ISPs selling personal data: we need to frame the debate around consent

The US Senate’s vote to roll back rules preventing ISPs from collecting and selling personal data has generated an enormous amount of controversy.

On the one hand, de-regulating the stifled and stagnating US economy is a necessary move to restart growth and boost innovation.

And of course everyone understands businesses want and need data – it’s their fuel, their magic juice – and something they rely on heavily to try and stay ahead of their competitors.

But those arguments, valid as they are to a degree, overlook the big elephant in the room: consent. Specifically, the rights of individuals to have a say in what happens to some pretty sensitive personal data collected about them through their full browsing history.

Consent is the missing ingredient in this current debate – and its omission means all sides lose out.

Individuals, of course, lose out in this equation because their personal data is being sold on behind their backs without their consent, or indeed without any benefit to them.

But businesses are losing too because they would get better quality, more useful data if they went direct to the source – the individual themselves – and offered something desirable as an exchange.

Additionally, their ability to thrive depends on them being able to deliver the right offer to the right person at the right time. This, in turn, requires better engagement overall, and engagement means conversation. What better way to have a conversation than by starting the relationship asking for data rather than taking or buying it?

Of course, here at digi.me, where we have built our vision on the Internet of Me principles and ideals of the individual at the centre of their connected world, in control of what happens to their data, it’s no big surprise which side we are leaning towards.

But it’s clear there is an ongoing debate, and awareness-raising, to be had about ethics and best practice around the issue of personal data.

While the House has now also voted in favour of this bill, it’s not completely clear whether the White House will sign it without amendments.

But President Trump has said time and time again that he is the people’s voice – and now is a perfect time for this new Administration to hear this voice.

There are increasingly ways, such as digi.me, for both privacy and data-sharing to be compatible, and these should be explored – although consent is always the better choice, resulting as it does in a more meaningful dialogue.

The bottom line here is that the ISPs are acting perfectly legally, and feeding businesses who are desperate for data and know – at the moment – of no other way to get it.

This change will come, both in awareness and through legislation such as the EU GDPR, which gives many more rights back to individuals around their personal data, and which we firmly believe will prove to be a boon to businesses and innovation when it comes into law next year.

But until then the focus should not be on condemnation or scorn, but showing a better way through the use of data consented at the source.

Then, and only then, can we move forward into a world where our data is ours alone and we share it only through choice.

Digi.me gearing up for RightsCon Brussels

We’re delighted to be attending RightsCon Brussels this week, joining an incredible roster of speakers plus new technology showcases, all inspiring how we build tomorrow’s internet.

Our founder and Executive Chairman, Julian Ranger, will be giving a Lightning Talk on how we can solve personal data privacy issues through sharing more in the Internet of Me.

This session is part of the Personal Data and Privacy Stream, and other talks in the same session include the next steps at the UN for the right to privacy in the digital age, how we advance human-centric personal data, and why the internet should be decentralised.

Altogether, RightsCon Brussels will bring together 1,300+ attendees from 95 countries with 500+ organisations, tech companies, universities, startups, and governments represented in a three-day event covering current and emerging issues, such as privacy and data protection, encryption and cybersecurity and the Internet of Things.

It’s going to be interesting, stimulating and exhilarating – and we’re delighted to be a part of it!

 

 

10 key things you need to know about the EU GDPR and personal data

The General Data Protection Regulation (GDPR) becomes law across Europe in May 2018, replacing a patchwork of data protection laws across the various member states and essentially making privacy the new norm.

Wide-ranging in its scope, a key theme is returning a lot more power over personal data to individuals, who will have new and increased rights over what personal data is collected, what it can be used for and what happens when they want to remove consent.

The GDPR also includes a ‘right to be forgotten’ as well as the right to know when your personal data has been hacked, and replaces rules dating back to 1995, when the internet was in its infancy.

Completely in tune with digi.me’s vision to unlock the power of personal data by returning control and ownership to those who create it in the first place, the new law will apply not just to businesses based in the EU, but also to those dealing with EU citizens.

