A simple solution to the privacy conundrum?

The way in which businesses and governments handle personal data is a topic that always seems to provoke controversy.

In Europe, the ongoing bid to reform the data protection regime has been dismissed both as anti-business bureaucracy and as a lobbyist-fuelled plot to weaken the rights of citizens.

Businesses are constantly being sold the power of big data analytics to solve their problems, but if a company puts a foot wrong when it comes to privacy, they are savaged by the press.

Likewise, governments are compelled to release more and more of their information into the public domain, but for some experts, publishing even aggregated personal data is a breach of trust.

It is tempting to see the matter as an era-defining existential dilemma, the classic conflict of the individual versus society fought in the rows and columns of a database.

But according to Dr Alex "Sandy" Pentland, of MIT's Human Dynamics Laboratory, the solution to that dilemma is actually rather simple.

"People get very excited about the edge cases but for the stuff that really matters – healthcare data, financial data and telecommunications data – it's not that complicated."

"You could eliminate identify fraud in 24 hours"
Dr Alex "Sandy" Pentland


First off, he says, the idea that all data should be private is absurd. "That's like believing everyone should walk around with masks on, skulking in the dark."

In fact, most people understand that in order for an organisation to provide them with a service, they need to hand over some data. "You can't make a phone call unless your telco has some data about you," he says.

However, individuals need a degree of control over their data, he says, and a clearer view of how organisations are using it. "Today, it all happens in back rooms. You can't control it because you don't even know its happening."

"And those privacy clauses which are just 'tick here and we'll do whatever we want with your data'? That's not transparency."

The solution that Pentland espouses, and one that is being pursued by a number of projects around the world, is a combination of personal data stores, or clouds, and a trust framework that allows data to be shared only with informed consent.

SWIFT thinking

The model for this idea is SWIFT, the inter-bank financial transfer system. SWIFT is paid for and operated by the banks, it crosses international borders, and requires no new regulation, and yet it safely transact trillions of dollars every day. "They have peer-to-peer agreements and joint liability, so if one bank messes up, everybody has to pay."

In a personal data trust network, organisations request access to personal data stored in individual 'clouds'. They are granted permission on a contract basis – if they breach the terms of the contract, they are excluded from the network.

"A trust network is combination of data sharing and contractual agreements governing how that data can be used, that gives you control and visibility into your data."

The idea is being put into practice in the Italian city of Trento. Citizens have been issued with personal data clouds, and can control and see how their data is being used. It's early days yet, but "people seem comfortable with it," Pentland says.

He foresees all manner of organisations, from charities to membership bodies and even to churches, providing their own personal cloud services, and using standard protocols to exchange permissions and contracts.

Such an ecosystem would have many public benefits, he says. "You could eliminate identify fraud in 24 hours."

But will businesses support the idea? Pentland was recently appointed as an advisor to European telco Teléfonica, which owns O2 in the UK. "They've been very receptive to this so far," he says. "They are very happy to give customers greater control of their data, and they are very sensitive to their role in this ecosystem."

That goes for most utilities, banks and telcos, Pentland believes. Besides, as regulated industries, they can be forced to adopt the system if our government wills it.

Once an ecosystem of responsible personal data use has been established in the regulated industries, Pentland adds, governments will then be able to address the most complicated cases. This could mean encouraging the likes of Google and Facebook, companies that Pentland says "grew up before we realised there was a problem", to operate in a more transparent and open manner.

"Once the regulators can get best practice going in these regulated industries, they can go back to Google and Facebook and say, 'What makes you special?" he says. "And they won't have a good answer for that."

Related Topics

Personal Data