Perspectives: Opinions from our network of advisors, investors, operators and analysts on the risks and opportunities they see.
The tech industry has long maintained that the protection of personal data should be self-regulated and that a macro regulatory approach like the European Union’s General Data Protection Regulation (GDPR) is overkill. Concerns over abuses during the 2016 U.S. presidential election, as well as massive data breaches such as those afflicting Marriott, Target and Equifax, have increased the likelihood that the tech industry will face U.S. Congressional oversight in the future.
Already, California is moving forward with the California Data Privacy Act, and the size of that state’s economy means Sacramento may well set the U.S. standard even if Congress dithers.
Trevor Butterworth is a Dublin-based consultant whose clients include one of the leading institutions in the so-called digital identity movement. He sees regulation as inevitable, but believes the larger solution will be to put control of individual data back into the hands of the individual. He spoke with Karma Network’s Contributing Editor, Michael Moran.
Michael Moran: It’s been just under a year since the European Union’s General Data Protection Rule went into effect, and with it and the mess that major tech companies in the US have made of data management and governance, we’re hearing a lot of talk of data regulation in the U.S. Is this all about the 2016 election, or is there something deeper going on?
Trevor Butterworth: For years people said, ‘Oh nobody cares about privacy online.’ Right? That was the mantra endlessly repeated. People are just happy to have the convenience and all the good stuff. Now we are in a massive transitional stage where those naive user days are over. People have become increasingly aware that the entire technology world is problematic. An analogy might be the kind of optimism that greeted the so-called ‘agricultural revolution’ of the 1950s and ’60s, and development of new products, plastics, all of these things that sort of ushered in new conveniences. We look back now – processed food, oceans choking on plastics, God knows what health damage – and we’re rightly appalled.
And that brings us back to data privacy and individuals. One of the biggest mistakes a lot of commentators and analysts make is to assume that the public and the culture is static or neutral on any of these items. They are not. They’re upset, even angry in retrospect, and that will drive change.
Michael Moran: But now we’re dealing less with questions of human physical health or environmental health and rather with our thoughts, human interrelationships, and our right to be private, unique individuals. That changes things for politicians, right?
Butterworth: We have all these products and things that are absolutely wonderful for us. They do great things and we get great services and you can get your entire supermarket shopping delivered in a box. We’ve had that convenience for 10 to 15 years and now, just like the agricultural revolution and the emergence of the plastic economy, we’re beginning to grapple with the negative side effects. We now see that none of these tech companies were really acting in our best interests. Instead, they have been engaging in population and human behavioral experiments on a planetary scale, yet are able to zoom in to a country, state, neighborhood and even individual level. And surprise, surprise, we don’t like that!
Questions are beginning to be asked. They’re being asked by different constituencies, with different perspectives and interests. Here’s an example: One of the most powerful of these constituencies is wealthy women with children. This is a very, very influential group, particularly with regard to nutrition and healthcare policy. They are beginning to wonder whether their children are being negatively affected by social media, whether they’re being tracked by companies, whether the immersion in screen time is producing learning deficits and antisocial behavior. Their fears will trickle down to the media and then through the population at large, so that’s one sort of major risk factor for the tech world right now.
Michael Moran: Some of the largest U.S., Chinese and other tech companies – and many of the smallest, too, if they want to tap into the world’s largest economic bloc – have had to adjust their wide-open data policies to comply with GDPR. That “regulatory bazooka” approach to regulation seems to have worked, and yet I’m not seeing Facebook, or Google, or Yahoo, moving toward greater transparency unless they are under direct duress. So what’s it going to take?
Butterworth: There’s a direct economic incentive to comply with the EU regulations, regardless of how much of your trade is with Europe. Europe’s regulators have shown they have teeth. That simply hasn’t been true in the U.S. so far, though there is now talk of massive fines on Facebook. There’s also another factor — the trend of data breaches, and the fact that corporations are being held liable for poor practices. That is not only GDPR but also what happened with Equifax and Target and others. They took a big economic hit in share price, and they earned that hit. Making data a liability and an exposure will finally focus people on how important it truly is.
We’re now at the start of a tech identity revolution. People want the Internet to return in some broad sense to its roots as a more idealistic, utilitarian tool. I suspect that, in advanced, non-authoritarian markets at least, there will have to be some very direct and absolutely clear agreement on data sharing in place before data ownership is assigned. GDPR is just the first step, and it will be advanced by the distributed ledger [Blockchain] movement which represents the next step. And once there’s a critical mass of companies developing on these networks, then everybody’s going to follow up they’re doing.
Michael Moran: Tell me a bit about the Sovrin Foundation, the UK-based data identity group that is one of your clients. Their pitch is “Control your own identity.” That sounds simple, but that was a challenge even before the Internet. Tell me more.
Butterworth: I advise the Sovrin Foundation and its CEO, Heather Dahl, as they seek to establish standards in the digital identity movement. Sovrin’s specific approach, which has been adopted by many of the world’s largest tech companies and others, is specifically around what they call a ‘self-sovereign identity.’ At the same time, you have the emergence of technology around distributed ledgers, cryptographic keys that will enable a cultural shift to solve a lot of these problems. The idea is that you not only master GDPR compliance but you can enter into a consent-based relationship with your customers in ways that are much more highly protected, transparent and targeted than before.
If you look at the number of major companies running the Sovrin Foundation’s network protocols – that’s a kind of a global network for decentralized identity – they include IBM and Cisco, major global law firms and companies. You see a massive uptick in the number of developers from big companies (and) also startup innovators developing new tools for decentralized identity.
Right now, we are about to reach a moment where the distributed ledger revolution ought to take off. The fact that there is so much traction around the self-sovereign identity idea is a signal that there’s going to be a major cultural change in the way the Internet operates and the way we interact with our data. GDPR is essentially a negative approach, a reaction to the problems of data identity and ownership and sharing. What you really need is technology that’s actually both solving the problem and also giving business tools to be innovative.
Once you have the sort of the equivalent of touch-and-go identity, what you’re actually doing is sharing proofs of identity rather than the actual information. You can begin to start offering all sorts of interesting services to customers from a really secure and compliant basis because you’re using some sort of decentralized technology like a Micro Clouds. You get rid of the problems associated with that old-fashioned database where everybody’s data lived. Each person has their own sort of little fortress of cloud-based data. Right now we see technology moving at such a pace that actually there’s an opportunity to solve this problem before there’s a real loss of trust in data sharing and the Internet.