PDEC Blog

PDEC's posts

Send ideas for posts to info@pde.cc. Guest authors welcome. We love to announce events with notice and to review new personal data designs and products.

Keep Crypto Strong – PDEC Position Statement

PDEC Opposes Government “Backdoor” Access to Encrypted Data

 

The Personal Data Ecosystem that PDEC promotes gives people the rights and capabilities to control, access, manage and secure value from data about them and their lives regardless of how such data is derived.

PDEC members include businesses that provide citizens with means to control how other people and organizations may further access or use this information. As such we are committed to the notion that the users (we call them principals[1]) are fundamentally in control of their information. Therefore in some cases PDEC businesses employ mechanisms like encryption to ensure that control, and also to assure their users that even those businesses cannot access or disseminate their personal data without their consent.

Of late a number of world leaders including British Prime Minister David Cameron[2], U.S. President Barak Obama[3], U.S. FBI Director James Comey[4] and the new U.S Attorney General, Lorretta Lynch[5] have made public statements regarding their concern on the growing use of strong end-to-end encryption techniques on the internet. They argue that strong encryption hampers government efforts to fight crime and terrorism through programs of broad electronic surveillance of communication via social media, smart phones, instant messaging, e-mail and file sharing.

To address this issue some have suggested outright bans of such encryption while others have proposed the introduction of means for government to obtain extraordinary privileged access to encrypted communication and data using escrowed or “back-door” keys.

PDEC strongly believes that proposals that attempt to curtail, regulate or compromise strong encryption are unwise for several reasons including:

  • they abridge the rights that individual citizens have to privacy, reversing generations of improvement in human rights
  • the damage that such controls could do the emerging digital economy including the personal data ecosystem and the underlying mechanisms and business models for distribution and control of access
  • and the fact that such methods are in reality impractical at world-wide internet scale, would likely be ineffective at achieving the goals that governments are arguing for, and significantly increase the risk of harm to law abiding individuals and organizations

While it is possible that end-to-end encryption may be employed by criminals or terrorist groups to secure their electronic interaction it is also demonstrably true that strong end-to-end encryption provides the most, and ultimately perhaps the only, viable tool for legitimate businesses and individual citizens to protect their identities and privacy.

Technical experts agree that any attempt to curtail the use of strong end-user encryption or requirements for third party privileged access or key escrow would necessarily dramatically impact any organizations or individuals attempt to interact online in secure manners.[6] Also, requirements for privileged access to user information by one or more government organizations worldwide could create new legal liability risks for organizations that would be difficult to assess accurately and that would be challenging to indemnify. Further such requirements could seriously erode end-user confidence and might actually impede the development of the personal data ecosystem.

Lastly, and perhaps most importantly, it is absolutely clear that efforts to eliminate strong end-to-end encryption cannot be successful. While governments might try to prevent providers of internet software, hardware or services from delivering strong encryption to their customers or otherwise disable the technology by requiring availability of “back door keys” to allow them to decrypt all electronic communication it is clear that compliance with such regulations would never extend to unlawful actors such as criminals or terrorist organizations.

Even if all legitimate internet providers of communication or data storage agreed to permit government access to decrypted information under appropriate legal controls, unlawful actors could easily implement or acquire their own mechanisms for encrypting their data prior to delivering it to compliant lawful services. Even detecting such “second level” encryption would require very broad access to all the data flowing through a wide-variety channels and would contradict the governments stated assertions that their interest in access is narrowly targeted.

Finally the international scope of internet traffic that spans political jurisdictions makes implementation of such controls at internet scale so complex and fraught with diplomatic issues that is difficult to imagine success.

The desire of governments to more easily protect their citizenry is understandable and in principle PDEC supports efforts to do so that do not infringe on the sovereign rights of individuals. However, PDEC believes government actions to exercise such controls should not be done at the expense of legitimate online interaction of businesses or citizens or in a manner that would abrogate the covenants of privacy made by businesses to their clients, customers or users.

[1] PDEC prefers use of the term Principals. Other terms in common usage such as users, end-users, individuals, or subjects do not fully reflect the primacy and sovereign rights of individuals as the principal participant with rights to control data about them that PDEC recognizes as fundamental and basic.

