The Personal Data Economy at K(NO)W Identity Conference

I was happy to take part in the inaugural K(NO)W Identity Conference, organized by several ex-Googlers through their new organization One World Identity.

Although it turned out to be one of the more thoughtful discussions I’ve participated in on the emerging personal data ecosystem (hats off to Electronic Frontier Foundation’s Rainey Reitman for excellent moderating), it also shows the challenges of discussing such a complex subject in a room full of folks working on identity, privacy, security and data.

The biggest area of misunderstanding remains around the many win-win benefits for both individuals and companies when users are empowered with their data. Watch the video and let me know what you think @shanegreen.

https://www.youtube.com/watch?v=AUhCVYUQ0vM

Today’s Facebook report on personal data & privacy gets a lot right

Is it a wolf in sheep’s clothing or a sign of enlightenment at the world’s largest collector of personal data?

I must admit I was more than a little wary when I was invited by Facebook’s Global Deputy Chief Privacy Officer, Stephen Deadman, to participate in an off-the-record roundtable on the future of personal data and privacy. The involvement of the UK consulting firm Ctrl-Shift helped convince me, given their long-time focus on building transparency and trust in this area. I’m glad I did.

Overshadowed by today’s announcement of 500 million Instagram users, Facebook released a report this morning called “A New Paradigm for Personal Data: Five Shifts to Drive Trust and Growth.” You can download it here: http://bit.ly/28L4HII or check out Deadman’s Op-Ed here: http://bit.ly/28LMDB9.

I hope Mark Zuckerberg reads it and internalizes its many good recommendations, especially given the powerful catalyzing role Facebook could play to empower people with data. It’s not just the right thing to do, it would be great for the company’s long-term business (oh, and for that pesky regulatory problem).

While much of the report’s thinking has been articulated previously, including by Ctrl-Shift, the Personal Data Ecosystem Consortium (where Personal, Inc. was a founding member), the World Economic Forum’s Global Agenda Council on Data and The Aspen Institute’s Communications & Society Program (both of which I participated in), it matters that Facebook spent its time and energy to convene so many trusted experts — 175 in all across 21 global roundtables — and to publish such a thoughtful and balanced report.

Unlike regulators, privacy and security advocates or most any industry player, no matter how large, Facebook is in a unique position to put the tools directly into the hands of their users and provide powerful direct and indirect incentives for them to start becoming hubs for their data.

In this model, users could re-use their data in a permission-based way, and in infinite combinations, across the entire connected universe at home, work and everywhere in between. It would be the ultimate democratization of data in a fair and transparent ecosystem where individuals actively decide when, where and how to participate in a robust value exchange tied to their data.

So why would Facebook take such a risk when its current business model is built on its ownership and control of user data?

Deadman answers that question in the introduction to the new report:

My observation from the years I’ve spent working on privacy and data related issues is that the personal data debate has been largely grounded in a limiting premise – that the desire to innovate with data is generally incompatible with preserving individuals’ rights to privacy and self-determination.

This premise is entrenched by regulators, policymakers and industry, as we tend to talk in terms of trade-offs, as though these two equally desirable goals will always be in tension with each other, and our only choice is to balance them off against each other.

I firmly believe that such trade-off thinking is undesirable – it leads to suboptimal outcomes – and I also believe it’s unnecessary: we now have the skills, technology and motivation to transcend this supposed trade-off.

He goes further:

The debate also entrenches an assumption that only organisations can control data, ignoring the ability and potential of individuals to take a more active role, exercising agency, choice and control over their own data.

I don’t think the evidence supports this assumption. What is more, when people have more control over their own data, more growth, innovation and value can be created than when they don’t.

It’s this very last point that will win the day. There is simply more opportunity to innovate and create value when individuals are empowered in this way. No single company, or government for that matter, can ever match the competitive advantage of individuals (or teams of individuals) to aggregate and permission access to the constantly growing and changing data from across their lives — including their connected devices.

And those who try to keep the individual out of the equation risk being punished as this new model emerges. Data collection, use and monetization simply can’t be kept behind the curtains much longer. Deadman is right to draw Facebook’s attention to both the opportunity — and the risk — of not embracing the rightful role of users.

There is also a surprising set of security benefits to a model with fewer standalone copies of data in the world, especially when the data is shared on a session basis and comes networked with real-time validation and authentication. The future would not only be more secure with this approach, it also happens to be in the interest of the world’s largest identity provider.

In our own business, we are seeing this user-centric model starting to take root inside the workplace by and between employees. The enterprise is one of the few places where the need for individuals to practice active data management and data security is both understood and able to be mandated. It’s probably no accident that the Facebook at Work solution is one of the company’s biggest new initiatives.

