Emerging Technologies Law is a blog by William Ting which examines 21st century legal, business & Social tech issues.

Be Your Own Money: Personal Data Currency

Be Your Own Money: Personal Data Currency

 Emerging Technology: Personal Data Currency (Getty Images license)

Emerging Technology: Personal Data Currency (Getty Images license)

     (Note: This Personal Data Currency whitepaper was presented at the 6th Annual Asian Privacy Scholars Network International Conference on September 27, 2017 at the University of Hong Kong, School of Law. It has been digitally witnessed and time-stamped.)

     How many of you wear contact lens? Even if you don’t, your world is about to be changed by Sony’s new patent on contact lens that records and stores video images. Its powered by eye-movements and much more discreet (and therefore more privacy-intrusive) than camera-eyeglasses. Welcome to the magical world of science and technology. This is one of many new gadgets coming out soon that will fundamentally change privacy law and practice and challenge their relevancy and adequacy in the the 21st century.  

     These new technological developments will make it very difficult to protect consumer personal data in the future. But if a window is shut on privacy protection, a door is opened for financial inclusion. If personal data will become harder to protect and existing laws will become inadequate, then a new paradigm should be created to allow consumers to be compensated for the ease of future privacy violations. Consumers can then be a better position to seek compensation for injuries to their information rights. By empowering the consumer to control his/her personal data, a new dawn rises for financial inclusion.

 Once in a generation legislation: General Data Protection Regulation (GDPR) (CC0 Creative Commons)

Once in a generation legislation: General Data Protection Regulation (GDPR) (CC0 Creative Commons)

    Personal data privacy has been occupying the attention of regulators, policy-makers and the media. With the imminent roll-out of the European Union’s General Data Protection Regulation (“GDPR”) in May 2018 (coming up fast), the mainstream literature is replete with discussions on the need to protect the privacy of personal data (or personally identifiable information) in the hopes of increasing public awareness. Various privacy organizations and think tanks have been focusing on the importance of protecting an individual’s right to privacy of his or her personal details. 

     Yet in contrast to the rising concern about protecting the data of consumers and natural persons, the needs of corporate entities to protect the privacy of their corporate data, many of which are proprietary, have gone relatively under-reported. Therefore the privacy dialogue has traditionally focused on the right of an individual to keep his or her data private.

 emerging technologies: privacy-invasive wearables  (Getty Images license)

emerging technologies: privacy-invasive wearables  (Getty Images license)

     One key developing factor is changing the classic divide between personal and corporate data privacy: emerging technologies. Today’s society has been experiencing unprecedented levels of change driven by technological developments. In the world of communications alone, advances in how humans relate and interact with one another through the use of advanced hardwares and digital softwares would certainly be mind-blowing to our grandparents. No doubt, such technological advances have benefited society enormously, yet they present enormous challenges to protecting the privacy of individuals and companies as we head further into the 21st century.

     Through the use of recent examples of emerging technologies (like Sony’s recordable contacts lens and brain-hacking tech), this essay argues that:

  • personal and corporate privacy vulnerabilities are converging due to the rise of innovative emerging technologies that threaten both these interests (Part I);
  • after examining the current regulatory approach to protecting individual and corporate data privacy, the current practice of keeping personal data privacy distinct from corporate data privacy will not remain tenable in light of emerging technologies (Part II);
  • we should consider protecting personal data privacy under a new paradigm under which consumers may use their respective personal data simply as currency (“Personal Data Currency”) (Part III);
  • the Personal Data Currency can be implemented via a client-browser based platform built on the Digital Objects Architecture (Part IV); and 
  • this new paradigm needs to evolve in light of changing technology and competing policy principles (such as free speech) would impede the development of using personal data as currency (Part V).

I) Emerging Technologies Threaten Both Personal & Corporate Data Equally

     The trend toward innovative technologies is both good and bad. It's good because technology help make our lives easier, whether it is hands-free driving or wireless charging and creates jobs because they lay the foundations for new industries. But it's bad because some of their applications can be extremely intrusive on our privacy. From brain-jacking to recordable contact lens, our privacy will constantly be under sieged.

 Sony's Recording Contact Lens Diagram (image from USPTO patent #20160097940 A1)

Sony's Recording Contact Lens Diagram (image from USPTO patent #20160097940 A1)

    I.A) Recordable Contact Lens

     Sony is currently perfecting its latest patent issued for recordable contact lens. When it is market-ready, our world will fundamentally change. Because contact lens are small, near-invisible (try finding them when they fall on the ground), and discreet (that's why they were invented to replace clumsy eyeglasses), making them recordable is every voyeur or industrial spy's dream tool of choice. 