[2] Links:

http://arstechnica.com/tech-policy/2015/01/uk-prime-minister-wants-backdoors-into-messaging-apps-or-hell-ban-them

http://www.bbc.com/news/technology-30794953

http://www.theverge.com/2015/1/12/7533065/whatsapp-imessage-ban-uk-government-encryption

http://www.theguardian.com/uk-news/2015/jan/15/david-cameron-ask-us-barack-obama-help-tracking-islamist-extremists-online

[3] Links:

http://www.slate.com/blogs/future_tense/2015/02/18/white_house_cybersecurity_summit_obama_endorses_then_undermines_encryption.html

http://blogs.wsj.com/digits/2015/01/16/obama-sides-with-cameron-in-encryption-fight

[4] Links:

https://www.fbi.gov/news/speeches/going-dark-are-technology-privacy-and-public-safety-on-a-collision-course

[5] Links:

https://www.districtsentinel.com/loretta-lynch-joins-obama-administration-fearmongering-over-encryption/

[6] Links:

http://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf?sequence=8

https://static.newamerica.org/attachments/3138–113/Encryption_Letter_to_Obama_final_051915.pdf

An Alternative Point of View on Personal Data and Patents

PDEC member Stan Smith offers this guest blog post on patents and Personal Data.  Stan holds a number of patents, and feels this is a genuine method of doing the right thing.  From time to time we’ve noticed that patent-holders raise hackles among those who champion open source, and feel there is a major difference between the two.  Stan’s take is very interesting.  It arose out of discussion on PDEC monthly Conference Calls and interaction with members of the PDEC Governance Committee.  Stan’s passion for his work and his commitment to serving and respecting the individual led to this blog post.  And read it all the way through to learn how Stan’s patents might be of value and benefit to you, as a member of PDEC.


An Alternative Point of View on Personal Data and Patents

Some people maintain they have a right to their personal information and that capturing their information for resale of it to others is tantamount to theft. They can perhaps accept that the entity providing them a service is entitled to a fair exchange for use of a service and that their personal data might be the price or the fee for that exchange; but if the data is sold off to folks they do not know or do not trust for reuse for purposes they are not aware of ahead of time – well that is just WRONG.

Some people maintain that they have a right to their own creative work and that capturing their creative work for resale of it to others is tantamount to theft. Wait a minute – isn’t a patent creative work? Isn’t it too a kind of personal information? Shouldn’t the creator of that patent be entitled to exchange it with any entity; give it away; sell it at an exorbitant price (there will be no takers, but it can be attempted); license it for a time? The government via the patent office and the copyright laws say there is a limit to this. You can only maintain your rights to this kind of personal data/information/property for a limited period of time. Well, maybe that’s reasonable. We can argue about what the right amount of time is. We can also require a person who lays claim to a creative product/data/information to prove that it is theirs, to prove that it is different – that it does not overlap the property of others. That is the patent examination process.

Now we get into the argument about innovation and the right of someone to coopt the innovation/patent for their own use and perhaps even profit from it. Isn’t that what we find so offensive when Google or Facebook or Uber sell off our personal information? It very well may offend us if someone buys/owns a piece of property in our neighborhood and they don’t even put a house on it. They let weeds run rampant. Their property poses a threat to the community. Well, we need to impose community standards on that property. We really can’t just arbitrarily take that property, can we? We really can’t just steal it – even if it would make a perfect spot for a garden or a farm or a factory. We can guilt them. We can tell them they need to offer their property up for the common good. We can incentivize them to improve or use the property by threatening condemnation or fining them for untidiness, but we can’t just take it.

A patent is an interesting kind of property. To get it, you have to expose it. It is not like a business secret – like the formula for Coca Cola. A patent requires the inventor to show everyone how it works and how it is different from the other stuff out there. Anyone can then figure out how to circumvent it, use it to inform themselves about the “art” or creative addition to human knowledge that it includes. Wow! It is in fact a public benefit. Its value – for licensing or for giving the patent owner a window to “farm” it by making his own products or tools using it – is subject to free market forces. Very American; very practical.

