What the UK IGF group should propose in Bali

Mydex CIC, published in Mydex, Sep 13, 2013

The UK Internet Governance Forum (IGF) invited me to speak at their prep meeting this week. The gist of what I said is below and there’s an online webcast (with camera pointed at the floor) here. UKIGF is a forum of Nominet, DCMS and others that feeds into the global IGF, the UN’s global multi-stakeholder forum for dialogue on Internet governance.

So the UK IGF event begged the question: what position should the UK take to the global IGF discussions in Bali in October?

Here’s an idea. The UK should propose that the IGF adopt the principle that on the Internet people must take control of the management and sharing of their own personal data. This means people must have transparency about who sees what personal data and why. At the very least people need access in machine-readable format to their personal data held by others.

Such a call from IGF would complement what the WEF has been on. At the last UK election it was in both the Conservative party and Labour party manifestos. There are government data giveback initiatives under way in the US, UK and elsewhere, complementing what is already available from social networks. It’s a trend noted by The Economist. It’s what Doc Searls and Project VRM have been calling for for years. It’s a critical missing dimension of trust in online activity.

The IGF appears to be at a dangerous crossroads, with authoritarian regimes trying to achieve population scale surveillance and the real risk of regulatory oversight by the International Telecomms Union (ITU) putting an end to the era of dynamic innovation online. Recent revelations about NSA and GCHQ interception of traffic will exacerbate a climate of mistrust.

Yet the open Internet is immensely popular, globally used and depended on. Business is booming, and there’s scope for much more. To unlock the Internet’s fuller potential for human development IGF must address the major global and local challenges; this means a constructive approach to the issues of trust and transparency. This is essential for governments, business and for individuals alike. IGF must work to restore trust in how personal data is used.

Personal control over personal data is a strong call to action and a simple principle to commit to. It supports economic growth and people’s aspirations everywhere. Without it we’re persisting with a solely organisation-centric approach to personalisation, marketing and authentication that is collapsing under the weight of its logistical inefficiency.

IGF meetings can be a bit waffly. Its keenest proponents admit that the wider public have little or no idea what it does or what it’s there for. It’s not very good at self-promotion. But we’d miss the IGF if it were gone.

Go on UK delegation: take a simple proposal of global appeal to Bali. Personal control over personal data. What do you say?

Notes for UK IGF session on identity and privacy incentives.

Identity and privacy: how we see the incentives

Mydex foresees — as do many others — a new personal data ecosystem where individuals controlling their own data introduces a new dimension, a new capability with huge advantages. We’ll start that transition when there’s a proposition on the table which is win win win for each party involved.

We identify three actors:

  • the individual (whose interests Mydex as a CIC is established to serve),
  • organisations with customers who benefit from a consensual trusted connection to individuals. Mydex offers a compelling business proposition to these organisations.
  • application and service developers/the new economy of trust-based services that work with volunteered personal information from services such as Mydex (which must be diverse and interoperable)

We see the incentives this way:

  • For the individual: convenience, and a better way to get done something they want or have to get done anyway. In due course empowerment, control and the ability to realise the value of their personal data. But we believe that is not where this transition starts.
  • For organisations with customers: cut costs, accelerate channel shift, get out of the business of passwords and offer better authentication. Restoration of trust in relationships with individuals, because trusted relationships are more valuable. Ability, e.g., to provide joined-up services without breaking privacy laws, because you can establish clear auditable permission from the individual.
  • For app developers: new markets based on VPI; a trusted framework in which you can create responsible and privacy-friendly “manage your finance, manage your health, travel, shopping etc” services. This is a substantial reinvention of the online economy.

Of course, HMG’s new ID assurance providers — of which Mydex is one among five — need to make a viable business doing this. But they have to do it without succumbing to the *wrong* incentive: exploiting people’s personal data. That must be ruled out, and we ensure it is ruled out in our service because Mydex cannot see the personal data, including the attributes and certificates the individual controls and shares.

Keeping ID assurance providers honest is the central point of the HMG’s ID privacy principles (consultation on which finished 12 Sept). Here they are (abbreviated, E&OE, see current official draft here):

GDS ID assurance privacy principles (abridged)

1. User Control — ID assurance activities can only take place if I consent or approve them.

2. Transparency — ID assurance can only take place in ways I understand and when I am fully informed.

3. Multiplicity — I can use and choose as many different identifiers or ID providers as I want to.

4. Data Minimisation — My request or transaction only uses the minimum data necessary to meet my needs.

5. Data Quality — I choose when to update my records.

6. Service-User Access/Portability — I have to be provided with copies of all of my data on request; I can move/remove my data whenever I want.

7. Governance/Certification — I can trust the Scheme because all the participants have to be accredited.

8. Problem Resolution — If there is a problem I know there is an independent arbiter who can find a solution.

9. Exceptional Circs — Any exception has to be approved by Parliament and is subject to independent scrutiny.

To Mydex these ID privacy principles are a sound statement of a self-evident truth. They’re still in draft, and we’d be content to see them strongly embedded in the ID assurance contracts with proper remedies for any breach.

Meanwhile, GDS’s emerging Good Practice Guides for ID assurance seem fit for purpose. The whole scheme is, we believe, every bit as important as the previously proposed National ID Scheme; it’s just a much better idea. Not least, it is designed to work online — that’s the whole point. There’s important work under way with the GDS’s current Alpha test pilots. These will provide a chance to check:

  • is it convenient, is it safe, is the individual really in control?
  • is implementation sound from the individual’s PoV?
  • can individuals be confident they match up to the privacy principles?

[Questions]