     From the consumer perspective, we will no longer be able to take our privacy (however little there is left of it) for granted. The next time you go to the gym locker and start changing, always in the back of your mind there may be thoughts of whether someone is recording you with their recordable contact lens. The unscrupulous can use these lens to record our ATM pin numbers, our private dinner conversations, our behavior laying out by the pool, what we buy in grocery stores or pharmacies. There will be no way for us to know if someone's contact lens are recordable and that they are actually recording when we don't want them to. It's not like they are holding a large bulky camcorder (remember those in the 1990s) for us to easily spot them recording. It may be hard sometimes to even know if someone is recording us on their smart phones. But if they are using small recordable contact lens, forget about catching them in the act!

 recordable eyes will be watching (CC0 Creative Commons)

recordable eyes will be watching (CC0 Creative Commons)

     From the corporate entity's perspective, recordable contact lenses would be a direct threat to its ability to protect its sensitive trade secrets and business plans. Some hi-tech companies like advance semiconductor wafer makers spend over US$10 billion dollars in research & development expenses with the intent to generate valuable trade secrets and other proprietary information. In order for trade secrets to remain valuable, the corporate entity must take reasonable steps to protect its confidentiality, such as restricting their physical access and signing NDAs with key employees. Currently many hi-tech companies are facing the problem of industrial espionage made easier by the proliferation of smart devices and mobility of employees.  Industrial espionage has been a persistent threat to companies that are developing valuable IPs.  According to the US Department of Commerce, IP accounted for $5.06 trillion in value added, or 34.8% of US GDP in 2010. IP alone accounts for over 40 million U.S. jobs and over 60% of all US exports. American companies that devote time and money researching trade secrets are the most vulnerable. For example, according to the US Congressional Committee on Energy and Commerce Hearing, "[the] scale of international theft of American intellectual property is . . . roughly US$300 billion per year and 2.1 million additional jobs now in our economy."     

     With the advent of recordable contact lenses, rogue employees will have an easier time stealing valuable trade secrets literally with a blink of an eye. Blink several times and potentially hundreds of million of dollars worth of trade secrets may be secretly recorded and stored for download once the rogue employee has left the corporate premises with his/her booty.

 brain-hacking tech: end of privacy? (Getty Images license)

brain-hacking tech: end of privacy? (Getty Images license)

I.B) Brain-Jacking Technology

     Bioengineers and scientists from the University at Buffalo have been working on ways to hack into the brains of mice using magnetic fields. Researchers have successfully used magneto-thermal genetics to manipulate brain cells in mice, enabling the team to control the animal’s behavior. This is the first time anyone has reported using magnetic fields to manipulate animal behavior. While this technology has so far not been tested on humans, there is simply too much vested financial interest to see this technology come into fruition and applicable to humans, especially when the US Defense Advanced Research Projects Agency (DARPA, an agency of the US Department of Defense responsible for the development of emerging technologies for military use) has been funding similar research projects under its Neural Engineering System Design program.  The implications of this emerging technologies for privacy will be gigantic. If this technology becomes mature (and it will one day, you can count it), our very own thoughts, feelings and ability to control our actions and therefore our lives will be at the mercy of unscrupulous third parties trying to hack into our brains to access the passwords for all of our financial accounts or worse yet, personal (and vulnerable) memories. 

     From the consumer perspective, such brain-jacking technology will render our deepest memories to become accessible by third parties. To date, the debate about privacy regulation has focused on protecting consumer's birthdates, pictures and geolocations. It has not foreseen that one day our memories may become vulnerable too. 

     From the corporate entity's perspective, brain-jacking technology will most likely be used to target key R&D personnel or senior management to extract valuable corporate trade secrets and other proprietary information. 

 cloaking technology under development (Vienna University)

cloaking technology under development (Vienna University)

I.C) Personal Cloaking Device: Now You See Me, Now You Don't

     Scientists at the Vienna University of Technology are researching making cloaking technology a reality. They irradiated a completely opaque material from above with a specific wave pattern – causing light waves from the left to pass through the material without any obstruction. Those who are fans of Star Trek would immediately appreciate the significance of this invention: the sight of an invisible Romulan warbird suddenly de-cloaking about to fire its payload of missiles would send shivers down any respectable Star Fleet captain. Of course the current technology is still far off from being deployable onto a spaceship or more realistically a combat vehicle such as a jetfighter. It is more likely that this technology will create personal cloaking devices that a user can wear and make him/herself invisible. Wouldn't this be a cool application of the research being conducted on cloaking tech? It may be a great marketing idea, but again, a personal cloaking device would spell the end of privacy rights. In the future, intruders can literally walk behind us and enter our private homes, bedrooms and other intimate places without our knowing and observe our personal moments alone. Even the best corporate security countermeasures are insufficient to deal with an invisible spy snooping around undetected by human or camera eyes. 

 baseball privacy strikes out (Getty Images license)

baseball privacy strikes out (Getty Images license)

I.D) Apple Watch as Spy Tool

     What images evoke better memories of traditional notions of fair play than an apple pie or a good old fashion baseball game? It turns out that even the privacy of baseball team signals has been compromised by emerging technology, this time the Apple Watch. 

