I mean, what if I want to outsource payroll to, say, Equifax?
That would require sharing private data about employees with Equifax so that they're able to handle paying them.
Or if I want to ship a package to somebody; can I not give a 3rd party (DHL) the recipient's address?
I like your idea but I think it needs some refinement. Perhaps just a time restriction; although I'm sure DHL would love to keep a photo proving that the package was delivered for a year.
You can architect it in a way that lets the person choose what they want to share with 3rd parties. The most basic is just: this is an actual human. Then make it illegal for companies to share tracking data based on your passport ID with anyone.
You can also architect it so that the government doesn't know who is trying to authenticate you.
It does prevent you from making multiple accounts with the same company though.
Not sure what you are talking about, can you quote what you mean? No one gets to decide, I mean personal information being shared between companies on the backend. That should be heavily monitored with oversight. Like the sites you visited, etc.
You can build a charter that makes that sort of thing functionally impossible.
Strong data protection guidelines that prohibit giving third-parties access to data would be a starting place, but there are a lot of barriers you could put up to such an outcome (barriers that wouldn't be possible for a for-profit corporation.)
Ideally, you wouldn't have to trust them, you would be able to contract with them. Or rather, if you owned the data, they would have to contract with you to use it.
I agree that given the current environment, it would require regulatory changes to implement the data ownership concept. And given the degree of regulatory capture in such markets, good luck getting such a change implemented.
Maybe entrust this function to a government agency? At least they wouldn't be in the business of selling your information; I assume that happens in some fashion under the current system, but maybe someone can clarify?
I think it would depend a lot on who has the power in said product. The business model of the product.
If it's tailored towards workers, it could be as simple as a key that you, the employee, could revoke at any time, making the centralized data void. Something like rainbow.me
For the B2B model... well, it could be like Equifax, I guess? Offer to provide that service to the business to check the data, while allowing the user to revoke it at any time, for a small fee paid in the crypto of your choice, perhaps paid by the business for accessing the data.
Nope – not explicitly, that would be something within _their_ terms of service since it's their data. Their own customers would have to hold them accountable.
I know that's a cop-out – but I can't imagine a system where we could enforce some kind of downstream compliance.
Things like GDPR are a good way to make companies accountable and I look forward to that becoming more broadly accepted.
A dividend, while logically possible, may be practically quite difficult to implement and regulate effectively. Not that we shouldn't try to do it, it'll just be hard.
I think there's a simpler way to solve this.
This is just an exchange, you're getting a product, and you're giving away to them and all subsequent third parties all the rights to your data in exchange.
That's your payment.
The problem here is that this is your only form of payment by default for that tier of product and that sucks.
In my opinion it should be illegal to do that by default without first giving the customer the option to pay in money in exchange for that exact same product.
And if I'm paying, I don't want you sharing my personally identifiable information: no analytics, no tracking, no third-party consulting, and if you can't pass a security audit or can't figure out how to anonymize/encrypt my information properly, I don't want you accessing it in clear form at all outside your company premises, including from your remote employees. I think that's fair.
If you're a startup and can't afford to pay for a credible audit, then you shouldn't be allowed to even know my first name. You'll have to use a secure and audited intermediary to provide that to you in anonymized form, and you figure out how to handle it on your own.
These laws already exist as part of Sarbanes-Oxley but aren't as strict as what you're proposing. Certain public companies are required to implement safeguards that prevent most employees from having access to customer PII (personally identifiable information). Non-public companies don't have to comply with SOX regulations, but maybe some of them should be expanded to include large private companies.
I think the issue right now is that private user information is viewed as an asset, not a liability. If we could find a way to make it more of a liability, companies would be less likely to collect it just for the sake of having it, and they would be more proactive in securing it.
I propose allowing people to use their private data as a form of monetary exchange. IOW, GDPR disallows apps/sites from asking a user whether they would allow targeted advertising or would rather pay for the app. There is no good reason for this in my eyes. Transparency is great, but don't force people to not be allowed to use their personal data in an exchange.
That's already an issue. I also don't see how it's reasonable to ask someone to essentially sign a contract with a third party entity to do one's job while sacrificing that individual's personal privacy in the process.
I like this idea and have been wondering about it.
Right now it is considered normal for every company to keep personal data, but what if it was forbidden to store anything for longer than say 10 minutes and it is only allowed to keep anything in random access memory, not persistent storage? What if the person dealing with a company could generate a random identifier to allow for time-limited access to their data through a standard API?
What if the companies/organizations were by law required to ONLY access personal data through that API, with all access being logged and auditable by the individual? If during an audit (due to reasonable suspicion) it is found that the company is storing the data instead of reading and forgetting it immediately, the company would face heavy fines.
Would this be enough? Probably not to deter bad actors... Maybe companies should not have access to any personal data in the first place? Only the post office/delivery company would need to know where the mail for a temporary ID must be delivered to.
Same with phone numbers; they don't need them. Only phone companies need to be able to resolve the temporary ID to make a call. It would FINALLY deal with the spam, even though I guess phone companies are skimming money off that, so they won't be too happy if the legislation required it.
Exceptions can be made, but if there are fewer exceptions, the data would be far more tightly controlled.
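The comment above sketches an architecture rather than code: the individual mints a random, temporary identifier for one counterparty and one purpose, the counterparty can resolve it only while it is valid, and every access is logged for the individual to audit. The following is an added illustration of that design in Python (not code from the thread or from any product mentioned in it). It also covers the earlier suggestion of a key the employee can revoke at any time. The `ConsentVault` class, its method names, and the "alice"/"DHL"/"delivery" sample data are all invented for the example; the resolver stores only a SHA-256 hash of each token, so a leak of its own table does not hand out usable identifiers.

```python
"""Time-limited, purpose-bound, revocable access to one personal-data field.

Added example (not from the original thread). Model: the data subject stores
a value (e.g. a delivery address) in a vault and mints a random temporary
identifier for a single accessor and purpose. The accessor can resolve the
identifier only while it is unexpired and unrevoked, and every attempt,
including denials, goes into an audit log the subject can read back.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    subject: str          # whose data this is
    field: str            # which attribute the grant covers, e.g. "address"
    accessor: str         # the single party the identifier was issued to
    purpose: str          # the only purpose the identifier may be used for
    expires_at: float     # unix time after which resolution is refused
    revoked: bool = False


class ConsentVault:
    """Hypothetical resolver; the clock is injectable so expiry can be tested."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._data = {}       # (subject, field) -> value
        self._grants = {}     # sha256(token) -> Grant; the raw token is never stored
        self._audit = []      # (timestamp, subject, accessor, purpose, outcome)

    def store(self, subject, field, value):
        self._data[(subject, field)] = value

    def mint(self, subject, field, accessor, purpose, ttl_seconds):
        """Create a temporary identifier. The raw token is returned exactly once."""
        if (subject, field) not in self._data:
            raise KeyError("no such field stored for subject")
        token = secrets.token_urlsafe(32)            # 256 bits of randomness
        self._grants[self._key(token)] = Grant(
            subject, field, accessor, purpose, self._clock() + ttl_seconds)
        return token

    def revoke(self, token):
        """The subject can void the identifier at any time, before expiry."""
        grant = self._grants.get(self._key(token))
        if grant is not None:
            grant.revoked = True

    def resolve(self, token, accessor, purpose):
        """Return the value if the token is valid for this accessor and purpose.

        Every call is logged, successful or not, so the subject can audit it.
        """
        grant = self._grants.get(self._key(token))
        if grant is None:
            self._log(None, accessor, purpose, "denied:unknown-token")
            raise PermissionError("denied:unknown-token")
        outcome = self._check(grant, accessor, purpose)
        self._log(grant.subject, accessor, purpose, outcome)
        if outcome != "ok":
            raise PermissionError(outcome)
        return self._data[(grant.subject, grant.field)]

    def audit(self, subject):
        """All access attempts that named this subject's data, oldest first."""
        return [entry for entry in self._audit if entry[1] == subject]

    def _check(self, grant, accessor, purpose):
        if grant.revoked:
            return "denied:revoked"
        if self._clock() > grant.expires_at:
            return "denied:expired"
        if grant.accessor != accessor:
            return "denied:wrong-accessor"
        if grant.purpose != purpose:
            return "denied:wrong-purpose"
        return "ok"

    def _log(self, subject, accessor, purpose, outcome):
        self._audit.append((self._clock(), subject, accessor, purpose, outcome))

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()


if __name__ == "__main__":
    # Constructed sample data, not real records.
    vault = ConsentVault()
    vault.store("alice", "address", "1 Example Street")
    tok = vault.mint("alice", "address", "DHL", "delivery", ttl_seconds=600)
    print(vault.resolve(tok, "DHL", "delivery"))     # the address, once, for delivery
    vault.revoke(tok)
    for entry in vault.audit("alice"):
        print(entry)
```

Two caveats a practitioner should keep in mind. The vault only controls resolution: once an accessor has read the value it can copy it, which is exactly the "what stops company A passing it to company B" problem raised later in the thread; the log, the short TTL and the per-accessor binding limit the damage and make misuse attributable, they do not make it impossible. And binding the token to a single accessor only helps if the resolver actually authenticates the caller (mTLS, a signed request, or similar) rather than trusting a self-declared name as this sketch does.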
Just have it so that any time a person or company's data is sold or leased, the company doing the selling must mail (via physical correspondence) the person or company with a notification of what data was sent and why.
People will get tired of the junk mail and companies will lose money trying to peddle data.
That is exactly the sort of middle ground I had in mind. You aren't entirely prohibiting sharing data that might involve other people, but it is only shared for a specific purpose requested by the person providing the data and never used for anything else.
Hmm, I wonder about this. Consider that company A requests and is granted access to some of your data - what's to stop them selling that data on to company B?
Regulation could form part of the solution, but I'm wondering if anything can be done from a technical standpoint.
I get what you’re saying but the reality is many industries just can’t do this. I have strict data residency and sovereignty requirements - there are potential criminal charges. It’s a non-starter for lots of industries