Design principles for a new data infrastructure
So far in this series, we have explained 1) that the biggest, most important issue about personal data is the one least talked about: the structural flaw at the heart of our system whereby individuals cannot gather, store or use their data for their own purposes, and 2) that to address this structural flaw we need a new personal data infrastructure that empowers individuals with their data and builds checks and balances into how the system operates.
But what should such an infrastructure look like? What design principles should it adopt to make sure it does its job, remains fit for purpose and does not end up creating more problems than it solves?
Here are some suggestions at to what this infrastructure should look like.
1. Public/social purpose and mission.
The purpose of the new personal data infrastructure is not to monetise data but to promote the public good. This isn’t just the empowerment of one particular stakeholder (citizens). It’s more than that. It’s about building trust into the way the system works (by making it trustworthy), enabling the wide range of new person-centric services (in both public and private sectors) that only become possible when individuals become the point of integration of multiple data sets about them, and helping citizens engage and participate in the digital economy (rather than being effectively excluded and treated as data ‘subjects’).
The new infrastructure should also be securely committed to this public/social mission. In other words, it should not be possible for an infrastructure provider to commit to empowering individuals with their data on one day but to renege on this promise at a later date, whether it’s by a policy shift or merger/takeover. That’s one of the reasons Mydex opted for Community Interest Company (CIC) status. As a CIC we are legally obliged to prioritise our social mission and we are legally asset locked: we cannot be sold to another entity not prioritising the same social mission.
2. Independent
The new infrastructure should be independent of both state and other factional interests such as shareholders wanting to maximise profits. If it is a state-owned or public sector institution the civil liberties risks of state access to personal data (and of other politically motivated interventions) are too high. If it is committed to maximising shareholder profits the public/social mission will inevitably take a back seat.
This does not mean that state actors and investors should not be involved. They should be — but only as participating parties, not as controlling entities. They should not be able to dictate or in any way compromise the infrastructure provider’s commitment to its public mission and purpose. By the way, being independent also means being financially self-sustaining, because otherwise the provider ends up being beholden to subsidy providers.
This creates a challenge. If the infrastructure provider should not be a state-owned public sector institution, a traditional profit seeking private sector corporation, or a charity, what should it be? One solution might be to be one of these entities but with an extra layer of boundaries, safeguards and stipulations. But these are difficult to codify, manage and enforce. We believe CIC status enables us to deliver the independence that is needed. Yes, we want to make be financially self-sufficient and, therefore to be profitable. Which means we have to provide investors with a return. But we don’t want to be dominated by profit seeking: as a CIC, two thirds of any profits we make have to be reinvested in our social mission of empowering individuals with their own data. This, we believe, creates the right sort of balance.
3. Neutral and enabling
Today’s personal data landscape is dominated by battles between vested interests. Everybody wants to ‘own’ and ‘control’ (other) peoples’ data because doing so (they believe) is a means to competitive and strategic advantage and the best way to maximise profits. But if we separate the storage of data from its use and empower individuals to become the magnetic point where data about them is aggregated and integrated, everyone can access and use this data … if (and yes, it is a huge if) they keep to the data sharing terms and conditions set by or on behalf of these individuals.
Giving individuals personal data stores and empowering them with data is not about limiting organisations’ ability to use personal data for legitimate, value-adding purposes. It’s about enabling them to access even more data, at lower cost and risk if (the big ‘if’ again) they are prepared to commit to using this data to create more value and to not abuse their access to this data.
The new personal data infrastructure is not about siding with one vested interest versus another, or about closing down opportunities for organisations. It is about opening up opportunities via specialist, enabling infrastructure that serves all parties equally well — thereby helping us put today’s unseemly, wasteful and destructive battles between vested interests behind us.
4. Distributed not centralised
As we’ve seen from bitter experience, centralised databases that collect huge amounts of personal data in one place become honey pots for hackers and open up too many opportunities for the abuse of power. By ‘distributed’ we mean every individual should have their own personal data store which is uniquely encrypted so that only they can see, access, share or use their own data under their own control. This builds a distribution of power into the very way the system works, not only creating a new source of power to counter-balance existing ones but also making sure the PDS infrastructure provider doesn’t itself become too powerful.
5. Zero-knowledge operations
The organisation/s providing individuals with personal data stores should not be able to look into or control what individuals do with their data. Their job is to provide safety and access to individuals (a bit like a Swiss bank providing a vault where individuals hold their own unique key), not to take advantage of knowledge gained about them. Please note: Having zero-knowledge operations is a technical, operational, architectural matter — not just a matter of committing to ‘the right policies’. It’s not about ‘promising to be good’ (because promises can always be broken). It’s about making it operationally impossible to be ‘bad’.
6. Aligned incentives
Infrastructure providers should not be able to make money from the data that is stored in the data store. As soon as this becomes a possibility, their incentives are unlikely to align with those of the individuals whose data is being stored. Instead PDS infrastructure providers should make their money by providing the data services — the mechanisms — that enable safe storage and sharing of data.
These essential services should be free at the point of use for individuals. We need this to minimise all possible barriers to take up and use by individuals. (The Mydex business model addresses these two requirements by charging connections fees on those organisations wanting to create data sharing relationships with individuals: in other words payment for access and facilitation, not for data itself.)
7. Separation of functions
The PDS infrastructure layer should embody the separation of functions we talked about in our last blog. Data storage and management by individuals should be kept separate from organisations (whether new entrants, PIMS or existing incumbent service providers) accessing this data for the purposes of service provision.
8. Built to last
Finally, the PDS infrastructure should have built-in safeguards against changes to its role, functions and priorities — for instance, in the case of a change of leadership, stock market listing, merger, sale, acquisition, bankruptcy etc. We have seen too many occasions when companies have made grand promises about their personal data policies only to see these promises evaporate on the sale of the company to a new owner (for example). For this sort of infrastructure to be truly trustworthy, the public must know that it will be keeping its promises not only today but in 10, 20 and 30 years’ time. Mydex’s CIC status embeds such safeguards into its legal constitution.
Finding a way forward today
Looking at the above list, three points stand out.
First, while this description of what the new personal data infrastructure should look like seems far away, it isn’t. It has already been built: real, live, working, operational, right now. It’s not some massive costly risky mountain to climb. The mountain has already been climbed. The groundwork has already been done. That is what Mydex has been working at for the last ten years.
Second, we are not claiming to represent the only possible solution to the infrastructure design challenge. There will be many different ways to skin the cat. It’s healthy — indeed necessary — for a range of alternative models to be tested and tried. But what we are saying is that unless certain key design principles are determined at the outset, there is an overwhelming probability that any new infrastructure that is established will be subverted or gamed by those with vested interests to acquire and use personal data in ways that do not serve the interests of citizens.
Finally, as we work through these design principles it becomes clear this whole space requires innovation at multiple levels. The idea that individuals should be able to store, manage and use their own data for their own purposes is one innovation. The particular sets of technologies and capabilities that enable this to happen demand a slew of technology and other innovations. We also need business model innovations to align interests in new ways; and institutional innovation that breaks the mould of out-dated either/ors of ‘public’ vs ‘private’ dichotomies; and funding innovations that break free of venture capitalist-style strictures that ‘we must earn a fat return within three years’.
All this is a challenge. But such challenge are not new. They have arisen and been met in multiple different ways each time a need has arisen for new infrastructure, whether it was canals, roads and railways, electricity or water supply, the establishment of and access to the Internet. It’s now time for us to rise to the challenge of personal data.