Here’s a quick guide to the main features:

  1. Privacy by design means that when you download an app or sign up for a service, you should not be asked for data that is not directly needed or relevant for the purposes of interacting with that app or service. Services should no longer be asking for capabilities they don’t actually need, which will immediately restrict data leakage.
  2. Explicit permission means just that – when you give permission to an app or website to have or use your details in a specific way, they can’t use it for any other purpose or, crucially, sell it on to third parties.
  3. Data portability gives you the right to ask for any data that a company has about you, which should be returned in a machine-readable form so that you can reuse it, for example to give it to another service provider.
  4. Giving someone your data doesn’t mean they will always have access to it – under the GDPR you have a right to be forgotten and will be able to ask companies or platforms to delete your data if you no longer want them to have it. The two caveats to this are a) that this won’t apply to some information that there is a legal requirement to keep, for example medical records and b) that it is also a personal right to forget, distinct from the 3rd party Right to be Forgotten, where individuals can request that outdated or undesirable information about them be removed from search engines. (read more about the difference here)
  5. Clear and affirmative consent will be needed before private data is processed and this will require an “active step” such as ticking a box. The Parliament is clear that “silence, pre-ticked boxes or inactivity will thus not constitute consent. In future, it should also be as easy for a person to withdraw consent as to give it.”
  6. Right to be informed in plain and clear language – MEPs have insisted that the new rules will put an end to “small print” privacy policies and that information should be given in clear and plain language before any data is collected.
  7. Clear limits on the use of profiling – new limits where automated processing of personal data is used to “analyse or predict a person’s performance at work, economic situation, location, health, preferences, reliability or behaviour”, including creditworthiness. Under the new regulation, profiling would generally only be allowed with the consent of the person concerned, where permitted by law or when needed to pursue a contract and should comprise a human element, including an expectation of the decision to be reached. MEPs also insisted that profiling should not lead to discrimination or be based solely on sensitive data, such as ethnic origin, political opinions, religion or sexual orientation.
  8. One law for the whole continent – one of the biggest attractions is that Europe will now be covered by one law, applied in the same way everywhere, instead of a patchwork of national ones. Eliminating the need to consult local lawyers in each country a business has dealings or premises will see direct cost savings as well as legal certainty. Savings from dealing with one pan-European law rather than 28 are estimated at €2.3bn per year.
  9. Regulatory one-stop shop – businesses will only have to deal with one regulatory body rather than 28, making it simpler and cheaper for companies to do business in the EU.
  10. The new rules promote techniques such as anonymisation (removing personally identifiable information where it is not needed), pseudonymisation (replacing personally identifiable material with artificial identifiers), and encryption (encoding messages so only those authorised can read them) to protect personal data.

Overall, the new data protection rules give businesses opportunities to remove the lack of trust that can affect people’s engagement through innovative uses of personal data. Giving individuals clear, effective information about what their data is being used for will help build trust in analytics and innovation for the benefit of all.

The new rules will be backed up by harsh sanctions including fines of up to 4pc of a company’s global turnover if they don’t comply.

Driving interoperability adoption with the Kantara Initiative

Here at digi.me, we have three driving principles that inform and influence every step we take.

Two of them, you won’t be surprised to hear, are privacy and security – but the third is slightly less obvious. What is it? It’s interoperability, and it’s absolutely vital in the field of personal data ownership and control.

The ability for open data exchange, and for data from various platforms and businesses to be brought together in a reusable and useful format demands interoperability, which in itself requires common standards and ontologies.

If we are to bring (as we must to regain full control over our personal data) massively disparate sources of data together, and then require them to function together as a whole, at least for processing purposes, interoperability is the only way forward.

And so the work on advancing that becomes hugely important – which was a key reason behind digi.me joining the Kantara Initiative, as they are doing a great deal of pioneering work in this area.

Julian Ranger, Founder and Executive Chairman of digi.me, said: “It is important that we are leading the work to promote cross-business and cross-platform interoperability to allow individuals to maximise the use of their personal data whilst having full control.

“To this end, we have joined the Board of Kantara and are active within their Working Groups promoting development and adoption of standards for the Personal Data Ecosystem.”

Find out more about Kantara in this short leaflet summarising their most notable activities.

Sir Tim Berners-Lee: Loss of personal data control is an Internet tragedy

The loss of control over personal data sharing is one of the three biggest threats to the world wide web as it currently exists, according to its founder.

Writing an open letter in The Guardian to mark the 28th anniversary of his creation, when he wrote the initial proposal for what became the web, Sir Tim Berners-Lee said he has become increasingly worried over the past year about three new trends, which he believes “we must tackle in order for the web to fulfill its true potential as a tool that serves all of humanity.”

And he is keen to see personal data control put back in the hands of those who create it as a major step to solving the first one.

Regarding this first point, loss of personal control of data, he wrote: “The current business model for many websites offers free content in exchange for personal data. Many of us agree to this – albeit often by accepting long and confusing terms and conditions documents – but fundamentally we do not mind some information being collected in exchange for free services.

“But, we’re missing a trick. As our data is then held in proprietary silos, out of sight to us, we lose out on the benefits we could realise if we had direct control over this data and chose when and with whom to share it.