    According to the NY Tomes, Major League Baseball ruled that the Boston Red Sox, who are leading the American League East and expected to head to the playoffs, used the Apple Watch to steal hand signals from opponents’ catchers in games against the second-place Yankees and other teams, The Red Sox admitted that their trainers had received signals via their Apple Watches from video replay personnel and then relayed that information to Red Sox players on the field to tell them about the type of pitch that was about to be thrown. Hey, that's not fair! In baseball, teams are only allowed to use their naked eyes to read secret signs from the opposing team's catcher to the pitcher. No cameras or electronic devices are allowed in dugouts.  The Red Sox also accused the Yankees of using a camera from its YES television network exclusively to steal signs during games. The proliferation of cameras, videos and smart devices has undermined the privacy of the catcher's secret hand signals to the pitcher.

 tool of baseball espionage? (CC0 Creative Commons)

tool of baseball espionage? (CC0 Creative Commons)

     Of course, countries can ban or regulate such emerging technologies. But doing so will compromise innovation and entrepreneurship. Researchers will simply go to countries that do not regulate these areas which will encourage a race to the most liberal research jurisdictions. Countries that have banned or heavily regulated these new technologies will lose important know-how and human talent on how to manage and defeat the risks that these new technologies create. In the absence of regulatory intervention or ethical limits on their use, emerging technologies such as recordable contact lenses, brain-jacking or cloaking devices will also challenge the adequacy of existing privacy law and practice.

II) Inadequate Protection & Compensation under Current Privacy Law and Practice

     A legal interest is "something a law recognizes, as in an advantage, profit, right, or share."  An interest such as privacy is protected under the law in two ways: the law can prevent or limit its injury; and/or compensate the owner of such interest. Protection and compensation are the two key ways in which legal principles protect an interest. Let's look at how well existing privacy law and practice protect or compensate privacy interest. 

 privacy under assault (Getty Images license)

privacy under assault (Getty Images license)

II.A) GDPR

     This Section will examine the European Union's GDPR as representative of the world's major jurisdictions' treatment of this area. The GDPR views privacy as a "fundamental right". It is therefore constitutional in nature on par with a human right. Essentially, the GDPR provides three major rights to an individual to protect his/her privacy: (i) the right to consent (see Article 6), the right to be forgotten (Article 17) and right to access (Article 15).  For example, the right to be forgotten can be said to have derived from Justice Brandeis' famous dissent in Olmstead v. United States (1928), where he defined the "right to be let alone" as "the most comprehensive of rights, and the right most valued by civilized men. These rights have been the subject of much academic discussion. But one critical component is missing from the current GDPR regime: the right of consumer choice to monetize his/her personal data.  (As a side note, the US does not have a comprehensive federal legislation protecting privacy. There is an ad hoc patchwork of statutes which are applicable, notably the Stored Communications Act, a part of the Electronic Communications Privacy Act of 1986 which has been universally criticized as a “dense and confusing” mess.) 

     It is important to note that the GDPR (and every other major privacy regime) will struggle to remain relevant in the face of emerging technology for two reasons.

 makers of "instantaneous photographs" in 1890  (CC0 Creative Commons)

makers of "instantaneous photographs" in 1890  (CC0 Creative Commons)

II.A.1) Existing Privacy Regime Inadequate in Light of Emerging Tech

     First, existing privacy rights (such as the right to consent) will be rendered inadequate in light of emerging technologies. There is an inverse relationship between the state of technology and a person's reasonable expectations of privacy. As technology becomes more pervasive and therefore intrusive, the lower one's reasonable expectations of privacy become.  For example in an article to the Harvard Law Review "Right to Privacy" written back in 1890, Louis Brandeis and Samuel Warren warned that inventions current for their time such as “instantaneous photographs” and “numerous mechanical devices” would make “what is whispered in the closet shall be proclaimed from the house-tops.”  (The article is "one of the most influential essays in the history of American law.") In the 21st century, society will need to face more technological challenges to privacy than just "instantaneous photographs". We are smack right in the middle of the digital and connectivity revolution!

