Athena Capital

Data Sovereignty

Tom Tang Tue May 24 2022

The current success of blockchain as a technology fulfilled the idea of monetary sovereignty. Governments provide value by maintaining a stable currency under which people across time and space can interact with one another economically. Government money is debt. It is an IOU provided by the central bank. As a result, governments have the right to inflate your money away, causing you to lose economic capital without your consent. Currently, the state of our information is owned by the corporations we interact with. Our medical records are passed from hospital to hospital, and our email and contact information are sold repeatedly to entities we’ve never heard of. Yes, regulation is forcing companies to reveal what information they have on us and giving us the power to ask them to delete it, but this seems backward. It should not be a right granted to us by the government; it should be a right that we reserve. Data sovereignty means that anyone who wants our data needs to ask for it and possibly pay us for it if we don’t inherently derive value from the interaction. This shift from external ownership to self-ownership requires overcoming many hurdles.

Owning Data

Currently, the only data you own are your passwords. This is why password managers are the first to implement data sovereignty. The data is lightweight, consistently formatted, and requires your confirmation before it is given out to access the website you desire. Some password managers even branch out to include credit cards and other personal information. Storage of these kinds of data has already reached a sufficient level of sophistication, with encrypted cloud backups using public/private key cryptography that only you can access. Owning your data in the future could look like a database that’s accessed like your password manager. Pop into a site, and if they want your data, you need to click a button or confirm to give it out. However, we’ve already encountered a problem: how do you create a social network when you need to approve access to every photo or post anytime one of your friends wants to see what you’re up to? This creates a very closed web experience where your information becomes inaccessible to everyone.

Data normalization

Different data providers use incompatible data formats. To access data uniformly across data providers, an abstraction layer is needed. This abstraction layer must make a best-effort attempt to normalize most data formats. To incentivize the creation of high-quality and up-to-date normalization packages, publishers of normalization packages will be financially rewarded with micropayments for every access. Normalization packages will be open-source and universally accessible to audit the normalization functions. Data normalization also reduces data siloing and encourages the deduplication of data.

Access

Most data access is request and response; the data owner may or may not need to approve it. All data access goes through a data normalization package, so all possible call patterns are known. Permissionless access requires micropayments to the data owner and can only return a true/false value. To reduce data farming, data owners determine a cool-down period during which fees increase exponentially. Permissioned access will always be free and comes in two forms: single-use or trust-based. Trust-based access grants access to a list of data normalizations for a specific time, creating a time-bound safelist of access permissions, so that social network apps can access and display other users’ data on your devices through predetermined data normalization packages.

Delegated Trust

You generate new passwords; there’s no need to prove that this data is valid. If it’s not, you probably entered it wrong — oops. For data not generated by you, for instance medical or educational records, proof is needed to validate the data with the data provider. This can be done through cryptography by signing the data with the provider’s key. Now that we can prove the provider generated the data, how do we know whether we trust the provider? This raises hairy questions about authority (who has it, who doesn’t). Simple systems of control are top-down: a centralized ‘trusted’ source authorizes others. This is not ideal, since a trusted authority can be corrupted. Rather than relying on a centralized authority, every verifier must maintain its own list of keys considered ‘trusted.’ To make this easier, private/public key delegation allows authorizations to be delegated. If I am a trusted hospital, I can delegate keys to individual branches or even sell access to my delegated keys. If my delegated keys have been abused, I can revoke that delegation to protect my reputation.

Bootstrapping a New System

The internet has no built-in data privacy. It was designed to be open and permissionless. Passwords were added to restrict access. Before the internet, software applications ran on your local machine and saved data to your local machine. Privacy was the default. With internet companies, your data lives on their servers and they decide which subset of your data they show you. A new system is needed, built on top of the internet, with privacy as the default. Software companies should be building apps, not managing your data.