Data Commons – a trust framework
The walk down memory lane continues. Back in 2013 we did a project about subscriber data that is still more than relevant, but which we have not published anything about yet. The current discussions around privacy in Augmented and Mixed Reality have brought the topic back to the top of our minds. The Data Commons project was carried out by a team of mixed competencies: apart from us, data researchers and wide area network experts. We started off by deciding that we should avoid focusing on the privacy of personal data and instead look at opportunities for what subscriber data could be used for. But of course we quickly went off in the complete opposite direction and did a project around data privacy.
The aim of the project became to formulate thoughts and develop concepts that could showcase something we could use to discuss how Ericsson could be a trusted partner with regard to the privacy and security of data. It resulted in the concept of "Data Commons", a trust platform that we have revisited in almost every project ever since. But it still remains a conceptual framework, which is why we thought it could be time to share it with the rest of the world.
In essence, Data Commons is a proposed system and an organisation that facilitates the relationships between individuals and institutions that gather, manage and utilise personal data in controlled and transparent ways.
The idea is that Data Commons does not store any of the data itself, but is a central repository of personal manifests that describe the access and usage rights of all data generated by an individual in any digital service — and that also regulate relationships with the organisations and companies that use and/or share ownership or usage rights to that same data. In most cases, data generated from using a service or application is also business critical for that service or application, either in order for the service to function or in order for the service provider to be able to charge for the service.
Data Commons could provide individuals with easy access to their data, information about who has access to it, information about how the data is used and how it is interpreted, ways to control access to the data, a clear indication of how public the data is as well as means of adjusting this, and last but not least a way to correct the data or interpretations of the data. Individuals could also become "data donors" using the framework.
Companies and organisations get a method to deal with issues relating to privacy and integrity, the ability to facilitate opt-in/opt-out, transparency and value sharing, and a possibility to innovate and define new business opportunities by providing methods and techniques that utilise the vast amounts of data that the provided solution will have knowledge about.
We developed four concepts to exemplify how Data Commons could work for different kinds of users:
The annual data report
In order for an initiative like Data Commons to be trusted and relevant to the public, it is important for it to be present in people's minds (without expecting them to actively engage too much) as well as transparent enough. At regular intervals a personalised report based on all data for each person is generated, printed and sent to each individual. The concept is inspired by the way the Swedish pension fund sends out an annual orange envelope with a summary of how much you have accumulated so far for your old age pension, including a forecast of what it can provide in old age pension from Sweden. The idea of using the same model for your accumulated data is similar: to educate and create an awareness about the current and predicted future value of personal data, where the data is stored, how it is and can be used, now and in the future, with illustrative examples and graphs showing what can currently be deduced from analysing it.
The interactive dashboard
Those who are a bit more engaged and curious could log in to a web based portal where all personal data could be explored in more detail using a set of interactive tools. The web portal highlights issues such as who has data about me, what data is stored about me, and what the data is used for. Rights and terms of usage could be managed there.
A business can use the Data Commons brand and some provided components to establish trust with the customer as well as to give the customer a clear (transparent) idea of what data it wants to store and what the data is to be used for. This could for example be the use of data for new business purposes, without violating people's privacy. Querying Data Commons about specific information would also check whether the individuals holding such information are OK to share, what exactly they want to share, with whom, and for which use (and perhaps at what price). Data Commons finds the data whose access rights match the querier's organisational form (e.g. commercial, educational, public, non-profit etc.), intended use and perhaps budget, and then grants access to the correct set of data and handles payment to the individual data holders.
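The query-matching step described above, as an added illustration that is not code from the original post or from Ericsson: a small manifest registry in Python that stores only access rules (no subscriber data), evaluates a querier's organisational form, intended use and budget against each individual's manifest, records every decision so it can be shown on the individual's dashboard, and tallies what is owed to the data holders. The manifest fields, the sample individuals, the rule vocabulary and the prices are constructed assumptions, not part of the Data Commons concept as the post describes it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Organisational forms named in the text; fixing them as a closed set is an assumption here.
ORG_FORMS = frozenset({"commercial", "educational", "public", "non-profit"})


@dataclass(frozen=True)
class AccessRule:
    """One row of a personal manifest: who may use one category of my data, for what, at what price."""
    category: str          # kind of data the rule governs, e.g. "location"
    org_forms: frozenset   # organisational forms allowed to query (ignored when public=True)
    purposes: frozenset    # intended uses the holder accepts
    price: float = 0.0     # per-grant fee paid to the data holder; 0 means free
    public: bool = False   # "how public the data is": True lifts only the org-form restriction


@dataclass
class Manifest:
    holder_id: str
    rules: List[AccessRule] = field(default_factory=list)


@dataclass(frozen=True)
class Query:
    querier: str
    org_form: str
    category: str
    purpose: str
    budget: float          # what the querier will pay per grant (assumed per-grant, not a total)


@dataclass(frozen=True)
class Grant:
    holder_id: str
    category: str
    price: float


class DataCommons:
    """Registry of manifests only: it holds no subscriber data, just access and usage rights."""

    def __init__(self) -> None:
        self.manifests: Dict[str, Manifest] = {}
        # (holder, querier, category, decision): the trail behind "who has asked for data about me"
        self.audit: List[Tuple[str, str, str, str]] = []

    def register(self, manifest: Manifest) -> None:
        self.manifests[manifest.holder_id] = manifest

    @staticmethod
    def decide(rule: AccessRule, q: Query) -> Optional[str]:
        """Return None when the rule permits the query, else the name of the first failing check."""
        if rule.category != q.category:
            return "category"
        if q.org_form not in ORG_FORMS:
            return "unknown-org-form"
        if not rule.public and q.org_form not in rule.org_forms:
            return "org-form"
        if q.purpose not in rule.purposes:
            return "purpose"
        if rule.price > q.budget:
            return "budget"
        return None

    def resolve(self, q: Query) -> List[Grant]:
        """Match a query against every manifest; log each decision, grant only the matching rules."""
        grants: List[Grant] = []
        for m in self.manifests.values():
            for rule in m.rules:
                if rule.category != q.category:
                    continue  # rules for other data categories are not decisions about this query
                reason = self.decide(rule, q)
                self.audit.append((m.holder_id, q.querier, q.category,
                                   "granted" if reason is None else f"denied:{reason}"))
                if reason is None:
                    grants.append(Grant(m.holder_id, rule.category, rule.price))
        return grants

    @staticmethod
    def payments(grants: List[Grant]) -> Dict[str, float]:
        """Amount owed to each data holder for a set of grants."""
        owed: Dict[str, float] = {}
        for g in grants:
            owed[g.holder_id] = owed.get(g.holder_id, 0.0) + g.price
        return owed

    def access_report(self, holder_id: str) -> List[Tuple[str, str, str]]:
        """Dashboard view for one individual: (querier, category, decision) rows, denials included."""
        return [(q, c, d) for h, q, c, d in self.audit if h == holder_id]


def build_sample_commons() -> DataCommons:
    """Three constructed manifests; names, categories and prices are illustrative only."""
    dc = DataCommons()
    dc.register(Manifest("alice", [
        AccessRule("location", frozenset({"educational", "non-profit"}), frozenset({"research"})),
        AccessRule("health", frozenset({"public"}), frozenset({"research"})),
    ]))
    dc.register(Manifest("bob", [
        AccessRule("location", frozenset({"commercial", "educational"}),
                   frozenset({"research", "advertising"}), price=2.0),
    ]))
    dc.register(Manifest("carol", [
        AccessRule("location", frozenset(), frozenset({"research"}), price=0.5, public=True),
    ]))
    return dc


if __name__ == "__main__":
    dc = build_sample_commons()
    study = Query("uni-lab", "educational", "location", "research", budget=1.0)
    print(dc.payments(dc.resolve(study)))   # alice free and carol at 0.5; bob's price exceeds the budget
    ads = Query("adtech-co", "commercial", "location", "advertising", budget=5.0)
    print(dc.payments(dc.resolve(ads)))     # only bob permits advertising use
    print(dc.access_report("carol"))        # both decisions, including the denial, visible to carol
```

Two design points worth noting: the registry logs denials as well as grants, because the dashboard question "who has asked for data about me" is as much about refused requests as about fulfilled ones; and the manifest drives the decision, so the price and purpose restrictions an individual sets are enforced at query time rather than negotiated per business.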
As mentioned, Data Commons is nothing more than a conceptual framework that we have identified as useful in numerous projects over the past five years. One of the reasons why it has not yet been developed further is that it is a very tricky topic to get right. It requires massive collaboration and global policies to be in place. Who should be the body behind the Data Commons? The government? A private company? An NGO? A public-private partnership? We do not have any answer other than that it depends. Which body is seen as more trustworthy differs between countries and cultures. Letting the state govern the Data Commons in countries where the government is corrupt might not be the optimal solution, whereas in countries like Sweden that might actually be the best option and preferred over a privately owned company.
Also, we see great opportunities for more advanced forms of data security frameworks to preserve the privacy of users of coming AR and VR mapping services. Sharing, for example, detailed point cloud data of your local environment that you have generated with your device might reveal quite intimate information, yet it is necessary for many (coming) services to work. How do we handle privacy in relation to such point cloud data?