 21st century devices: 21st century privacy problems (CC0 Creative Commons) 

21st century devices: 21st century privacy problems (CC0 Creative Commons) 

     A measure of the degree of digitization and our degree of online connectedness is global IP network traffic which is expected to explode. According to Cisco, "it would take an individual more than 5 million years to watch the amount of video that will cross global IP networks each month in 2021. Every second, a million minutes of video content will cross the network by 2021 ... [and that] [a]nnual global IP traffic will reach 3.3 ZB." To put this into scale, 1 zettabyte (ZB) equals 1,000 exabytes. And 1 exabyte equals 36,000 hours of HDTV quality video or streaming entire Netflix catalog 3,177 times.  If digital connectivity will increase, then there will also be an increase in consumer interactions with online service or goods providers. More online interactions also increase the risk of privacy violations.

 digitally connected world means more digital connections (Getty Images license)

digitally connected world means more digital connections (Getty Images license)

     Let's examine one of the bedrock of modern privacy protection: the right to consent. Under all privacy legal regime, the individual must consent freely to his/her personal data being collected or processed. However, if according to the above Cisco report, the world will become increasingly digitalized due to explosive growth in network traffic, to what extent will "consent" be free? Most social online platform offers the user a rather stark choice: you either consent to the terms of service or forgo using the platform. Consent provided under those circumstances is hardly free. Most users give their consent "freely" just so they can use online services some of which are optional (social media sites) and some necessities (online banking).

 "I understand that if I do not give the above consent the Company may be prevented from providing me with services." Is this real consent? (author's picture)

"I understand that if I do not give the above consent the Company may be prevented from providing me with services." Is this real consent? (author's picture)

     For example, a friend recently needed to open a bank account in Hong Kong which is notorious for refusing US citizens so as to escape FATCA reporting requirements. He was presented with a "consent form" to sign before banking services can be rendered. Since he needed a bank account in Hong Kong, he had to consent regardless of his true feelings. In other words, even though "consent" is required, most often times, users just give their consent so as to be able to use the online services. It does not mean they really agree with their invasion of privacy.

     In the face of an ever increasing IP network traffic as well as invasive technologies (see the ones described in Section I above), personal privacy expectations will inevitably suffer and be eroded as the right to consent would be unable to offer any real substantive protection.

 who profits from your personal data? (Getty Images license)

who profits from your personal data? (Getty Images license)

   II.A.2) Existing Privacy Regime Fails to Permit Individual to Profit from Personal Data

    Second, current privacy regimes does not allow the individual to profit from personal data which is valuable.

     Data is fast becoming the most valuable asset class for online service or goods provider, social media platforms and third party marketers. Data can generate monetary value for them directly (when the data is sold, traded, or acquired) or indirectly (when a new product or service leveraging customer data is created, but the data itself is not sold). Companies can also combine publicly available and proprietary data to create unique data sets for sale or use. For example the strategy unit of accounting firm PwC has estimated that, in the financial sector alone, the revenue from commercializing data will grow to US$300 billion per year by 2018. According to the LSE, "the value of personal data to online platforms is shown by advertising revenues per user (ARPU), which for a major social media and search firm in the first quarter of 2014 was as much as US$45 on average. This firm has consistently earned ARPU of more than US$40 on average since the fourth quarter of 2012. Another major social media firm’s worldwide ARPU was US$9.45 in 2014, 39 percent higher than in 2013."

     Recognizing that personal data is valuable, the company DataCoup actually pays customers US$8 per month to access their social media accounts and view a feed of transactions from credit & debit cards. This system combines two valuable sources of data for online providers: it tracks both a person’s online activity with a record of his/her spending activity.

     Recently someone asked a social media dating platform for access to all of her data collected on her use. She was shocked when she got back over 800 pages of detailed some intimate insights into her online habits, preferences and persona.

     One thing is common though, the vast majority of consumers from whom all these monetary value were generated never saw a dime, penny or cent from their personal data so used. This has led some commentators to compare this situation to medieval serfdom. The reason why this is so is because personal data or privacy is not recognized as a property right. For example, the GDPR views privacy as a fundamental right, not as a property right. 

     II.A.3) Similarity between Personal Data & Corporate Trade Secrets

     In some ways, personal data and corporate trade secrets are similar. Various jurisdictions define trade secrets differently, but generally a trade secret consists of any information, formula, pattern, compilation, program, device, method, technique or process that:

    •    derives independent economic value from not being generally known to other persons who can obtain economic value from its disclosure or use; and

    •    is the subject of efforts that are reasonable under the circumstances to maintain its secrecy. 

