
Privacy By Design – The Case for 1st Party Data Sharing

The vast majority of applications being built today include as a central tenet the ability to hold information about and for their customers in a personal repository. Whether centralized or distributed, their key characteristic is being held by a third-party on behalf of the customers. 
 
As shown in the figure above, the first party personal data storage model (also known as the personal cloud model) provides an alternate approach. Rather than storing data in a centralized repository, all data would be stored in personal data stores or, as they are also called, personal clouds. Online applications would continue to have repositories of data required to run their services but they would no longer need to aggregate personal data. They could use existing personal data in the personal cloud, or they could create new data in it for the application. Eventually, personal data in the application’s own data center might only exist in temporary caches, or be aggregated in a de-identified form.
 
Third Party Challenges
 
Third party personal repositories have issues complying with international privacy regulations' demands for:
  • Use specificity: Existing national data protection acts all over the world often severely limit the processing that can be performed on citizen data if it isn't explicitly defined at the time of collection (use-specificity).
  • Transparency and portability: The forthcoming European Data Protection Act places a great deal of further limits on use, and requires an interface for persons to download their own data.
  • Right to be forgotten: The act also requires that identity providers enable persons to delete their accounts and associated data.

Publicity about the regulatory requirements and, more importantly, about data breaches and rising problems with cyber-surveillance, crime, fraud, extortion and bullying feeds a rising tide of privacy concerns from individuals. Online providers are trying to respond to these concerns in various ways:

  • Building new interfaces and processes to comply
  • Publishing complex privacy policies to rationalize and justify practices
  • Offering improved privacy settings and other features
  • Offering encryption features for individuals (such as Google's and Apple's reportedly surveillance-proof smartphone OSes)

However, none of these efforts can change the fact that the third-party personal data storage architecture will continue to face challenges in the present climate of international distrust, regulatory zeal and national data protectionism.  

We may welcome some online providers' efforts to implement the letter and spirit of the regulations and to satisfy the market demand for privacy and trust in their services, but we should recognize that meeting privacy requirements through the third-party architecture is an uphill struggle. Programmatic changes to large centralized systems are expensive, and the regulations are constantly changing. Moreover, large centralized systems are subject to risk aggregation: a single breach caused by a single error can have catastrophic effects.

Advantages and Disadvantages of the 1st Party Model

In the 1st party model, a breach of all the personal data touched by the application would be unlikely because that data actually resides in millions of little repositories rather than in one large repository. Thus, if a hacker gained access to a system administrator password (as we are told occurred in the recent JP Morgan breach) he would not be able to download millions of records from any database. Instead, he would have to connect to every single personal cloud and request data from it. This type of breach would be much more easily detected and stopped before it affected millions or even just hundreds of customers.
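The detection advantage described above can be made concrete: a stolen credential harvesting data in the 1st party model has to touch one personal cloud after another, which shows up as an abnormal fan-out in the access log. The following is an added example, not code from the original post; the log format, client names and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime


def build_sample_log():
    """Constructed log lines: '<ISO timestamp> <client_id> <personal_cloud_id> <action>'.
    'app-orders' behaves like a normal application (a few users' clouds);
    'svc-admin' behaves like a compromised credential sweeping many clouds."""
    lines = [
        "2024-05-01T10:00:00 app-orders pc-0001 read",
        "2024-05-01T10:00:05 app-orders pc-0002 read",
        "2024-05-01T10:00:09 app-orders pc-0001 write",
        "2024-05-01T10:01:00 app-orders pc-0003 read",
    ]
    for i in range(40):  # 40 distinct personal clouds in 40 seconds
        lines.append(f"2024-05-01T10:02:{i:02d} svc-admin pc-{100 + i:04d} read")
    return lines


def parse(line):
    ts, client, cloud, action = line.split()
    return datetime.fromisoformat(ts), client, cloud, action


def detect_fan_out(lines, window_seconds=60, max_distinct_clouds=25):
    """Return {client_id: peak distinct clouds} for every client that touched
    more than max_distinct_clouds distinct personal clouds within any sliding
    window of window_seconds. Normal applications stay far below the threshold
    because they only reach the clouds of users who are actively using them."""
    events = sorted(parse(line) for line in lines)
    windows = defaultdict(deque)  # client -> recent (timestamp, cloud) pairs
    alerts = {}
    for ts, client, cloud, _ in events:
        recent = windows[client]
        recent.append((ts, cloud))
        while (ts - recent[0][0]).total_seconds() > window_seconds:
            recent.popleft()  # drop events that fell out of the window
        distinct = len({c for _, c in recent})
        if distinct > max_distinct_clouds:
            alerts[client] = max(alerts.get(client, 0), distinct)
    return alerts


if __name__ == "__main__":
    print(detect_fan_out(build_sample_log()))  # {'svc-admin': 40}
```

Because each personal cloud can keep its own copy of this log, the check can run on the individual's side as well as at the application, so a sweep is visible to both parties.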

There will be challenges to the first party privacy and security architecture model as well. Rather than living in one heavily protected fortress, 1st party personal data resides in smaller structures protected by individuals who, in general, don’t have the greatest record for keeping their devices free from malware and preventing their accounts from being compromised. Much will depend on the market providing software or services built for the 1st party model with professional levels of security.

These tools and services for 1st party storage must not only remain decentralized and under the individuals' complete control, they must also maintain an adequate level of interoperability and consistency so that online applications which rely on them don't have to reinvent the wheel too often. Examples of companies following the personal cloud model are SocialSafe (which allows you to download and own a copy of all your social network activity), Meeco (which is developing applications enabling personalized connections to trusted brands) and Personal.com (which has developed a PDS application).

Hybrid Models

The pure first party model isn't sufficient to support some analytics which, unlike other forms of online interactions and customer data processing, depend not on one customer's data but on the aggregation of many customers' data. One solution for privacy-compliant big data is to aggregate only non-sensitive personal information, thus lessening the impact of a breach and potentially making it easier to obtain informed consent from individuals. This requirement could be satisfied by the hybrid first party architecture shown in the figure below, which introduces a repository for analytics into the 1st party model. This repository, shown in pink, would contain non-sensitive or de-identified personal data, leaving most personal data back in the personal clouds.
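One way the hybrid model's analytics repository can be fed while the sensitive fields stay in the personal cloud is a de-identification step at the boundary. This added example is not code from the original post; the allowlist of "non-sensitive" fields, the coarsening rules and the sample record are constructed assumptions for illustration.

```python
import hashlib
import hmac

# Constructed allowlist: the only fields the analytics repository may hold verbatim.
# Everything not listed (name, email, raw id, exact age, full postal code) stays
# in the personal cloud.
ALLOWED_FIELDS = {"product_category", "purchase_count", "country"}


def pseudonym(user_id, secret):
    """Keyed pseudonym for joining an individual's records inside the analytics
    store. It is stable for a given key but cannot be reversed to the user id
    without that key, which never leaves the application's side."""
    return hmac.new(secret, user_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def age_bracket(age):
    """Coarsen an exact age to a ten-year bracket, e.g. 34 -> '30-39'."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def to_analytics_record(record, secret):
    """Build the record that leaves the personal cloud for the analytics repository:
    allowlisted fields verbatim, a keyed pseudonym instead of the id, and
    generalized stand-ins for age and location."""
    out = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    out["subject"] = pseudonym(record["user_id"], secret)
    if "age" in record:
        out["age_bracket"] = age_bracket(record["age"])
    if "postal_code" in record:
        out["postal_prefix"] = record["postal_code"][:2]  # region, not address
    return out


# Constructed sample record as it would sit in one personal cloud.
SAMPLE_RECORD = {
    "user_id": "u-48213", "name": "A. Example", "email": "a@example.invalid",
    "age": 34, "postal_code": "90210", "country": "US",
    "product_category": "books", "purchase_count": 7,
}

if __name__ == "__main__":
    print(to_analytics_record(SAMPLE_RECORD, b"placeholder-key"))
```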
One thing is for certain, whether online providers go with a first party or a third-party PDS architecture, marrying big data with privacy regulations will become an increasingly tricky business. In “The Future of Big Data – the Big Elephant in the Room,” Kirsten Whitfield describes the ongoing dance with regulators on what constitutes informed consent, how to address pseudonymization, and restrictions on analytics that apply even after informed consent is obtained. 

Conclusion

For many IT business and security people, the very idea of a decentralized first party PDS may seem crazy, going against the grain of long held views on the need for organizational control. So dominant has the notion of a centralized PDS architecture become that many forget the Internet itself was first conceived of as a peer to peer network and only later became more centralized. This post has pointed out the 1st party PDS architecture as an alternative, and some compelling reasons to consider it.