Will Sir Tim Berners-Lee protect your privacy and “take over the world”?

Johan Sydseter
4 min read · May 1, 2019
Attribution: Paul Clark

“The intent is world domination,” Sir Tim Berners-Lee said in a Fast Company article in September last year, while unveiling Solid, the endeavor of his new company, Inrupt. Solid is meant to revolutionize the way the Internet processes data by giving ownership and control of the data back to the data subject.

According to Berners-Lee, the Solid ecosystem, developed by Inrupt, is meant to help all of us “find trusted services for storing, securing and managing personal data” (see: One small step for the web…).

The endeavor is quite admirable, but will it really help protect your data and mine? Let's look at how Solid works.

Within the Solid ecosystem, you decide where you store your data. Photos you take, comments you write, contacts in your address book, calendar events, how many miles you run each day from your fitness tracker.

- How it Works | Solid

In the Solid ecosystem, you store all of your data in a container called a “POD”. When an app needs data from it, you tell the app whether it can read or write to your “POD”. If you want to take your pod with you, you can. In that sense, it’s like a virtual USB stick. In order to prove ownership over your data, applications need you to identify yourself. Within Solid, your pod proves who you are. It’s your identity. When you want to log in, you log in with your pod. There is no need for third-party identity providers.

That provides for a much better privacy model. Your data stays with you, and you control how it can be used and where it is stored. Having the freedom to choose how your data may be used and stored gives control back to you as a data subject.

Still, Inrupt employees, according to their FAQ, currently have access to the unencrypted data on your Pod. In order to protect my privacy and yours, Solid needs to secure the confidentiality, integrity, and availability of your data throughout the whole Solid ecosystem. Currently, that is not the case, as they have several data protection challenges. For example, letting the Pod owner identify themselves by using their Pod, combined with the rather weak link between the Pod server provider, the user, and the Solid application, could make it possible for an attacker to steal a Pod by identifying himself as a Pod server provider. By getting access to the Pod, the attacker could then steal the identity of the Pod owner. A disloyal employee of Inrupt or of a Pod server provider could steal your data and identity, given that the data and identity are not encrypted and signed by you as a Pod owner. There are several ways to mitigate this risk, but Inrupt still needs to build proper data protection by design and by default into their ecosystem to make it possible.

Your Pod is likely to be a lucrative target for hackers and cybercriminals looking to steal your data or identity, and Inrupt’s Solid can be considered new technology that, when exploited, would pose a high risk to the rights and freedoms of natural persons. If the data is especially sensitive in nature, the technology could also cause physical harm (reference: Examples of processing ‘likely to result in high risk’).

As defined in Article 4, a ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Under EU privacy law, Inrupt Inc., the owner of the Solid pod server, and the legal entity that creates Solid applications will all be considered data controllers according to Article 26, which means that a whole range of obligations comes into focus for all of the above. One example is that all the data controllers will need to do a data protection impact assessment (DPIA) before they can consider starting the development of an application that uses data from a Solid pod meant to store data for a citizen living or traveling within the EU.

Tim Berners-Lee's company, Inrupt, has several challenges to solve in order to protect the confidentiality, integrity, and availability of our data. As they also state in their FAQ, “Inrupt is not GDPR compliant”. But once they are, you and I will get the sought-after control over the privacy and ownership of our personal data. Then, perhaps, the goal of “world domination” won’t be that far-fetched.


Johan Sydseter

Co-leader for OWASP Cornucopia and co-creator of Cornucopia Mobile App Edition, an application security engineer, developer, architect and DevOps practitioner.