Inrupt, Tim Berners-Lee's Solid, and Me

For decades, I have been talking about the importance of individual privacy. For almost as long, I have been using the metaphor of digital feudalism to describe how large companies have become central control points for our data. And for maybe half a decade, I have been talking about the world-sized robot that is the Internet of Things, and how digital security is now a matter of public safety. And most recently, I have been writing and speaking about how technologists need to get involved with public policy.

All of this is a long-winded way of saying that I have joined a company called Inrupt that is working to bring Tim Berners-Lee’s distributed data ownership model that is Solid into the mainstream. (I think of Inrupt basically as the Red Hat of Solid.) I joined the Inrupt team last summer as its Chief of Security Architecture, and have been in stealth mode until now.

The idea behind Solid is both simple and extraordinarily powerful. Your data lives in a pod that is controlled by you. Data generated by your things — your computer, your phone, your IoT whatever — is written to your pod. You authorize granular access to that pod to whoever you want for whatever reason you want. Your data is no longer in a bazillion places on the Internet, controlled by you-have-no-idea-who. It’s yours. If you want your insurance company to have access to your fitness data, you grant it through your pod. If you want your friends to have access to your vacation photos, you grant it through your pod. If you want your thermostat to share data with your air conditioner, you give both of them access through your pod.
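To make the "granular access" concrete, here is an added example (not from the original post) of the kind of Web Access Control (WAC) ACL resource a Solid pod server evaluates: it grants the pod owner full control over a `/fitness/` container and an insurer read-only access to it. The WebIDs and the container path are assumed placeholders.

```turtle
@prefix acl:  <http://www.w3.org/ns/auth/acl#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .

# ACL resource for the container /fitness/ (stored as /fitness/.acl).
# Placeholder WebIDs: alice.example is the pod owner, insurer.example is a third party.

# The owner keeps Read, Write and Control. Control is the right to edit this
# ACL itself, so it is the one mode that must never be handed to a third party.
<#owner>
    a acl:Authorization ;
    acl:agent    <https://alice.example/profile/card#me> ;
    acl:accessTo <./> ;
    acl:default  <./> ;          # also applies to resources inside the container
    acl:mode     acl:Read, acl:Write, acl:Control .

# The insurer gets Read only: it can fetch the fitness data but cannot alter it
# or change who else may see it.
<#insurer>
    a acl:Authorization ;
    acl:agent    <https://insurer.example/profile/card#me> ;
    acl:accessTo <./> ;
    acl:default  <./> ;
    acl:mode     acl:Read .
```

Two things a reviewer of such a file checks: that `acl:Control` appears only on the owner's authorization, and that no rule uses `acl:agentClass foaf:Agent` (which would make the container public) unless that is intended. Revoking the insurer later means deleting the `<#insurer>` block; it does not, as several commenters below note, recall any copies the insurer already fetched.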

The ideal would be for this to be completely distributed. Everyone’s pod would be on a computer they own, running on their network. But that’s not how it’s likely to be in real life. Just as you can theoretically run your own email server but in reality you outsource it to Google or whoever, you are likely to outsource your pod to those same sets of companies. But maybe pods will come standard issue in home routers. Even if you do hand your pod over to some company, it’ll be like letting them host your domain name or manage your cell phone number. If you don’t like what they’re doing, you can always move your pod — just like you can take your cell phone number and move to a different carrier. This will give users a lot more power.

I believe this will fundamentally alter the balance of power in a world where everything is a computer, and everything is producing data about you. Either IoT companies are going to enter into individual data sharing agreements, or they’ll all use the same language and protocols. Solid has a very good chance of being that protocol. And security is critical to making all of this work. Just trying to grasp what sort of granular permissions are required, and how the authentication flows might work, is mind-altering. We’re stretching pretty much every Internet security protocol to its limits and beyond just setting this up.

Building a secure technical infrastructure is largely about policy, but there’s also a wave of technology that can shift things in one direction or the other. Solid is one of those technologies. It moves the Internet away from overly-centralized power of big corporations and governments and towards more rational distributions of power; greater liberty, better privacy, and more freedom for everyone.

I’ve worked with Inrupt’s CEO, John Bruce, at both of my previous companies: Counterpane and Resilient. It’s a little weird working for a start-up that is not a security company. (While security is essential to making Solid work, the technology is fundamentally about the functionality.) It’s also a little surreal working on a project conceived and spearheaded by Tim Berners-Lee. But at this point, I feel that I should only work on things that matter to society. So here I am.

Whatever happens next, it’s going to be a really fun ride.

EDITED TO ADD (2/23): News article. HackerNews thread.

EDITED TO ADD (2/25): More press coverage.

Posted on February 21, 2020 at 2:04 PM

71 Comments

Comments

K.S. February 21, 2020 2:18 PM

Seems like a great idea, but how are you going to pressure existing data collectors/abusers to use it? FB is not going to stop collecting and selling personal data to the highest bidder just because a better, more responsible, and more ethical alternative exists.

Q February 21, 2020 2:22 PM

But once you grant someone else access to your data then they now have it also. So then they can sell to anyone else they choose to. And/or they will buy it from some other company that you had previously granted access.

How does the “pod” help here? In the background companies will simply exchange/sell your data amongst themselves, just like they do now.

Clive Robinson February 21, 2020 2:25 PM

@ Bruce,

The idea behind Solid is both simple and extraordinarily powerful. Your data lives in a pod that is controlled by you.

Douglas Adams did a good description of this in one of his later “Hitchhiker” books, must be thirty years ago. He also highlighted the “all eggs in one basket” and “security fault” with it by having Ford Prefect steal it and use it to impersonate its owner.

His idea would be the equivalent of your “pod” inside an NFC “iPhone” in more modern descriptive form.

MarkH February 21, 2020 2:35 PM

@Bruce:

It’s difficult to visualize how this would work in practice … there are only a few comments above, and they raise some good questions.

So, I’d better read up on the concept!

I wish you and the venture best luck. It’s a righteous and important effort.

Michaela Merz February 21, 2020 2:52 PM

This is the attempt to try to solve a problem with technology. However – there is no technical solution because once data has been shared (by a pod or any other way) we’re in the same situation as we are now. We need laws that regulate how and when data may be used, how long it can be retained, with stiff penalties for abuse and negligence. But if we have those laws, we wouldn’t need pods.

Even this blog requires personal data and I have no control over how it is used. So no – I don’t believe this idea to be a solution. Sorry.

bobbyg February 21, 2020 3:04 PM

Are you being funny with the “pod” label? Cause I don’t know about you, but…pod people?

(Donald Sutherland scream.) 😛

Jester February 21, 2020 3:49 PM

I think most persons, i.e. 90+%, do not have any desire to manage their own data pods and carefully control which companies and devices access which part of the data. It will be like the requirement that you grant access permissions to apps. You just keep clicking till the app is installed. And in the end, the big data companies end up managing your pod, and they will find a way to access the data with and occasionally without your permission, just like Facebook.

AlanS February 21, 2020 5:41 PM

Building a secure technical infrastructure is largely about policy…

Except it’s not. You should really read the historian, Thomas P. Hughes. See for example, Networks of Power: Electrification in Western Society, 1880-1930 for an account of how a technical infrastructure developed over time. It wasn’t largely about policy. There were endless factors and complexities.

Scott February 21, 2020 5:57 PM

I’d suggest it might be too late. There is an incredible amount of information out there already. Sort of closing the proverbial barn door after the horse has gotten out. I imagine most of the useful information has been gleaned.

Faustus February 21, 2020 6:33 PM

There are a lot of “Right On!” observations already.

Solid “solving” data privacy/ownership is analogous to how safe injection sites “solve” opiate addiction: It might be helpful but the central problem remains.

What I want is a POD that saves my data for a week or the length of a transaction and then permanently erases almost all of it. I live my life facing forward, not looking at the detritus of the past.

(But this is not going to happen because Solid does not address how our data is hijacked by entities out of our control who store it, profit from it and use it to influence us and control us.)

In general, DATA is the PROBLEM, it is hazardous WASTE, not something we need to keep around. We don’t want to preserve 99.99% of it. We want to erase it. We want it to fade away as it becomes irrelevant to our lives, like data did 50 years ago.

gordo February 21, 2020 6:52 PM

Good call, Mr. Schneier.

Given that the World Wide Web is only 30 years on, Solid and Inrupt represent the democratization of data as a hands-on, generational, data-literacy project. Ideally, rather than having my data used on me it’s better that my data is used by me. Where my and a service provider’s interests align, all the better. When they don’t, I pull my data. Given its real-time nature, I suspect that this project will also make data laundering and identity theft easier to detect.

As the saying goes: “Good luck, hard work, and guts.”

Koray February 21, 2020 7:04 PM

The whole thing is predicated on this sentence:

Either IoT companies are going to enter into individual data sharing agreements, or they’ll all use the same language and protocols.

This means that through legislation companies will be forced to pick one of these options. I don’t think the latter will be the popular choice because the language and the protocols are the least interesting part of the technical problem. Running “pod” servers on the public internet that can scale to serve every internet company out there that I may actually want to allow access is a monumental task. (Essentially those “pod” servers already exist inside facebook for my facebook data with the schema that facebook wants, then twitter has theirs with the twitter schema, etc. You wanna consolidate all this data out to a service in the public internet, whose unavailability will knock out all social networks at the same time, whose security breaches may expose all of your data, etc.)

This probably means nobody will be able to build anything on Solid. Instead, I’m going to enter into individual data sharing agreements with the big boys like Facebook, Twitter, etc.

Some Anon February 21, 2020 7:39 PM

Something I think this service needs to be viable: a way to deny permissions without telling the other person you’ve done so. Else companies will just say “Oh, yes, we support Solid pods, so long as you grant us full access permissions to everything.” A lot of outfits will just decide that, if I try to deny them anything, they don’t want me as a user, since only users that can be monetized to the hilt are worth having, from their perspective. See for instance, news sites that just blocked EU IP addresses completely when the GDPR came into force. In other words, if a service demands access to, say, my contacts list, I need the ability to pick “Tell them it’s allowed, but don’t actually give them anything, just return an empty contacts list”.

jmoney February 21, 2020 8:50 PM

What is going to prevent the data broker cabals from laughing off your autonomous pod scheme by façading user pods in a flush of publicly celebrated goodwill, but (not so) secretly continuing along with the same data market (black pods/secret pods/mock pods) in the back end?

The NSA boasts of their yottabyte, but being a public institution funded by public money, where’s their API on my data?

JonKnowsNothing February 21, 2020 9:10 PM

@Bruce Gratz! Work is good, and good work is better.

@All re:

You authorize granular access to that pod to whoever you want for whatever reason you want.

This will be interesting to see in practice. Exactly how much metadata people will be able to block, or even understand what that metadata looks like that they may want to be blocked (à la email headers).

I can see something like the (All In All Out) where whoever wants it gets the “whole 9 yards” versions of today or the (Part In Part Out) promoted as granular control like All Photos, All Locations, No Messages. Once someone can access a sub-pod below the level of the super-pod they will find leakages to adjacent sub-pods. (once you have your hand in the candy jar grab a bit more)

The problems of granularity needed to say: (This metadata on That Message to This Person == OK) but (This Edit History with That photo == NoNo) and keeping those settings beyond your own pod is going to be its own interesting design. Once you grant access to the super-pod, your data “flies thru the air with the greatest of ease” to someone else’s super-pod with their settings.

Depending on how deep this process traverses the pods and its granularity, it would be more like providing a fingerprinted hunk of data, tracking back to the original pod owner.

Gonna be a very interesting job. Lots to think about and make happen. I’d expect that there will be some fun clashes in design.

ht tps://en.wikipedia.org/wiki/The_whole_nine_yards
ht tps://en.wikipedia.org/wiki/Flying_trapeze
ht tps://en.wikipedia.org/wiki/The_Daring_Young_Man_on_the_Flying_Trapeze
(url fractured to prevent autorun)

Q February 21, 2020 10:27 PM

Can someone please explain the “How?”

How does a user with a “pod” prevent Google from collecting location data from the user’s Android phone?

All I can see on the Solid website is just vague pontificating of how wonderful it could be, and nothing about the actual technical details of how it is supposed to put control in the hands of the user.

Steve February 21, 2020 11:26 PM

@Q and everybody looking for more info: you should check https://github.com/solid/solid

IMHO it won’t work since, like everything on the Internet, once something is out or copied your control / ownership vanishes. No matter laws protections, no matter technology solutions.

JonKnowsNothing February 22, 2020 1:14 AM

re: How

disclaimer: I know nothing -> see handle

A) There has to be an understanding that the existing system(s) are non-functional. That means some serious changes need to happen.

B) People do not like change, Corporations like it less, and for Governments advocating for “change” means you are on the no-fly list and marked in their black books as an “undesirable person” seeking to alter the status quo and subject to all sorts of un-fun things.

C) Anyone doing A is volunteering for B

Zho….. just because I know nothing but imagining how it might work.

1) To have control over all your data, you have to separate ALL of it from the normal process. So the super-pod will hold your data and then some process would peel off tiny bits of it to funnel out to the normal processes of the internet but only enough to make things go from here to there.

2) It would be like a large orange with segments of your data inside the skin, each segment would contain something different.

3) When something from inside the orange needs to be moved, it would be like those wrapped fruit candies – orange flavored but not the orange itself.

4) How much wrapped candy you share, is also a finger print of what you have. So it’s not much good for hiding really deep things.

5) The corporations that live on your candy will starve because you can deliver all the fake candy you want provided you can continue to feed them the wrapped versions and they cannot block it.

6) Governments are gonna blow back on this unless they recognize that the pod and wrappers give them more precise fingerprints than they have now. The system isn’t anonymous even if it has N+ levels of abstraction. Like font and driver fingerprinting systems, this will be even more definite.

7) It’s a lot like turning off javascript and using a script blocker but for data.

see: disclaimer above

ht tps://en.wikipedia.org/wiki/Abstraction_layer
(url fractured to prevent autorun)

lurker February 22, 2020 1:30 AM

@Faustus

In general, DATA is the PROBLEM, it is hazardous WASTE, not something we need to keep around. We don’t want to preserve 99.99% of it. We want to erase it. We want it to fade away…

q.v. previous post by Bruce on Technology vs. Policy, i.e. lawmakers: Lawyers and Accountants (especially Tax Accountants) want to keep that data Forever. Their entire businesses are based on data existing on paper, in various copies for redundancy. All your trivial transaction details are their bread and butter. You may burn your sales dockets if you wish, but they will keep them out there on tha intarwebs.

Q February 22, 2020 1:41 AM

Okay, so now you have a pod. So what? Google will still collect your location data, and Microsoft will still collect all your telemetry, and every other company will still collect whatever else they can.

So what is the point here? What is being solved? All I can see is that now you have a centrally located pod with some information about you. This is in addition to all the other data companies are collecting. Aren’t we really just adding yet more data into the mix? We aren’t reducing data gathering, quite the opposite. It doesn’t appear to be possible to stop all the other data collecting that you have no control over.

All I can see so far is that now it makes it “more convenient” for a user to share their data with some website. Instead of having to fill in lots of text boxes with your address and phone number, now you can tell your pod to expose it on your behalf.

The last thing I want is to make it easy to share my data. It should be hard and inconvenient to share it, then I am less likely to accidentally tick the wrong box and share the wrong info.

Sausage Elly February 22, 2020 2:27 AM

After pushing for EME I would be very cautious to work alongside Tim with expectations of bettering technology. He has lost credibility.

Jörg February 22, 2020 2:57 AM

Looks a bit like the Askemos concept and software we developed over the years.

Yes, the fine grained access control was the centerpiece.

A “pod” would be a “representative” there. It would run on your phone or, for better security, on a raspberrypi at home. (Hosts its own website that way.)

Those would hold your data and apps (or DApps if you want) together with some selected backups (think of family, friends, business partners) with byzantine fault tolerance.

Sorry for the self-promotion. I just don’t like seeing time and money wasted reinventing the wheel.

Alejandro February 22, 2020 6:09 AM

If anyone can make a difference, it’s you Bruce.

Thanks for your passion and commitment to the internet and our rights.

Your partners are awesome too.

United we stand, divided we fall!

Let’s unite to take our rights and our data back.

Sed Contra February 22, 2020 6:39 AM

This is too much like work. The computer and internetz were only legitimate as tools, but now the tools will finally be master of the users. People, serve your data. The final tyranny and dehumanization, the reduction of the human to button pusher, and only one button too. The choice that ends choice.

Bruce Schneier February 22, 2020 9:24 AM

@ K.S.

“Seems like a great idea, but how are you going to pressure existing data collectors/abusers to use it? FB is not going to stop collecting and selling personal data to the highest bidder just because a better, more responsible, and more ethical alternative exists.”

I don’t think we do. My guess is that Facebook and etc will be late adopters. We’ll have much better luck with potential Facebook competitors and other smaller Internet companies to start. And also with conventional companies that are starting to see large customer/user databases as a liability, and would rather have access rights to data controlled by those customers/users.

Bruce Schneier February 22, 2020 9:25 AM

@Q:

“But once you grant someone else access to your data then they now have it also. So then they can sell to anyone else they choose to. And/or they will buy it from some other company that you had previously granted access. How does the ‘pod’ help here? In the background companies will simply exchange/sell your data amongst themselves, just like they do now.”

It does not solve that problem at all.

Bruce Schneier February 22, 2020 9:27 AM

@Michael Leake:

“as an individual who wants this, how do i sign on. what is the fee?”

Go to the Solid page and get yourself a pod. It’s all open source and open standards. There’s a surprising amount you can do with it even today, even though it’s basically developer tools and clever techy toys.

Bruce Schneier February 22, 2020 9:27 AM

@bobbyg:

“Are you being funny with the ‘pod’ label? Cause I don’t know about you, but…pod people?”

You’d have to ask Sir Tim about that. The name was well before my time.

Bruce Schneier February 22, 2020 9:29 AM

@Jester:

“I think most persons, i.e. 90+%, do not have any desire to manage their own data pods and carefully control which companies and devices access which part of the data. It will be like the requirement that you grant access permissions to apps. You just keep clicking till the app is installed. And in the end, the big data companies end up managing your pod, and they will find a way to access the data with and occasionally without your permission, just like Facebook.”

I think you’re largely correct about that. The question is what sorts of incremental privacy/security/control benefits we can give them. I think this decentralized technology has a lot of benefits in that regard. People can choose who will manage their pods, and they can choose someone who more closely aligns with their wants.

Bruce Schneier February 22, 2020 9:31 AM

@Scott:

“I’d suggest it might be too late. There is an incredible amount of information out there already. Sort of closing the proverbial barn door after the horse has gotten out. I imagine most of the useful information has been gleaned.”

I don’t think so. I generally reject the “this is the only time in human history it was possible to do X, and now forever and until the end of the species we are stuck with not-X.”

I think still it’s worth trying to build a better Internet.

PattiM February 22, 2020 10:13 AM

Wellll… it would have been nice… but my data is already out there from scores of hacks – I’m sure it’s spread all over cybercrime forums. So maybe after everyone of my generation dies – the next generation may benefit? Also, can’t someone just skim information from electronics communications channels (or databases) and eventually get most everything that sits in any given pod?

Bruce Schneier February 22, 2020 2:28 PM

@Sausage Elly:

“After pushing for EME I would be very cautious to work alongside Tim with expectations of bettering technology. He has lost credibility.”

I get that. I also don’t think it’s all or nothing.

Q February 22, 2020 4:49 PM

It does not solve that problem at all.

Oh.

Data generated by your things — your computer, your phone, your IoT whatever — is written to your pod.

So is the idea to buy a whole new set of gear (router, phone, computer, IoT, OS, …) and abandon all existing services (FB, Twitter, Windows, Android, iOS, FitBit, …), starting anew all the data collection?

If so, and if it encourages manufacturers to actually make gear that doesn’t send everything back to themselves, then good. But there will still be the problems of analytics, and cookies, and web-bugs, and JS, and remote updates, and every other privacy invading technique the data hungry companies like to use.

So who is going to make a non-spying version of Android/Windows/iOS, and put it into non-spying hardware, and promise to never send out anything to anyone except your personally designated pod? And how would someone audit that?

Curious February 22, 2020 5:03 PM

I initially wrote a long text, but I will just voice a general concern regarding the simple idea of a dystopia involving cybernetics. Presumably such a future will turn ugly, even if only ending up being ugly by law alone. Like maybe forcing implants into newborns, if I may speculate wildly here.

And if one incorporated voting security into an existing concept of having a personal computer as a piece of cybernetics, I can imagine how things turn bad, in how a society that demands security acts as being so frail so as to become very violent about protecting its “way of life”, as in extrapolating the rather vague notion of ‘national security’ over to your personal existence as a walking computer re. voting in national elections and who knows what more.

I wonder, if insurance companies could be thought to be demanding everybody to start wearing a tracking gadget, when would that happen in the future? Maybe a law is all it takes for stopping that, or allowing that.

I haven’t slept on any of this, I just got a little worried about cybernetics for a moment. So Bruce’s article isn’t about cybernetics, but perhaps something like a personal pod would eventually end up involving cybernetics as some kind of logical consequence of security in the not-too-distant-future.

Rachel February 22, 2020 10:42 PM

It’s all too easy to knock people down when they are genuinely acting from a position of service, and believing that things can be better for everyone. Often, also, there are tangential effects even when the primary objective is not attained.
Mr Schneier could just as easily be devoting his time to making money, flowing with the status quo of his peers instead of challenging the tide whenever necessary, and generally being evil.
Think about how much time and money Mr Schneier has devoted to this blog, which he gives away for free with no advertising. And how much benefit it then provides!
Even the CIA agents reading it find it a jolly good turn and enjoy implementing some of the tradecraft therein in a generally haphazard and hazardous fashion.

Thanks too for personally responding to several of the major comments, Mr Schneier

I would like to see the US have a (the) GDPR

and I’d like to see the UK retain the GDPR after the transition period from exiting the EU is over, end of this year.

As to your related blog post Mr Schneier – you state

‘ The United States is one of the few democracies without some formal data protection ‘

I’m not trying to sound like Jello Biafra, but I believe you’ll find the United States is not, by definition, a democracy

john February 23, 2020 4:00 AM

I have two sorts of data to protect:

  • credentials & ID such as my CC number or my name and address
  • activity trails, like button presses, URLs, web searches, location, interactions with web pages, emails, texts

(That is for me, IoT devices have similar data in terms of credentials and activity trails)

The problem with the first type is companies which wish to hold on to the data “for my convenience” and then get hacked.

The problem with the second is companies which wish to record the data then do analytics and then seek advantage over me.

The issue is not me having a copy, the issue is ensuring that these companies get as little as possible in the first place and then don’t keep any.

Solid doesn’t solve this. To achieve this we need companies…, er, no let me expand that to entities, since various governmental three-letter agencies grab the data as well.

Restarting my sentence: we need entities which either by law or otherwise do not hold the data of either type for any longer than the immediate need. I don’t see Solid itself as the solution for this. Perhaps there might arise companies which work with Solid and then don’t hold the data.

So, question, Does Solid ensure time-boxed access to data?

My own suggestion would be on the legal side and would make the originator of the data the legal owner, meaning that transfer requires a sales contract. This applies more to the second type of data than the first.

That is, if some measurement or observation originates on my machine, it belongs to me and you can have it, so long as you pay me. Perhaps only a fraction of a penny for each item, but for a stream it would amount to noticeable money. A single item is nearly valueless anyway; analytics is only useful if you have some kind of a stream.

Not Him Again February 23, 2020 5:18 AM

Apologies if I’m parroting something Bruce or others have already expressed.

We need new laws that make “our” information our property.

Recording a telephone conversation is illegal in many states under wiretap laws. Disseminating data from my DNS queries, my car, my electric meter and my IoT crock pot should be illegal as well.

I hand Facebook much more money in ad revenue than they return to me in free social media. I’d really prefer an itemized bill in both directions. Solid can broker this sale for me. Might monopoly law help here?

We must have the right to rent our information without further dissemination to and by data brokers. Copyright.

It’s absurd I don’t get a cut when my cell phone provider sells my CSLI. Don’t tell me my phone bill is lower–I want a line item on my bill if and when I opt in.

Ad-supported entertainment or news would be legal. Selling my viewing logs without paying me would not.

“Our” information does not want to be free. It wants to be left alone or paid to work.

X February 23, 2020 9:06 AM

Each grant of access is also a grant of copy. Even with a strong contract you lose control of your data with each grant of access.

AnotherJohn February 23, 2020 9:09 AM

Solid looks potentially very interesting for kickstarting the personal data economy, although it seems a lot of technical challenges remain – not least latency: it’s much quicker to query a large pot of data than multiple small ones distributed around the world. I’m glad Bruce is now working on this project as security had seemed to be something of an afterthought. It’s also worth mentioning that MaidSafe’s SAFE Network (currently in Alpha) is also designed to be Solid-compatible and could have a lot to add to the security side of the equation.

RealFakeNews February 23, 2020 2:25 PM

The only issue I see worthy of fixing isn’t addressed at all.

The problem is the broad terms under which data is shared: “you agree we share with 3rd parties”.

Data is mis-used everywhere.

Forget sharing select data; I want you to stop using the data you already have.

Only legislation can fix the mis-use of data.

Grima February 23, 2020 4:05 PM

@Not Him Again re: ‘We need new laws that make “our” information our property.’ Among the first changes to the principal founding document of the United States were supposedly immutable guarantees of rights of ownership of various kinds to individuals, and also a guarantee to those individuals of the right to the means to protect that ownership. Before the ink was dry on that document, some members of the government and their private sector cronies were plotting how to use the apparatus of government to abrogate those rights and seize ownership of anything of any value. That initiative has been continually enhanced through the current day. So when you cry for more “laws” guaranteeing individual ownership of a kind of property not envisioned until relatively recently, you should be aware that the entity you would trust to enforce that guarantee will be the most potent force seeking to breach it.

Mike Linksvayer February 23, 2020 4:08 PM

Looking forward to Inrupt’s public policy interventions. Fair to assume part of the strategy?

Ivicaa February 23, 2020 4:09 PM

A fantastic idea to have a pod with personal data. Managing all this by oneself would be too great a burden for an individual. I guess there are at least two more components needed. 1) Blockchain as a shared data-/process-model on a decentralised infrastructure for storing “who is allowed to have access to what data and when?” and 2) laws criminalising the use of the data without a valid proof for the allowance, which is validated via blockchain.

Thatguy February 23, 2020 11:06 PM

While I do agree and am on the same side regarding privacy and data, this particular solution to me raises more questions than answers. I think several commenters above hit on some finer points, such as how can you make Google or Facebook not build their own “pod” of a person. However, what about some other questions.. for instance, what about your pod in the justice system? Because all of your data is in one place, couldn’t this be called into question in almost every case? Whether you’re on trial or not? Witnesses, plaintiff, jurors, whereabouts, communications, and character traits called into question? People are horrible with tech, how could we expect someone to maintain or take care of their individual pod or their child’s? HOW could they take care of it? What if you don’t have a computer? What if your pod is stored in a cloud? Whose cloud? For instance would you store your pod with Google or Amazon? In exchange for what? Access? No one is going to want to pay for their “pod” to be stored in an online data collection, and/or trust that the same place won’t access it. Who exactly are these pods envisioned to protect against? How are they protected? With a password? I’m not suggesting these questions don’t all have solutions. I am making the point that it’s unclear who we are trying to protect our pods from. A corporation? Many corporations who share data? Governments? Which ones? What rights or protections do these pods have? Depending on which country is in question, all of this may go right out the window. What about applying for a loan? Creditors? Or even a place of employment? What would stop them from requiring access to this information? It may not be legal to “require” access, however, there is no guarantee you might get a job or a loan if you don’t. My point is, this data is dangerous to begin with, let alone having it all in one place. While it’s true there is a potential “value” to having it, I feel like in the average person’s possession it will have negative consequences. How does someone validate the accuracy of the data stored? What if someone were using your WIFI or you had malware running in the background of a machine? What data might get recorded to your pod that could have future implications? To me this could be another way of mass surveillance like China does but without all of the cameras. Local police all the way to Federal would demand access to this information…presumably at all times. With how our government works with respect to corporate interests and lobbying, it would over time trickle down the chain to places such as banks, creditors, employers, insurers, etc. The data simply needs to be erased. There need to be laws, audits, and random inspections to enforce this, with brutal consequences if non-compliant. We need an “administration” such as FDA or FAA to regulate and enforce the laws.

TRX February 24, 2020 7:47 AM

I Want To Believe… but.

A) What I’m seeing is a “single point of failure” system. Legions of black hats will devote their spare time to cracking it.

B) it has “portable authentication system” written all over it. It has to have authentication in order to work. And if your system gets established, that’s what it’s going to become, like it or not. Like the US Social Security cards with “not to be used for identification” on them.

C) once it becomes a de facto authentication system, various governments are going to demand back doors.

D) what happens to users who opt out of becoming Pod People? I run into that frequently with “two factor authentication”, which in practice means “SMS to a cellular phone.” I don’t have one, which locks me out of various web services and greatly complicates using others. “No Pod, no play?” It will happen.

E) probably “much, much more!”, but I haven’t quite woken up yet this morning.

Schneier and Berners-Lee, that’s like Superman and Batman. And I’m sure you’ll pick capable people for doing the minor lifting. But this thing you’re trying to create, it goes way beyond what you described above, with some questionable second and third order effects that need to be addressed.

Andrew Updegrove February 24, 2020 7:59 AM

While the urgency of the problem is increasing, its existence is not. Way back in February of 2004 I wrote a piece titled, “A Look into the Future: Introducing the Personal Datasphere.” In that essay, I highlighted the need for individuals to be able to take direct custody and control of their cradle to grave data, granting permission only to those to whom they consented.

I described the essential requirements of a PDS as follows:

  • Easy input of all types of data now or in the future imaginable
  • Easy organization of that data in an intuitive way
  • Secure storage and backup
  • Appropriate rights management and privacy protection, including with respect to government access
  • Ready access from anywhere, at any time, through any currently available or future digital device
  • Single sign on owner access to PDS information that is maintained by third parties (e.g., physicians, government, etc.)
  • Seamless exchange with anyone granted appropriate rights, anywhere in the world
  • Portability throughout the life of the owner

I think that list has held up pretty well, and I’m guessing the blueprint that Tim and Co. have come up with doesn’t look radically different. Note that, in order for all of this to work, a set of robust, backwards compatible, faithfully maintained standards will be needed as well as the open source platform needed to support it.

You can find the complete piece here: https://www.consortiuminfo.org/bulletins/feb04.php#trends

Copy! February 24, 2020 11:39 AM

Computers inherently copy. That’s what they do at the most basic level. For example: when a CPU needs to use information off a hard disk or solid state drive, it first has the IO system copy it to RAM, then the CPU deals with it there… as it’s dealing with it there, there are (at least) two more copies made… one in the CPU level cache, and one in the CPU registers themselves…

That’s a simplified explanation, my point being, computers cannot operate without copying data. So as soon as you grant electronic access, you are inherently granting the ability to copy. Electronics doesn’t work without copying. I believe others have said this already here, but not with the fundamental explanation I said above. As soon as someone outside of my direct control has a readable (non-encrypted, decipherable) copy, they can do anything they darn well please with that copy.

Now companies could pinky promise to delete their copy when they’re done with it, sure, but they need either an incentive to do it (carrot), or coercion to do it (stick). They won’t just do it automatically. Automatically is where we’re at now.

Examples of incentives:
* the data is so big that it costs more to store it than it’s worth
* the data is perceived as so valueless that it’s deleted asap
* the company is paid to delete it

Examples of coercion:
* laws force them to do it, with stiff penalties (note: data is international, so this may not work without one strong [i.e. oppressive?] world government, which we don’t yet have to the needed extent)
* user refuses to do business with a company that mishandles their data (this hasn’t worked so far because on average users don’t perceive enough value in their own data to do this. Everyone will practically sell their soul to Satan for a $2 discount at the grocery – my point is made either way you take that!)

Nikolaus Hagenau February 24, 2020 12:20 PM

What is needed is a “data pod” that remembers who sent it, received it, looked at it, into it, edited it, etc. AND reports that all back to its owner. So in short a sort of semi-intelligent meta data log. Can be a blockchained pod. And needs to be virtualized and anon.

Not-Him-Again February 25, 2020 1:31 AM

@Grima

“…the entity you would trust to enforce that guarantee will be the the most potent force seeking to breach it.”

In arguing for property rights on our own information, I rely on common sense. Personally, we scorn busy-bodies and the office gossip. We support wiretap laws and detest peeping toms. So it baffles me that we then collectively turn around and let companies wiretap almost everything we do online and package it into dossiers which are sold to complete strangers.

Spies will spy and regulators get captured. That’s why I’m not counting on the executive branch to enforce criminal laws fashioned after the EU GDPR. Instead, I want a personal copyright so we can count on self-interested lawyers filing class-action lawsuits in the civil courts. I want less snooping but I also want my pod account credited when someone uses my information to advertise a ski vacation or a political candidate. Why does the media company get to keep all the money when it’s my time and attention? I want my cut and greater transparency and I’ll happily pay for e-mail and search engine services with the proceeds.

As others noted, the horse has already left the barn. Without copyright, everything already recorded will be retained in private dossiers that will continue to grow. But if that horse is my property, others can’t put it out to stud without consequences.

Raul February 25, 2020 3:38 AM

Controlling access to our own little personal pods does not give us control over what entities out there can do with their little copies of slices of our pods.

When we submitted a passport application during the old, pre-digital era, we needed to write our personal data on some paper forms, and the government somewhere kept those forms. The information we shared in that form was (abstractly) in our personal “pod”, but still we simply copied (wrote down) that same info onto that form which the government kept in their files. So that form is now information they have and control. In fact, the government also kept photocopies of some required official personal documents as well, which we needed to provide. So all that information and those photocopies then left our personal “physical” pod even back then, and were replicated in the database records of the government, for them to process our passport request, and which now they control. Same in universities, employers, hospitals, banks, etc. Whenever we needed some contract or application with them, we filled out forms for them, we gave photocopies of our personal documents, and suddenly they kept all of that, our personal details and copies of our official documents, in their files. It now becomes part of their own “operational pods”.

The entities accessing our data have their own files with our data, and they have full control of their own files, don’t they? Whether we create these personal pods, and properly control access to them, businesses and government entities will need and keep their own “operational pods” with huge amounts of customer and personal data from all people they interact with. And we don’t control those pods, or do we?

Clive Robinson February 25, 2020 4:18 AM

@ Copy!, ALL

Now companies could pinky promise to delete their copy when they’re done with it, sure, but they need either an incentive to do it (carrot), or coercion to do it (stick).

Whilst correct for the way we’ve allowed things to become, what we actually have is a “faux market”. Such a market has become too valuable to let go, thus there is little chance either the carrot or stick will work; where money is concerned the mentality is to grab all and use it, because if you are fast enough you will stay ahead of the fines. We’ve seen this mentality in banks and SigInt agencies alike, and they both try to get “friendly legislation”. The only way to deal with such a faux market is to starve it so it withers and dies, because even poisoning it[1] won’t work.

The only reason such a faux market came to exist was because it was based on an assumption most miss that we really should investigate more,

    Why should they have access to the information in the first place?

That is they do not need it to supply a legitimate service so why do they grab it?

Well it’s often said that as social creatures we “over trust” thus we haemorrhage information, just as we shed skin cells with our DNA everywhere we go.

Do we need to? No is the answer and the more of us that say “No” the faster this faux market will die.

Part of this is why I don’t use JavaScript or cookies, social media, online shopping, or store / credit cards. Whilst cash is not untraceable it does act as a proxy in transactions. Thus the question arises of,

    What proxies can we use to silo or firewall information?

It is a question that needs to be not just asked but acted upon.

[1] One idea that you hear suggested is to lay down “false trails” via “randomization” etc. Well, such anonymisation is known not to work in databases when cross-correlated with other databases, so it has the same problem. Worse, such behaviour looks very much like you are trying to hide things. Thus you are in danger of attracting attention, and innocent or not, prosecutors will use it against you one way or another, you can be sure of that. It’s also technically a crime in the US if the supplier of a service puts in their terms and conditions that such behaviour is not allowed…

Peter A. February 25, 2020 6:26 AM

I don’t get the idea. How is that POD different from keeping an encrypted archive somewhere (possibly in multiple locations, with automatic synchronization) with all the stuff you can imagine, and then decrypting that one file out of the archive and giving it over to someone? Once you’ve done it, you’ve lost control over that file – provided that you ever had sole control of it (or backup copies, or autosaved copies, or…) when you created it before putting it into the archive.

It may be nice to have all your devices putting anything you create (or they infer about you automatically) in a standard encrypted archive for you to retrieve later (how does that essentially differ from full-disk encryption?), but how do you force their creators not to cheat on you?

Sed Contra February 25, 2020 12:58 PM

The problems outlined for you and me are present even more intensely for companies, governments, and also their intersecting concerns in the case of cross-border data contexts. Indonesian oil data to be reviewed by experts in Denmark? No way, pal. That database is only here.

The lockdown implied for all computing would probably make the DMCA etc. of ill fame look like kids’ game rules. Sigh, freedom, it was nice knowing you, even partially.

Curious February 25, 2020 1:05 PM

I wonder, how would an idea of fully homomorphic encryption mix with the idea of a personal pod of data?

Here’s a wacky and I guess ignorant thought: So, I don’t know how homomorphic encryption works in theory, but maybe in the future, homomorphic encryption is somehow a mandated form of encryption, or method for interaction with computer terminals, but, if your personal data maybe is something refactored with every interaction if making additions or deletions from your encrypted file, maybe you end up never knowing what is encrypted in your own damn data file, such that any personal password becomes meaningless because you no longer have control of your encrypted data and its very structure might be a backdoor itself refactored around on your password for the file, or, maybe your password is something used to simply authenticate known data, but being more like a kind of authentication of a glorified time stamp, but no longer controlling or authenticating the structure of the file itself? Maybe that is how homomorphic encryption in this dystopic future of mine could work?

Eugene February 27, 2020 8:57 AM

It resembles some ideas depicted in
https://en.wikipedia.org/wiki/The_Quantum_Thief

From https://www.karangill.com/glossary-quantum-thief-fractal-prince-jean-le-flambeur/#Gevulot

Gevulot
Gevulot (Hebrew for “borders”) is a privacy protocol used in the Oubliette. It is a system that allows people in the Oubliette, both citizens and visitors alike, to set the desired level of privacy in every social encounter, to share memories and to access the exomemory. People can obscure themselves from being seen by others if they are hidden behind a gevulot “fog”. However, this effect is only apparent, as analog recording devices, like cameras, can still capture images of people behind gevulot. Gevulot is physically implemented using a wearable shell, which visitors to the Oubliette are given upon entry.

Exomemory
The exomemory in the Oubliette is the public memory of the Oubliette. Anyone in the Oubliette can look up the exomemory to obtain information by ’blinking: note the apostrophe in front of “b”, which denotes the Oubliette-specific action of blinking to access information from the exomemory. Possibly derived from “web link”, along the same lines whereby “web log” became blog.

Zoli March 2, 2020 1:58 AM

Solid 2be SoLead!

hope 2be country specifically implemented and integrated even in cross-border relations, like Sed Contra has mentioned here.

c1ue March 2, 2020 11:36 AM

The biggest issue I have with the pod concept is that it makes data poisoning much harder.
Data poisoning is the only way to combat what is already out there: by introducing sufficient noise as to make the entire data set unreliable.

1&1~=Umm March 2, 2020 8:13 PM

@c1ue:

“Data poisoning is the only way to combat what is already out there: by introducing sufficient noise as to make the entire data set unreliable.”

Sorry, but ‘data poisoning’ does not work, in the same way that trying to make databases anonymous does not work.

In essence your non random signals will always eventually rise above the random noise.

I’m not sure who came up with the idea of ‘data poisoning’ but they apparently did not know much about maths and probability.
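
The statistical point above (a stable signal rising above random noise as the number of records grows) can be shown with a small simulation. This is an added illustration, not code from the original post or any commenter; the readings, the true value and the decoy range are all constructed.

```python
"""Why independent random noise does not hide a stable signal.

Added illustration (not from the original post or comments). Each
'record' is a constructed daily location reading for one person, given
as a single coordinate for simplicity. Poisoning means (a) adding random
jitter to every genuine reading and (b) injecting decoy readings drawn
uniformly from a wide range. Because the jitter has mean zero and the
decoys carry no consistent signal, a robust estimator applied to enough
records still converges on the true value.
"""
import random
import statistics

TRUE_HOME = 120.0                   # constructed ground truth being hidden
DECOY_RANGE = (-1000.0, 1000.0)     # constructed range for fake readings


def poisoned_records(n, jitter_sigma, decoy_fraction, rng):
    """Return n readings: genuine-but-jittered values plus decoys."""
    n_decoys = int(n * decoy_fraction)
    genuine = [TRUE_HOME + rng.gauss(0.0, jitter_sigma)
               for _ in range(n - n_decoys)]
    decoys = [rng.uniform(*DECOY_RANGE) for _ in range(n_decoys)]
    records = genuine + decoys
    rng.shuffle(records)            # order carries no information
    return records


def recover(records):
    """Estimate the hidden value.

    The median is used rather than the mean so that a minority of
    wildly wrong decoy readings cannot drag the estimate away.
    """
    return statistics.median(records)


def recovery_error(n, jitter_sigma=30.0, decoy_fraction=0.3, seed=1):
    """Absolute error of the recovered value for a poisoned set of n records."""
    rng = random.Random(seed)       # fixed seed keeps the run reproducible
    estimate = recover(poisoned_records(n, jitter_sigma, decoy_fraction, rng))
    return abs(estimate - TRUE_HOME)


if __name__ == "__main__":
    # More records: smaller error, even with 30% decoys and heavy jitter.
    for n in (10, 100, 1000, 10000):
        print(f"n={n:>6}  error={recovery_error(n):6.2f}")
```

Raising `decoy_fraction` above one half is the only way to defeat the median here, which is the practical objection: the poisoner must generate more fake records than genuine ones, indefinitely, and keep them statistically indistinguishable.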

Thunderbird March 5, 2020 4:24 PM

I assume you address these kinds of issues, but if I store and control all “my” information, what prevents me from altering it to suit my needs? Or discarding it?

I would enjoy the ability to edit my bank balance, which seems like “my” data. I would also enjoy being able to discard all geotracking information so that they couldn’t convict me of murdering someone (assuming I was going to get all murdery sometime). Or is this kind of thing also not addressed?

At any rate, I am glad someone is working on stuff like this.

KJN March 7, 2020 2:00 PM

There is a security/privacy issue for which the pod appears to be a worse solution than a data silo such as Facebook.

It concerns the privacy of the individual consumers of your data. When you post something on Facebook, you cannot tell who has read it, except those who leave a comment or a “reaction” (a “like”, etc).

If you control your pod, and therefore the authentication for each data access, then you can find out who has accessed your data – and who has not. You discover that your funny pictures of your cat, your children’s glorious wedding photos, and your acute political observations are read by – nobody. You may also discover that an old friend from High School has an unhealthy level of interest in your swimsuit photos.

There is no escape from this issue if your pod is provided by a third party. Commercial providers of pods will compete on features, and this will make it hard for them not to offer everything of which the technology is capable.

Terence July 25, 2020 8:57 AM

@Rachel —

and I’d like to see the UK retain the GDPR after the transition period from exiting the EU is over, end of this year.

The UK left the EU on January 31, 2020.

After the transition period, the UK won’t be regulated domestically by the European General Data Protection Regulation (GDPR). Instead, the UK has passed its own version into law, known as the UK-GDPR.

If you blinked you may have missed it, but this new law took effect on Exit Day, January 31, 2020.

The UK-GDPR is essentially the same law as the European GDPR, only changed to accommodate UK law.

This means the core definitions and legal terminology now famous from the GDPR, such as “personal data” and the rights of “data subjects”, “controller” and “processor”, and their need for a legal basis for processing — like prior consent — are also found in the UK-GDPR.

However, the UK-GDPR does expand on — and deviate from — the GDPR in several ways that will make changes to the scope of data protection law in the UK.

For example, because of the extraterritorial provisions of the UK-GDPR, any website or company in the world that collects or processes the personal data of individuals inside the UK, is required to comply with the UK-GDPR.

What does this mean for our websites in the EU and further afield, offering services to and collecting personal data of individuals in the United Kingdom?

It means leaving the European Union doesn’t mean a lessening of requirements as to how we process personal data. In fact, the global standard set by the GDPR is now literally becoming, in various forms, the domestic standard of the world.

Protecting the privacy and personal data of our end-users and customers is the new minimum requirement for everyone, not just for those savvy enough to provide it for themselves.

In the UK we will all need to meet the same high GDPR standards as before, only now these will be enforced by the ICO (Information Commissioner’s Office) in the UK, and we are all subject to their audits.

And so are our suppliers, wherever they are.

I’m thinking here of our hosting and infrastructure providers in the UK, in Europe and beyond.
