The Trust economy will unlock a new world of opportunity.
–– 3 Nov 2020
Today is the first step in this journey; would you like to know more? Read on…
Part 1: Our vision
Consent: [ kuhn-sent ]: accord; concord; harmony. (Oxford English Dictionary)
The established model of the internet and the rules around data, its lifeblood, are being re-written. We’ve all lost control, and companies’ lakes of personal data are turning toxic with rising penalties and weaponised privacy rights.
The complexity of the AdTech ecosystem and its mostly automated practices long ago exceeded the capacity of the human brain to understand them in detail, and in that space uncertainty, doubt and conspiracy theories have grown.
This means a situation where people are increasingly concerned about their data and online identities: 78% believe businesses get the best value from data exchange, and 65% that they have lost control of their personal data. Trust has been badly damaged.
The Tapmydata solution is a framework of tools, ledger and decentralised protocol for people to reclaim their digital identity, crystallise unique, verified elements of consent in an NFT and provide a new, transparent channel for legitimate counterparties to blend data and exchange value.
Data is Destiny: Our mission is to give people control of their data and leverage collective agency in how it’s used, whether to share or get their piece of a market worth $325Bn annually. This forms a critical pillar of the new trust economy that is replacing the data silos of The Old Web.
2: The problem with data
“They trust me, dumb f**ks” – Mark Zuckerberg, Nov 2004
“We should explore . . . universal basic income so that everyone has a cushion to try new ideas.” – Mark Zuckerberg, May 2017
Everybody should be allowed to change their mind, including the biggest winners of the current system. The problem is, with the way data is being used and misused currently the engine of growth for Web 1 & 2 is redlining, in serious danger of exploding.
GDPR, CCPA and similar regulations in countries ranging from Brazil, through India to Japan have raised the stakes on fines and ushered in a culture of litigation for breaches and misuse of consent.
Regulators, advertisers and publishers are outgunned; they cannot manage the myriad of players, intermediaries and potential bad actors who capture, control and make money from consumer data.
Here is a representation of the lumascape, which is the ‘map’ of publishers, intermediaries and platforms which exist between advertisers who want eyeballs on their products, and the consumers of content online. This was in 2010…
And here is the lumascape in 2019! Despite the arrival of GDPR, new platforms, types of data from wearables and greater granularity have created an explosion of intermediaries, with most of the data in the world now created within the past 2 years.
Attempts by the data industry to self-regulate by codes, whitelists and frameworks such as that of the IAB have been ineffective to stop the spread of data, and in some cases exposed as contravening GDPR, existing and upcoming privacy regulations.
Meanwhile, platforms have acted as a law unto themselves, but the direction of travel is clear – away from third party control and unfair concentration of the rewards from data commerce towards individual control, agency and a first party relationship with advertisers with transparency and fair value exchange baked in.
3: End of the line for Data Broking
“The data broking sector is a complex eco-system where information appears to be traded widely without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data,” – UK Information Commissioner Elizabeth Denham.
Companies who use the services of data brokers for marketing and other purposes are now responsible for ensuring that processing of personal data is compliant with GDPR and other applicable regulations. They must undertake due diligence that the personal data being offered has been collected appropriately, is up to date and that people have been informed of their rights and given a means to exercise them, before the data is purchased or rented.
Following a 2 year investigation, in October the UK data regulator ICO used the ‘nuclear option’ to stop credit agency Experian from processing data which was used to create products sold across a range of sectors without valid consent of citizens.
It found that Experian and two other credit reference agencies – Equifax and TransUnion – did a significant amount of “invisible” processing of data, meaning that people did not know it was happening.
These firms provide a way for people to check their credit score for loans and credit cards.
But they are also data brokers, collecting and selling on information gathered from a variety of sources.
The regulator found that the agencies had access to the data of almost every adult in the UK, which was then “screened, traded, profiled, enriched, or enhanced to provide direct marketing services”.
