Parties, Privacy & Blockchain

It’s 1982. Alice picks up her landline phone and calls Bob, her friend and the local shopkeeper. In the course of conversation she shares that she’s pregnant.

There are 5 entities involved in this exchange:
A) Alice
B) Bob
C) The phone line & infrastructure itself
D) The company that built the phone line infrastructure
E) The company that operates the phone network, which automatically captures meta-data about phone calls to maintain service quality & employs operators who connect calls between two people.

It’s 1982. The internet, PCs and cell phones are around the corner, though nobody is planning for these. But we can treat this as a simple starting point for thinking about modern data privacy — uses, protections, and responsibilities around personal information.

uPort lets users and organizations interact and share data directly, with no 3rd party

What rights & responsibilities does each party hold?

Here we’ll establish some assumptions and questions specific to this situation, focusing on how we believe the parties should behave. And in the next section we’ll generalize that to see what we can learn for modern, more complex situations.

A) Alice, the subject, can share information about herself freely, and has a responsibility to herself to be discreet about who she shares with

B) Bob, the receiver of data, has a few roles and considerations:

  • As Alice’s friend, he probably should not share her secret — but there’s no law against gossip
  • As a local shopkeeper, Bob probably should be allowed to use the provided info to suggest Alice buy baby formula next time she visits
  • As a possessor of personal data, Bob probably should not be able to sell this data to pharmaceutical companies who want to sell baby products

C) The technology used, the phone and network infrastructure, is a tool; it transmits the sound according to some properties. ‘Data’ is created through phone use as phone lines are either free or busy, and so a person’s activity could be collected from the phone infrastructure. There are no normative claims on this; it’s just a statement about the technology.

D) The infrastructure creators probably should work to design phones, phone lines, and other infrastructure to minimize the amount of data that is created in public, and have a responsibility to make clear to users of the phone system what data others could collect from their usage. If this is done transparently and honestly, then the privacy-compromising creation of that data is reasonably up to the user.

E) The network operator

  • Should be allowed to collect data necessary to operate the network, collecting as little personal information as possible to do this
  • Unlike Bob, who was a party to the conversation, the network operator was a facilitator and should not be able to eavesdrop on personal conversations and try to sell Alice their baby monitoring product without an explicit agreement
  • They certainly should not be able to sell the data about what they hear to the highest bidder (say, a pharmaceutical company that wants to sell baby products) without explicit consent from the users

What does this situation tell us about modern tech privacy?

The GDPR regulations going into effect in Europe are basically trying to establish the roles and expectations, specifically for Bob the shopkeeper and the network operator. Collecting and using personal data from users will require a specific legal basis.

One of the reasons we ended up in today’s flawed system with providers like Facebook aggregating and, arguably, abusing user data is that we did not treat various parties differently based on their role. Facebook claims to be a ‘platform’ and not a content creator itself. If that’s the case, they are akin to the telephone network operator (and builder). Yet they monitor (eavesdrop on) all the conversations between Alice and Bob and everybody else, and treat the data as their own. Some of the interesting questions surrounding how to interpret GDPR, particularly while building a new technology like uPort, stem from figuring out which party is in which role.

The blockchain technology we are building on is a tool, like phones and phone lines. It’s a particularly interesting tool because it inherently stores data in public, but that is just a fact about the technology that all parties must balance when choosing whether to use it, and for what. A decentralized identity system, which gives users and decentralized applications the ability to transact directly and securely through tools like the uPort app and platform, without a 3rd party being involved at all, would also be part of that infrastructure.

This makes uPort one of the network builders. We take our responsibility to build this system to minimize public data very seriously, building in privacy by design, and will help build tools that let users and developers make good decisions. Once the system is built, uPort the company does not monitor the data exchange, nor is it even involved in it — unlike a platform like Facebook. Users interact directly.

Self-sovereign identity systems like this put data creation, sharing and storage in control of the users, without involvement from 3rd parties. Regulations like GDPR aim to make sure receivers of data, like Bob, treat the personal data shared with them responsibly. And we need to change norms, educate users, and design systems that let users, like Alice, make good decisions about when and how to share data about themselves.

The above is purely hypothetical and is certainly not meant as legal advice.

Join the conversation about data privacy in uPort’s riot community.


