Tag Archives: personal data

NHS cyber attack shows perils of not holding our own personal data

The global cyber attack that hit huge corporations worldwide and paralysed much of the UK’s National Health Service showed one thing above all – how easily centralised siloes of data can be rendered obsolete.

The Wanna Decryptor ransomware attack, which is believed to have affected more than 200,000 systems in over 100 countries, making it the biggest in history, locked computers and systems before holding files hostage until a ransom was paid.

This had a massive impact on hospital trusts across the UK, which were unable to access patient data for treatment, meaning they were forced to send patients away and cancel appointments.

This was far from an attack aimed at the NHS, as some initially feared – but it did show its vulnerabilities – and not just in using older Microsoft computers that hadn’t been patched to cover known security issues.

Rather, it emphasised the loss of control that we all have over our personal data when, instead of having a copy ourselves, it is held in giant siloes controlled by others. And, which may or may not be significant in this case, such siloes tend to prove very attractive honeypot targets for hackers because of the wealth of data they contain.

If we each had a copy of our own health data, the impact on the NHS would have been minimised dramatically. Anyone turning up for treatment or an appointment could have shown the relevant diagnostic and prescription history from within their digi.me app, presumably enabling further action to go ahead instead of mass cancellations.

And this is not just talk of a brave new world – it’s on the cusp of reality, with both a new version of our app and an exciting project demoing just this experience due to be announced within weeks.

The world will never be free of those who want to disrupt, harm and make money through nefarious means. But if we have control over our own data, through the principles of the Internet of Me, we take away a great deal of their power – certainly in their capacity to bring chaos to our lives.

Personal data – the fuel of the future?

Is Data really the world’s most valuable resource, the oil of its day?

That’s the scenario being posited as the lead story on the front page of The Economist – and what this titan of financial publishing and thought says, others listen to.

Of course, here at digi.me we have long been big believers in the power of data to transform and innovate, for individuals, businesses, society and even governments.

But we also know we’re riding the front of a wave, to some degree waiting for the world to catch up with us about the importance of both protecting and owning the elements that make up your very own, very personal digital footprint.

Thankfully, the importance of personal data is an issue that is pushing itself more and more to the forefront of discussion and awareness with every passing month. Incoming EU legislation, the GDPR, which has a great focus on individual power over personal data, will also force more conversations and visibility ahead of its implementation in a year’s time.

But the main Economist article and associated briefing is a great primer for those hoping to get up to speed on this important issue, straddling as it does the middle line between data’s power and the issues misuse of it can cause.

For example, it is clear that: “Data are to this century what oil was to the last one: a driver of growth and change. Flows of data have created new infrastructure, new businesses, new monopolies, new politics and—crucially—new economics.

“Digital information is unlike any previous resource; it is extracted, refined, valued, bought and sold in different ways. It changes the rules for markets and it demands new approaches from regulators.

“Many a battle will be fought over who should own, and benefit from, data.”

But it also adds: “There is cause for concern. Internet companies’ control of data gives them enormous power. Old ways of thinking about competition, devised in the era of oil, look outdated in what has come to be called the “data economy”. A new approach is needed.”

Its clarity, too, on what has fuelled this new approach: “What has changed? Smartphones and the internet have made data abundant, ubiquitous and far more valuable.” adds to its authority – this is a well-researched article, and all the more enjoyable for that.

It is a wide-ranging and very thorough piece, looking at all elements of the data economy (not just personal) and in particular what should be done with the Amazons, Googles and Ubers who own, or have access to, huge swathes of it.

Specifically looking at the personal data economy, it speaks of consumers and online giants being “locked in an awkward embrace…but…also showing symptoms of what is called “learned helplessness”: terms and conditions for services are often impenetrable and users have no choice than to accept them (smartphone apps quit immediately if one does not tap on “I agree”).”

It adds: “For their part, online firms have become dependent on the drug of free data: they have no interest in fundamentally changing the deal with their users. Paying for data and building expensive systems to track contributions would make data refiners much less profitable.”

