Every week we are hearing more about data breaches, hacks, identity thefts, you name it. Our personal data and privacy is at risk. What should we do? Delete Facebook? Turn off GPS? Retreat from the online world into the woods? The answer involves learning a bit more about why this happening, taking the right personal steps and then continuing the conversation so collectively we move towards a data paradigm with better outcomes for individuals and businesses.
I’m writing on the topic after the recent avalanche of news in the area and the release of Digital Rights Watch’s (DRW) report titled the The State of Digital Rights. The report discusses our access to and privacy on the internet, and seeks to raise awareness about our digital rights online which it says are an aspect of human rights. It’s certainly timely. Beyond the news and clickbait headlines, this certainly isn’t a topic discussed enough in depth so I’m continuing the conversation in this post with a focus around data tracking, ownership and online privacy.
Metadata, data collection and encryption
These aren’t new facts, but the report highlighted laws (here in Australia) that really trade off our online privacy rights for the objective of national security. Metadata is the information surrounding your online content. Not the content, but to whom it was sent or where it was sent from (geo-location data). The law states:
- your telco must retain your metadata (for at least 2 years),
- law enforcement and security agencies don’t need a warrant or any authorisation to obtain this data,
- agencies don’t need to establish that access is for investigating or fighting a serious crime,
- agencies don’t need to inform you if they do access your metadata.
Data collection activities are expanding and being used to surveil and police us. We are shifting into a world where policing is increasingly data-driven. Law enforcement agencies are using predictive analytics (algorithms informed by large datasets) to predict where crime may occur. This can be a good thing - police are more proactive - but there are downsides too. The creation of large datasets of people not even suspected of a crime, the potential for false positives, social/racial profiling and the lack of penalties for the misuse or loss of that data to name a few.
As data collection activities expand, our right to digital privacy slowly erodes. More of us are starting to self-censor and become selective with what we do online. We use VPNs because we know our activity may be analysed and our identity tagged and classified. It’s no secret that algorithms based on some heuristics will tag, record and notify right after we make a series of communications or interactions to/with certain platforms or channels.
At inception, the internet was pure and free; a borderless digital platform where freedom of speech was first and foremost. We now self-censor as we fear what personal data is being collected on us. Freedom of expression online is diminishing. Metadata retention legislation makes it worse for individuals. It’s a reason why the DRW report calls for its repeal.
The collection of metadata is only the beginning. It may also be the content of our messages we have to be worried about. We must not forget about the PM’s regrettable idea about weakening encryption to get the criminals which could be introduced as law soon. Weakening encryption to get the bad guys, just undermines encryption standards for everyone else. Forcing companies to build backdoors so governments can access messages at the end point will just allow bad actors to exploit those same systems. Our encryption protocols are borderless global standards, our data traverses borders. Balancing freedom and safety is complex, but weakening or curtailing encryption won’t help anybody let alone our national cybersecurity objectives.
The Consumer Data Right
The DRW report recommends the creation of a Data Protection Authority similar to the European Data Protection Authority to uphold the rights to digital privacy and data protection. In May we saw $AU45m budgeted for the establishment of the Consumer Data Right (CDR). The CDR is supposed to follow the lead set in Europe with the General Data Protection Regulation (GDPR).
The CDR hasn’t been developed yet, so we’ll have to wait to see what it offers. It looks like it will be born out of Treasury department. Initially it is set to apply to the banking, energy and telecommunications sectors. Ideally, there should be a separate body that oversees these new rules. This area is broader than any single government department and is certainly worthy of its own dedicated department to develop and mature the policy going forward.
These regulations will help. They give us greater rights to control our own digital data trails, keep businesses accountable and force them to think strategically about their data privacy and cybersecurity systems and capabilities. The idea is that these regulations will also bring greater competition in the economy by giving consumers data portability. In theory yes, but I think this is quite speculative. What is more certain is that this will create costs for businesses.
For some who rely heavily on data in their business models this may potentially reduce their competitive advantage. Tom Burton further explores the topic in a great article here. The real driver of greater competitiveness won’t be top-down regulations on industry, but market-driven open source transformation. We are already seeing a parallel financial system emerge driven by Bitcoin and other open-source cryptocurrencies. This trend will continue as open source comes to other industries beyond software.
