By now we’ve all seen the headlines about Facebook’s poor data practices: as many as 87 million users’ personal records affected by Cambridge Analytica, 2.2 billion users’ profiles scraped by third parties, and so on.
But what went wrong isn’t limited to Facebook. The problem is that an internet run by centralized digital superpowers leaves users with little control over their data.
Centralization’s Weaknesses
Think of the internet as an extremely efficient copy machine that anyone can use. This makes it very easy to share information — including information you want to keep private.
That’s why we need rules. When we say “data privacy,” we are referring to the rules set by platforms — determining who has permission to handle data and who gets informed when it happens.
To use a platform, users have to check a box saying they agree to the rules. The problem is tech giants don’t give users real insight into the rules beyond saying, “Trust us!”
As we now know, Facebook gave wildly disproportionate permission to third-party app developers to copy their users’ personal information. By exploiting this permission, Cambridge Analytica was able to use a single app to collect millions of personal records at almost no cost, and nobody was informed until it was too late.
Unfortunately, these types of situations will continue to happen. Centralized platforms lack incentives to properly disclose their data practices, so users will be left in the dark when the “copy machine” falls into the wrong hands again.
The Role of Decentralization
For data that is clearly valuable, users should be able to explicitly set permissions around who can access it, and those permissions should be easy to verify.
We can use blockchain technology for this. The idea is not to store everyone’s private data on-chain; it’s very expensive to add records to a blockchain, and public blockchains can be read by anyone.
What makes a blockchain special is that it’s write-only; it’s practically impossible to change a record on the blockchain once it’s there. Here’s the insight: we can use a blockchain to store not the data but the permissions. If private data is secured in an encrypted database, a blockchain can act as a ticketing system, keeping track of who can get in, without exposing the data underneath.
Suppose you had your health data stored off-chain, requiring a cryptographic key to unlock it. You want three parties to have access: your doctor, your health insurance provider and your partner. These parties could be represented by white-listed addresses that are recorded on the blockchain, representing their right to use the key.
A blockchain is an immutable sequence of events. If, say, the white list suddenly included four or five parties, you would know something else was going on. Just as you can see where your bitcoin or ether came from, there should be a clear record of who is accessing your data.
Scarcity as Protection
To return to the idea of the internet as a giant copy machine: the same principle that makes bitcoin possible — “digital scarcity,” meaning the coin can’t simply be duplicated or created by anyone — can also help make data harder to replicate.
The idea is that we can tokenize the data in order to create laws of physics around it. In order to prevent future Cambridge Analyticas from exploiting loopholes, we could create an ecosystem in which user data is represented by tokens. This creates an extra layer of protection between outside parties and valuable data, and assigns the data some value.
From a developer’s perspective, calling an API would be represented by a transaction on the blockchain, with a cost proportional to the amount of data requested. The cost would be negligible for normal, day-to-day use — but it would prohibit a single app from making off with tens of millions of records. Scarcity and value provide friction, which exposes unusual activity.
These transactions would receive oversight from miners or validators who collect fees for enforcing the network’s agreed-upon rules. Depending on the kind of blockchain, these validators could be individuals spread out across the world or they could be something more like private arbitrators or internal auditors. The point is, there would be third parties keeping the system accountable.
Final Thoughts
As a centralized entity, Facebook has no incentive to be a fair referee, and it’s clear they’re not up to the task of keeping our data safe. We need an approach to data privacy that doesn’t count on the word of a single party. Blockchains allow us to create systems with multiple points of accountability and transparency that can give users real control over their digital lives.
This is a guest post by Chris Tse. Opinions expressed are his own and do not necessarily reflect those of Bitcoin Magazine or BTC Media Inc.