     Like trade secrets, personal data is intangible (most data exists digitally), unique (like a person's DNA) and independently valuable to third parties (like online service providers and marketing firms who would all be interested in obtaining information on a consumer's DNA). Personal data (like medical information or financial records) usually is usually kept confidential by its owner. No one goes around broadcasting their bank account numbers online. Therefore substantively, trade secrets law appears to be merely the application of privacy principles applied to corporate entities. Yet the ironical thing is that trade secrets are afforded more legal protection than personal data even though the two are similar substantively. 

 corporate crown jewels: trade secrets (Getty Images license)

corporate crown jewels: trade secrets (Getty Images license)

   Intangible rights like trade secrets owned by corporate entities are also subject to the same vulnerabilities exposed by emerging technologies as personal data. As explained in Section I, corporate trade secrets are just as vulnerable to being misappropriated by use of recordable contact lenses as someone's privacy. Yet corporate trade secrets owners are able to seek legal redress because their intangible trade secrets are protected as property rights and not as privacy rights, with enormous implications. Owners of trade secrets are able to seek legal redress for any anticipatory or actual misappropriations by seeking injunctions and/or damages. Further, owners of proprietary rights may also monetize their assets by sale, purchase or licensing arrangements. For trade secrets owners, being able to seek legal redress is crucial. For example, in 2014 the accounting firm PwC and the Center for Responsible Enterprise and Trade estimated the value of trade secret theft in the US to be 1% to 3% of its GDP, the equivalent of US$200 billion to $550 billion per year. If one adds the loss suffered by other world economies, trade secret theft globally could amount to trillions of US dollars. 

 though similar to trade secrets, personal data is unenforceable in the courts as property (CC0 Creative Commons)

though similar to trade secrets, personal data is unenforceable in the courts as property (CC0 Creative Commons)

     Given the projected rise of digitalization (as evidenced by enormous increases in internet traffic) and development of invasive technologies, this difference between intangible privacy rights and intangible trade secrets rights (both of which are subject to the same vulnerabilities) is no longer tenable. This essay does not seek to argue that intangible privacy rights ought to be regulated under traditional trade secrets law. Nor does this essay argue that privacy right be recognized as a property right free for the owner to trade. (For this argument, please see article entitled "Property, Privacy & Personal Data" especially the author's idea of a“hybrid inalienability” that allows individuals to share, as well as to place limitations on, the future use of their personal information.) This essay takes a different approach by arguing that personal data be treated as a currency instead of property.

 your personal data currency (Getty Images license)

your personal data currency (Getty Images license)

     III)  New Paradigm: Personal Data Currency

     Allowing individuals to control his/her own personal data will be important because emerging technologies will make protecting a person's privacy extremely difficult. If protecting privacy would become difficult, then at least allow consumers the chance to get fair compensation for the use of their personal data. One of the way to do so is to treat personal data as currency. What does this mean?

 personal data NOT accepted here (CC0 Creative Commons)

personal data NOT accepted here (CC0 Creative Commons)

     Have you ever tried to use your date of birth or social security number to get something concrete in return? Let's say you go to the grand bazaar at Istanbul Turkey and you wanted to trade your street address for 100 grams of saffron. The spice trader will probably look at you funny and demand payment by hard fiat currency (or bitcoin if he is a techno-geek). Yet, in the online digital world, your street address has value to online services or goods providers. That's why you are able to use for "free" a particular social media platform in return for disclosing your personal data. Intuitively you see a similarity between using personal data and hard fiat currency to get something you want. 

 personal data is accepted here!  (CC0 Creative Commons)

personal data is accepted here!  (CC0 Creative Commons)

      Personal data fits into the traditional definition of money or currency. Also, personal data, like most of world's currencies, exists in digital form.

III.A) Personal Data Meets Currency Test

     According to the European Central Bank ("ECB"), a currency has one or more of the following key attributes:

  1. Unit of account: currency is a unit of account allowing goods and services to be priced;
  2. Medium of exchange: a means of payment with a value that everyone trusts; and
  3. Store of value.  
 personal data has key currency attributes (CC0 Creative Commons)

personal data has key currency attributes (CC0 Creative Commons)

     Personal data is in effect a form of currency. How so? We have to remember not all of these attributes perfectly fit in any particular currency. For example, bitcoin serves as an excellent unit of account but very poorly as a medium of exchange (not many burger shops accept them).  But personal data can be made into a unit of account to price the value of accessing a particular social media platform or use a third party app. For example, the cost of accessing an app for free can be measured in terms of how much personal data a user is willing to disclose. Also, personal data has been used as a medium of exchange: users provide their names, birth dates and location in return for using a particular social media platform. Lastly, personal data acts as a store of value because its value appreciates over time as online services and goods providers figure out new ways to exploit personal data in light of emerging technologies. For example, online platforms had no valuable use for personal genome mapping because the price of DNA sequencing was too prohibitive for most consumers to do. Now due to rising technological efficiencies, the cost of DNA sequencing is expected to fall significantly. This will lead to more consumers doing DNA sequencing. Having widely available human genome mapping increases the quality of health care and reduces its cost. DNA sequencing for a particular consumer would be valuable information to have now when before it was nonexistent due to its prohibitive cost. 

 money, like personal data, is mostly digital  (Getty Images license)

money, like personal data, is mostly digital  (Getty Images license)

III.B) Personal Data, like Most Currencies, Exists in Digital Form 

     The ECB admits that currency can be stored in "digital form": "[m]oney can exist in a bank account in the form of a computer entry or stored in the form of a savings account. Digital cash, or e-money, is monetary value stored in a pre-paid card or smartphone, for example."  This is due to how the currency supply is measured. M1 also called narrow money, normally includes physical coins and notes in circulation. M2 or broad money includes M1 plus bank deposits which are digital because they are held in a bank account in the form of a computer entry. For example, next time you go to your bank, ask the teller to show you your bank balance. He/she will show you a series of numbers in the bank's computers representing exactly how much you have deposited at your bank. Your bank teller will never show you how much money you have on deposit by taking out physical money and counting the exact amount in front of you. 

