Solving the Data Privacy issue of today and tomorrow
Uttering “No Thank you. Please don’t call me again” has become as common for me as greeting Good Morning.
Offers of credit cards and pre-approved loans get extended easily enough, irrespective of whether I need or want them.
What (doesn’t) surprise me is how many people have access to my phone number and name. And if they know my phone number, what is the probability that no one out in the world knows my bank details or my credit card number?
The thought scares me as it should.
When I try to think of who has access to my number, I am not surprised to realize that phone numbers are basically given away: in the supermarket where we shop, when we apply for jobs, or when we get a new license. Our basic assumption that our data is safe with the folks we give it to could not be more wrong.
Stories of data breaches are so common that folks scroll past news of billions of data points stolen from the company they trusted with their data.
At the very least, seemingly unimportant details like name and location could have been exposed, but until it hits you in the face through an incident it is easy to underestimate the depth of the data stored and discount the impact it could have on you.
If the companies that are the subject of the news are those I interact with daily (Facebook, Twitter, Instagram), it would not be surprising if someone out there has data on every click made, every scroll halted, and everybody and everything ever talked about.
An announcement of stolen data and a proclamation that data will be monitored somehow affect us differently. One is news and distant, while the other reeks of intrusiveness and privacy invasion and prompts calls for boycotting and abandoning WhatsApp. The current news in the series is the latest (and once more) data breach at Facebook. Answers are being sought. It is currently not known for sure what data was stolen or how current it is.
But that is just the story of data breaches, where an entity intentionally exploits a company’s security vulnerability and steals data.
How about companies giving away data by design?
Let’s talk about Product and Design for a moment.
With the ease of sending money using just a phone number, Google Pay has become an integral part of life. Be it a small vendor sitting on the roadside serving cups of tea or shops in big malls, all are open to using Google Pay as the mode of payment. I can use the product to pay for the auto I just took to the metro station.
But here is the funny part. The person on the receiving end now has my name and phone number available for eternity. It is not impossible to sell them or use them for harassment. Are data breaches so common and the value of data so low that privacy is no longer a concern in the design?
Who Does Stolen Data Impact?
It is a fact that we, the users, are heavily impacted by the loss of our data; even our data in the wrong hands has the potential to cause drastic loss. Unfortunately, most companies we trust with our data neither provide us the details of how it is used nor feel accountable and responsible for it.
History is full of companies that have mismanaged their data and have either gotten away with it or paid fines that are entirely inconsequential to their accounts.
If you consider your data to be included in all these data breaches, and a fine was paid for each, the collective price of your data would not exceed $20–30 for perpetual use.
Set this against the fact that in 2018 alone, Facebook earned an average of ~$110 in ad revenue per American user.
Multiply this by the number of years you are likely to be on Facebook and by the number of products accessing your data, and that is the true present value of your data.
Data Privacy Is A Solvable Issue
The umbrella of Data Privacy covers multiple aspects of Data Ownership (Who owns user data), Data Breaches, and Data Access and Permission (Who is allowed access to the data).
Like most problems, this one is solvable too. Like most complicated problems, the solution might not be perfect, but it would certainly reduce the intensity of the problem.
The theme of every solution that has a chance at solving or reducing the impact of such issues leans towards:
- Giving more control to users to manage the exposure of their data, and
- Making companies more accountable and responsible for data handling.
Any one solution in isolation is not likely to achieve full resolution of the issue at hand.
1. Decentralizing Privacy
Everyone wants a slice of the pie today, whether we go to the nearby supermarket, to Facebook, or log in to a new eCommerce site we have been hearing about.
While autofill makes it easier to fill in repeated information, we are essentially allowing the creation of multiple copies of our data, owned by multiple different parties. Once we have entered our data, unless the companies are governed by strict laws like GDPR, we completely lose track of it and have no idea what it is being used for.
A solution that seems simpler than it is: keep our data in one place and decide, per request, whether to grant temporary access to a limited subset of it.
Say a new website requests your data, and you have a central site you can go to and authorize the access for some time. Your data is ingested per your authorization and access is revoked at the end of your predefined timespan.
The mechanism would also give you a centralized view of who has, or ever had, access to your data. However, two primary questions jump out of the above proposal:
Doesn't centralizing data make it more vulnerable?
How do we ensure that any entity requesting our data has access for only the limited period of time we allow?
The answer to both these questions lies in leveraging the concept of decentralized data management through blockchain.
“Decentralizing Privacy: Using Blockchain to Protect Personal Data” describes in detail a personal data management system built on a blockchain, focused on users retaining ownership of, and visibility into, their data.
Overview of Access Management System — https://ieeexplore.ieee.org/document/7163223
The key features of the proposed solution are:
A web/mobile dashboard giving an overview of the data and the ability to change each entity’s permissions to it
Decentralized data storage supported by strong encryption/decryption
Identity management to ensure the data is protected from players in the system
The concept of decentralized privacy, while elegant, is not the simplest to implement and achieve in practice. Its success, once the technical challenges are overcome, would also depend on adoption by key industry players.
But, if achieved, the solution would change the parameters of how companies differentiate themselves.
2. OS Enforced Data Privacy
Apple’s new iOS 14 is still dominating the news. If you aren’t aware of the specific reason why: the OS requires explicit user permission for data tracking across applications. It makes sense for OS providers, who enable other applications to perform their intended operations, to be able to discipline them as well.
The fact that popular operating systems can be counted on your fingers adds merit to the model, since it eases enforcement.
If Google and Microsoft were to follow suit and implement the same on Android, applications relying on cross-app data would find themselves in a serious dearth of it.
However, for this to be practically possible, all the major players need to align on this vision of the future. The implementation of the privacy model across the key players, in addition to existing ones, would be expected to draw protests from key industry players whose business models depend on user data.
3. Privacy through Design
As briefly touched upon above, many products are at their core dependent on data sharing. For example:
Uber is dependent on you, as a rider, sharing your location and destination with the driver
Amazon delivery is dependent on sharing your address with the delivery person
Google Pay is dependent on knowing the phone number, QR code, or UPI details to be able to transfer money
The concern applies as much while the service is being provided as after the transaction has happened. For privacy to be retained:
The service provider (delivery person, payment recipient, Uber driver) should not have any access to your data after the transaction completes. Examples:
- Inability to retain phone numbers
- Inability to retain addresses
During the transaction, the amount and the class of data exposed should be the absolute minimum required. Examples:
- Transactions not requiring a name unless necessary
- Masked phone numbers
For the above to be implemented, companies need to build their products with user privacy at the core of their vision, which has not been a priority for them yet.
Organizations’ selfish interest in monetizing user data has led to the creation and success of new and unique business models, and this arms them with reason enough not to focus on user privacy.
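As an added illustration (not code from this article or from the paper cited above) of the mechanisms described in sections 1 and 3: a central place where the owner grants scoped, time-limited access that ends by expiry or revocation, can see who has or ever had access, and releases a phone number only in masked form. The vault class, its token format and the sample record are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed sample record for one owner (placeholder values, not real data).
OWNER_DATA = {"name": "A. Sample", "phone": "+919876543210", "address": "12 Example Road"}

def mask_phone(phone: str) -> str:
    """Reveal only the last four digits, as in the 'masked phone numbers' example."""
    return "*" * (len(phone) - 4) + phone[-4:]

@dataclass
class Grant:
    requester: str      # e.g. a tea stall or a delivery service
    fields: frozenset   # the minimum fields the transaction needs
    masked: frozenset   # fields released only in masked form
    expires_at: float   # owner-chosen timespan, after which access ends by itself
    revoked: bool = False

class PersonalDataVault:
    def __init__(self, data: dict, clock=time.time):
        self._data = dict(data)               # the single copy of the owner's data
        self._grants: dict[str, Grant] = {}  # token -> Grant, doubles as audit trail
        self._clock = clock                   # injectable so expiry can be tested

    def authorize(self, requester, fields, ttl_seconds, masked=()) -> str:
        """Owner grants access to `fields` for `ttl_seconds`; returns the access token."""
        if not set(fields) <= set(self._data):
            raise KeyError(f"unknown fields: {sorted(set(fields) - set(self._data))}")
        token = secrets.token_urlsafe(16)
        self._grants[token] = Grant(requester, frozenset(fields), frozenset(masked),
                                    self._clock() + ttl_seconds)
        return token

    def revoke(self, token: str) -> None:
        self._grants[token].revoked = True  # owner ends access early, e.g. on completion

    def fetch(self, token: str):
        """Requester side: only the granted fields; None once expired or revoked."""
        g = self._grants.get(token)
        if g is None or g.revoked or self._clock() >= g.expires_at:
            return None
        return {f: mask_phone(self._data[f]) if f in g.masked else self._data[f] for f in g.fields}

    def access_report(self):
        """Owner dashboard: who has, or ever had, access, and whether it is still live."""
        return [(g.requester, sorted(g.fields),
                 "active" if not g.revoked and self._clock() < g.expires_at else "ended")
                for g in self._grants.values()]
```

The requester never receives a copy of the record, only a view through a token that stops working once the window closes, which is the "no access post transaction" property the section asks for.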
At the same time, companies like Apple have stood up and created a differentiator by going against the flow.
With increasing focus on data privacy, the day will arrive, sooner or later, when it becomes a common and mandatory consideration and all products need to comply. It is time that the high and mighty of the industry give a deep and honest thought to their business models with data privacy in mind.