It is possible for us to prove things about ourselves in ways which put those facts and our relationship to them beyond all reasonable doubt. We can say they are true with an exceptionally high level of certainty. Technology exists which can pick up that information and using strong encryption put it within what we might call a “digital token”. Such tokens can only be read by machines which have the correct codes to make sense of them. For all practical purposes the encryption is unbreakable.
Armed with my token I could present it to a web site or online service as proof that I was, say, over 18, over 13 or that I lived in London NW3. OK I would have to guard against third parties discovering how to put themselves in my place but that is true in any and every scenario. Even so there are yet more twiddly bits which could be added in to reduce the possibility of that happening despite my own best efforts at being negligent.
If all a web site or online service needed to know was that I was above a certain age or that I lived in a particular geographical area I would not need to tell them anything else about myself. The token would have vouched for me.
The digital token could cover many different attributes, including my preferences in terms of being tracked or other aspects of privacy. Any site which interacted with my token would not need to trouble me with a bazillion questions. They were all answered in a trice.
Think Pay Pal
I agree that any system devised by humans can be defeated somehow or other but you can take concerns of that nature to ridiculous and wholly disproportionate extremes. If we wait for everything to be 100% certain 100% of the time the status quo will prevail forever.
But think of PayPal. I use it a lot. One reason I like Pay Pal is because I do not have to surrender my banking information or credit card details to companies I might know little or nothing about. Pay Pal is the honest broker. I trust Pay Pal. The digital token idea would work in a similar way. If a site needs to know anything about me that the digital token cannot answer it will need to ask me specifically and that would put me on my guard.
Data minimization
Pay Pal and these kinds of tokens are examples of data minimization at work. The Occam’s razor of the digerati. Of course we would all need to have confidence in the token issuing equivalent of Pay Pal but there was a time when Pay Pal did not exist and now it does. There are even alternatives to Pay Pal which I am told are every bit as trustworthy.
Why is this idea not being taken up on a larger scale? Who benefits most from the current state of affairs where our personal data is swishing around in innumerable places, without our knowledge or meaningful consent as to its uses? That’s not hard to answer. The beneficiaries are those companies that depend either wholly or in part on collecting as much personal data as they can about us. The ones that use it to sell advertising.
No. Don’t ask me to name them. Wild horses would not drag that information out of me.
We are no longer talking about selling soap powder
The sea that is advertising has floated many new technological vessels for which, in one way or another, we should all be truly grateful.
But in the emerging era of “big data”, in a time when digital data is said to be the “new oil”, we have gone way past the point where this is only about selling us the latest flavour of milk shake or new, improved Daz. Our whole lives are out there.
Disingenuous protestations about available alternatives
Saying people can always choose to opt out of cyberspace, use alternative methods, is disingenuous. We can’t.
Pretty soon in the UK there will be certain transactions which, if they are not carried out online will not be carried out at all. Ever. The Government is one of the principal drivers herding us all in that direction. There’s no problem with this in principle but Government has a commensurate responsibility to safeguard the wider public interest in the new environment they are wilfully helping to create.
Saying people can choose different online companies or services that might handle their personal data differently is also disingenuous. Beyond a certain point the network effect kicks in. The near monopoly position some services have established means you go with them or you don’t go at all.
And if regulators seem powerless to put the brakes on why would any commercial enterprise hobble itself by refusing to open its pockets to the cash supplied by the advertising gravy train? In the UK very few large companies set themselves up as being ethically superior to their competitors. In fact I can only think of one off the top of my head: the Co-op, and there’s an awful lot of history behind that.
Those siren voices
The companies that tell us that these days people have different attitudes towards privacy and that we don’t care any more about how our personal data are used are the very businesses that stand to benefit most financially from that being so.
Their business model ultimately relies upon our sense of bewilderment at or lack of patience with the seemingly endless options or the complexity of the privacy choices offered, or our inertia, laziness, our anxieties about not being cool, our preference for (the deceptively named) “free” over paid for. Absolutely I accept that there are some internet users who take these things very seriously, are not inert or lazy and look into them carefully, always read the terms and conditions before they click the box, but our online leaders did not get to be the size they are today off the back of people like that. And they know it. They rely on it.
These companies are engaged in a hegemonic project, trying to establish a new orthodoxy. If that is too much for you let’s just call it marketing. They are creating the demand and satisfying it. This does not mean we are all easily manipulated sheep but it does mean we must recognise how powerful the medium can be in shaping expectations and therefore in determining outcomes.
Are our data protectors fit for purpose?
Against this new private Leviathan the EU’s anti-trust laws can help but our major line of defence seems to be the data protection authorities.
However, data protection agencies can be such slender reeds. For one thing within the EU they all work solely at national level. Of course they liaise through the Article 29 Working Party and they have a nominal commitment to “harmonising” practice across all 27 Member States but collectively we have seen little evidence that they are up to the task of taking on the internet giants.
I am sure there is a need for data protection laws to be pursued at a national level but within the EU is it right that major multinationals can shop around and choose to plonk themselves under the control and supervision of the smallest, weakest ones? No it is not.
Big data needs a big regulator that can face them on closer to equal terms. Size matters. Big can be beautiful. Companies work multinationally. The public authorities need to be able to match them.
New habits for old
With an appropriate, large scale and sustained promotional campaign we could establish, as we did with smoking and buckling up seat belts before driving, there is a right way, a sensible way, to behave around one’s digital personal data and there are stupid ways that not only endanger the individual directly responsible but which can also do serious damage to others as well. We would encourage the good and discourage the bad. But we need tools to give expression to the new habits we want people to form and the digital token idea seems a natural to me.
NB There is a short postscript to this blog.
Desiderata 