Sep 1, 2021

5 min read

1. Data Ownership: beyond data protection, towards data access control

When everyday Internet users started hearing about data in the 2010s, it seemed to be reserved to the tech-savvy despite making the headlines, primarily because of data breach scandals. There were warnings about data being lost, misused, or plainly abused, but many of us found it to be difficult to relate to: how can you lose something you never thought you had? Big tech companies that were already making an enormous profit by means of individual data were very good at hiding its value and uses.

In 2021, society is better informed, but the situation itself hasn’t changed much. Facebook’s default response to any data breach scandal is ‘We need to do better’ since 2016, yet more than 533 million Facebook users’ personal information was leaked this year. There were many others, including the LinkedIn data breach when data associated with 700 million of its users was posted for sale in a Dark Web forum in June and the Microsoft Exchange Server data breach in March, with over 30 thousand organisations being exposed.

The fact that these attacks continue to happen highlights the enormous market for data and its associated value. Data that is being generated today is vast and precise, which means that the information that can be extracted from that data is also detailed and all-encompassing. With the gap between the physical and the virtual world quickly closing, someone having access to your data means someone having access to your life. This access is provided by more and more physical objects entering cyberspace — anything from our ovens and fridges to our cars and health monitors is now part of the network. This can bring about huge improvements to each of us individually and to the society as a whole, but can also have very real implications if someone chooses to abuse (or loses) that data.

The evident failure to safeguard individuals’ data and the increasing risks of such misuse has led to a recent technological trend, which aims to empower individuals with the capacity to manage their own data by providing anything from secure data storage to data management tools. Partly fostered and accelerated by legislations such as the General Data Protection Regulation in the European Union, it primarily focuses on giving control back to data subjects through protection and security. Whereas this, no doubt, marks a very positive shift towards an inclusive data-driven economy, it is important to consider its further implications.

Security and protection in the context of the data economy still imply a hierarchical approach — individuals need to be shielded from companies that abuse their data by other companies that safeguard it. Whereas this points to recognizing data subjects as an integral part of the market, it precludes individuals from assuming an active role. Individual involvement is still mediated, and the lack of tools for involvement means that they remain onshore while the ship continues to sail.

Furthermore, security is not without its problems. In a system so vast and so complex as the Internet, it is easy to overlook details and introduce vulnerabilities that can be easily exploited by attackers. In fact, attackers and defenders are always in a never-ending arms race. Like two sides of the same coin, one’s actions result in action from the other side, such as improved security is often an after-effect of someone exploiting a vulnerability and developers reacting to it by issuing a patch. Back in 1989, Internet security expert Gene Spafford famously said: “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards — and even then I have my doubts”. What this means is that the promise of security is a promise that cannot always be fulfilled. Hence, it should not be the sole foundation on which the individual’s role in the data economy is built.

What seems more appropriate is the notion of data ownership — being recognised as a data subject and having access, usage, control, and participatory rights over your data — which is quickly gaining momentum. Contrary to the passive approach embedded in the protection on its own, the idea of ownership empowers individuals to reclaim control over something that belongs to them. This is crucial since it entirely transforms the way individuals perceive their data. If you own something of value (that is, something is truly yours), you will not be as willing to give it away for free. Ownership destabilises the current data market and creates a space for transformation by making it harder for companies to hide or mask the way they treat and profit from individuals’ data. Most importantly, the loss of data that is owned by someone equals the loss of individual assets, which can then be treated as such.

Nevertheless, most of the solutions out there that promise to give the control back to data subjects aren’t compatible with the idea of data ownership. They take on the responsibility of controlling data access, thus taking this capacity away from the individuals by assuming the role of a intermediary. Generally speaking, intermediation is one of the key building blocks of the majority of services we as people are used to. Banks are there to facilitate financial transactions and housing agencies to help us sell our real estate. But very rarely do the intermediaries have complete control of the asset itself — the asset that isn’t simply a value assigned to something or a representation of an asset. When it comes to current data management solutions that promise to safeguard your data or manage data access control — you hand in the data in its entirety. But how can you be in control of something you don’t have? What happens when there’s an attack on a storage system and the data is lost — how do you ascribe a value to something that could have been sold a theoretically infinite number of times?

It seems then that full recognition and enabling of data subjects can be achieved by means of handing in the data access control to them directly. To do that means providing rights over individual data in an uncompromising way, not partially and not patronisingly. Whereas larger issues with Internet security may always remain, data ownership can provide means to build an inclusive data economy not on promises that cannot be fulfilled but on a transformed outlook, inclusivity and unmediated trust.