Data Portability and Privacy

#facebook published “Charting a Way Forward on Privacy and Data Portability” on 4/10/19; however, it is *not* a white paper but a document seeking free guidance and input. In their own words: “To address these challenges, we’re seeking feedback and guidance from a wide range of stakeholders about how to build portability in a way that empowers people and fosters competition while maintaining their trust in online services.”

I have, like many others, given a lot of input over the years to Facebook for free via invites to brainstorms, private sessions and roundtables. In all cases massive promises are made by #Facebook about what comes next, but they never deliver. No papers, no summary, no write-up, no thanks – nothing. I set out my thinking on the #facebook data portability paper at the end, for those who might also read the paper.

I have been exploring the topic of data portability for some time. This piece explores the strategic options for market models and the regulators’ stance on data portability. The #Facebook paper is a long way off the best thinking out there, and this is a summary of my *current* thinking on the topic of portability. #facebook might read this, but I am not sure they will like it, as data portability provides the reason why their model will become disintermediated.

There is excellent work going on in regard to Data Portability by Liz Brandt at Ctrl-Shift.

Definitions/ Assumptions for this post

Data: Data is data. *It is really important to read it this way, as it sets the context and framing for everything below.*

Party: A person or body; in this case no “trust” is implied.

Secure: Meaning that the Data is encrypted and is controlled by privileged access controls (ACLs) and (regulated) processes.

Trusted Party: Irrespective of the activity (porting transfer, mobility), it is assumed that Trusted Parties (holding or receiving), are on both sides of the process/system. Trusted Parties provide Secure holding, access and movement of Data.

Trust: As in, is the organisation trustworthy? This is explored in “Trust is not a destination”.

Ontology: The agreed set of categories in which the Data properties, and the relations between any Data items or objects, are unified or standardised so that Data can be [portable, shareable and movable] between Parties.

Consent: Layered consent is complex, and there is no right answer to consent: if too harsh, it can drive out innovation and growth. See “The ethics of opt-in and the morals of opt-out”.

Transfer: Data is transferred from one place to a new place using an Ontology. The current Data Holder’s copy is *no* longer designated as the primary/regular point of access. Where copies of the Data reside post-transfer depends on contract, agreements, consent, law and regulation. For example, the data may be copied and the original Data Holder’s copy deleted, or held for regulatory reasons/by agreement.

Data Holder: A Party who has a copy of the Data

Data Exporter: A Trusted Party who has been requested to Transfer their Data to a Data Receiver according to the Rights

Data Receiver: A Trusted Party who receives Data from a Data Holder by Transfer according to the Rights

Rights: Rights [read, write, copy and delete] include what level and type of Rights a Party has been granted in regard to a specific Data set, item or object. Rights also embrace access controls.

Defining the Activities

Data Portability: [portable, ported]

  1. The application of data being transferred from one Trusted Party’s business system to another Trusted Party’s business system, directly or indirectly. A user (or system) may initiate the transfer, but the user does not necessarily have to be involved.
  2. In the GDPR context, portability is simply the right to receive personal data and transmit it from one service provider to another.
  3. ISO defines “data portability” as the “ability to easily transfer data from one system to another without being required to re-enter data.”
“Data Portability” is a real mess, but should we say it is an action or an activity?

Data Sharing: [Shareable, shared]

  1. Enables a Party to access data without needing to hold a copy of the [original] data.
  2. Consent granted to instruct a Party about something, which can be a data attribute or the actual data.
Is “Data Sharing” passive; is it the requirement and the capability?

Data Mobility: [movable, movement]

  1. An economic framework that enables the free movement of Data.
  2. A Market Model that enables the flow of Data around a market.
Is “Data Mobility” a framework?
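To make the distinction between the Rights/Transfer definitions above and the Portability-versus-Sharing activities concrete, here is an added example, written for this page and not taken from the #Facebook paper, the Data Transfer Project or Ctrl-Shift. It models a Data Holder, a Data Receiver, the four Rights, and the two activities: Sharing hands out a read-only view and creates no copy; a Transfer requires both sides to be Trusted Parties, checks that the Exporter had COPY Rights in the first place and that the Receiver has them now, demotes the Exporter’s copy from primary, and then applies a retention choice (delete, or keep under regulatory hold). All names (Party, DataItem, Right, Retention, share, transfer, demo) and the Alice/OldNet/NewNet/AdTech scenario are this example’s own constructions.

```python
import copy
from dataclasses import dataclass, field
from enum import Enum, auto
from types import MappingProxyType


class Right(Enum):
    READ = auto()
    WRITE = auto()
    COPY = auto()
    DELETE = auto()


class Retention(Enum):
    DELETE = auto()           # Exporter's copy is removed after Transfer
    REGULATORY_HOLD = auto()  # Exporter keeps a non-primary copy


class PortabilityError(Exception):
    """Raised when a Share or Transfer would violate the Rights model."""


@dataclass
class DataItem:
    item_id: str
    subject: str               # the person the Data is about
    payload: dict
    primary: bool = True       # is this copy the regular point of access?
    rights: dict = field(default_factory=dict)      # party name -> set[Right]
    provenance: list = field(default_factory=list)  # every holder so far, oldest first


@dataclass
class Party:
    name: str
    trusted: bool = True                         # is this a Trusted Party?
    store: dict = field(default_factory=dict)    # item_id -> DataItem


def grant(item: DataItem, party: str, *rights: Right) -> None:
    """The data subject grants Rights over an item to a Party (consent)."""
    item.rights.setdefault(party, set()).update(rights)


def share(holder: Party, item_id: str, receiver: Party):
    """Data Sharing: the receiver gets access, but never its own copy."""
    item = holder.store[item_id]
    if Right.READ not in item.rights.get(receiver.name, set()):
        raise PortabilityError(f"{receiver.name} has no READ right on {item_id}")
    return MappingProxyType(item.payload)  # read-only view over the holder's copy


def transfer(exporter: Party, item_id: str, receiver: Party,
             retention: Retention) -> DataItem:
    """Data Portability: copy an item from a Data Exporter to a Data Receiver."""
    if not (exporter.trusted and receiver.trusted):
        raise PortabilityError("both sides of a Transfer must be Trusted Parties")
    item = exporter.store[item_id]
    if not item.primary:
        raise PortabilityError(f"{exporter.name}'s copy of {item_id} is not the primary copy")
    # "Did you have the rights to the data in the first place?" (the Exporter) ...
    if Right.COPY not in item.rights.get(exporter.name, set()):
        raise PortabilityError(f"{exporter.name} was never granted COPY on {item_id}")
    # ... and "do you have the rights now?" (the Receiver).
    if Right.COPY not in item.rights.get(receiver.name, set()):
        raise PortabilityError(f"{receiver.name} has no COPY right on {item_id}")
    if retention is Retention.DELETE and Right.DELETE not in item.rights.get(exporter.name, set()):
        raise PortabilityError(f"{exporter.name} may not DELETE {item_id}")
    # All checks passed: only now mutate state, so a failed Transfer leaves nothing half-done.
    moved = copy.deepcopy(item)
    moved.primary = True
    moved.provenance.append(receiver.name)
    receiver.store[item_id] = moved
    item.primary = False                     # Exporter's copy is no longer the regular access point
    if retention is Retention.DELETE:
        del exporter.store[item_id]
    return moved


def demo() -> dict:
    """Constructed scenario: Alice's profile is shared with AdTech and ported from OldNet to NewNet."""
    oldnet, newnet, adtech = Party("OldNet"), Party("NewNet"), Party("AdTech", trusted=False)
    profile = DataItem("profile-1", subject="alice",
                       payload={"name": "Alice", "posts": 3}, provenance=["OldNet"])
    oldnet.store["profile-1"] = profile
    grant(profile, "OldNet", Right.READ, Right.COPY, Right.DELETE)  # consent given at sign-up
    grant(profile, "NewNet", Right.READ, Right.COPY)                # consent to port
    grant(profile, "AdTech", Right.READ)                            # sharing only, no copy

    results = {"shared_view": dict(share(oldnet, "profile-1", adtech))}
    try:
        transfer(oldnet, "profile-1", adtech, Retention.REGULATORY_HOLD)
    except PortabilityError as err:
        results["adtech_transfer"] = str(err)      # AdTech is not a Trusted Party
    moved = transfer(oldnet, "profile-1", newnet, Retention.REGULATORY_HOLD)
    results["new_primary"] = moved.primary
    results["old_primary"] = oldnet.store["profile-1"].primary
    results["provenance"] = moved.provenance
    try:
        transfer(oldnet, "profile-1", newnet, Retention.DELETE)
    except PortabilityError as err:
        results["second_transfer"] = str(err)      # demoted copy cannot be ported again
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ordering inside transfer is the practitioner’s point: every Rights and trust check runs before any state changes, so a refused Transfer cannot leave a Receiver holding a copy it was never entitled to, and the Exporter’s demoted copy is recorded as non-primary rather than silently remaining a second “original”.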

To the specifics of the #facebook paper

1. Let’s be clear: #Facebook have not tried and are not making it easy. Words are easy to write, but it is, at best, disingenuous to the market to claim they are doing their best.

2. Data Transfer Project: I have been following it on GitHub since it was announced – it is not active enough.

3. Facebook are right that “Data Portability” is complex and that there are conflicting motivations among different players, but Facebook should not be dependent on free input to help them. What is their own position?

4. There is a core assumption, “Will portability make it more competitive?” Probably not, as it is not an economic framework.

5. Facebook hide all their assumptions and motivations. Set them out if you want anyone to comment. Presenting a few technical conflicts is too easy and avoids the reality.

6. The whole paper dives into the technical methods before framing value, economics and social implications. By example, and whilst a good question: “Where does a pure data portability request start, rather than, say, a data sharing request?” So what; what problem are you trying to solve?

7. As usual, they like to ignore, or only skim, user consent.

8. There is nothing about passing control, rights, agreements or consent

9. Interesting that they ignore “Did you have the rights to the data in the first place?” and focus only on whether you have the rights now.

10. The whole paper ignores other approaches and solutions. It focuses only on the one that Facebook want to frame as a solution.