     About two-thirds of the world's currencies are held in digital form (because they are measured as broad money) in the form of bank deposits entries. Most currencies are digital, therefore they are simply data on some bank's computer ledger (vulnerable to be hacked) except that this data belongs to the banking intermediaries and central banks. Currency is in effect data itself in the modern world.

     Personal data is also digital because it is usually stored in computer format. True, physical records of an individual's birth exist, but for most practical purposes, users rely on the digital manifestation of their physical records. Personal data in its digital format is then disclosed online directly or indirectly (when it is tracked, monitored or analyzed by first or third parties). 

 personal data currency = financial inclusion (Getty Images license)

personal data currency = financial inclusion (Getty Images license)

     Each individual would be able to have his/her own currency in effect because personal data is unique to each person. We can all be a mini-central bank creating our own currency accepted worldwide by online services and goods providers. This would be an ultimate step towards genuine financial inclusion. As long as a person has access to a simple smart device, internet and electricity, he/she can create his/her own Personal Data Currency.

 how it works (Getty Images license) 

how it works (Getty Images license) 

IV) Implementation of Personal Data Currency

     In the venture capital world, ideas are not as valuable as their implementation. It seems that everything is being built on a blockchain platform. But not every application requires a token-incentivized "Nakamoto consensus" system. Plus blockchain is still relatively undeveloped and slow. I doubt prospective users of a social media platform would want to wait 10 minutes or more before their personal data can be "validated" on a blockchain before being allowed to use the platform. For a faster and a more lower tech and therefore more accessible and inclusive approach, I have decided on building a personal data registry platform on top of a client-browser.

     It is important to note that the personal data currency is not meant to displace government fiat currency (whether in its physical or soon to be virtual form), but will co-exist to help consumers to monetize their personal data in the online world.

 browser-based system (CC0 Creative Commons)

browser-based system (CC0 Creative Commons)

IV.A) Browser-based Personal Data Registry

     This browser-based personal data registry system allows a consumer to store his/her personal data on his/her local browser to be used as a medium of exchange. The underlying architecture for this system is envisioned to be built on the "Digital Object Architecture ("DOA")" which is being developed by Dr. Robert E. Kahn, one of the creators of the modern Internet and Chairman, CEO and President of the Corporation for National Research Initiatives (CNRI). 

     The DOA provides a framework for managing information of all kinds when represented or converted into digital form. DOA is a logical extension of the Internet for managing information in digital form (instead of simply moving bits and bytes from one place to the other) and I shall write more about this technology in future posts. The DOA provides a standardized means of structuring, identifying and accessing information for ease of use over both short and long time frames.

     The DOA enables programs to interact directly with digital objects which is important because the framework allows for personal data stored in the form of digital objects to be exchanged for goods or services in online third party apps. The DOA also supports interoperability with other information systems.  

     (As a side note, on September 27, 2017,  I had the honor of dialing into a webinar hosted by the Chamber of Digital Commerce and none other than Dr. Robert Kahn (creator of the DOA) spoke and explained its workings. I asked him whether the DOA can be used to store a user's personal data using his/her smart device as a repository. Dr. Kahn replied that if the designer chose that particular application, then yes, "absolutely.")

     The internal logic to use DOA is simple. Most of the world's currencies like personal data exist in digital form. The DOA is a framework to manage digital information. Therefore, the DOA framework is one of the best ways to implement the personal data currency model.  

     This registry has four features.

     Feature 1: Inputing One's Personal Data as Unit of Value

     Web storage makes it possible to store data directly in an individual's own local browser. This is different from cookies because it’s not shared with the server. There are two ways to store data on the browser: local and session. Local storage means that it’s persistent and the data will not be lost when the session ends (like session storage).

     Under the Digital Object Architecture, any kind of information in digital form may be represented as a digital object. Personal data can easily be rendered into "digital objects" each with a unique "identifier" or handle. These digital objects are stored in "repositories". Your smart device may be one of the hundred of millions of decentralized repositories. In the personal data currency system, the user enters his/her personal data directly into the browser of his/her smart device so it can be carried around wherever they go. Currently, many online service or goods providers are processing payment information via the use of APIs that act as a conduit to payment information stored on a consumer's browser. This is similar to how parts of the personal data currency will function. See Google's Payment Request API.

