On Sep 17, 2019, at 12:44 PM, Adrian Gropper <
" class="">
> wrote:
Thanks, Doc. We need to be prepared for the pushback against the individual as the point of integration that I have gotten from the big data brokers: that it adds too much friction.
Too bad.
This is going to be a fight, for sure. But we have a case, or several of them, and need to make it.
We also need to be bigger than we are, which requires funding for Customer Commons, Me2B Alliance, GLIAnet, or whatever. The key is standing on the side of the individual and the world we should have started making in 1995 and have put off until we're deep in the messes that resulted from not making the right moves back then. My reply is that the friction is desirable if we’re to maintain our freedom. I make the analogy of the friction added by a defense counsel when facing the state’s court vs. the expediency of a tribunal.
We also need to argue the scale that Joe talks about in his piece. There are countless efficiencies that come to a marketplace, and to many business and government parties, when the individual can perform an integrating role. And if we want examples of that at work, we have what the Internet, hypertext and email protocols all made possible, which is individuals acting at full agency without subtracting any power at all from institutions—and eliminating many frictions as well.
Doc
Adrian On Tue, Sep 17, 2019 at 9:28 AM Doc Searls <
" class="">
> wrote: First, there is this news:
It begins,
vpnMentor’s research team has found a large data breach that may impact millions of individuals in Ecuador. The leaked database includes over 20 million individuals.
Led by Noam Rotem and Ran Locar, our team discovered the data breach on an unsecured server located in Miami, Florida. The server appears to be owned by Ecuadorian company Novaestrat.
Novaestrat is a consulting company that provides services in data analytics, strategic marketing, and software development.
The data breach involves a large amount of sensitive personally identifiable information at the individual level. The majority of the affected individuals seem to be located in Ecuador.
Although the exact details remain unclear, the leaked database appears to contain information obtained from outside sources.
These sources may include Ecuadorian government registries, an automotive association called Aeade, and Biess, an Ecuadorian national bank.
The breach was closed on September 11, 2019...
The data breach involves around 18 GB of data. As many as 20 million individuals may be impacted by this breach, although some of the data seems to involve individuals who are already deceased.
To give some context about the scale of this leak, Ecuador has a population of around 16 million people.
Individuals in the database are identified by a ten-digit ID code. In some places in the database, that same ten-digit code is referred to as “cedula” and “cedula_ruc”.
In Ecuador, the term “cédula” or “cédula de identidad” refers to a person’s ten-digit national identification number, similar to a social security number in the US.
The term “RUC” refers to Ecuador’s unique taxpayer registry. The value here may refer to a person’s taxpayer identification number.
Okay, now imagine that Adrian's five rules applied across the board to everything, as a matter of policy. To refresh, here they are:
1. No sharing: The data is never shared with any external entities. It is not even shared in de-identified form.
Here the government data would not have been shared with Novaestrat. 2. No aggregation: The data is never aggregated with other types of input or data from external sources. This includes mixing the data gathered via The Service with other data, such as patient-reported outcomes.
Novaestrat would not have had the data to mix with other data. And inside the government, tax and banking information would not have been pulled into one exposed place by aggregation or federation. (Choose your verb. I don't want to get too deep or technical here.) 3. Always voluntary self-identification: The user of The Service is able to choose their own identity. The user does not need to have their identity verified unless required by law.
4. Digital agent support: The user is able to specify a digital agent, trustee, or equivalent information manager, and this specified agent will not be subject to certification or censorship.
5. No vendor lock-in: The Service is easily and conveniently substitutable, so the user can easily move their data to another vendor providing a similar service. This prevents vendor lock-in and is often accomplished using Open Standards. Indications for Use: The five separately self-asserted statements on the PPR Information Governance Label are subject to legal enforcement as would the privacy policy associated with The Service.
While those last three are beside the point in this case, I want to bring them in because they are relevant in other cases.
Where I'm going here is toward what Joe wrote about >12 years ago that the individual, and not the institution, needs to be the point of integration for her own data. Joe:
When we put the user at the center, and make them the point of integration, the entire system becomes simpler, more robust, more scalable, and more useful.
Wallets are points of integration. Key rings are points of integration.
Making institutions points of integration for massive quantities and varieties of personal information is a recipe for disaster.
Yet nearly all "solutions" start at the institutional level, addressing what businesses can do, and what governments can do. Not with what individuals can do.
Self sovereign identity (SSI) has a lot of promise (as I wrote about here), but I'm still waiting for the SSI wallet I'll need.
Meanwhile the GDPR, CCPA and other privacy laws treat us as victims of institutional misdeeds, rather than as entities with full agency in the world.
Joe again:
VRM changes the landscape in a way that not only makes life better for individuals, it profoundly improves the information architecture that modern society depends on. He unpacks an example from my own life at the time—one that pertains to what Adrian and Deborah have been working on in the medical field:
User Centrism as System Architecture
Doc Searls shared a story about his experience getting medical care while at Harvard recently. As a fellow at the Berkman center, he just gave them his Harvard ID card and was immediately ushered into a doctor’s office–minimal paperwork, maximal service. They even called him a cab to go to Mass General and gave him a voucher for the ride. At the hospital, they needed a bit more paperwork, but as everything was in order, they immediately fixed him up. It was excellent service. But what Doc noticed was that at every point where some sort of paperwork was done, there were errors. His name was spelled wrong. They got the wrong birthdate. Wrong employer. Something. As he shuffled from Berkman to the clinic to the cabbie to the hospital to the pharmacy, a paper (and digital trail) followed him through archaic legacy systems with errors accumulating as he went. What became immediately clear to Doc was that for the files at the clinic, the voucher, the systems at the hospital, for all of these systems, he was the natural point of data integration… he was the only component gauranteed to contact each of these service providers. And yet, his physical person was essentially incidental to the entire data trail being created on his behalf. User as Point of Integration But what if those systems were replaced with a VRM approach? What if instead of individual, isolated IT departments and infrastructure, Doc, the user was the integrating agent in the system? That would not only assure that Doc had control over the propagation of his medical history, it would assure all of the service providers in the loop that, in fact, they had access to all of Doc’s medical history. All of his medications. All of his allergies. All of his past surgeries or treatments. His (potentially apocryphal) visits to new age homeopathic healers. His chiropractic treatments. His crazy new diet. All of these things could affect the judgment of the medical professionals charged with his care. And yet, trying to integrate all of those systems from the top down is not only a nightmare, it is a nightmare that apparently continues to fail despite massive federal efforts to re-invent medical care.
Now that surveillance capitalism and maximized aggregation and federation and institutional data sharing have happened so often, so gigantically and so stupidly, maybe it's time to push this approach back to the front burner where it belonged in the first place.
Adrian Gropper MD
PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
|