Entering the age of data privacy

When regulation, new tech, and public opinion converge

On May 25, enforcement begins under the European Union’s General Data Privacy Regulation (GDPR). This long-awaited regulation attempts to put the genie of digital personal data back in the proverbial bottle. Web companies were the first to realize the potential goldmine that is user data and began building businesses around it, attracting users and profits through a model of free services that generate data to sell or consumers to target. ~20 years into this model, public opinion and law-makers have realized the huge costs we’re suffering by letting people be turned into the product. Data breaches and abuses are perhaps the most visible, but huge inefficiencies and massive power in the hands of a few internet monopolies may be just as impactful.

From Larry Diar https://diar.co/volume-2-issue-17/

Many businesses are scrambling to meet the new compliance standards. It’s a sweeping regulation that impacts any business operating in the EU, collecting data from EU citizens, or doing any business in the EU, so the impact is global. Interested observers are waiting to see how some of the more vague language will be interpreted and how aggressively regulators will pursue potentially massive fines (up to 4% of a company’s global revenue). Meanwhile, a few are pondering a very different set of questions: how do regulations built for Web2 complement the new models we are building for Web3?

New cryptographic and decentralized technologies — most notably blockchains — have the potential to build data privacy into the core of digital systems. Developed while the GDPR and similar regimes were being drafted, the spirit of the technology and regulations are kindred: more control in users’ hands, more responsibility required of 2nd and 3rd parties. But it’s unclear in ways how the ‘letter of the law’ will apply to this new technology.

Thinking about how these simultaneous legal and technological changes, and shifts in social expectations, interact is key to planning for a more privacy-preserving future. While there are a few apparent incompatibilities — for example, the right to be forgotten on an immutable ledger — good design principles that help all parties make informed decisions can let these operate well together. Regulations and new technology that aim for ‘privacy by design,’ along with mounting public pressure for good data controls, can combine to usher in a new age of data privacy and user-control.

Private protections via public ledgers

Blockchains like Ethereum are public ledgers: they store pieces of data on a shared system that anyone can access, and nobody can delete. One of the things this enables is a new ‘identity layer’ for the Internet, giving users control of their personal data.

This would change the dynamics of digital interactions, likely altering the currently popular model of collecting and monetizing vast amounts of consumer data — the practice that led to regulations like GDPR. This new dynamic is now possible because decentralized technologies can let us build a decentralized consensus around who somebody is, rather than relying on centrally built and managed silos like Facebook or governments.

There’s an irony to using a public ledger to enable and protect private data. If personal data were put on Ethereum, that data would be permanently public for all to see and use. That is, of course, not what we’re doing at uPort. As detailed in our approach to privacy-preserving identity, this new system relies on a public ledger but minimizes what data is actually put there.

All that needs to be stored on-chain is decentralized identifier (DID), which is just a random string of characters. It’s currently not explicit whether these addresses will be classified as personal information under GDPR. Some precedent and the treatment of IP addresses suggests it may, at least in some cases. However, the DID itself tells nothing about the user: it is simply a random public address that a user claims control of through a private key in order to interact with others via a decentralized identity.

The personal data associated with a DID is controlled privately by the user. This data can be stored on private servers and encrypted so nobody but the user has access, can be pseudonymous so even when the user shares it doesn’t tie to their identity, and can be deleted anytime the user chooses. The only thing public is coded ‘pointers’ between the users DID and servers where the information is stored.

Multiple DIDs are used so that even pseudonymous identities can’t be correlated. In uPort’s system, a user can have a separate identity for each relationship or account, so observers of the public ledgers can’t even build or correlate a significant picture of an pseudonymous identity — only fragments are publicly visible, with no ties between them.

This combination does require thoughtful design to help users, who act as their own data controller. Personal data does not need to be stored publicly — but it certainly can be. Many products, proposals, and open source projects would enable users write personal data to a blockchain if they chose to, and once this is done it cannot be undone. While we cannot control what’s possible in a world of open-source software, we can help developers and users make good decisions. GDPR does not really anticipate situations in which the user is their own controller, and their own legal obligations to themselves.

Done right, users never have to disclose their personal data publicly and get all the benefits of an immutable, user-controlled transaction history. As one example of the flaws of today’s system: 21% of credit reports have erroneous data in them. Immutable transaction records would enable proof of origination to prevent this (and the billions of dollars spent each year on identity resolution, with companies trading user data back and forth), while not requiring that users ever disclose their personal data.

This system isn’t just more secure, it can be more private and far more powerful. Not just for users, but for businesses too: it will make it possible for companies to deliver the same or richer user experience without the risk & cost of holding customer data.

Adoption through value, not just compliance & tech

It’s great that the EU is taking serious steps to curb data abuses, and GDPR may have a significant impact on corporate responsibility. It’s doubtful it will lead to wholesale shift in how data is treated today, with it primarily in the control of organizations. And while public opinion seems to be shifting to demand more security and privacy, convenience and complacency still reign in many cases.

To shift Web3 to a user-centric model, with data truly in the hands of users, will require something more: value. The new model and technologies we are creating ultimately need to show their worth not through ethics and laws but through products and services that give people and organizations obvious value. And while we have work to do, our model will provide enormous reasons for identities of all types to adopt:

  • Save users from identity theft and data breaches (Equifax alone cost an estimated $4bn) and protect organizations against cybercrime, estimated to be $6tn by 2021
  • Give consumers a route to some of the $100bn+ that Facebook & Google collect in ad revenue, and businesses a more effective way to discover and serve their highest value customers
  • Make large data sets & rich customer histories available to startups, reducing barriers to competition
  • Give users infinitely granular control over their devices, accounts, relationships, and digital services
  • Reduce the 83% of adults who worry about identity theft, and the 40% who lose a password every week

The GDPR in Europe may lead to some huge steps in curbing data breaches and giving users more control. It remains to be seen how regulators will treat public ledgers, a relatively new and unconsidered technology, but we’re confident they are complementary. The identity models being built on blockchain tech can not only enable the privacy and security the law aims for, but can drive widespread adoption of data rights and protections well beyond what the regulation calls for.

Join the conversation in our uPort riot community.