Shockwaves have already spread through the world of data marketing in the few days since this ruling, heightening the sense of urgency to find a way to keep the risk of further actions and damage to clients of this ecosystem manageable, while dealing in users who don’t even know the names of these dominant players. The UK regulator has given Experian, and by association the whole broking industry, 9 months to get itself in order.
4: Who we are
Tapmydata has an advanced, robust data rights solution and channel for organisations to rebuild trust with citizens – securely, transparently and with Privacy by Design – the first of its kind worldwide.
We have a proven capability to deliver consumer grade technology that works reliably, with Privacy by Design and using the public blockchain as a statement of record.
Covering PrivTech, crypto and data commerce, our leadership team is experienced in founding, growing and exiting businesses across the tech spectrum. Our specialists bring together the skills to take new ideas from conception through MVP to delivery on an agile basis.
We have a current base of 4,000 users who use Tapmydata to discover where their data is held, repatriate it from companies and store it securely on their smartphone (Apple & Android).
Over the course of 18 months and over 15,000 requests, we’ve proven that people do care about their privacy, what happens to their data and in whose hands it ends up. Our ledger system and knowledge base on data rights is now the largest and most mature in the world, and has significant potential for research. AI development and benchmarking.
We’ve shone a light on how seriously organisations really take their commitment to data privacy and rights and over 500 of them currently use our platform in some way. Our technology and team are uniquely placed to use this platform and trust of our community to give them greater individual autonomy over their digital identity, and on-ramp to the opportunities for data monetisation through a ‘digital dividend’.
This combines with the movement led from the US by Andrew Yang and the “Yang Gang”, and the mission of the EU to create a fair, accessible market for consumer data by 2022. Whether individually, via ‘agents’ or digital unions we are a key connector between people and their Data Destiny.
5: Our Journey so far
The extension and promotion of personal data rights was one of the main goals of GDPR and subsequent regulations. Citizens have the right to request, order deletion and/or repatriation of their data in an easily accessible, machine-readable format.
This is an excellent opportunity to show how a secure channel combined with a blockchain ledger could manage ‘transactions’ between people and the organisations which hold their data as controllers or processors, something we termed ‘Data Dialogue’.
Our first product was developed and launched with this being the core proposition, the first ‘real world’ experiment around data rights with 2 goals:
1: To establish whether people cared about their rights, would want to exercise them and control their data, given tools and a frictionless user experience.
2: That organisations would be keen to demonstrate their commitment to data rights and best practice when presented with a dedicated channel designed with security and transparency as twin drivers.
At the core of our rights platform is the Tapmydata app which operates as a directory of organisations, a personal data store, wallet and secure end-to-end encrypted messaging platform for communicating with organisations and sending files back and forth.
In the back-end of the system is a secure platform for organisations to manage their team and respond to rights requests. Although the platform was built primarily for rights, it is in essence a secure request and response platform with crypto baked in and we recently deployed the product to customers in response to the COVID-19 system for contact tracing. See our Church of Scotland case study.
18 months and 15,000 requests later, the answer to (1) is a resounding ‘yes’ – users trust the tools, take a proprietary attitude to their data and think well of organisations which respond promptly and fully.
The response from organisations to our second goal was far less emphatic; while some embraced the platform and found it enabled 80% of requests to be closed automatically, others saw their obligations towards data rights based on a strict interpretation of compliance obligations. The old ways (email, web forms, post) were ‘good enough’.
The notion among privacy advocates that a Data Protection officer fielding rights requests in the setting of a Big Tech firm is like the role of an Environmental Protection Officer employed by an oil company is not without some justification, based on our findings.
Also evident is the fact the majority of requests are being made by legal intermediaries, in the early stages of putting together a case or probing the operational competence of a counter party around data. Rights are being weaponised, but alone are not yet the ‘killer app’ for privacy many predicted.
What became clear across the board from our first phase is that organisations struggle with verifying credentials and sharing ID ‘proofs’ in any context, not just rights.
