Power to all my Friends – A New age of data ownership

Posted on October 17, 2011


Once again sitting around a dinner table immersed in the conversational euphoria of many great online experiences shared amongst friends the threads of a more invidious undertow weave a sobering reality. The horror stories of data that has been compromised, band details exposed, Facebook images that went public without permission, disconcertingly targeted advertising appearing on webpages and even phone calls from unknown vendor call centres offering unwanted services.

As a technologist and security specialist I frustrate at the cavalier attitude that many organisations take to individuals data. From ecommerce entities that do not comply with basic PCI-DSS (Payment card Industry Standards and Data Security Standards) to social media and search sites that return questionable value to the individual when balanced against the against the risk the retention and data mining of that data will have.

Technologies exist and practices are already well developed that can empower users to enjoy the Internet and third party services AND keep control over their identities and data.

There are many permutations and tools out there to achieve this, but let me take one blend by way of illustration which is by no means exhaustive in detail but will demonstrate that there is a better way. A way that I predict, in not to dissimilar form, will one day become prevalent, be it once legislators finally say ENOUGH in the face of public outrage and force the initiative, or as I would prefer to think the industry would lead by best practice and self-regulate by adoption. Call me a cynic but I regret that the former rather than the latter is likely the case based on current attitudes of the Google and Facebook’s of this world.

The concept I would suggest would go something like this:

a) Principle establish = individual’s data is owned by the Individual.

b) Principle established = title/ownership of individuals data can never be perpetually transferred to a third party; it can only be grated for a ‘term’.

c) Principle established = On the expiry of a ‘term’ grant of any data by an individual that data will expire automatically and be ERASED.

d) Principle established = data can only be used by the entity it is granted to.

e) Principle established = data can only be used for the purpose it is granted.

f) Adoption of an authentication standard that is well established across multiple platforms and can integrate with multiple vendor solutions.

g) Adoption of an authentication model that allows fractional disclosures of data that can be controlled by the data owner wither anonymously or identifying the individual.

h) Adoption of an orchestration system that can ensure users data is held

i) Websites should have a mandatory rating that categories content to allow better protection of the innocent and to lend some degree of legitimacy.

· Claims based authentication meets the authentication ideals noted above, it is already built into many operating systems, from Windows to Mac and Linux.

· The principles suggested are no more than what individuals already assume when they disclose data.

· Document records management and retention systems already automate the archiving and expiry of data in corporate systems.

· Compliance practices and Trustmark programs already exist to ensure data management is of the highest standards.

· Regulatory penalties exist for non-compliance, but are poorly implemented and policed.

· Many well established and accepted rating systems exist. These can be aligned to websites and automated so browsers respect a user’s elected or policy enforced filters.

Finally I would support a special measure to protect our children. Our children should be allowed to safely explore the online realm without laying down a virtual shadow that can come back and haunt them into their future. As in the physical world children need to understand boundaries and develop their own identities safely, they do this by pushing back and sometime through over exuberant expression. Recruitment agencies are already delving into social network sites and profiling individuals with historic discretions that would otherwise have been forgotten as the expressions of an adolescent.

All we need is a will, the way is already paved, let’s take the journey willingly as the alternative is a force march.