     Privacy concerns are easily addressed because it is the consumer him/herself who inputs his/her own personal data into the browser of his/her own smart device. The personal data is not stored at some remote external central repository. Under GDPR terms, the consumer would be the "collector/processor" of his/her own personally identifiable information. 

     Data is divided into different fixed uniform categories and the worth of each category depends on its utility and value to third party online service/goods provider or marketing firms. This serves the unit of account attribute of a currency allowing goods and services to be priced depending on the value of a particular category. For example, personal data included in the "Basic Personally Identifiable Information" would not be worth as much as Biomedical information such as DNA sequencing. If an online marketing firm desires use of a user's Financial information for example, it would need to offer goods or services of a high corresponding value.

 value of currency depends on value of personal data (Getty Images license)

value of currency depends on value of personal data (Getty Images license)

     The registry as a whole constitutes an individual's Personal Data Currency. No additional paper or virtual money is required to be issued. Don't need ICOs, cryptocurrencies or bitcoins. The browser-based registry serves as a ledger of the individual's total "net worth" valued in terms of his/her personal data. Notice that an individual's Personal Data Currency is not depleted as it is spent for online goods or services because each different online third party is incentivized to obtain the individual's personal data. A person can expend his/her personal data to acquire use of multiple social media platforms using the same information stored in his/her browser registry. In this way, Personal Data Currency is relatively more infinite in use than traditional currencies which are depleted as they are expended within the economy. 

     The categories are divided as follows.

  • Basic Personally Identifiable Information
  • Personal Photos and Videos
  • Demographic Data (ethnic group, age bracket)
  • Public Record Data (marriage or driver's license info)
  • Social Media (messages, photos, contacts)
  • Neighbourhood (home area info)
  • Vehicle
  • Life Events (married or divorced)
  • Financial (credit card details, mortgages outstanding)
  • Travel (favorite destinations, airlines, hotels and resorts)
  • Purchase Behavior (shopping preferences)
  • Health (biomedical info, DNA sequencing)

     Of course, the data would need to be encrypted using hash SHA to protect the privacy of such personal data. Because the data is not stored on a central server (like a third party credit reporting agency or registry like Equifax which was hacked recently) it is relatively less vulnerable to cyberattack because an individual's own smart device or desktop presents a smaller and therefore less financially attractive target for cyber-criminals.  The data will be stored instead on the consumer's smart device which will be a repository under the Digital Object Architecture. Because this registry is built on a user's own browser in his/her smart device, in theory every global citizen will have his or her own currency for use.

 personal data currency as medium of exchange (Getty Images license)

personal data currency as medium of exchange (Getty Images license)

Feature 2: Medium of Exchange

     The browser acts as a conduit between the user's personal data to online third parties. Under the Digital Object Architecture, a "resolution system" is required to set the rules for accessing a particular digital object (like a street address), authorization for its access, authentication, public keys and the terms & conditions of its use. 

     For example, the resolution system of the Digital Object Architecture may allow a user to initiate purchase transactions by sending out an offer or request (specifying the goods or services to be purchased, the type of personal data category to be used to pay for such transaction and other terms of payment) to a specified online third party web address. Once this request or offer is received, the third party's server reviews the terms of the proposed trade and sends a reply back to the client browser. If the user is happy with the feedback from the online third party, the user can confirm the transaction using the specified category of his/her personal data as currency for the transaction. If the user does not accept the reply from the online third party, the user can re-issue another offer with more attractive terms or terminate the entire proposed transaction and look for another online third party who is will to accept the initial offer.

 Value of personal data grows over time (CC0 Creative Commons)

Value of personal data grows over time (CC0 Creative Commons)

    Feature 3: Storage of Value

     Certain parts of an individual's personal data will increase in value as third party social media platforms, service or goods providers or marketing firms discover new applications for a particular type of data. Personal data such as an individual's Health or Financial information has the best potential to appreciate over time. Therefore, the consumer would be best advised to enter into transactions with online third parties mindful of this fact. Because personal data is not treated as property here but as a currency, the user would not be able to condition his/her consent to expire after the passage of a certain amount of time or other restrictions once he/she has completed a transaction using one's personal data as currency. Therefore, setting the value of exchange will be important for the user to determine on his/her own. Alternatively, consumers may pool their individual personal data together to form a larger investment "fund" which leverages economy of scale to secure favorable exchange prices and terms of sale with online third parties. 

 personal data currency helps protect consumers' interest (Getty Images license)

personal data currency helps protect consumers' interest (Getty Images license)

