members who have not permissioned the use of their data compensated when their information is shared? What are original poster’s data ownership rights including compensation regarding the downstream sharing of posted information to third parties?

Currently, Congress has several bills in front of it that tackle data ownership. While it initially sounds appealing to simply treat data as property, this schema devalues the way data is used and respected in society. It is problematic to think of data as simply another piece of property. As a recent Brookings article states: “Treating personal information as property to be licensed or sold may induce people to trade away their privacy rights for very little value while injecting enormous friction into free flow of information. The better way to strengthen privacy is to ensure that individual privacy interests are respected as personal information flows to desirable uses, not to reduce personal data to a commodity.”

Recently, Senator Cantwell introduced a comprehensive bill that treats data as both property and an information flow. The bill is entitled the Consumer Online Privacy Rights Act (“COPRA”) and its goal is to fundamentally protect privacy rights and strengthen data security. This bill has enforcement teeth and strong definitions. The bill encompasses commercial data processing, and broadly defines personal information as well as sensitive information which includes things such as the content of email messages, health information, financial account numbers, geolocation and the like. The bill makes consent an “opt in” process and has a consumer “opt out” provision for data sharing. Other protections exist as well as the creation of a new duty of loyalty that is “fiduciary like”.

Strong enforcement is contemplated both by directing the FTC to create a new Bureau of Privacy, complete with staffing and the ability to issue regulations and prosecute penalties, and by allowing state attorneys general to enforce the new law. A private right of action is created, with liquidated damages of up to $1,000 per violation per day. While this bill has not yet been passed by Congress or signed into law, it may garner support since it was introduced by the ranking member of the Commerce Committee.

Call to Adopt a Constitutionally Protected Digital Bill of Rights

The most fundamental privacy protection is envisioned as a constitutionally protected right. A natural outflow of that protection is a Digital Bill of Rights clearly setting forth the rights and responsibilities of those who handle data. A recent MIT Technology Review article outlined some general principles for a Data Bill of Rights. Those rights include:

  • The right of the people to be secure against unreasonable surveillance shall not be violated.
  • No person shall have his or her behavior surreptitiously manipulated.
  • No person shall be unfairly discriminated against on the basis of data.

Enacting a Digital Bill of Rights could enable a comprehensive rights scheme that would be supported by clear and meaningful enforcement including penalties, remedial action, individual rights of action, class actions, and the ability to stop operations if the offending behavior does not cease. These types of protections do not exist in this manner today.

Federal Law Can Draw From Other Legal Frameworks That Protect Privacy

Other governments have started to implement proactive and protective privacy laws. The enactment of the General Data Protection Regulation (“GDPR”) in the European Union is a good step toward accountability for BigTech and other companies that collect and use our personal data. It provides significant financial consequences for violators as well as remedial actions to protect individuals. It attempts to restore the balance of power from an asymmetric relationship to one that is more fair.

In the USA, some states have enacted privacy-forward legislation. California declared privacy an inalienable right back in 1972, and recently enacted the California Consumer Privacy Act (“CCPA”), effective January 1, 2020, which is similar in spirit to the GDPR. The law enumerates and protects the right to know what PII is being collected, whether that PII is sold or disclosed and to whom, the right to say no to the sale of PII, the right to access PII held by a business, and the right to equal service and prices from service providers even if an individual exercises his privacy rights, although this last provision has been narrowed by recent amendments.

New York has gone further and has introduced a proposed privacy law to create an explicit fiduciary relationship between the data holder and the data creator along with a private right of action to enforce this relationship. While it does not look like the bill in its current form will be passed, some parts of it could be enacted in the future.

These advancements sound encouraging. However, consider that a patchwork of state privacy laws that affect digital transmissions across state lines can very quickly become messy and difficult to enforce. It could be that the state with the most restrictive laws, which today is California, creates the regional or national default manner of operation if an entity operates in the restrictive state and across state lines. A more consistent approach would be to create strong federal protections. In addition to legal protection, technological solutions can help champion this right.

Technological Solutions Can Be Implemented That Protect Privacy

Data Minimization Principles Should be Followed

The principle of data minimization, collecting and retaining only the data that is necessary for the stated purpose, can be applied to protect privacy and identity. Since identity determines how you are counted and what transactions you can engage in, let’s look at the components of digital identity.

Components of Digital Identity

Claims: an identity claim is a statement made by or about the individual. One that contains two claims could be: “My name is Mary and my date of birth is June 28, 1979.” This can also be thought of as an attestation.

Verifiable Credentials: Documentation that provides evidence for the claim. These come in different formats, such as passports, birth certificates and drivers’ licenses.

Proofs: Showing that you hold the verifiable credential. This can be done by presenting the credential itself, such as showing a driver’s license. It can also be done by presenting evidence derived from the credential without showing the whole credential, for instance revealing only the claims a verifier needs. A “zero knowledge proof” goes further: it proves a statement about a claim (for example, that you are over 21) without revealing the credential or the underlying value.

Verified Credentials: A third party validates that according to their records, the claims are true.

Attester: The party that issues a credential. An issuer can be a third party such as a bank: if the claim is that an individual holds an account there, the bank issues a credential that “attests” to that fact, and the bank is the attester. An individual can also issue a credential that “self-attests” to the fact to be proven, in which case the individual is the attester.

Credential Issues With Centralized Identity Systems

In real life you routinely cannot provide just the relevant data needed to prove your identity when presenting a credential. For instance, if you want to enter an office building to go to a meeting for which your name is on an approved list at a security front desk, all the building security needs to know is that you are who you say you are, and your name matches the security list. But the credential you provide is your Driver’s License, which carries much more information than your name. By default, there is an oversharing of data. If your Driver’s License number is captured and retained by the building security personnel, the building management’s liability and risk increase, as it has made itself a hacking target by holding this information.

Decentralized Identity is an Evolving Solution

In the near future, we can imagine a world where we have the technological, legal, and economic ability to reasonably share data for the services we want and recall further usage of it once the original shared purpose has been satisfied. In the above example, this would mean that only the data required to enter the building is shared, and that data is recalled (i.e. not allowed to be retained) once you leave the building.

In all types of systems, we still have to accommodate the fact that traditional data on-boarding is necessary. Someone still has to collect and hold the data, offer it, and allow it to be used. Further, once the data has been shared, there is no automatic mechanism to protect it from further disclosure. Adding that type of control would be a vast improvement.

If data sharing can be fit for its most narrow purpose, this simple change would go a long way to restoring digital trust and reasonably allocating liability.

It is exciting to see what is on the horizon. Approximately 86 major participants in the identity and technology space have joined together in a technologically focused consortium, the Decentralized Identity Foundation (“DIF”). Notably, Facebook, Google, Amazon and similar BigTech, many smart device and financial service providers are not members. However, certain large technology and other enterprises such as Microsoft, IBM, Mastercard, Aetna, and Accenture are participating.

DIF’s mission is to develop the foundational elements necessary to establish an open ecosystem for decentralized identity for people, applications, organizations, and devices, and to ensure interoperability between all participants. In short, decentralized identity technological solutions with concomitant standards are being built. To that end, the World Wide Web Consortium (“W3C”) has a working group to address the standards for Decentralized Identifiers.

Self-Sovereign Identity Systems May Minimize Data Oversharing

What is Self-Sovereign Identity?

In the self-sovereign identity vision, individuals and entities are enabled to create and manage their identifiers in a decentralized fashion, without relying on a third-party identity provider for validation. The system architecture is structurally set up to work from the perspective of the individual or the entity that is to be identified, and, in the case of humans, some designs propose anchoring it with unique biometric identifiers. It is unlike existing identity solutions that are structured from the perspective of the organization that provides an identifier. Elizabeth M. Renieris, founder of the identity-focused hackylawyER consultancy, cautions: “The human-centric paradigm shift offered by self-sovereign identity requires reengineering the law as much as it means reconfiguring the tech.”

Implicit in this vision is the idea that you show the minimum information needed to access products and services. This is closer to the way the offline world works. Many of the proposed identity systems that are being developed are powered by blockchain technology. Properly designed, this type of solution could cut down oversharing and mitigate against potential breaches and reputational liability.

Practically speaking, a self-sovereign identity system can work in the following way: your verifiable credentials are held by you on your phone or in your personal cloud. The point is you hold that data, and you determine where it goes. You may offer up that data as proof to a third party to verify it, and you may put automated or manual rules in place that do not allow that third party to keep it.
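To make the components above (claims, credential, proof, attester) and the front-desk scenario concrete, here is an added example that is not part of the original article and not code from DIF, W3C or any product the article names. It assumes a hypothetical issuer named dmv.example, a subject identifier did:example:mary, and constructed claim values; the scheme is hash-based selective disclosure (the issuer signs one salted commitment per claim, and the holder later opens only the claims a verifier needs), which is a minimal-disclosure proof, not a zero-knowledge proof.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Credential is what the attester (issuer) signs. Claim values are not in it:
// each claim is replaced by a salted SHA-256 commitment, so the holder can
// later open any subset of claims without involving the issuer again.
type Credential struct {
	Issuer      string            `json:"issuer"`
	Subject     string            `json:"subject"`
	Commitments map[string]string `json:"commitments"` // claim name -> hex(SHA-256(salt||value))
	Signature   []byte            `json:"signature"`
}

// Disclosure is the holder's private opening (salt, value) for one claim.
type Disclosure struct {
	Salt  []byte
	Value string
}

// Presentation is what a verifier receives: the signed credential plus
// openings for only the claims the holder chooses to reveal.
type Presentation struct {
	Credential Credential
	Revealed   map[string]Disclosure
}

// NewIssuerKeys creates the attester's Ed25519 signing key pair.
func NewIssuerKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

func commit(salt []byte, value string) string {
	sum := sha256.Sum256(append(append([]byte{}, salt...), value...))
	return hex.EncodeToString(sum[:])
}

// signingInput canonicalises the signed fields (encoding/json sorts map keys)
// and excludes the signature field itself.
func signingInput(c Credential) []byte {
	c.Signature = nil
	b, _ := json.Marshal(c)
	return b
}

// Issue: the attester draws a fresh salt per claim, commits to every claim and
// signs the commitment set. The openings go to the holder only.
func Issue(priv ed25519.PrivateKey, issuer, subject string, claims map[string]string) (Credential, map[string]Disclosure, error) {
	cred := Credential{Issuer: issuer, Subject: subject, Commitments: map[string]string{}}
	openings := map[string]Disclosure{}
	for name, value := range claims {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return Credential{}, nil, err
		}
		cred.Commitments[name] = commit(salt, value)
		openings[name] = Disclosure{Salt: salt, Value: value}
	}
	cred.Signature = ed25519.Sign(priv, signingInput(cred))
	return cred, openings, nil
}

// Present: the holder reveals only the named claims.
func Present(cred Credential, openings map[string]Disclosure, reveal ...string) (Presentation, error) {
	p := Presentation{Credential: cred, Revealed: map[string]Disclosure{}}
	for _, name := range reveal {
		d, ok := openings[name]
		if !ok {
			return Presentation{}, fmt.Errorf("credential has no claim %q", name)
		}
		p.Revealed[name] = d
	}
	return p, nil
}

// Verify: the verifier checks the issuer's signature over the commitments and
// that each revealed value opens its commitment; undisclosed claims stay hidden.
func Verify(pub ed25519.PublicKey, p Presentation) (map[string]string, error) {
	if !ed25519.Verify(pub, signingInput(p.Credential), p.Credential.Signature) {
		return nil, fmt.Errorf("issuer signature invalid")
	}
	out := map[string]string{}
	for name, d := range p.Revealed {
		if want, ok := p.Credential.Commitments[name]; !ok || commit(d.Salt, d.Value) != want {
			return nil, fmt.Errorf("claim %q does not open the signed commitment", name)
		}
		out[name] = d.Value
	}
	return out, nil
}

func main() {
	pub, priv, _ := NewIssuerKeys()
	cred, openings, _ := Issue(priv, "dmv.example", "did:example:mary", // constructed sample claims
		map[string]string{"name": "Mary", "date_of_birth": "1979-06-28", "license_number": "D1234567"})
	p, _ := Present(cred, openings, "name") // the front desk needs the name only
	revealed, err := Verify(pub, p)
	fmt.Println("front desk learned:", revealed, "error:", err)
}
```

The front desk ends up with the name and the issuer's signature, and nothing else: the license number and date of birth never leave the holder's phone, so there is nothing for the building to retain or leak. Two caveats a practitioner should keep in mind. First, the commitment set and signature are identical in every presentation, so two verifiers who compare notes can link them to the same holder; designs that issue batches of single-use credentials or use signatures with built-in unlinkability address that. Second, the code cannot enforce the "do not retain" rule the paragraph above describes; once a value is revealed, non-retention is a matter of policy, contract and law, not cryptography.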

Governing Principles of Identity

Some final words on Self-Sovereign Identity. Identity practitioners have suggested governing principles to reinforce that the individual is in control of his identity. The list below follows the ten principles Christopher Allen set out in 2016:

  1. Existence. Users must have an independent existence.
  2. Control. Users must control their identities.
  3. Access. Users must have access to their own data.
  4. Transparency. Systems and algorithms must be transparent. Note: To this end, the foundation of all technology solutions to enable SSI must be open source.
  5. Persistence. Identities must be long-lived. Though note that newer proposals focus on single-use or disposable identities. This principle is evolving.
  6. Portability. Information and services about identity must be transportable.
  7. Interoperability. Identities should be as widely usable as possible.
  8. Consent. Users must agree to the use of their identity.
  9. Minimization. Data collection, use, and retention must be minimized.
  10. Protection. The rights of users must be protected.

Self-Sovereign Identity has Pluses and Minuses

Self-Sovereign Identity has both pluses and minuses for consumers and enterprise. Both legal and technological barriers exist today. The law would need to evolve in tandem with the technology and regulations would have to be enacted to empower this type of business process. With this type of identity system, control and responsibility are housed with the individual. Arguably, it places an extreme burden on the individual due to information, technological and legal asymmetries.

Data-driven business models such as social media platforms that rely on harvesting our data to create products and services would have to be incentivized to adopt a self-sovereign identity scheme, and pushback would be expected as this would threaten their current business model. However, enterprise should welcome this type of de-risking. Some benefits might be easier compliance, since there is far less of our data to traffic downstream, and the creation of a new environment of digital trust.

As Elizabeth M. Renieris quoted earlier in this article states, “The architecture of self-sovereign identity, properly designed and implemented to minimize data collection and storage, could disrupt existing data-driven business models while also creating opportunities for more privacy-preserving products and services to emerge in a race to the top.” This point should be re-emphasized. The potential for new and better products and services to emerge that could be more profitable is an enticing motivator.

Conclusion: Protect Privacy Through Legal and Technological Means

In our increasingly data-driven world, we must adopt strong protections that preserve our autonomy. Such protections are derived from both legal and technological frameworks. Legal protections can be created by establishing a comprehensive federal scheme that recognizes privacy as a fundamental right. A Digital Bill of Rights with strong enforcement provisions similar to the model introduced in the COPRA bill should be created. Technological solutions such as Self-Sovereign Identity are architecturally developed from the individual privacy point of view. These decentralized/blockchain identity systems are evolving. Tensions between these new identity systems, status quo business models, and existing privacy and data protection laws will have to be resolved. However, these types of systems may encourage new and more profitable products and services while helping to restore a more equal balance of power between an individual and the service provider. Privacy is possible in the digital age. With legal and technological means working together, we can protect our right to be left alone.

For more information on these subjects, please contact:

Author: Susan Joseph: sjoseph@susangjoseph.com / www.susangjoseph.com

LinkedIn: www.linkedin.com/in/susangjoseph/

Twitter: @SusanJoseph1786



Susan Joseph

Susan (JD/MBA) consults on all aspects of blockchain, smart contracts & value transfer relating to consortia, finance, insurance, supply chain, tokens, RE & nfp