The report finishes with grand brush strokes, painting a vision of a race to the top among companies who compete for access to user data based on trust, transparency and the value they can deliver. These market-based solutions have all the elements of the “digital enlightenment” many of us have been talking about for a long time.

For those of you worried that Facebook is simply trying to co-opt this new model before it is even established, or use it as a shield to avoid regulation, I understand the concern. But I really don’t think there will be any going back once it happens. As people wake up and experience the magic of having their data go to work for them, they will never be passive about their data or oblivious to its value again.

While Facebook has a lot to gain by being a leader, it has even more to lose by being seen by its community of users as holding them back. I applaud Deadman and his colleagues for taking such a bold position.

This post was originally published here on Medium.

A Rising Tide of Data, Partnered With Privacy by Design, Will Lift All Boats

This piece was originally published on the Disruptive Competition Project blog (DisCo).

 
By Dr. Ann Cavoukian and Shane Green

Over the last year, we have started to see a remarkable shift in the way the world thinks about data and privacy. The old levees of compliance and binary permission settings are being washed away by a rising tide of data that is growing at a rate exceeding Moore’s Law.

In fact, more data will be created and captured this year than in all of human history. Fueling this explosion are connected devices so numerous that, according to a recent GSMA study, there will be more such devices throwing off data this year than there are people in the world.

In this rapidly changing data ecosystem, tools such as one-time notice-and-consent agreements and simple transparent disclosures are less helpful, perhaps becoming obsolete. Individuals can no longer be treated as passive data subjects who merely provide information for collection and use by an organization. Instead, more sophisticated approaches are required based on context-based approvals and, more importantly, informed individuals who are engaged with their data across their lives.

We too must evolve, and those companies and organizations that empower individuals to be full partners in this emerging personal data ecosystem will create tremendous value in the form of stronger, deeper and trusted relationships with their customers, thereby gaining new competitive advantages, including greater, not less, access to data.

The latest signs that these once revolutionary ideas are today becoming mainstream, and will tomorrow become the standard for doing business, are two recent reports by centrist, pro-business think tanks.

Data Vaults Go Mainstream at World Economic Forum

This post was originally published under the same title on the Personal blog, A Personal Stand, and can also be found on the World Economic Forum Rethinking Personal Data website.

In the last six months, a fast growing and somewhat unexpected chorus has emerged around the need to give people greater control over their personal information.

Mainstream think tanks are now focused on it – see the recent Aspen Institute report, which focuses extensively on “the new economy of personal information” and the central role of individuals in it.

Governments are also catalyzing this new model. The Midata initiative in the U.K. and the Open Data initiative in the United States are giving back government-collected data to citizens in organized, reusable form.

But what’s most interesting is the growing realization among companies that their futures are tied to building new relationships with consumers who are increasingly empowered with and savvy about their digital data, and who have growing concerns about how their data is captured and used.

That’s why a new report released today by the World Economic Forum, whose membership is made up of Fortune 1000 companies, is so important. “Unlocking the Value of Personal Data: From Collection to Usage” is a product of the Forum’s multi-year Rethinking Personal Data Project, and was led by Forum official Bill Hoffman (see his blog today on the report) and a steering committee of the Boston Consulting Group, Kaiser Permanente, Visa, Microsoft, AT&T and VimpelCom. Personal also participated, and is a member of the Forum’s Global Agenda Council on Data-Driven Development.

When you consider the organizations behind the report, its major conclusions are all the more dramatic:

    • Companies and governments need to put people at the center of their data, empowering individuals to engage in how their data flows through technology. This means giving consumers greater access to and control over their information as well as the tools to benefit directly from it.
    • We need to move past old notions of privacy that revolved around simple notice and consent. Instead, companies should adopt Privacy by Design principles that address every stage of product, technology and business development. This would ensure, for example, that apps feature user-driven permissioning of data and have greater transparency and control over how it’s used and valued.
    • The report blows a hole through the canard that e-commerce and privacy cannot peacefully coexist. It’s not a zero-sum game. Instead, it’s a win-win for businesses and consumers where even more data can flow between trusted parties.
    • Perhaps most exciting, the report detailed a number of use cases in which companies are helping consumers to leverage their personal information to improve their lives, ranging from health care (Kaiser Permanente) to financial data (Visa) to automotive price transparency (Truecar) to online reputational information (Reputation.com).
    • Personal was also profiled to demonstrate how personal data vaults can make the time-wasting tradition of form filling obsolete, saving literally billions of hours annually, and greatly improving the delivery of public and private sector services. Check out www.personal.com/fillit to see how your company or organization can participate.