Once again, we couldn’t agree more with this analysis of the current state of data trading – but we are confident that the Internet of Me, and the data revolution that platforms such as digi.me which operate under its principles will bring, are a full and proper solution to these issues. And moreover, a solution that is set to take the world by storm.

Digi.me named as finalist in the Citi Tech for Integrity Challenge

Digi.me is delighted to have been chosen as a finalist in the Citi Tech for Integrity Challenge, which is searching for innovative and workable solutions to key problems in the financial and governmental sectors.

Our bid, showcasing digi.me as a product that can help deal with challenges as diverse as corporate governance, anti-money laundering and identity validation, has now passed through two rounds and been shortlisted for a demo day in Dublin later this month.

Here, we will showcase a demo version showing multiple streams of data being uploaded to the app, with innovations addressing the specific ‘pain points’ being shared in presentation format.

These include using technology to analyse and identify patterns of fraudulent health insurance claims, and leveraging emerging technologies such as blockchain to create digital identities for the large population of people, such as refugees, who do not have legal identity papers.

Julian Ranger, digi.me Founder and Executive chairman, said: “Digi.me has always been a platform that will benefit both individual users and those that need to access consented data, and we know there are multiple and important use cases for it in society at large, over and above enabling the global population to take ownership of their own data.

“In these instances, it can enable much higher effectiveness and efficiency in distribution of services to people in distress. Respect of privacy between individuals and organisations is of utmost importance. With digi.me, users’ privacy is of the highest priority.”

At the demo day, digi.me will demonstrate how our product can be used to:

  • enable governments to efficiently and effectively identify refugees who have had to flee their home countries without identification papers. Their digi.me account is effectively an audit trail of their online life and therefore a way to identify both them and their circumstances, as well as reducing costs and waiting times for immigration departments.

  • enable insurance companies to reduce insurance fraud, with a knock-on effect of reducing insurance premiums for consumers

  • enable governments and NGOs to identify the correct individual recipient of any offered support, using their digi.me account to validate who they are and audit what was received. This method could be used for goods, vouchers or financial support whether beneficiaries are present or not.

Digi.me, which has focused largely to date on social media content, is undergoing a major update in the next few weeks which will see the ability to add financial and health data, with more categories of data becoming available over the next months. This update also sees the first public release of digi.me’s Consent Access capability which allows third parties to build apps requesting individuals to share their data – five such apps are already in production.

The demo will be shown to judges including Colin Moreland, Citi’s Treasury and Trade Solutions Country Head, David Burrows, MD, Microsoft’s Intl Organizations, Ken Moore, Head of Mastercard Labs, and Yolande Piazza, Citi’s CEO of Consumer Fintech.

ISPs selling personal data: we need to frame the debate around consent

The US Senate’s vote to roll back rules preventing ISPs from collecting and selling personal data has generated an enormous amount of controversy.

On the one hand, de-regulating the stifled and stagnating US economy is a necessary move to restart growth and boost innovation.

And of course everyone understands businesses want and need data – it’s their fuel, their magic juice – and something they rely on heavily to try and stay ahead of their competitors.

But those arguments, valid as they are to a degree, overlook the big elephant in the room: consent. Specifically, the rights of individuals to have a say in what happens to some pretty sensitive personal data collected about them through their full browsing history.

Consent is the missing ingredient in this current debate – and its omission means all sides lose out.

Individuals, of course, lose out in this equation because their personal data is being sold on behind their backs without their consent, or indeed without any benefit to them.

But businesses are losing too because they would get better quality, more useful data if they went direct to the source – the individual themselves – and offered something desirable as an exchange.

Additionally, their ability to thrive depends on them being able to deliver the right offer to the right person at the right time. This, in turn, requires better engagement overall, and engagement means conversation. What better way to have a conversation than by starting the relationship asking for data rather than taking or buying it?

