Trust, Consent and Control - A White Paper
- johnhauxwell
- Sep 16, 2024
- 12 min read
Updated: Jan 11
A discussion document.
Introduction
There are technological and sociological impediments to data sharing. Two key components span both of these disconnected pillars: Trust and Consent, which form part of the wider Ethics Framework (GoPES). Without these two elements (which have very different meanings in each environment) there will be limited progress in establishing a true data economy that benefits all participants. The discussion of trust and consent structures needs to evolve from a particular standpoint: that of the data owner, i.e. the data creator, you and me. These two concepts are integral to the creation of the new data economy.
In many of today's data ecosystems trust and consent are negated by greed and monetisation. In equitable data structures and architectures, however, the understanding of consensual data, i.e. data for which rights and consent have been given by the data owner, is paramount. Most Data Owners are blissfully unaware of how their data is used, sold, resold and monetised. In this data-driven world data is a precious commodity, and many organisations will go to any lengths to obtain a richer dataset.
I have seen many attempts at avoiding Trust and Consent, through data obfuscation and complex encryption mechanisms, that have failed due to lack of user understanding and involvement, or through rejection by the wider community (Sony UID and Digital Rights Management (DRM) are classic examples). Data is a living, breathing thing. It is not static, nor is it simple. Data is not a byproduct in today's world; it is the product, and consequently organisations must engender trust from data owners, who must freely give consent for the use of their data.
To consider trust as an item separate from data governance is an impossible task. The same is true for consent. These do not live in simple verticals. They move throughout the ecosystem and benefit all parties concerned, whether monetarily or in the quality and veracity of the data being used.
Looking at how these two items are related in the wider ecosystem is not impossible. We need to look at everything from the data owner's perspective. Without trust there will be no flow of data for third-party use, and without consent there is no data, as it cannot be used without breaching GDPR or other regional directives.
How then can these vital parts of the data ecosystem evolve? How do we manage an overarching solution ensuring that these key components become pervasive in a frictionless and simple way? How do we ensure that these critical elements are integrated into a governance structure that will provide trust and consent for all users? These could be third parties, or trusted parties within the owner's datasphere. How do we ensure that data can be validated and its veracity ensured? How can the flow and use of data be audited and controlled?
The answer to all these questions is comprehensive data governance: governance that promotes trust, strong auditing and Quality Assurance (QA), and the primary requirement of user consent.
In technology we talk about trust and consent in terms of absolutes: certificates, tokens and digital rights. However, this is not the case for user data, our data. Trust and Consent are emotional. They are not just technological components. They come from nurturing relationships that have a solid working basis, i.e. strong governance.
In technology it is very simple to establish trust between components. We talk all the time about trusted systems, yet we all know how difficult it is within society to gain trust. Organisations that require data must show that they are trustworthy. They must have strong procedures and excellent data governance. Consent must be earned; it isn't freely given. Today our consent is given through EULAs (End User License Agreements) and similar documentation, which we sign blindly before using platforms such as Amazon, Facebook, Netflix and Google, never giving a thought to how they will use our data, package it, sell it or use it for their own gain.
I would like us to consider how we begin to develop computational governance and ethics that assist all parties: a framework that starts with a socio-technical approach, builds a solution with a formal (documented) structure, and becomes the basis for developing trust relationships throughout the "dataverse".
I have been involved with trust and consent models for the last 15 years, and my thinking is best summed up by the following statements:
Trust is a necessary condition of trade, commerce or use of a service where the parties enter into it voluntarily. Specifically, trust, within the bounds of commerce, can be defined as the belief held by a party entering a trade, commerce or service that the stated intentions of the other parties to that interaction are true.
In this respect, consent is a subcategory of trust. In most aspects of simple commerce it is implicit rather than explicit. For example, if I pick up a bottle of water, bring it to the till and pay the retailer the amount demanded, that is usually a signal that I have consented to this trade. I don't need to make my consent explicit.
Whether explicit or implicit, consent is almost always a necessary but not sufficient condition for garnering trust. There are other aspects to building trust, such as identity and creditworthiness, and even higher-order factors such as the governance of the infrastructure and systems around those interactions (I might not walk into a certain shop because it looks like a front for criminal activity, for example). But often consent is the most important factor in garnering trust. If one party does not agree to be part of the trade or activity, there will be no trust.
Cookies, advertising and the data trade have, for almost two decades now, got around consent by effectively issuing "contracts of adherence": "sign this contract if you want to use our software", embedded in an EULA. Ordinary users are not in a position to refuse. On one hand they do not have the resources, e.g. time or lawyers, to renegotiate the terms of the contract. On the other, the alternative of simply saying no means being cast into digital oblivion. People are powerless to refuse the terms of the trade, and yet they must take part if they are to maintain their social capital. This is clearly not an equal relationship.
Imagine walking into a shop, asking for a bottle of water, and being told that in return they demand your personal purchase history for the last thirty days and will track you for another thirty. Who would say yes? Of course, if every shop offered water on these terms you would eventually give up and say yes. But is that genuine consent?
So although consent has technically been given (we all clicked yes), it is not genuine consent.
Users need to be able to say no as readily as they can say yes. There needs to be a balance of power.
Data Quality Management provides this power. In a sense DQM has always acted in this capacity, representing large groups of Data Users in order to leverage the power of their demands as a collective.
No one is forced to adhere to a trust-based model. However, companies should, through their fiduciary duties, act in the data owner's best interests.
Being part of a trusted data environment therefore becomes an act of rich, genuine consent.
This becomes the first step in building out a sustainable trust based economy.
Trust is a Two Way Street
Trust is a two-way street. Without trust in Data Providers and Aggregators, the veracity of their data sets will always be doubted by Data Buyers and their analysts. Without trust, Data Owners will never willingly contribute their data to these data sets. Sadly, the latter means that data is frequently obtained in less than trustworthy (and sometimes illegal) ways. I have seen presentations where companies proclaim that they obtained data from data breaches, showing us that data isn't always consensual, nor always obtained legally. Yet these companies continue to flourish, showing us that data ethics isn't even on their radar, let alone good governance! Data Buyers suffer, spending countless hours and dollars cleaning this data to make it potentially fit for use. Research conducted by Talend in 2021 found that 60% of business executives don't always trust their company's data, and more than a third still don't base most of their decisions on it. Frequently these data sets are filled with unverifiable data, making decisions based on them precarious to say the least! 95% of respondents to the Talend survey said there should be cross-industry metrics to assess the quality of data, thus making it more trustworthy.
Data Creators and Owners like you and me have an inherent mistrust of the large data gatherers such as Facebook, Amazon and Google, who between them control almost 70% of the adtech marketing data and the majority of mobile phone apps (Adam Towvim, DPPA, October 2021). The telecommunications companies hold colossal amounts of data on us all. Do we trust them to do what is right with our data? It's an uncomfortable question that we don't like to think about. These companies spend many millions of dollars on brand exposure, not just to establish their brand but to establish trust.
So how can data creators, around 5.62 billion consumer connections each generating about 1.7 MB of data per second, regain some control in this world? You can say "No, not me", as over 75% of Apple users recently did, causing Facebook to plead with users to switch data sharing back on. Eric Seufert of Mobile Dev Memo states: "The iOS changes could cut Facebook's revenue by 7% (in lost advertising income) if around 80% of users say no." (Bloomberg, July 2021). The data market for advertising and marketing is around $900 billion, so others must be hurting too!
However, there has to be a better way: one where trust is developed and assured by the Data Users, and consent is controlled, managed and originated by the Data Owner.
Consent is Control
What is consent? How is it gained and how is it given? Consent is, unfortunately, a difficult thing to understand legally, but is reduced to a simple "tick" for most Data Owners.
"Consent of the Data Owner means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which the data owner, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to the data owner." (EU General Data Protection Regulation (GDPR), Article 4(11), with "data subject" rendered here as Data Owner)
This statement is complex, but its meaning is very clear. Simply put, it means "no consent, no use".
We live in a world where data is treated as a free commodity by the larger corporations and is used without explicit consent for a number of purposes. Consent is implied in the EULAs and GDPR consent documents that we sign without reading. However, there is some good news.
GDPR further clarifies the conditions for consent in Article 7, paraphrased below with "controller" rendered as Data User and "data subject" as Data Owner:
1. Where processing is based on consent, the Data User shall be able to demonstrate that the Data Owner has consented to processing of their personal data.
2. If the Data Owner’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
3. The Data Owner shall have the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the Data Owner shall be informed thereof. It shall be as easy to withdraw as to give consent.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
OK, so the lawyers are happy, but what does it actually mean?
Consent Must be Freely Given
The Data Owner has not been pressured or "cornered" into agreeing to the use of their data. Data Users cannot make consent to data processing a condition of, for example, being allowed to use the service. Data Owners need to be able to say no. The one exception is where the Data User genuinely needs some piece of data from someone in order to provide them with a service. This does, to my way of thinking, add ambiguity.
Consent Must be Specific
GDPR states that "the request for consent shall be presented in a manner which is clearly distinguishable from the other matters." It should be clear what data processing activities Data Users intend to carry out, giving the Data Owner (you or me) an opportunity to consent to each activity.
Data Users can't explain everything in a single long paragraph with one consent checkbox at the end. Instead, they must explain each data use case separately, giving Data Owners an opportunity to consent, or not, to each one. Nor can Data Users take one piece of consensually provided data (say an email address) and use it for a purpose other than the one consented to. Consent has to be gained for ALL activities for which the data is used.
Consent Must be Informed
Informed consent means the Data Owner knows the Data User's identity, what data processing activities they intend to conduct, the purpose of the data processing, and that the Data Owner can withdraw their consent at any time.
It also means that the request for consent, and the explanation of the data processing activities and their purpose, are described in plain language ("in an intelligible and easily accessible form, using clear and plain language"). That means no technical jargon or legalese. Anyone accessing a Data User's service(s) should be able to understand what they are being asked to agree to.
The France vs Google case gives us a good real-world example. The French data protection authority, the CNIL, said the company did not meet the requirements of informed consent:
“The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent. For example, in the section ‘Ads Personalization,’ it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations … and therefore the amount of data processed and combined.”
The British Information Commissioner’s Office provides further context: “If the request for consent is vague, sweeping or difficult to understand, then it will be invalid. In particular, language likely to confuse — for example, the use of double negatives or inconsistent language — will invalidate consent.”
Consent Must be Unambiguous
Consent Must be Revocable
The GDPR does not indicate a shelf life for consent. Theoretically, a person’s consent is indefinite, though there might be situations in which it becomes clear that consent is no longer valid or reasonable, or violates some principle of data processing. However, a Data Owner has the right to withdraw consent at any time. Moreover, Data Users must make it easy for them to do so. In general, it should be as easy for them to withdraw consent as it was to obtain it.
So, in summary, the request for consent must be simple, clear, revocable and unambiguous.
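To make the Article 7 conditions concrete in code, here is an added example, not from the original paper or from GoPES: a minimal per-purpose consent register in Python. Consent is recorded per purpose (specific), each grant and withdrawal is an append-only event that can be produced as evidence (demonstrable), withdrawal is the same one-step call as granting (revocable, as easy to withdraw as to give), and a point-in-time query keeps processing done before a withdrawal lawful. The subject identifier, purpose names and channel names are invented for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One append-only record of a grant or withdrawal: who, for which purpose,
    when, and through which channel it was obtained (kept so consent can be demonstrated)."""
    subject: str
    purpose: str
    granted: bool
    at: datetime
    source: str


class ConsentRequired(Exception):
    """Raised when processing is attempted without a live consent for that purpose."""


class ConsentRegister:
    """Per-purpose consent ledger. Consent to one purpose never covers another,
    withdrawal is the same one-step call as granting, and the log is never rewritten."""

    def __init__(self) -> None:
        self._log: list[ConsentEvent] = []

    def _record(self, subject: str, purpose: str, granted: bool,
                at: datetime, source: str) -> ConsentEvent:
        if at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware to be auditable")
        event = ConsentEvent(subject, purpose, granted, at, source)
        self._log.append(event)  # append-only: a withdrawal is a new event, not a deletion
        return event

    def grant(self, subject: str, purpose: str, at: datetime, source: str) -> ConsentEvent:
        return self._record(subject, purpose, True, at, source)

    def withdraw(self, subject: str, purpose: str, at: datetime, source: str) -> ConsentEvent:
        return self._record(subject, purpose, False, at, source)

    def is_permitted(self, subject: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """Was consent for exactly this purpose live at time `at` (default: now)?
        Querying a past `at` is what keeps earlier processing lawful after a later withdrawal."""
        when = at or datetime.now(timezone.utc)
        state: Optional[ConsentEvent] = None
        for event in self._log:
            if event.subject == subject and event.purpose == purpose and event.at <= when:
                if state is None or event.at >= state.at:  # later log entry wins a tie
                    state = event
        return state is not None and state.granted

    def evidence(self, subject: str, purpose: str) -> list[ConsentEvent]:
        """The record a Data User produces to demonstrate consent (Art. 7(1))."""
        return [e for e in self._log if e.subject == subject and e.purpose == purpose]


def process(register: ConsentRegister, subject: str, purpose: str, at: datetime,
            handler: Callable[[dict], object], payload: dict) -> object:
    """'No consent, no use': the handler only runs behind a live consent for `purpose`."""
    if not register.is_permitted(subject, purpose, at):
        raise ConsentRequired(f"{subject}: no live consent for {purpose!r} at {at.isoformat()}")
    return handler(payload)


def demo() -> dict:
    """Constructed timeline for one hypothetical subject; purposes and channels are invented."""
    reg = ConsentRegister()
    subject = "subject-0001"
    t0 = datetime(2024, 9, 16, 10, 0, tzinfo=timezone.utc)
    t1, t2, t3, t4 = (t0 + timedelta(days=d) for d in (1, 6, 7, 8))

    reg.grant(subject, "account-service", at=t0, source="signup-form")
    # Specific: consent given at signup says nothing about ads personalisation.
    ads_before_grant = reg.is_permitted(subject, "ads-personalisation", at=t0)
    reg.grant(subject, "ads-personalisation", at=t1, source="settings-page")
    ads_after_grant = reg.is_permitted(subject, "ads-personalisation", at=t2)
    # Revocable, as easy as granting: one call through the same channel.
    reg.withdraw(subject, "ads-personalisation", at=t3, source="settings-page")
    ads_after_withdrawal = reg.is_permitted(subject, "ads-personalisation", at=t4)
    # Processing done at t2 stays lawful even though the withdrawal is now on record.
    ads_at_t2_still_lawful = reg.is_permitted(subject, "ads-personalisation", at=t2)

    try:
        process(reg, subject, "ads-personalisation", t4, lambda p: p["email"], {"email": "x@example.org"})
        blocked = False
    except ConsentRequired:
        blocked = True

    return {
        "account_permitted": reg.is_permitted(subject, "account-service", at=t4),
        "ads_before_grant": ads_before_grant,
        "ads_after_grant": ads_after_grant,
        "ads_after_withdrawal": ads_after_withdrawal,
        "ads_at_t2_still_lawful": ads_at_t2_still_lawful,
        "ads_evidence_count": len(reg.evidence(subject, "ads-personalisation")),
        "blocked": blocked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that the register is append-only and every check is a point-in-time query: a withdrawal never edits or deletes the earlier grant, so the Data User can still demonstrate that processing at an earlier date was lawful, while anything attempted after the withdrawal is refused by the same gate.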
Legislation
In late 2020, European regulators seized upon the idea of Data Unions and drew up regulation, the Data Governance Act (DGA), to encourage the share-and-earn model. They have made their intentions clear: they want Data Unions to succeed (as they are a Trust and Consent model), and are allotting €2 billion in grants to help build this vision.
As currently drafted, the EU’s DGA and the Digital Markets Act (DMA) bring huge benefits to this nascent ecosystem by:
Giving legal standing and legitimacy to Data Unions so that data buyers and regulators can trust these new organizations.
Allowing users of Amazon, Facebook, Google and other massive platforms ('gatekeepers') to port their data in real time, through APIs, to third-party organisations like Data Unions.
Making €2B in match funded grants available to build out the systems that regulators want to support.
Setting a new direction for the data brokering industry.
Note
“The Commission plans to invest €2 billion to foster the development of data processing infrastructures, tools, architectures and mechanisms for data sharing.”
If the model can be shown to benefit EU Data Union members, i.e. Data Owners, it will simply be a matter of time before legislation backing the share-and-earn model for data spreads across the globe and becomes a new economic standard. This is the model that forward-thinking frameworks should adopt.
Solutions
Data Owners can start reclaiming the ownership and sovereignty of their data by:
Adopting organisations that have legal and governmental responsibility for their data, where they, as the end user, have control over what their data is used for.
What about Data Vaults?
Personal Data Vaults (PDVs) have been around since the late 1990s, with PIMs (Personal Information Managers), and are one of the most underutilised technological creations in the data economy: a store for personal data which users (Data Owners) own and control. The use cases are very clear. A PDV acts as:
A store for personal information and personal data from multiple sources
A solution for sovereign identity
A way for websites to collect analytics on customers arriving at their site
A means for advertisers, credit checkers and other service providers to query the digital footprint of an individual and sell them tailored services.
A means of providing consensual access to data with full personal control.
In essence, a PDV inverts data control for a better-controlled data ecosystem. Instead of websites and digital service suppliers forcing Data Owners to accept EULAs and a multitude of cookies, Data Owners 'carry' a vault (actually hosted remotely) which can only be interrogated on their terms.
GoPES
A single, use-case-driven solution that allows ALL organisations to apply governance, privacy, ethics and security (in line with enterprise best practice), and indicates technology choices for a solution that provides the correct level of adherence to legislation.
For information on GoPES, contact its author John Hauxwell at john@AIdentity.uk.
For information on the frictionless data marketplace please contact me directly at john@aidentity.uk
Summary
This is not wishful thinking. Data-centric marketplaces already exist, but are, on the whole, "the wild west". A Data Creator/Data Owner consent-based federated marketplace, with strong standards (GoPES) applied and accepted throughout the "data value chain", can provide rewards for all: cleaner, high-veracity data and stronger user control over the data they create.
For more information on GDPR see https://gdpr.eu/
Data usage number sources (assuming approximately 4.5 billion unique smartphone connections):
https://data.worldbank.org/indicator/IT.NET.BBND for fixed-line numbers
https://datareportal.com/global-digital-overview for mobile numbers
https://techjury.net/blog/how-much-data-is-created-every-day/#gref for data volumes