Self-sovereignty as an answer to the data dilemma
Privacy is not about keeping secrets — it’s about being able to choose and control what you share and who you share it with. But you do not need to share information directly with someone for them to know a whole lot about you.
If an organization collects enough data about you, trends clearly emerge, even if they don’t see your communications directly. The time when you send your first or last message of the day tells them when you are awake. Where your Internet connection originates reveals your location. The people you communicate with most often indicate your personal bonds and professional ties. Even supposedly anonymous browsing data can be easily de-anonymized, with researchers concluding that a mere 10 URLs can be enough to uniquely identify someone.
Now imagine what an advertising company masquerading as a social network can learn from knowing which ads you click on and which ones you ignore, or which articles you like and which ones you hide, which topics you choose to engage with, and which photos you like.
All these characteristics can be used to assemble a profile of your identity, which can then be used to predict and influence your behavior. Your privacy can be breached without anyone ever reading your private messages.
Most of us have no idea the extent to which our personal data is being harvested. Pervasive data collection is such a vast and abstract issue that the majority of people only become widely concerned in light of specific scandals.
Trust & promises
A recent uptick in public concern, however, has led some Internet giants to offer assurances of greater privacy and more transparency in their data-handling practices. So far, this has amounted to little more than asking users to trust them as they attempt to redefine privacy as data mining for their own purposes, and promising not to sell user data to third parties.
That’s asking users to put a lot of trust in the good intentions of some of the world’s largest advertising platforms, organizations whose entire business models depend on feeding off of that very data.
And let’s revisit the definition of privacy we initially gave: it’s about having control over what you share, and who you share it with. If you have no control over what a company forces you to share with them, then you have no privacy, regardless of whether or not they re-share it with their partners.
Regulation alone isn’t the solution
The increase in public concern has also led to a push for government regulation, which is often well-meaning but ineffective. Despite being designed to tame the excesses of large corporations, regulation is a broadsword, not a scalpel, and it tends to favor the incumbent.
When a regulation, such as the European Union’s General Data Protection Regulation (GDPR), requires maintaining an army of lawyers to ensure compliance, it often has a stifling effect on startups that can’t afford to do so.
Moreover, regulation often seems to miss the technical fundamentals of the problem. GDPR specifically seems to be concerned about only one aspect of your online identity: facts, not characteristics. Its right to be forgotten gives you the right to ask a company to remove any personally identifiable information that they may have on you, such as your name, e-mail address, or date of birth. But these are just facts. Once companies collect these facts, they proceed to derive characteristics from them and aggregate them into a machine-learning model. This model fits you but also others like you.
At that point, the company no longer needs your specific data. Not only can this model be weaponized to profile others who are similar to you, but it will recognize you the moment you return, even if it doesn’t remember who you are specifically. It may not know it’s seen you before, but the model will retain an idea of you.
Lest we forget, government regulation also has unintended consequences that can be exploited, as when the Romanian government attempted to abuse GDPR to threaten journalists who’d been reporting on corruption and organized crime with a 20-million-euro fine unless they revealed their sources.
From stabs at privacy to sovereignty
Education is vital in empowering people to regain control of their online identities, to understand the ways in which their data can be used against them, and to spot the kinds of services that feed on their identity. Still, promising more ethical data control won’t be enough to convince users to abandon Facebook and Twitter in droves. If it were, they’d have already done so.
We need to provide better solutions to move the conversation beyond privacy to sovereignty over a user’s online identity. Self-sovereignty is about more than just preventing others from using your data. This data matters to us because our identity, our friends, our chat histories, and our photographic memories matter to us. It is about having both choice and control over that data.
Moving data storage away from the cloud and back to each individual node empowers users to protect the digital extension of themselves, not only from exploitation for advertising purposes but also from permanent loss through cyber-attack or corporate decline. To replace surveillance capitalism with self-sovereignty means empowering people to take back control over their personal data.
Self-sovereignty is not just a crypto-anarchic pipe dream – we are starting to see efforts in this direction driven by incumbents. For example, Microsoft released ION, an open source project that anchors Decentralized Identifiers as a layer 2 overlay on top of Bitcoin. Samsung has also recently announced blockchain-based efforts on self-sovereign identity, collaborating initially with other Korean institutions.
What are we going to do about it?
As an industry, we can’t leave this up only to the incumbents. At Samsung NEXT, we believe in entrepreneurs and their ability to innovate. That’s why we are running the first of our Stack Zero Sessions in Berlin on August 18, right before Berlin Blockchain Week.
We want to bring together a diverse but select group including technologists, investors, researchers, and writers to discuss what we need to do as an industry to reach customers faster with open solutions that empower them. Attendees have so far suggested a sensational range of topics, from usability to regulation, from mixnets to MPC, from futarchy to redefining agency.