“What’s more, we often do not have any way of feeding back to companies what data we’d rather not share – especially with third parties – the T&Cs are all or nothing.”

This, of course, chimes 100 per cent with the Internet of Me vision, where individuals at the centre of their connected world are in charge of their data and what is shared and with whom.

This ideal world, as well as being at the heart of our personal data and company mission, will also be front and centre of the next version of our app, which will allow both more streams of data to be collected in a private library, and the capability for sharing slices of data directly with companies for personalised rewards.

Sir Tim goes on to point out that this widespread data collection by companies has other impacts, notably increasingly giving governments the ability to watch our every move online, which creates a chilling effect on free speech.

Combined with the two other major issues of the web making it too easy to spread misinformation and the need for greater transparency in online political advertising, he writes: “These are complex problems, and the solutions will not be simple. But a few broad paths to progress are already clear.

“We must work together with web companies to strike a balance that puts a fair level of data control back in the hands of people, including the development of new technology such as personal “data pods” if needed and exploring alternative revenue models such as subscriptions and micropayments.”

Ultimately, he said: “It has taken all of us to build the web we have, and now it is up to all of us to build the web we want – for everyone.”

 

 

 

UK’s data protection body issues GDPR guidance on consent

The Information Commissioner in the UK has put out for consultation draft guidelines on what businesses and organisations handling personal data will need to do to comply with the new GDPR.

In the draft guidance, the ICO notes that: “The GDPR sets a high standard for consent. Consent means offering people genuine choice and control over how you use their data.

“When consent is used properly, it helps you build trust and enhance your reputation.”

The draft guidance’s key points include:

• Doing consent well should put individuals in control, build customer trust and engagement, and enhance your reputation.

• Consent means offering individuals genuine choice and control.

• Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default.

• Explicit consent requires a very clear and specific statement of consent.

• Keep your consent requests separate from other terms and conditions.

• Be specific and granular. Vague or blanket consent is not enough.

• Be clear and concise.

• Name any third parties who will rely on the consent.

• Make it easy for people to withdraw consent and tell them how.

• Keep evidence of consent – who, when, how, and what you told people.

• Keep consent under review, and refresh it if anything changes.

• Avoid making consent a precondition of a service.

Overall, the draft guidance sets out how the ICO interprets the GDPR, key changes from existing data protection regulation, and its general recommended approach to compliance and good practice.

But it is also clear that the guidance will need to evolve both to take account of future guidelines issued by relevant European authorities, and according to experience once the law is in place from May of next year.

Digi.me’s Julian Ranger elected to MEF global board

Julian Ranger, the founder and executive chairman of digi.me, has been elected to the global board of Mobile Ecosystem Forum (MEF).

Digi.me is already a full member of the global trade body, and Julian has been working closely with MEF as part of the Consumer Trust working group to enable businesses to successfully take advantage of the transition to personal ownership of data.

As part of this, he has contributed to a major submission to the EU’s Horizon 2020 funding which would allow MEF to undertake trials and research, as well as introduced MEF to potential strategic partners and promoted its work to key personal data innovators.

He said: “I am delighted and privileged to be elected to the Global Board of MEF, where I will be particularly supporting the MEF’s Trust and Personal Data initiatives and helping to develop interoperability requirements.

“As privacy becomes ever more a focus, especially with new laws such as GDPR, there is a strong belief that this presents an opportunity to businesses that embrace change with Trust rather than being a bar on business.”

In his election submission, Julian promised to focus on ensuring that MEF’s Consumer Trust initiative develops as the ‘doers group’ vis-à-vis other industry efforts – delivering value to members whilst addressing industry imperatives around research, interoperability and new use cases.

He also looks forward to supporting the Executive with dedicated introductions and business ideas to identify investment and partners to support these crucial activities.

Even if you ignore privacy, old-school data sharing is just so tedious

Technological innovation is a boon to time, to data sharing and to the imperfect nature of human beings who are far too capable of losing forever things that are precious to them.

In our time-poor society, there is a marked desirability for anything that does a task more efficiently – and that applies to the storage and search of personal data as much as anything else.

Consider an ongoing case study from yours truly. My parents being of an age where they are minded to get everything in order, piles of documents and photos have been arriving frequently from my childhood home.

These, encompassing school reports, baby pictures and all manner of things in between, are fascinating to look back on and hold emotional and entertainment value for me now, as well as potentially my children in the future.

But these flimsy paper and card memories have done well to get this far reasonably unscathed bar the odd coffee stain – and won’t last indefinitely unless I scan them to make them into a more permanent record by the standards of our time. Which, to be fair, is pretty unlikely.