Of course, here at digi.me, where we have built our vision on the Internet of Me principles and ideals of the individual at the centre of their connected world, in control of what happens to their data, it’s no big surprise which side we are leaning towards.

But it’s clear there is an ongoing debate, and awareness-raising, to be had about ethics and best practice around the issue of personal data.

While the House has now also voted in favour of this bill, it’s not completely clear whether the White House will sign it without amendments.

But President Trump has said time and time again that he is the people’s voice – and now is a perfect time for this new Administration to hear this voice.

There are increasingly ways, such as digi.me, for both privacy and data-sharing to be compatible, and these should be explored – although consent is always the better choice, resulting as it does in a more meaningful dialogue.

The bottom line here is that the ISPs are acting perfectly legally, and feeding businesses who are desperate for data and know – at the moment – of no other way to get it.

This change will come, both in awareness and through legislation such as the EU GDPR, which gives many more rights back to individuals around their personal data, and which we firmly believe will prove to be a boon to businesses and innovation when it comes into law next year.

But until then the focus should not be on condemnation or scorn, but showing a better way through the use of data consented at the source.

Then, and only then, can we move forward into a world where our data is ours alone and we share it only through choice.

Digi.me gearing up for RightsCon Brussels

We’re delighted to be attending RightsCon Brussels this week, joining an incredible roster of speakers plus new technology showcases all inspiring how we build tomorrow’s internet.

Our founder and Executive Chairman, Julian Ranger, will be giving a Lightning Talk on how we can solve personal data privacy issues through sharing more in the Internet of Me.

This session is part of the Personal Data and Privacy Stream, and other talks in the same session include the next steps at the UN for the right to privacy in the digital age, how we advance human-centric personal data, and why the internet should be decentralised.

Altogether, RightsCon Brussels will bring together 1,300+ attendees from 95 countries with 500+ organisations, tech companies, universities, startups, and governments represented in a three-day event covering current and emerging issues, such as privacy and data protection, encryption and cybersecurity and the Internet of Things.

It’s going to be interesting, stimulating and exhilarating – and we’re delighted to be a part of it!

10 key things you need to know about the EU GDPR and personal data

The General Data Protection Regulation (GDPR) becomes law across Europe in May 2018, replacing a patchwork of data protection laws across the various member states and essentially making privacy the new norm.

Wide-ranging in its scope, a key theme is returning a lot more power over personal data to individuals, who will have new and increased rights over what personal data is collected, what it can be used for and what happens when they want to remove consent.

The GDPR also includes a ‘right to be forgotten’ as well as the right to know when your personal data has been hacked and replaces rules dating back to 1995 when the internet was in its infancy.

Completely in tune with digi.me’s vision to unlock the power of personal data by returning control and ownership to those who create it in the first place, the new law will apply to all businesses not just based in the EU, but also those dealing with EU citizens.

Here’s a quick guide to the main features:

