Thursday 7 May 2015

Making users the 'client' not the product (becoming a 'Data Guardian')

There is space in the market for a company to become a Data Guardian for the digital trails and activities created every day by everybody that uses the Internet.

This would be a service provided to the end user (person or company) that would store and anonymize the user's data (as stored or used by 3rd party services), in a way that the user would be able to control who, what, how and when their data is shared and used.

In practice this means that the user would stop being 'the product' (whose data is used and sold without his/her control), and would become 'the customer' (able to control/manage its own data).

From a technological point of view, this would be a service that acted as a Data Broker (or Guardian) between the user and a particular service (or government). A key requirement would be the security of this service, maybe even including features where only the user is actually able to decrypt/unlock data (i.e. even the 'Data Guardian' service would not have access to the data, which makes it easy to protect :) ). This would also reduce the amount of (real) user's data that is stored by analytics companies, banks, supermarkets, loyalty cards, websites, phone companies, etc... (you can think of this service as 'TOR for day-to-day data')

Unfortunately, companies like Google, Facebook, Twitter, LinkedIn and our own Governments have a business model that is designed around the erasure of users' privacy. They are also actively engaged in social engineering their users into accepting less and less accountability for how their users' data is used, stored and sold. Their real customers (the ones actually paying) want to have more and more access to their product (i.e. the users), which puts these companies in a conflict of interest situation on the topic of their product's privacy.

But are the users (i.e. the product) happy with this situation? Are they happy with the fact that they have no control over who gets their web, banking, geolocation or even PII information? Of course not! But since the risk is still low (or only affecting a small number of the wider population), there is still no critical mass in demanding change. That said, we can start to see the change happening in the recent moves by the EU and US, although I think that we are still a couple of 'major incidents' away from real changes being forced on the industry.

So who is going to lead this effort and become a trusted 'privacy' brand for users? A brand/service so good that the users are willing to pay them for data protection. Well, for sure the companies whose business model depends on No Privacy will not be the ones pushing (which is a massive blind spot for them, since for example, Google's business model should be based on protecting my data, not on selling it).

Maybe it's a government agency or NGO that will do this?

Most likely it will be a company whose business model is aligned with the user's privacy and data sharing desires.

The irony is that when users allow their data to be shared with company XYZ, they are actually much more valuable to that company (which is something that can be sold, and maybe the user could even be given a share of the profit generated by those transactions). After all, users like targeted marketing and information, as long as it is relevant to them, actionable and non-intrusive. Google (and others) make billions on selling our data, why should they keep all the profits?