We’re excited to see the model we have been building over the past three years start to catch fire, and we expect to see a lot more progress in the next six months.

Data as a Human Right

This post was originally published on the World Economic Forum Blog.

Data has the power to transform our lives – collectively and individually. What is needed to unlock the profound opportunity data affords to improve the human condition – and to defend against a multitude of threats – is not technical, but an ethical framework for its use by and beyond those who initially collect it, including providing access to individuals.

At its most fundamental level, data about individuals represents a new kind of “digital self” that cannot be easily distinguished from the physical person. Some consider it a form of property; others a form of expression or speech. Those working in the area of genomics often view personal data as the DNA sequences that make us truly unique. Whatever lens one uses, it has become increasingly clear that the consequences of how personal data is used are every bit as real for people and society as any material, physical or economic force.

Properly harnessed by ethical practitioners, the principled use of “big data” sets can improve our economies, create jobs, reduce crime, increase public health, identify corruption and waste, predict and mitigate humanitarian crises, and lessen our impact on the environment. Similarly, empowering individuals with access to reusable copies of data collected by others, also called “small data”, can help them drastically improve the quality of their lives, from making better financial, education and health decisions, to saving time and reducing friction in discovering and accessing private and public sector services. Evidence of the positive impact of leveraging data, by both institutions and individuals, abounds.

However, data, like the technology that generates it, is in and of itself neutral. It can be used for good or ill. With a proper, ethical framework, data can – and should – be leveraged for the benefit of humankind, simultaneously at the societal, organizational and individual level. Misused, its power to harm and exploit is similarly unlimited.

In fact, what raises the ethical use and respect for data potentially into the realm of a fundamental human right is its ability to describe and reveal unique human identity, attributes and behaviors – and its power to affect a person’s, and a society’s, well-being as a result. Just as in the physical world, basic rights and opportunities must be preserved.

Indeed, it is already well recognized that invasions of our digital privacy can be exploited for repression, and that technologies for sharing data can be harnessed to support freedom. More fundamentally, though, we need to extend our core rights themselves into the digital world. For example, we must adapt our notion of freedom of thought to account for the new reality that much of our thinking goes on in digital spaces – as does the management and sharing of our most private information. Preserving individual freedom will now require protecting autonomy with respect to our own data.

Clearly, cultural and regional differences regarding human rights in the analog, physical world are sure to arise in this digital, data-oriented world. We do not seek to resolve those issues, but to develop a clear framework of principles to help provide data, data access and data use the protections they deserve.

Personal and the World Economic Forum’s New Report

This post was originally published under the same title on the Personal blog, A Personal Stand.

When I learned of the World Economic Forum’s first report on personal data in early 2011, I was surprised to see an organization comprised of Fortune 1000 companies highlight the many cutting-edge problems we were addressing at Personal. Their report went so far as to call personal data a “new economic asset class,” and made a bold assertion that individuals needed to be empowered with their data to create balance, fairness and stability in the new digital economy.

We were delighted to then be asked to participate in the Forum’s Rethinking Personal Data Working Group, which today released a new report, produced in collaboration with The Boston Consulting Group, entitled: “Rethinking Personal Data: Strengthening Trust.” You can see the Forum’s press release here, and our own here.

The report broadly defines personal data, including data that is directly or indirectly known about you and your family, friends, work, values and beliefs, location/GPS, car, home, finances, spending, browsing history, app usage, health, education – you name it. It further examines the growing instability that comes from a lack of trust and transparency in how personal data is captured and used by companies and governments, while highlighting benefits for all stakeholders, including people, if a better framework emerges that balances the competing needs and interests of all parties.

While startups are famous for “making sausage” – the idea that the reality is messy behind the scenes even when the outcome is good – I think it is fair to say we made some (very good) sausage over the last year. There were a wide range of passionate and thoughtful views on most every subject that touches personal data – ownership rights, consent, the primacy of the individual, the right to be forgotten, transparency, privacy, data security, national security, sovereignty, public safety, regulation, public health, political freedom, and, last but far from least, innovation and economic growth.

Many of the report’s recommendations focus on much needed improvements to the current model, where companies and governments are central. Others point to ways to explore new models that could give individuals a better seat at the table and that can create, through enhanced trust, even better outcomes for companies and governments willing to abide by new rules.

We were delighted to both participate in this important endeavor and to see Personal, along with companies like Dropbox, Reputation.com, Mydex and Qiy, be highlighted as an innovator working to empower people with their data. We are confident that the benefits will be magical for all involved as people are able to effectively manage and use this “new economic asset” across their lives.

A Digital Bill of Rights By the People, For the People

This post was originally published under the same title on the Personal blog, A Personal Stand.