  1. Privacy by design means that when you download an app or sign up for a service, you should not be asked for data that is not directly needed or relevant for the purposes of interacting with that app or service. Services should no longer be asking for capabilities they don’t actually need, which will immediately restrict data leakage.
  2. Explicit permission means just that – when you give permission to an app or website to have or use your details in a specific way, they can’t use it for any other purpose or, crucially, sell it on to third parties.
  3. Data portability gives you the right to ask for any data that a company has about you, which should be returned in a machine-readable form so that you can reuse it, for example to give it to another service provider.
  4. Giving someone your data doesn’t mean they will always have access to it – under the GDPR you have a right to be forgotten and will be able to ask companies or platforms to delete your data if you no longer want them to have it. The two caveats to this are a) that this won’t apply to some information that there is a legal requirement to keep, for example medical records and b) that it is also a personal right to forget, distinct from the 3rd party Right to be Forgotten, where individuals can request that outdated or undesirable information about them be removed from search engines.
  5. Clear and affirmative consent will be needed before private data is processed and this will require an “active step” such as ticking a box. The Parliament is clear that “silence, pre-ticked boxes or inactivity will thus not constitute consent. In future, it should also be as easy for a person to withdraw consent as to give it.”
  6. Right to be informed in plain and clear language – MEPs have insisted that the new rules will put an end to “small print” privacy policies and that information should be given in clear and plain language before any data is collected.
  7. Clear limits on the use of profiling – new limits where automated processing of personal data is used to “analyse or predict a person’s performance at work, economic situation, location, health, preferences, reliability or behaviour”, including creditworthiness. Under the new regulation, profiling would generally only be allowed with the consent of the person concerned, where permitted by law or when needed to pursue a contract and should comprise a human element, including an expectation of the decision to be reached. MEPs also insisted that profiling should not lead to discrimination or be based solely on sensitive data, such as ethnic origin, political opinions, religion or sexual orientation.
  8. One law for the whole continent – one of the biggest attractions is that Europe will now be covered by one law, applied in the same way everywhere, instead of a patchwork of national ones. Eliminating the need to consult local lawyers in each country a business has dealings or premises will see direct cost savings as well as legal certainty. Savings from dealing with one pan-European law rather than 28 are estimated at €2.3bn per year.
  9. Regulatory one-stop shop – businesses will only have to deal with one regulatory body rather than 28, making it simpler and cheaper for companies to do business in the EU.
  10. The new rules promote techniques such as anonymisation (removing personally identifiable information where it is not needed), pseudonymisation (replacing personally identifiable material with artificial identifiers), and encryption (encoding messages so only those authorised can read it) to protect personal data.

Overall, the new data protection rules give businesses opportunities to remove the lack of trust that can affect people’s engagement through innovative uses of personal data, while giving individuals clear, effective information about what their data is being used for will help build trust in analytics and innovation for the benefit of all.

The new rules will be backed up by harsh sanctions including fines of up to 4pc of a company’s global turnover if they don’t comply.

Driving interoperability adoption with the Kantara Initiative

Here at digi.me, we have three driving principles that inform and influence every step we take.

Two of them, you won’t be surprised to hear, are privacy and security – but the third is slightly less obvious. What is it? It’s interoperability, and it’s absolutely vital in the field of personal data ownership and control.

The ability for open data exchange, and for data from various platforms and businesses to be brought together in a reusable and useful format demands interoperability, which in itself requires common standards and ontologies.

If we are to bring (as we must to regain full control over our personal data) massively disparate sources of data together, and then require them to function together as a whole, at least for processing purposes, interoperability is the only way forward.

And so the work on advancing that becomes hugely important – which was a key reason behind digi.me joining the Kantara Initiative, as they are doing a great deal of pioneering work in this area.

Julian Ranger, Founder and Executive Chairman of digi.me, said: “It is important that we are leading the work to promote cross-business and cross-platform interoperability to allow individuals to maximise the use of their personal data whilst having full control.

“To this end, we have joined the Board of Kantara and are active within their Working Groups promoting development and adoption of standards for the Personal Data Ecosystem.”

Find out more about Kantara in this short leaflet summarising their most notable activities.

Sir Tim Berners-Lee: Loss of personal data control is an Internet tragedy

The loss of control over personal data sharing is one of the three biggest threats to the world wide web as it currently exists, according to its founder.

Writing an open letter in The Guardian to mark the 28th anniversary of his creation, when he wrote the initial proposal for what became the web, Sir Tim Berners-Lee said he has become increasingly worried over the past year about three new trends, which he believes “we must tackle in order for the web to fulfill its true potential as a tool that serves all of humanity.”

And he is keen to see personal data control put back in the hands of those who create it as a major step to solving the first one.

Regarding this first point, loss of personal control of data, he wrote: “The current business model for many websites offers free content in exchange for personal data. Many of us agree to this – albeit often by accepting long and confusing terms and conditions documents – but fundamentally we do not mind some information being collected in exchange for free services.

