In previous blogs, we discussed the fact that data is physical and inherently controllable. Much like I can move a candy bar from the left side of my keyboard to the right, leave it there in anticipation, and slap away a hand intent on stealing it, it’s possible to physically control where data goes, where it remains at rest, and who can access it.
What does this say about data ownership? Quite a bit, as it turns out. The concept of ownership has a long history among us humans, which not only sheds light on what it means to own data but also provides well-vetted legal constructs we can apply to things like data privacy and cybersecurity.
But first the bad news: As it stands today, you probably don’t own much, if any, of your personal data. And that’s an enormous problem.
Three Types of Control
To understand how it’s possible that you don’t own the data representing your most private details, let’s use an analogy of a car to investigate the three basic types of control:
- Use: You can use your car. You make it go to the end of the block, stop at the sign, turn left, and steer toward the grocery store. Physical processes, such as depressing the gas pedal to provide more fuel to the engine, are involved here.
- Access: When you return home, you can pull the key from the ignition, exit the car, and lock it, making it extremely difficult for another person to use the car for their own purposes. You have access control.
- Rules: Societal controls also influence our use of cars. For example, you must have a license to legally drive. Stoplights, as physical as they seem, are little more than a shared agreement about which cars will proceed and which ones will wait at intersections.
The first two controls — use and access — are built into cars by manufacturers. You couldn’t control a car without steering or brakes, for instance. And you don’t control a vehicle’s use if you can’t take the key from the ignition and lock it, as any passerby could do with it as they choose and, for all intents, make it theirs. These controls are necessary to the concept of owning a car.
What’s more, without use and access controls, it would be impossible to ensure your car was operated in accordance with the rules of the road. Stoplights don’t physically force cars to stop; brakes do. The lights are basically a request to humans driving cars to exert a certain type of control, such as braking. The justice system strives to increase the likelihood we all obey this request by using enforcement systems like red light cameras that send a ticket in the mail. Some drivers still break the law, however.
Why You Don’t Own Your Data
More and more personal data is generated every day and, unfortunately, we don’t own the vast majority of data “about” ourselves. How can I tell? We have limited, if any, control over it—and as we saw above, control is necessary for ownership.
Consider the piece of surveillance gear most of us carry in our pockets, also known as a smartphone. Depending on what software (OS, apps, etc.) is installed, this little device may spy on where you go, what you read, what products you research, who you send messages to, and much more. Many of the companies involved may also know—because they forced you to supply—your name, gender, and other details, which they may sell to third parties. If you purchase anything online (and who doesn’t these days?), various entities are also in possession of your credit card number, billing and shipping addresses, and so on.
What types of control do you have over this data?
- Can you restrict access by “locking” your personal data so it cannot be viewed, changed, copied, or shared without your permission?
- Do you have the equivalent of brakes? Can you force companies to permanently delete your personal data so they can no longer use it or share it with anyone else?
- Can you steer your own data, perhaps keeping it away from certain types of advertisers?
The answer to most of these questions will be “no,” at least most of the time. To the extent that individuals have any control over their data today, it is almost always rules-based. An EU resident, for example, may take up her right to be forgotten, demanding that Google not feature unflattering media stories about her in its search returns. She can only trust that Google’s processes will result in that data becoming inaccessible to prospective employers; she has no direct control of the data to give her the ability to actually make it happen.
Trust is Broken
Speaking of trust, most of us don’t trust the entities that possess our personal data. We’ve been burned too many times.
I don’t know about you, but I’ve successfully unsubscribed from any number of newsletters only to have new messages appear in my inbox years later. Common issues, such as failure to purge backup copies of an old subscriber list, can easily cause data to resurface at a company with which I want no further relationship.
That example is accidental. Companies also knowingly use data in ways we never approved (Facebook’s Cambridge Analytica scandal being just one high-profile example). The staggering number of data breaches each year also demonstrates the extent to which these companies put our data at risk.
Rules like the EU’s General Data Protection Regulation and the California Consumer Privacy Act are intended to assign penalties, the equivalent of a traffic ticket, for privacy and security failures. But just like traffic lights don’t make our cars stop, these rules won’t give us back our privacy or our data security. For that we need to own and control our personal data.
Is that possible? Absolutely.
As we’ve discussed here on the blog, data is physical and, therefore, inherently controllable. Absio, for one, offers technology that empowers software developers to add access and use controls directly to data objects using just a few lines of code. From this capability and other technologies like it can emerge true data ownership, which will support real privacy and far greater security than we enjoy today.