Monday 23 July 2018

A fool and their data are easily parted: Is "data portability" really all it's cracked up to be?

Last week, Microsoft, Facebook, Google and Twitter announced plans to introduce a new open source initiative for consumer data portability, called the Data Transfer Product. A noble endeavour, many will argue, which obeys both the letter and the spirit of the new data portability requirement in Article 20 of the GDPR. That Article requires data controllers transmit, under certain circumstances and on the request of a user, that user's personal data to another controller "in a structured, commonly used and machine-readable format" and " without hindrance from the controller to which the data have been provided".  Data portability is generally seen as A Good Thing and the industry has long been lambasted for dragging its feet on this on the assumption, made by many, that individual providers don't want to share their users' personal data because they see them as their own business's commercial assets. But, true as that may have been all the way back in the 90s, is that really still the case in today's data-driven society?

Let Matron play Cassandra once again and say that, first of all, a joint project for data portability set up by the likes of Microsoft, Facebook, Google and Twitter is unlikely to be done solely for the benefit of users. A sane and rational part of us knows this, even if that is often the part that we choose not to listen to. But even if you have not yet joined the tribe of the "Incurably Suspicious" of which Matron is a card-carrying member, there are some points to consider here that should be clear to everyone.

You can check out any time you like...

As most us know, even if given the option, most users will likely decide to share their data with a new provider while continuing to keep that same data on the old provider‘s service “ just in case”. The online environment is our Hotel California. We don’t “leave” services, we multi-home. 

This has been a fact for the majority of people ever since before Viktor Mayer-Schönberger declared, in his book "Delete: The Virtue of Forgetting in the Digital Age", that the (time) cost of deleting [data/online content/communications] has become more expensive at roughly the same time that the (financial) cost of storing that data forever has gone down. And as long as that storage doesn't cost us a penny, most people will ask themselves, what's the harm in also keeping it on the old service, even if we no longer use it? We do it for safekeeping, or because we still use the old service for some purposes (news gathering but not photo sharing) or to communicate with some people but not others (our mothers v our friends, acquaintances or work colleagues). The point is, we mostly don't delete. And they know that.

Which is why any data portability project that focuses on “share and remain” rather than “share and delete” type user behaviour is not only an instrument that empowers users to have control over their data, but also one that facilitates the widest possible distribution - by users themselves - of their personal data between different providers. We’re not “porting” our data in the sense that we take them away from one provider and give them to another. We just duplicate them. It's all about convenience but without necessarily affecting either provider's bottom line.

Interestingly, this was one of the few things that the late Caspar Bowden and I ever disagreed on. I remember a long and heated discussion over bad coffee in some University cafeteria during some conference around 2012 when he told me about his campaign to make data portability a legal requirement. He got ever more enthusiastic, I became increasingly horrified. Because he saw portability as an instrument of user control, I saw it chiefly as a way of conning users into handing out their data to ever more different providers. And quite honestly, what’s not to like from the providers’ POV?

We are programmed to receive

Because one of the best kept secrets of the data economy now is that, contrary to popular belief, personal data is not necessarily a competitive asset. One provider doesn’t necessarily lose out, just because another provider has access to the same data too.

In fact, if the GDPR just allowed this, unfettered ubiquitous sharing of internet users' data between providers could probably be to the commercial benefit of all of them, particularly if it then also allowed for the seamless tracking of all of a user’s online activity by everyone. This is, after all,  just the raw data, which they can share. These days, the competitive element increasingly lies in what each of those providers does with those data - and this means their profiling algorithms, their means to combine those data with other data and the subsequent sale of the data product.

Open access proponents already know this. And once commercial providers "got it" too, we saw industry resistance to data portability slowly fade away.

We are all just prisoners here, of our own device

But data portability does much to assist providers in eroding principles like data minimisation, purpose limitation and storage limitation and in getting around the much more annoying conditions of those other legal grounds.

Because user consent is still a binary concept. You have it or you don't. And (depending on how good you are at writing privacy policies) once you have it, it will often allow you do things with data that you would not otherwise be allowed to do because of restrictions put in place in the context of those pesky other legal grounds - restrictions that were imposed for good reasons that we would do well to remember occasionally.

But a fool and their data are easily parted and “share and remain” data portability is just another way to facilitate the spread of personal data across the internet with minimum fuss and effort - all with the individual user's full knowledge and consent. And therein lies the problem that the GDPR has - as yet - not solved sufficiently.

This could be Heaven or this could be Hell

So is Matron categorically against data portability? No. How can she be? It’s a question of user autonomy after all. But it’s also just another example of why we need restrictions on consent. Because individual users are often not the best judge of what kind of data uses serve them and others well. So if we can’t (or don’t want to) limit users in who they share their data with, we must make sure that we limit what providers can do with those data. 

If we don’t, people will inevitably use this new instrument in the way they always do: for short-term benefit (usually accruing only to them) and against their own and (increasingly) collective or societal long-term interests.

Not for the first time, the fact that Caspar left us so early bugs the hell out of Matron. Just once she would have loved to hear him say, “you were right”.

No comments:

Post a Comment