“But, we’re missing a trick. As our data is then held in proprietary silos, out of sight to us, we lose out on the benefits we could realise if we had direct control over this data and chose when and with whom to share it.

“What’s more, we often do not have any way of feeding back to companies what data we’d rather not share – especially with third parties – the T&Cs are all or nothing.”

This, of course, chimes 100 per cent with the Internet of Me vision, where individuals at the centre of their connected world are in charge of their data and what is shared and with whom.

This ideal world, as well as being at the heart of our personal data and company mission, will also be front and centre of the next version of our app, which will allow both more streams of data to be collected in a private library, and the capability for sharing slices of data directly with companies for personalised rewards.

Sir Tim goes on to point out that this widespread data collection by companies has other impacts, notably increasingly giving governments the ability to watch our every move online, which creates a chilling effect on free speech.

Combined with the two other major issues of the web making it too easy to spread misinformation and the need for greater transparency in online political advertising, he writes: “These are complex problems, and the solutions will not be simple. But a few broad paths to progress are already clear.

“We must work together with web companies to strike a balance that puts a fair level of data control back in the hands of people, including the development of new technology such as personal “data pods” if needed and exploring alternative revenue models such as subscriptions and micropayments.”

Ultimately, he said: “It has taken all of us to build the web we have, and now it is up to all of us to build the web we want – for everyone.”

UK’s data protection body issues GDPR guidance on consent

The Information Commissioner in the UK has put out for consultation draft guidelines on what businesses and organisations handling personal data will need to do to comply with the new GDPR.

In the draft guidance, the ICO notes that: “The GDPR sets a high standard for consent. Consent means offering people genuine choice and control over how you use their data.

“When consent is used properly, it helps you build trust and enhance your reputation.”

The draft guidance’s key points include:

• Doing consent well should put individuals in control, build customer trust and engagement, and enhance your reputation.

• Consent means offering individuals genuine choice and control.

• Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default.

• Explicit consent requires a very clear and specific statement of consent.

• Keep your consent requests separate from other terms and conditions.

• Be specific and granular. Vague or blanket consent is not enough.

• Be clear and concise.

• Name any third parties who will rely on the consent.

• Make it easy for people to withdraw consent and tell them how.

• Keep evidence of consent – who, when, how, and what you told people.

• Keep consent under review, and refresh it if anything changes.

• Avoid making consent a precondition of a service.

Overall, the draft guidance sets out how the ICO interprets the GDPR, key changes from existing data protection regulation, and its general recommended approach to compliance and good practice.

But it is also clear that the guidance will need to evolve both to take account of future guidelines issued by relevant European authorities, and according to experience once the law is in place from May of next year.

Digi.me’s Julian Ranger elected to MEF global board

Julian Ranger, the founder and executive chairman of digi.me, has been elected to the global board of Mobile Ecosystem Forum (MEF).

Digi.me is already a full member of the global trade body, and Julian has been working closely with MEF as part of the Consumer Trust working group to enable businesses to successfully take advantage of the transition to personal ownership of data.

As part of this, he has contributed to a major submission to the EU’s Horizon 2020 funding which would allow MEF to undertake trials and research, as well as introduced MEF to potential strategic partners and promoted its work to key personal data innovators.

He said: “I am delighted and privileged to be elected to the Global Board of MEF, where I will be particularly supporting the MEF’s Trust and Personal Data initiatives and helping to develop interoperability requirements.

“As privacy becomes ever more a focus, especially with new laws such as GDPR, there is a strong belief that this presents an opportunity to businesses that embrace change with Trust rather than being a bar on business.”

In his election submission, Julian promised to focus on ensuring that MEF’s Consumer Trust initiative develops as the ‘doers group’ vis-à-vis other industry efforts – delivering value to members whilst addressing industry imperatives around research, interoperability and new use cases.

He also looks forward to supporting the Executive with dedicated introductions and business ideas to identify investment and partners to support these crucial activities.