August 22, 2012

Data Protection vs. Ownership

A big topic and an interesting one!  Everyone is concerned (or should be!) about what data is out there online, who controls it, and what it is used for.  So, what data is out there about you?  Between all the social networks, email providers, blog sites, forums, and more. No one really has a clue.

The problem, simply, is that there are many sites and only one of you.  None of these sites are singing from the same hymn sheet.  They each collect their own data and give you a certain amount of “control” in the settings they provide.  Of course, it’s very limited control and you can bet a good chunk of change it bears little resemblance to what they _really_ know (or assume) about you if they mine their databases. The thing is, they’re each taking their own “copy” of your data, and maintaining your online data becomes a nightmare. It’s like moving house times ten if you happen to, well, move house, for example.

Governments aren’t really helping

That's my Data!

I mean, I guess they have tried, sort of.  It doesn’t really work.  “Policing the Internet” has been a concern for decades now.  It’s not possible.  Different country, different rules.  Crossing boundaries – confusing.  If I’m on Facebook and it happens to be using a server in the USA – what’s the legal situation as I am in the UK?  If Facebook terms and conditions purport they own my data – does the UK Data Protection Act agree?  The UK act would actually say I can request all of my data.  Of course, Facebook, as one of the larger operators, is keen to please all Governments as best it can and would probably oblige (eventually!).  But really, I don’t think they would be “required to”, leaning on their own laws.

Suppose there was something on this site, the FlatCoder Ltd. site, that violated a data protection law in another country?  I could argue “good luck enforcing that”, since the Flatcoder server is based in the UK, I’m in the UK, the company is the UK and we operate in the UK.  If I’m operating with in UK law, why do I care?  I could be wrong (quite possibly, I’m not a lawyer!) but it is still a grey area.

How does the landscape look then?

“The new US privacy framework came into focus as the White House ended a long political debate on Thursday by calling for a “bill of rights” to cover consumers online. The proposal calls for a series of voluntary agreements, to be hammered out in negotiations between consumer groups and online advertisers, that would shape how personal data is collected, protected and used.”

February 23, 2012 7:40 pm, The Financial Times

Voluntary agreements?  Good luck.  It’s like the new “do not track” feature turning up in browsers.  It’s a nice idea but a “global take-up” just will not happen and so, it becomes pointless. It’s pointless because it’s voluntary and impossible to enforce. “Do not track” simply asks a web site not to track, it does not enforce it, nor is enforcement possible.

Meanwhile, here in the EU, we got a new “Cookie Law”.  It’s a fun one.  Essentially, it requires that a “compliant” site requests “consent for cookies”.  Then it allows for “implied consent” which is simply “we told you we are storing cookies, if you continue to use the site, you have agreed”.  You probably saw the Cookie Banner when you first came to this site, your consent has been “implied”.

Aside from it being just the stupidest law ever (seriously), it’s impossible to enforce or police, much the same as “do not track” or any other “voluntary agreement”.  As I understand it presently, at worst – a non-compliant site might be “approached” and asked to comply.  Scary, being approached.

The point…

This whole “opt-in, opt-out, click here, click there” approach is EVERY BIT as confusing as the original problem situation!  Are you really going to remember what you clicked yes/no to on Facebook, Twitter, LinkedIn, BBC News Site, Financial Times, Formula 1 Official Website, “insert any website here”? …because that’s what is being asked of you!  It’s being asked and it doesn’t really change anything.

I do not think the problems surrounding data protection and privacy can be tackled until ownership is established.

It’s a mess, can we fix it?

I’m not sure.  But I have some ideas.  The big thing that people are ignoring (and has been ignored in this post, until now) is the issue of OWNERSHIP.  Who owns the data?  Really?  The whole problem is that different copies of your data, not necessarily the same, possibly erroneous, possibly rather detailed, are on file all over the place with different OWNERS.  Every site you subscribe to, every social network, email account, whatever.  They’ve got a “piece of you” (only, on that note, they’re not even obligated to confirm that it really is you!).  A slice of data they feel “free to keep”, not obliged to maintain, not obliged to discard.  In other words – when the PROVIDERS OWN THE DATA it is NOT taken care of responsibly enough.  Don’t let them tell you otherwise.  If the OWNERS were responsible, you’d be able to access ALL of your data, ALL of the time, to correct it, change it, add to it as necessary.  Instead, you’re limited by what “Settings” these providers do or do not give you.

Maybe… YOU should own YOUR data?

It’s as simple as that.  Well, I’m sure it’s not, but in principle it’s a better foundation to build on than what we have now.  The whole problem (all of the problems) we have discussed so far “go away” if the INDIVIDUAL (that’s you!) has OWNERSHIP of the data.  Instead of all the providers operating independently, they should be TIED together.  It’s a middleware problem.  Something is missing to tie everything together, to get everyone on the same hymn sheet, even if you change it.

Stating the obvious…

The obvious leap, it would seem, would be an intermediary service.  A service that providers (such as Facebook or Twitter) would hook into for their data.  A service that the data owner, you, could access and amend and control at leisure.  If you no longer want Facebook to have your date of birth, it should be as simple as ticking a box.  If you change your address, it should be sent to all except those you specify, and so on.

Now, I realise I wrote that flippantly.  It would be a massive undertaking.  Which service providers would “join the movement”?  Facebook?  Twitter?  I doubt it.  It would take some serious momentum and pressure, probably laws and legislation.  Some useful laws for a change.  Again, they cannot be implemented globally, but if there is no legal enforcement in the country of any given provider, they cannot “join the movement”.  Simple.  Well, it’s not.


I’ve been chewing on this for a while so please do let me know what you think!  I’ll be back in a future post with some specific ideas for an implementation.