Data Rights and Exchange at the Edge

Last month, the article I wrote with Hamed came out on Wired Magazine on Decentralised AI at the “edge”. In the article, I wrote that real time exchange of data can happen at the “edge”, a conceptual decentralised node owned and controlled by a user. This can be a browser, a databox or a HAT Microserver.

Edge exchange of data is a challenge, possibly not technologically, but legally and economically.

Let me explain. Technologically, we already “share” data at the edge, although it is not an economic transaction. We fill in forms, create data using wearables, and interact with the millions of apps and websites from Amazon to Facebook. However, those are not transactional exchanges. In all of those scenarios, we enter the application and everything we do within the application is owned and controlled by the firm that runs it. There is no transaction within these applications between the firm and ourselves, except at the beginning where there is a binary decision by the individual of using the application or not. There may be a transaction between applications to move our data around eg sharing our Spotify data with Alexa but we do not own the transaction rights to those data, even if they are data about us. Our required consent for them to share the data amongst themselves is a law imposed on the firms. Without that law, our consent will not be sought at all.

So what rights do we have for the data sat within these applications under GDPR?

Right to be informed. We have the right to be told how our data would be used in a clear and transparent manner.

Right of access. We have the right to ask for our data (although the format is not stipulated so firms can give you an entire spreadsheet or PDF file)

Right to rectification. Asking the firm to correct the information.

Right to erasure. Asking the firm to delete your data.

Right to restrict processing. Asking the firm to restrict its usage in a certain way eg to profile you.

Right to data portability. Asking the firm for your data in such a way that is machine readable (but does not come close to being interoperable)

Right to object. When you feel the firm is doing something to your data you disagree with, you can object.

Rights in relation to automated decision making and profiling. You have the right to know what information is used to create your profile and where the firm gets its data from.

We don’t have more rights that these because our data within these applications cannot be reasonably isolated ie it’s all mixed within these centralised applications. So what rights do we NOT have in current centralised systems?

Right of possession. Having our data stored in a place where we are the only one who have access to the data.

Right of control. Being the only one deciding who gets to use our data and when.

Right of exclusion. Deciding who doesn’t get to use or see our data.

Right of enjoyment. Being able to use our data for our own purposes whenever we wish to.

Right of disposition. Being able to monetise, exchange, profit, license our own data because we own the rights to it.

These last 5 data rights are what I would term as true “ownership” rights.

Achieving “ownership” rights for data economically, legally and technologically was my focus for the first 4 years of the £1.2m UKRI grant funded HAT project. My fixation about the ownership rights was never about control of personal data, which I consider inadequate. Control over personal data, to me, is a consequence of the way society cope with centralised systems. It is a consolation prize. When all my data is held by centralised systems belonging to corporations, giving me “access” and “control” over my data and asking me to “consent” when the data is shared with others is analogous to my physical body being allowed at certain places and consenting to others to perform activities for me as I go about my daily life. These rights fall short of true freedom. Unfortunately, we have to live with not having ownership rights as technologically, at least till now, there really wasn’t any other way. In our conversations with ICO and various regulatory bodies in the early days of the HAT, one thing was clear — the concept of an individual being a data controller and a data processor to have full freedom over his data in real time and on demand just simply did not exist. If we needed on demand data services, we procured them from organisations who then become data controllers and processors of our data. That’s our lot and we have to live with it.

The HAT Microserver was created to enable us as individuals to become data controllers and processors in our own right. It created, for the first time, the capability of holding, processing and controlling our own data for ourselves. Such an “edge node” is critical to us legally and economically because we need to ensure its contents fell under existing legal frameworks of licensing digital media and content. If it did, the existing legal frameworks would reduce uncertainty and data transactions can finally occur. We can begin the battle to achieve economic power for ourselves. In other words, we want to be able to license data usage the way we can license music. And we want to “spend” our data the way we spend our money. And we can only do that if we had broader ownership rights to data. That meant all our data cannot just sit in another application.

It is well known that one cannot have Intellectual Property Rights over data itself i.e. we cannot legally “own” data. Hence, we created the HAT Microserver to ensure we would have ownership rights (“Sui Generis”) to a database. And in so doing, the data and contents within.