The Obama Administration unveiled today its long-awaited framework for online privacy, Consumer Data Privacy in a Networked World. The result is a bold and thoughtful step in the right direction, and it will make an impact, regardless of whether Congress acts. It’s another sign that power on the Internet is shifting toward individuals and away from companies.

There’s still much more to do:

1.  In talking about reform and creating a new model, we must put individuals firmly at the center of the framework. This means giving them the tools to drive demand for their valuable data resources to transform the current model into a “user-centric” one. With individuals truly in control – and looking out on the world from their perspective – every other principle and right about privacy falls into place.

2.  While the framework will require companies to re-evaluate their data practices and conform to new standards, what about our government’s obligations in handling our data? The Obama Administration has been impressively forward-looking in this arena – particularly with veterans, education and health record data – but it seems that individuals care as much about what the government knows about them as they do about companies.  We need rules for government, too.

3.  Actual citizens need a seat at the table alongside the privacy advocates, law enforcement representatives, companies and academics that will help establish codes of conduct.  If the framework is being constructed for the benefit of individuals, don’t we deserve a say in the matter, too? Perhaps the final say?

To make the last point a reality, we’re taking matters into our own hands.  In a few weeks at SXSW in Austin, Texas, I will join my friend, Anne Bezancon, founder and CEO of Placecast to create – with other SXSW attendees – a Bill of Rights “by the people, for the people” that we would expect both companies and the government to respect. If you will be attending the conference, please join us for our interactive Sunday afternoon session, We the People: Creating a Consumer’s Bill of Rights. Please also check out the session by our CTO, Tarik Kurspahic, on building a “privacy by design” company.

A World Without Borders – Customer Data in Bankruptcy

Here is the link to my post in the Personal company blog on how customer data should be treated in bankruptcy: http://blog.personal.com/2011/09/a-world-without-borders-–-customer-data-in-bankruptcy

We don’t have this issue at Personal as individuals own their data from the start when using our data vault service (thus there would be no “customer data assets” for us to sell were the company to go out of business), but I expect it to become a bigger and bigger issue in the coming years.

The Data Wars Begin

In a week where President Obama and the White House announced their intention to enter the fray over consumer data and privacy, the most interesting recent news has actually been the rapid escalation between Google and Facebook over data ownership. Framing it in terms of a trade war, TechCrunch declared the beginning of true data protectionism, and has been highlighting the almost daily back and forth between the two biggest aggregators of consumer/Owner data in the world.

This fight over the right to export email and contact data from one service to the other is shining a bright light on the much larger and more important issue — how critically dependent they both are on owning and controlling your and my data. No matter their rhetoric, their actions cannot hide the fact that they look at our data as theirs. Pretty hard to start a trade war if you don’t have some kind of good or service to withhold. In both cases, the only thing they have to hold hostage is our data. That’s it.

Most trade wars are bad for everyone involved. This one, however, might end up helping Owners. Unlike privacy, which has proven harder to understand and to motivate people, data ownership is far more tangible. Either you can do what you want with your data or you can’t. There is not much room for either of them to sit on the fence. If Google and Facebook continue to retaliate, which I’m betting they do, they will do more to show their true colors around data ownership than anything the White House or Wall Street Journal could do combined. Should be fun to watch.

S.

A New Model Requires New Principles

The first week my team and I started Personal, it was clear to us that we had to have a statement of principles that we would live by internally and be held accountable to by the rest of the world. I don’t mean the mandatory “company values” statement. I mean a fundamentally new set of principles that would govern our every decision; principles based on the conviction that each individual must have the ultimate control, flexibility and benefit of his or her data.

After a thorough review of many good (and not so good) ideas, we agreed on the following:

– Right to data ownership, privacy and economic benefits by individuals
– Transparency in all collection and use of personal data
– Data portability and deletion rights
– Right to simple opt-in and opt-out mechanisms

In the coming weeks, I will explore each of these more deeply and offer early insights into how Personal has built such principles into our products, business model and company culture.

But I want to first share the fact that data portability and deletion rights was especially perplexing when we first debated it. How could we spend all this time investing our time and resources to build such a great platform and innovative business model and just allow people to decide to take their data elsewhere and delete all traces of it on our system?

The answer was simple – we couldn’t find a single compelling argument not to do it. We are building Personal for ourselves and our families and friends as much as anyone, and we all agreed that we would want to be able to pick up and leave if we lost faith in the company for any reason without penalty or friction. Yes, that means, in some ways, we will only be as good as our last pitch, but that is how we believe it should be when it comes to data. Anyone for having your money trapped in a bank you have lost confidence in? Or if you find another bank with far better rates and services? We welcome having to meet such a high standard.

S.