Not to mention that they can’t simply be pinged over in an email, requiring physical transport as well as storage on arrival. So you’ve got to be very determined to share them successfully, and confident the recipient will like them enough to keep hold of them safely.

Consider the difference with photographs, in particular, now – synced to the cloud, stored on our phones or computers to leaf through at will – and it’s clear how much the shift to digital has revolutionised our data as well as our lives.

My parents are reasonably tech savvy these days, but my children will never know the delights (and frustrations) of waiting to get your holiday photos back from the chemist, so you could see what you’d actually taken and whether it was remotely in focus.

To them – to all of us, these days – pictures are as instant as the memories that generate them. And in all likelihood will survive longer.

Life still has to catch up with technology in terms of what happens to our collections of data after we die, but they exist at scale, and can be stored and shared with ease by both parties.

Which is pretty magnificent in itself.

 

 

Digi.me featured in The Economist as the way forward for personal data sharing

It’s always a delight to read a thought-provoking article in a news magazine you admire and find an unexpected reference to the good work your company is doing.

That was my happy experience earlier in the week, when the article, with a snappy tagline of ‘Should our bankers and insurers be our Facebook friend?’ had already drawn me in (headlines like Big data, financial services and privacy have a tendency to do that.)

The piece is an explanation of what one contributor calls “an intensifying data arms-race in finance” – or the fact that additional factors, such as posts, language and tone on social media posts, are increasingly being used to help decide insurance premiums.

As ever when data is scattered freely without thought for potential consequences, having someone delving in your digital life that you didn’t expect to see there can go either way.

As the article explains: “Data can improve predictions of whether someone will fall ill or drive into a tree. Good algorithms are faster and cheaper than underwriters. Insurers also claim that the better they know customers, the more they can help change bad habits.”

Good potential use case – the insurer finds someone is about to do a bungee jump, but his or her life insurance policy doesn’t cover this – cue offering an add-on for a more tailored product.

But, as ever, there is a flip side as well: “The riskiest customers, and those offline, might be priced out. The more the industry relies on complex—and proprietary—algorithms, feeding machines that keep learning, the harder it will be for customers, and regulators, to untangle why they were rejected.”

As the article makes clear: “Algorithms can be wrong. A bilingual speaker’s search-engine entries could look erratic; a social-worker’s location-tracker could imply a risky lifestyle.”

And since it is unclear how judgments are made, says Frederike Kaltheuner, from Privacy International, “you could get stuck in a Kafkaesque situation where you’re put in a certain box and can’t find out why, and can’t get out.”

While regulation, and indeed customers themselves, have a role to play in this, it is technology that will ultimately find ways to make this work for all parties. And that is where digi.me comes in.

“New businesses that give people more control over data, such as digi.me, which lets users share data only with those they want, hold promise. If such tools help users become their own data-brokers, they may be willing to share more data with their mortgage lenders or insurers,” the article states.

“But trust will truly be earned only if financial firms, old and new, get ahead of the game and start talking to customers about what’s really going on behind their screens.”

So, ultimately, leaving the customer out of the equation while mining their data is going to fall out of favour, and fast.

The individual at the centre of their connected world, as in the Internet of Me model, in control of their data and what happens to it, is very definitely the future.

 

Mozilla Internet Health Report: what lies ahead for the web?

As the web wraps ever tighter around us, Mozilla’s open-source Internet Health Report is investigating what is helping (and hurting) our greatest shared global resource.

The aim is to start a conversation with the “citizens of the internet” about what is healthy, what is not – and what lies ahead for the ecosystem as it continues to evolve, along with a proliferation of connected devices.

The initial version covers familiar Mozilla topics like decentralisation, open innovation, and online privacy and security, through to newer areas like digital inclusion and web literacy.

Chosen because they are all deeply intertwined, Mozilla believes these issues and the choices we make around them have a deep impact on how the internet functions.

A Mozilla blog explains: “The Internet of Things, autonomous systems, artificial intelligence: these innovations will no doubt bring good to our lives and society. However, they will also create a world where we no longer simply ‘use a computer,’ we live inside it.

“This changes the stakes. The Internet is now our environment. How it works — and whether it’s healthy — has a direct impact on our happiness, our privacy, our pocketbooks, our economies and democracies.”

So the health of the internet becomes of critical interest to us all, and we all need to play our part in creating a global movement to safeguard it.

The blog goes on to say: “We need to help people understand what’s at risk and what they can do.

“We have started work on the Internet Health Report at Mozilla for exactly this reason. It is an open source project to document and explain what’s happening to this valuable public resource.”

To find out more about contributing to future versions of the report, click here.