Digital Identity: Who Should Hold the Keys?
Having already established that we are moving into a new phase of what we might term the electronic enlightenment, with accountability for information held as electronic data required from its inception, the next questions should centre around ownership and control of data, especially personal data. With the neutrality of the internet itself under threat, it is the author's view that only we, the individual data subjects, should have control.
Who do we trust exactly when it comes to personal data? It turns out that we place our trust in unknowns on a regular and ongoing basis. Often we do not fully grasp:
- who has our data
- to whom the data is sent
- what is done with the data
- where the data is physically stored
- for how long it is retained
- how it is protected
- who we can ask for the data to be erased, corrected, restricted etc.
While we are waiting for the new GDPR laws to come into effect for European data subjects, it would be tempting but naïve to think that the regulation will resolve all of these doubts. Some data controllers and processors will lag behind compliance with the new regulation. Sometimes this will be because of ignorance, skepticism, wilful non-cooperation, incompetence, i.e. all factors that are beyond the control of data subjects.
When it comes to third parties and our data, this lack of control over our personal data is not the 'fault' of data subjects, it is just how things have evolved up to today. Newly-empowered they may be, but are you prepared to rely on the ICO (in the UK at least) to act as sole guardian of our new rights? Surely there will be far too much going for them to do much for individuals on a day-to-day basis. Their concerns will likely be enforcement, starting with some big names, major breaches and those companies whose primary raison d'être is to abuse the personal data they possess.
So do we instead turn to the companies and other organisations that hold our data to protect us? After all, the GDPR will be in place to govern them, isn't that then the point?
Cynical this may be, but the motivations for companies are not aligned with those of individual data subjects. We have seen how data has become one of the key business assets for companies, and the monetisation of these assets is in direct conflict with individuals' desire to exercise control. Companies will comply with the GDPR eventually, or suffer the consequences of reputational damage in the case of a breach, or being less competitive commercially when compared to companies that can easily demonstrate compliance. But it would be foolish to trust companies to act as trusted guardians of personal data.
Who can we trust then? Ultimately this is all about society as a whole reaching a new level of digital maturity. The answer is that we must build the tools that individuals need in order to maintain control over personal data. Rather like a password manager application that allows an individual to manage security, there needs to be a personal data ledger that shows an individual all the third parties who possess their personal data, and that gives them the ability to manage permissions, retentions, requests for erasure or restriction of processing, generates reports and so on.
While I used the word "ledger", it is not yet clear that blockchain technologies will be the best solution for the above challenges. In any case, for individuals it will be less about the underlying technology and more about the application layer that they use to manage their identities. We need these tools urgently, they need to be extremely affordable, and they need to be out of the control of commercially-motivated corporations.