Problems with our current systems will unfortunately still persist despite regulatory changes. Centralised platforms like Google and Facebook still own your data. Access to and ownership of that data are different concepts, just as Oli Frost learnt when trying to auction his data off. Regulations help but there is no intrinsic incentive for a large corporate to disclose their data practices. If something goes wrong with the management of your data at corporate end, the users are usually the last to hear about it.
Regulations about mandatory reporting of data breaches do exist, but the internet is a global network. Users from one country access services in another country, and these regulations may not be harmonised between both nations. Raising questions around which laws apply in a given situation - host country or user country.
Market drivers towards decentralisation
Individual users are now seeking greater control over their online identity, privacy and data. The online data we create is highly valuable to business. For some, data collection and analysis form a core part of their business models. This data is gifted by users in exchange for services. Problems arise when businesses either misuse that data, or it’s breached through hacks and exploits and reaches the hands of unauthorised persons.
Corporate mishandling and misuse of our data coupled with greater data collection and surveillance by governments is clearly on the increase. As we generally lack the ability to explicitly set permissions around who can access our data, and the ability to verify those permissions, trust problems between consumer and business have been deepening. Decreasing digital rights and privacy are symptoms of increasingly powerful centralised networks. These issues are driving users to seek decentralised alternatives to meet their needs.
Decentralisation describes the design of a network that isn’t managed by a central group. Decision making is brought to the community rather than small groups of people with controlling power. These new systems are being built on blockchain, or distributed ledger technologies. Startups are building new decentralised applications (dapps) on these platforms that manage data and identity with greater transparency, security and accountability for users, than the often closed and opaque efforts of existing centralised services.
These innovative new applications are giving control and rights back to users. They are being developed now and there are many examples to explore to learn more about how this emerging landscape will impact existing systems. Consensys is building uPort a self-sovereign identity system on the Ethereum blockchain. Bron.tech and Dock are building decentralised networks where users own and manage their own identity and data trails. Akasha is a developing a decentralised social media network. Many other dapps are being built to address other use cases as well.
For businesses who integrate with new identity and data management systems, meeting regulatory requirements such as GDPR will actually be easier as they are storing less of the data themselves. What it means for governments is a deep discussion. These technologies and new dapps will bump up against existing systems but certainly push us towards more open democracy at the same time.
It’ll be a while before we see great decentralised applications scale out, disrupt and make a large impact - but it’s coming.
What to do now
Digital Rights Watch does a fine job in raising awareness, informing policy and lobbying for better outcomes based on rules and regulation around our digital rights. It should continue to do so. There are other recommendations in the report that I haven’t touched on, so please do explore them. We’ll probably see further support for the eSafety initiatives for children but I personally don’t hold much hope that in the short term the current government will implement many more. There is now solid attention on general cybersecurity for defence, government and business, but there simply seems to be no one within the government with the foresight to champion individual digital rights for Australians.
If you are a business owner, you can make a difference and build greater trust with your users by thinking about their data privacy. Don’t wait to be told; think about how you are handling your users’ data before it comes back to bite you. If you have users in the EU, to comply with GDPR you’ll need to do this anyway. Some of the basics:
- Understand what data you are storing in the cloud,
- Know if you are storing identifiable information (peoples’ names, contact details, transactions),
- Collect only what you need - do you really need info on race, ethnicity, political, or religious beliefs?
- Implement systems to protect data from loss and unauthorised access,
- Start researching decentralised identity and data management for future integration.
And for everyone else, should we even care about all of this? I feel it’s a debate we continually need to have. I believe it cannot be excused away. As Mr Snowden reminds us, “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”
I believe that individuals should be empowering themselves to understand the digital world they reside in, what gets tracked, what doesn’t, what rights you have, and what rights you don’t. The best thing we can do right now is minimise and anonymise our digital trails and be selective about the applications and systems we use - I’ll write more on that in the future. For now keep reading and keep learning. It’s critical we understand the system just as much as the system understand us.