Replicated tens or hundreds of times for each of us, businesses, charities and government bodies ask for inconsistent, mostly excessive amounts of information, often opening up the individual to fraud and identity theft in all but the most clear-cut contexts of customer onboarding.
We found that with rights requests, organisations often need to verify individuals before returning data and whilst this is proper and correct (you wouldn’t want to send one person’s data to another) a lot of the time these organisations would use inappropriate and arduous procedures – quite possibly by design – to wear people down and avoid having to service the original request. To counteract this we developed our own, appropriate and measured series of ID verification technologies that organisations can use within the Tapmydata platform.
Want to know more? You can try our ID verification beta in the Tapmydata app today. It works with passports currently and will be extended to support other ID documents.
Where does Self Sovereign Identity (SSI) sit?
Self-sovereign identity has a key role to play in the future of your privacy and identity. SSI means the individual manages the elements that make up their identity and controls access to those credentials – digitally. With SSI, power to control personal data resides with the individual, not an administrative third party granting or tracking access to those credentials.
The SSI system gives you the ability to use your digital wallet and authenticate your own identity using the credentials you have been issued. You no longer have to give up control of personal information to dozens of databases each time you want to access new services, with the associated security risk.
A number of established SSI initiatives already exist and the world of data in general, and blockchain in particular, would greatly benefit from universal standards in technology and regulation.
To the individual, Tapmydata offers the first step towards building their own sovereign ID – a digital profile of verified personal information independent of any organisation, while presenting an on-ramp to more complex SSI services as they become available.
Consent is the final and most crucial piece of the puzzle. It’s the ground zero on which all the processing of our personal data, the activity done by others which gives it value, is based.
Right now, operational conventions and technology exist for organisations to obtain one type of consent (via web form or cookie notice) from individuals, store and use this for their own (varied) purposes and to share with third parties.
Robust, blockchain-verified consent is the logical next step for our technology and where we see greatest value add in the future, bridging the gap between individuals and organisations.
Having verifiable proof that your database of personal private information is consented will become invaluable; not just for legal liability reasons but also speeding up merger and acquisition due-diligence, leaving a light data (and risk) footprint and building trust with a user base.
We believe that NFTs along with individual verified data will sit at the core of future consent models and having been on this journey, are uniquely placed to be a key player in this new field.
6: Why now
Companies have been collecting and treating our consent like a free commodity, while accumulating and selling it as an asset.
Current methods and technologies for dealing with this problem are manual, or products of web 1, 2 and have reached the end of their natural lifespan. Consent is broken.
GDPR was the watershed moment 2 years ago, where the world was first introduced to a framework for capturing, processing and monetising data on an ethical basis.
Further regulation has since been introduced around the world to introduce and strengthen data protection rights, and GDPR has been taken on as ‘gold standard’ for large organisations who want to take a pan-global approach to data compliance. .
Examples of this include the CCPA in California (https://www.dataprotectionreport.com/2019/06/nevada-new-york-and-other-states-follow-californias-ccpa/) and many other countries around the world with GDPR like regulation or that are considering similar regulation. See 10 Countries with GDPR-like Data Privacy Laws https://insights.comforte.com/countries-with-gdpr-like-data-privacy-laws
Combined with growing regulation in the data protection space we’ve also seen a growing awareness of inverse privacy (listen to our CEO Gilbert Hill featured on Decrypt Podcast which talks about this) and disinformation and fake news is spreading faster than the recent spate of wildfires!
The goal with GDPR was to start a re-boot of data commerce; now the EU is committed to create a market for consumer data by 2022, where individuals get their fair share in terms of control, and something approaching a universal basic income.
Blockchain and in particular NFT’s with identifying information in their smart contracts are now sufficiently mature to make this the tipping point for a new deal with data, building on current foundations of AdTech and legal interpretation of consent but with a vital new component – individual autonomy. We’re ready to lead this movement.
Part 2 : Our Solution – Blockchain Verified Consent
We’ll be sharing our solution around a new token, NFTs and how they together to create a protocol for blockchain verified consent in the next part of this series, published later this week.