As individuals, having database rights isn’t that new — the database sitting in your PC hard disk would be yours and you can do whatever you choose with the contents within it. The challenge is not merely database rights, it’s how the exchange of the contents within can happen quickly, and without fuss. In other words, scaling the market for personal data at the “edge”.

Say you have a song you created on your digital piano and recorded it into your PC. You could have found a buyer for the song and then email it across to them. You accept their terms and they acquire all the rights for your song. Then they license your song to Spotify and That process exists because it is impossible for you to stream your song from your own servers — it will cost too much. And you will still need the ability to market that song to the world, which is usually the role of record labels. In a similar way, imagine you have downloaded all your Facebook data and would like to exchange it for a service that may give you a discount for an insurance, based on your profile. You can download it and email it across but that manner of exchange is not just unscalable, it’s slow.

In a world of personal data, being slow is enough for a market not to form.

Data sharing has to be fast the same way spending money has to be fast. Imagine if you brought no money with you to the supermarket and when you find something you like, you would need to go home, find some cash, put them into an envelope and mail it out to the vendor. Only then would you get your merchandise. It is unlikely that such transactions will prevail. This is the same with data — data sharing has to be fast so that the data is relevant for the context of which it is shared and for both parties to benefit from it.

Data Rights and speedy data sharing practices are therefore critical for the use of data and innovating on data services at the edge. This was why the HATDeX Platform was created. The ability to execute fast data transactions that preserved data rights of individuals with proper governance rules and clear contracts. The equivalent of smart contracts for blockchain.

Let me illustrate this with our new partner, OneZero-Me.

OneZero-Me wants to “buy” data at the “edge”, directly from the individual — the first HAT Merchant to do so. Their use case is simple. If they can obtain individuals data at the “edge”, they can give them benefits e.g. discounts for insurance or loans when they shop online. In other words, OneZero Me wants to help individuals use their data to get benefit when they shop for insurance, loans or credit online.

OneZero-Me built their service on the HAT, giving individuals their own personal data account. They started with a simple service to prove the use case, asking for a HAT owner’s Facebook data to give them insight into their writing “gender”. It is kept deliberately light hearted but it’s an MVP to test the speed of the exchange. You can go try it out for yourself here.

The data contract at the edge

As you go through this process bear in mind that this is not Facebook data that is directly being shared. This is the individual sharing his HAT data with an application. It may feel like the user is consenting to sharing data directly from Facebook, but in actual fact the data comes from his HAT, as he PRE-acquired his FB data into his HAT through subject access from the Facebook DataPlug service of HATDeX. It may seem a minor point but it is important from a legal point of view. This is the first time individuals are able to enter into a contract to legally license their data for usage by an application “at the edge” within seconds, and in a fully scalable way.

The exchange of data has been carefully architected to ensure speed, transparency and simplicity. Despite all its complexities, it needs to be easy to use and understand for the user. Yet, the essential aspects of setting up contracts like these need to be scalable and robust. In the event of a dispute between a HAT owner and an application, the HATDeX platform must be able to provide the logs on when the contract was entered into. More importantly, the data was not acquired by OneZeroMe, it was queried and scored to achieve a result in this case the “gender” of your writing style. The query was without a PII (personal identifying information) and OneZeroMe kept only the score without the identity. This mechanism of sharing data enables the individual to get a benefit from their data while staying private. A proof of concept that would enable individuals to get lower insurance or other benefits from their data and only proceed to reveal who they are if they get the benefit. Such a mechanism helps give individuals control over the use of data and reduce biases and discrimination as the data in in their hands and not the firm.

Would this be a threat to Facebook? I don’t think so. In fact, the more individuals can use their Facebook data to their benefit, the more they would be willing to engage with Facebook to generate more data. This is why Fitbit and Spotify happily share their data with other services for free through open APIs — any use of their data would create a greater dependency on them.

The next step is to actually embed such “edge” services into websites and other applications, enabling organisations to acquire or inquire data directly from their own customers within a few seconds through a HAT personal data account. Aided by sophisticated machine learning algorithms and services created by OneZero-Me, both the individual and the firm will benefit.

Exciting times.

Group CEO, Dataswift Inc.; Professor, University of Warwick; Turing Fellow; Website

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store