Feature 4: Compensation

     We have seen how emerging technology and the rise of internet traffic over the years will mean that privacy expectations will be eroded. The state of privacy protection is inversely proportional to the state of technology. Therefore it is doubtful whether concepts like right to consent or access would make a practical difference to privacy rights in the future as few consumers can afford legal fees to seek compensation in the courts. If privacy rights cannot be protected, then its curtailment should be compensated by another way which does not require resolution of courts or intervention by data regulators. Allowing an individual to use his/her personal data like currency is a way for him/her to receive compensation for his personal data. By empowering the individual to control the flow of his/her personal data, the value of global data may be redistributed towards the individual that generated the data in the first place.

 limits to be overcome (Getty Images license)

limits to be overcome (Getty Images license)

V) Technical & Policy Challenges

     There are three key challenges facing the proposed Personal Data Currency model. 

     First, one of the key technical challenges for this model requires the wider adoption of the Digital Object Architecture. This essay by no means attempts to resolve all of the technical challenges implicated in fitting the personal data currency model seamlessly into the Digital Objects Architecture. Any misunderstandings about the DOA are my own and do not reflect any shortcomings in the elegance and technical prowess of the DOA.  

 lawful purposes protected by due process (CC0 Creative Commons)

lawful purposes protected by due process (CC0 Creative Commons)

    Second, competing policy principles (such as free speech) or law enforcement interests would require an individual to tolerate the access of his/her personal data for limited use. For example, law enforcement may be required to investigate the geolocation data for purposes of crime investigation. Assuming the required warrants have been obtained and due process protections safeguarded, these abridgements of an individual's personal data rights are similar to a government "taking" that may not be compensated.  

 personal data currency compliments GDPR principles? (CC0 Creative Commons)

personal data currency compliments GDPR principles? (CC0 Creative Commons)

     Third, the Personal Data Currency model may conflict with prevailing privacy law and practice such as the GDPR which is silent on whether an individual may use his/her personal data as currency to purchase online goods or services from third parties. There is also the problem of determining whether the "right to consent" within the meaning of the GDPR has been satisfied to permit the processing or collection of the personal data exchanged under a transaction. By using specified categories of one's personal data to pay for goods or services, it may be inferred that an individual has consented to the processing or collecting of the personal data that formed the basis of the parties' freely agreed upon bargain. The GDPR requires explicit consent. One way to address this is for the resolution system (that sets the terms of exchange) to specifically require consumer consent to use personal data as currency. This issue arises because fundamentally the consumer is not provided with a right of choice to use his/her personal data as a currency to be used as a medium of exchange. 

 one of the most valuable personal data (CC0 Creative Commons)

one of the most valuable personal data (CC0 Creative Commons)

     Another example is whether the expenditure of a consumer's health information as currency in exchange for certain goods or services would conflict with health privacy laws like the US Health Insurance Portability and Accountability Act of 1996 ("HIPPA"). HIPAA has a privacy rule that regulates the use and disclosure of "Protected Health Information ("PHI") held by "covered entities" (generally, health care clearinghouses, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions.) PHI includes medical history or payment history. Covered entities must disclose PHI to the individual within 30 days upon request. Under HIPPA, a covered entity may not disclose PHI to facilitate treatment, payment, or health care operations without a patient's express written authorization. Any other disclosures of PHI require the written authorization from the PHI owner. 

     One may view the privacy protections afforded in HIPPA as running parallel to the right of an individual to expend his/her health information as currency. HIPPA applies to covered entities and not to the PHI owner and does not prohibit the PHI owner from effecting transactions using his/her health information as currency.

 choice + financial inclusion = personal data currency (Getty Images license)

choice + financial inclusion = personal data currency (Getty Images license)

Conclusions

     The research and development of recordable contact lens and brain-hacking technologies are not positive signs for privacy protection. Given the inverse relationship between privacy and technology, we can reasonably expect that existing privacy law and practice will fall behind technological advances. In the face of the coming technological onslaught on privacy, one of the ways to provide realistic relief to consumers would be to seek ways to help them monetize their personal data so as to use market forces to lessen the sting of privacy infractions while waiting for laws to catch up. 

    The literature is replete with articles on turning privacy rights into property rights. This essay is not one of them. Instead, this essay has argued for the establishment of Personal Data Currency to empower the individual to control the destiny of his/her personal data by expending it in online transactions with third parties. The Personal Data Currency regime seeks to re-establish balance towards consumers by providing the key impetus toward financial inclusion, empowerment of consumers to control their own personal data and freedom of choice.

#PersonalDataCurrency #GDPR #Privacy #digitalobjectarchitecture

 

 

 

 

 

 

Banking on the Brink: FinTech's Impact on Banks

Banking on the Brink: FinTech's Impact on Banks

ICO Best Practices: the Good, the Bad & the Ugly

ICO Best Practices: the Good, the Bad & the Ugly