On April 10th, Mark-have-I-said-I’m-sorry-enough-yet-Zuckerberg was facing a Senate Committee, pretending to sound responsible and issuing the occasional “mea culpa.” The senators, as one would expect, didn’t understand the technology side and spent most of their time trying to say something memorable. Kudos went to Lindsey Graham (R-SC) for mentioning the word “monopoly.” This word strikes fear into the hearts of big company executives, and can make a social network CEO melt like that Nazi villain in Raiders Of The Lost Ark. But it didn’t.
Nevertheless: Personal data abused, elections interfered with, citizens outraged — no doubt we’ll soon see a convoy of regulations coming down the pike. Politicians are filling the air with sound-bites that suggest imminent action and express noble goals (along party lines of course). One might get the impression that sometime soon, no single piece of personal data will ever be bruised or abused again. Dream on.
For one thing, the Facebook business model depends entirely on exploiting personal data, and no politician wants to be responsible for downing America’s sixth largest company. So expect a poorly formulated “Privacy Bill of Rights” or “Bill of Privacy Rights” to emerge.
Subsequently, lobbyists will circle like vultures over road kill until the traffic dies away, so they can dip their beaks into the impending legislation to “enhance” it. They will prevent any of the companies they represent (Facebook, Google, Twitter, et al.) from losing a dime of revenue, and with a fair wind, they may actually turn it into a revenue opportunity.
That’s how it might have happened, if the EU hadn’t ruined the game. Unfortunately for our beloved data pirates, the EU has set the bar for privacy legislation and it’s not a low one. American politicians may feel the urge to compete — but sadly they’re unfit.
High-Speed EU Data Privacy
Briefly explained, EU data privacy, which goes by the name of GDPR, amounts to the following (skim or skip this bit if you hate reading about regulations):
- The right of consent. No organization can store your data unless you freely give your informed and specific consent to every way that it uses the data through deliberately opting in. Without that, no organization has the right to store your data, even though you may have entered it.
- The right to be unpredictable. The automated processing of personal data to analyze or predict an individual’s behavior is curtailed. In particular, such prediction is forbidden if it will have a significant impact on the individual, such as in a hiring or credit decision. (Equifax, why weepest thou?)
- The right of access. This goes beyond having access to data that is held: it includes knowing what data is held; how it was acquired; how long it will be kept; how it has been processed and why; to whom the data has been disclosed (I’m looking at you, Mr. Zuckerberg); and if it has, how it has been protected.
- The right to change. You have the right to change (i.e., correct) any of the data held about you.
- The right to erasure. This is also referred to as the right to be forgotten. You cannot keep my data if I do not want you to. You must delete it.
- The right to portability. You can request all your data from an organization, and it must be transferred in a “machine-readable” format — so a CSV file will do.
- The right to know. This is my personal favorite. You have the right to know whether an organization (any organization) is holding your data. It has to tell you.
- The right to complain. And finally, the “don’t mess with my data or I’ll report you” clause. There is a supervisory authority (the data police) to whom you can report data misdemeanors and felonies.
Can America Beat The EU?
There’s scant possibility that the US legislative system will get even halfway to where Europe is. They don’t have the players. The US legislative team has been performing abysmally of late — they haven’t won a trophy since the LA Dodgers last won the World Series. But perhaps it doesn’t matter. Promising new teams are emerging from the newly formed crypto economy, and they may do the job on America’s behalf. They may even go further.
Crypto businesses that preside over personal data tend to give a damn about privacy. As new businesses that are de-facto-international, they’d be stupid to flout GDPR, so they don’t. Some, like Permission.io (the company I work for, previously Algebraix) are going further than GDPR. Rather than explain the technology employed (it’s complicated), let me frame it in the terms I’ve used above to describe the EU’s personal data rights program.
We would like to enhance those handsome regulations in the following way:
- The right to personal cryptographic control. You have the right to personal cryptographic control (by private key) of ALL your personal data and the right to provide permission for its usage at the item level.
- The right to anonymity. You have the right to have your data anonymized when requested by others so that it does not include any personal data that identifies who you are. (This may seem impossible to implement, but it isn’t, because of the next right.)
- The right to zero knowledge proof. You have the right to employ zero-knowledge proofs to provide credentials to preserve your anonymity.
OK. I realize that explaining and demonstrating that the above is both practical and possible involves more than me just writing it down. So I’ll explain what we mean in a future posting.