On July 8, the Information Commissioner’s Office (ICO) announced the highest GDPR fine ever of £183 million over last year’s data breach at British Airways. The UK’s data watchdog elected to fine the airline as its “poor security arrangements” led to the breach of credit card information, names, addresses, travel booking details, and logins of around 500,000 customers. In recent years, consumers have become wearily accustomed to data breaches of this magnitude.
GDPR & CCPA – What and How?
GDPR allows a company to be fined a maximum of 4% of its worldwide turnover; British Airways’ fine amounts to 1.5% of its 2017 revenue. With this fine, the ICO wants to send out a signal to companies that they should care about their customers’ privacy. From 2020, the California Consumer Privacy Act (CCPA) will introduce similar data privacy rights for California residents.
In the EU, meanwhile, the following types of data fall under the auspices of GDPR:
- Education history
- Employment history or job title
- Mobile device ID
- Cookie ID
- Location data
- Vehicle registration plate number
This is just a small list of potential data points that GDPR covers. You might think that personal data only includes name, address, and phone number. In fact, under GDPR, anything that helps to identify a person is considered to be personal information, including their physical, physiological, genetic, mental, economic, cultural, or social identity.
Need for on-chain data permissions
In my opinion, GDPR is doing a good thing within Europe. However, our data is still in the hands of companies that can decide to use it correctly or abuse it. Therefore, I believe that blockchain fits well for this use case, especially for storing data permissions on-chain.
The concept of on-chain data permissions is also known as “ethical data,” which forms part of the Web 3.0 vision. This school of thought holds that businesses should be able to harness user data – provided the end user is compensated and/or has consented to it. Data ethics also obliges businesses to create data-sharing frameworks that adhere to data storage laws such as GDPR, where applicable.
Datawallet is a project focused on storing data in an ethical way using blockchain technology. I asked its CEO Serafin Lion Engel to expand on the need for “Ethical data” to construct Web 3.0.
“Datawallet is the critical first step to the realization of Web 3.0. The vision of creating a decentralized internet, where every application runs locally on a person’s own device, hinges critically on our ability to first locally source and store our data in order to fuel these applications,” he explained.
“It’s the safest and most seamless way to gather the data you create on the internet, cryptographically store it on your own device, and through Datawallet’s personal API, share it with any application you like. Datawallet 3.0 is the cornerstone of Web 3.”
Let’s further explore how Datawallet enables Web 3.0.
Storing Data Ethically with Datawallet
Datawallet is a digital wallet for your online data. It grants consumers a simple, private and meaningful way to control their data, thereby shifting responsibility for data storage from web companies to consumers. From the perspective of businesses, the advantage of integrating a solution like Datawallet is that it ensures regulatory compliance while building trusted relationships with consumers.
Developers are also incentivized to create products that utilize Datawallet, whose private-public key pair will be familiar to blockchain devs. An infinite number of additional keys can be created, each controlling the data for a particular product or service. Permission flow is controlled via the Datawallet SDK, while a GUI speeds up app creation. Datawallet allows fine-grained permissioning over its data, stored on-chain. Also, every permissioning change is stored in an easily auditable blockchain record.
Datawallet aims to fix the broken data ecosystem and bring trust and transparency over data usage.
After analyzing their whitepaper, I have gleaned the following key points about Datawallet:
- Data can be sourced directly from websites like Facebook or Amazon and securely stored in the user’s local data vault, fully encrypted.
- Datawallet does not control the data at any point during the sourcing process.
- Once the data has been stored, no entity other than the organization it pertains to can access it without the user’s consent.
Datawallet aims to power an array of Web 3.0 apps that utilize ethical, cross-platform data. In doing so, it will pave the way for subsequent Web 3.0 products and integrations, formed around a framework in which all permission data is immutably stored on-chain.
The sourcing tool is a key element for the Datawallet ecosystem. It enables users to “source” (import) their online data into their personal Datawallet. Crucially, no data flows through APIs. All data is processed and stored locally.
Next, the locally sourced data is encrypted on the user’s device and stored. The encryption key is derived from an integrated Ethereum wallet. The resulting solution ensures that once a user sources their data into their Datawallet, neither Datawallet nor any other organization can access the data without the user’s active initiation.
In order to enable access to the data when it is requested, a “use” component provides this access request. Datawallet’s on-chain permissioning system allows users to decrypt and share their data with apps and brands they trust. The user has full control over who can use their data, when they can use it and how.
When Datawallet encounters a whitelisted app, it retrieves the requested data points from the app’s smart contract on the blockchain to present to the user. If the user agrees to give this app access to the specified data points, Datawallet will sign and publish this as a transaction on the blockchain. At the same time, it will release the decrypted data.
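The consent flow described above can be modelled in a few lines. This is an added sketch, not Datawallet's code or SDK: a dict stands in for the app's smart contract, a hash-chained list for the blockchain, and an HMAC key for the wallet signature; every name and sample value is constructed.

```python
import hashlib, hmac, json

# Constructed stand-ins: whitelisted app -> data points its "contract" requests,
# a demo signing key in place of the wallet key, and a local data vault.
APP_CONTRACTS = {"ad-insights": ["interests", "ad_clicks"]}
USER_KEY = b"constructed-demo-key"
VAULT = {"interests": ["cycling"], "ad_clicks": 42, "location": "Berlin"}
GENESIS = "0" * 64

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def _sign(body, key):
    return hmac.new(key, _digest(body).encode(), hashlib.sha256).hexdigest()

def grant(ledger, app, approved, key=USER_KEY):
    """Record consent as a signed, hash-chained entry and return the released data."""
    if app not in APP_CONTRACTS:
        raise PermissionError("app is not whitelisted")
    # Release is the intersection of what the app requested and what the user approved.
    fields = [f for f in APP_CONTRACTS[app] if f in approved]
    body = {"app": app, "fields": fields,
            "prev": ledger[-1]["hash"] if ledger else GENESIS}
    ledger.append({**body, "hash": _digest(body), "sig": _sign(body, key)})
    return {f: VAULT[f] for f in fields}

def audit(ledger, key=USER_KEY):
    """Return the index of the first entry that fails verification, or -1 if all pass."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        body = {k: entry[k] for k in ("app", "fields", "prev")}
        ok = (entry["prev"] == prev and entry["hash"] == _digest(body)
              and hmac.compare_digest(entry["sig"], _sign(body, key)))
        if not ok:
            return i
        prev = entry["hash"]
    return -1

def demo():
    ledger = []
    released = grant(ledger, "ad-insights", approved={"interests", "location"})
    grant(ledger, "ad-insights", approved={"interests", "ad_clicks"})
    clean = audit(ledger)
    ledger[0]["fields"].append("location")  # tamper: widen an earlier grant afterwards
    return released, clean, audit(ledger)

if __name__ == "__main__":
    print(demo())
```

The audit step is what makes the record useful to a reviewer: widening an earlier grant after the fact breaks that entry's hash and signature, so the change is detectable rather than silent.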
Datawallet Showcase App: YouAreTheProduct.wtf
Datawallet has built a showcase app called `YouAreTheProduct.wtf`. This application tracks everything possible about you to build a data profile. As Facebook is still seen as a rather untrustworthy social media giant, the data is sourced from Facebook into your Datawallet.
After some time, Datawallet can show you your Facebook Ad profile. You can also see what Facebook thinks your ‘real’ interests are, find out which companies directly target you through Facebook ads, and see a list of every ad you’ve ever interacted with through FB.
The goal of this showcase app is to make you aware of the fact that Facebook knows a lot about you and (ab)uses this information to directly target you with the most relevant ads. In short, you are the product!
The Blockstack team’s overarching goal is to give users control of their data and identity. They’re accomplishing that goal by providing a suite of developer tools and protocols intended to lower the start-up barriers of dApp development.
One of the project’s first features, Blockstack Authentication, connects your identity to all of the dApps in the Blockstack ecosystem. It utilizes single sign-on with your universal username, and in place of passwords, public-key cryptography that runs on your local device’s software.
Authentication is entirely on-chain, maintained by the Blockstack blockchain and Blockstack Naming System.
Lastly, Blockstack uses Gaia data storage. Gaia is a user-controlled storage system that enables applications to interact with private data lockers.
Goal: Blockstack ID provides user-controlled login and storage that enable you to take back control of your identity and data.
Datum is not a direct competitor but also focuses on safe data storage. Users can pay a small fee for having their data stored in the Datum Network. The data is stored encrypted and anonymized. Once the data is stored, users can decide if and with whom they want to share this data.
Also, users can sell their data to reputable businesses in return for DAT tokens.
Goal: Provide an easy-to-use solution for storing data securely and managing who can access the data. In addition, the Datum SDK allows developers to create applications that securely store data.
This year, PikcioChain released its PikcioBrowser, which aims to transform internet search. The browser helps users to protect their identity (and data) while browsing the web. The browser does not store any meaningful data like cookies or search history, nor disclose any information to third parties.
Goal: Protect user data while browsing via peer-to-peer technology, without sharing any personal information.
Strengths and Opportunities for Datawallet
- Forms a single encrypted and secured data silo
- User has complete control over their own data
- Fine-grained permissioning
- Viable alternative to the data brokerage market
Weaknesses and Threats for Datawallet
- Datawallet will not be suitable for all businesses, some of whom will prefer to store user data themselves.
- Current internet relies on ads and data brokerage for revenue, which users willingly or unwittingly consent to. Eliminating this ability may require charging users for access to web services instead.
- Web 3.0 solutions such as Datawallet trade greater security and privacy for lower usability, which may deter some users.
The current internet needs better data control for users, who are currently paying for access with their identity. This is a recipe for disaster and is simply unsustainable given the prohibitive costs of data loss to end users and enterprises alike. Solutions such as Datawallet and Blockstack will be integral in ensuring the success of the emerging Web 3.0, as well as bolstering the privacy of Web 2.0 services that elect to integrate self-sovereign data solutions.
Personally, I believe we will see more adoption of data security tools out of necessity, both on the current web and on the decentralized model that is now being constructed. Convincing large companies to implement Datawallet will be tough, but that task should get easier with every large-scale data breach, demonstrating the need for tougher data storage standards.
Full disclosure: I do not own Datawallet, Datum, or Pikcio tokens and I have not participated in any of these ICOs. This article is not intended as investment advice. The article is written in cooperation with Datawallet. All information comes from my own research.