But then there are the hypocrites, the people who cry about the theft or cooptation of their personal information/property, but will not respect the property of others. They think patents are bad. For the life of me, I can’t quite get the logic unless it is that they truly endorse a right to trample on and use the property of others. Patent and copyright and other property rights are fair and just. They are social contracts – transparent, mutual, lawful, and require competency and performance.

The complaints about non-practicing entities are spurious – but because of my fear of social isolation I do want you to know I do practice – unfortunately not very well to this point – but I practice hard and regularly. But even a guy who owns a Stradivarius and never plays it is entitled to own it. If we go with the folks in the righteous “politically correct” herd who are irritated by the pioneers and innovators, we’ll go over the cliff or we’ll be corralled by the oligopolies who hate patents that prevent them from growing and expanding further and love patents that keep them in the cat bird seat. This is very political. I hope it is persuasive for you. Stop the hypocrisy. Embrace individual rights, even if these sometimes stand in your way and may prevent you from doing something you weren’t smart enough to figure out first. And if you were smart enough to figure stuff out, you should patent it. Do it as a good deed to share what you have been struggling with with a community of your peers. You can always give away licenses. Consider it a form of intellectual philanthropy if, like me, you are too incompetent at business to convert your IP into money or you want to see your ideas live and thrive.

Oh, and please note that this is copyrighted material; but I hereby entitle you to tell anybody anything in it and to quote it in whole or in part. One last thing, I believe the Founding Fathers had very similar ideas, and I want to give them a nod and a wink and my thanks.


Editor’s note: Stan told us that he is willing to license his patents for use by PDEC members.  Stan said he felt motivated to get the patents and have the processes in good hands, rather than in the hands of monoliths who lack concern for individuals and their personal data.  Stan truly embodies the spirit of PDEC!

 

The Mydex Story, Part 4

One of the joys of working with the PDEC membership is getting to know the people and their companies.  It is safe to say that passion is a common trait.   We experience this during the monthly PDEC conference calls, as well as in other communications (meetups, calls, workshops and conferences).  As a result of conversations during a recent monthly PDEC conference call and subsequent communications, we are pleased to offer a four part blog post series from guest blogger David Alexander.

David is the Chief Executive, Co-Founder and and Platform Architect at Mydex.  This is the fourth in a series of  four posts in which David will shed light on the development of Mydex as a CIC, and the journey the company has been on, and where it is headed.  Enjoy reading it!


 

Mydex has been a member of the PDEC Start-Up Circle since its inception. In this series of blog posts David Alexander gives an update on Mydex the Community Interest Company, the Mydex Trust Framework, its ISO27001 certified platform and as a certified Fair Data company.

We are doing this in four parts.

Mydex has been members of the PDEC Start-Up circle since its inception. In a series of blog posts over the next few days David Alexander, Mydex CEO, C0-Founder and Platform Architect, is giving an update on Mydex the Community Interest Company, the Mydex Trust Framework, its ISO27001 certified platform and as a certified Fair Data company.

We are doing this in four parts.

You can read Part One and Two on how Mydex has tackled some of the hard problems first.

Part Three looks at Mydex as a Community Interest Company and why this is so important.

Part Four today discusses Mydex’s business model and focus.

What is Mydex’s business model?

Our goal is sustainability over the long term and ongoing execution of our social purpose and mission. To achieve this we have created a simple commercial model that delivers a pay as you go approach for use of the platform. Individuals pay nothing and give up nothing – they are the community we serve.   Connecting organisations and apps developers pay. This means it scales easily and there is no barrier to entry.   That makes us inclusive and open to all.

Choosing this funding route was another aspect of doing the hard parts first. Our chosen pathway is doubly challenging. But we believe that our success in this approach will mean we have established a secure, sustainable foundation for an irreversible transformation in how individuals manage and control their personal data and its use by others, they will be truly empowered.

And so far, we are being successful. We have survived the hardest part of the journey. We have live personal data stores (try for yourself here). We have contracts with clients. We have apps using the platform. We have many exciting discussions under way and a growing pipeline of organisations and apps developers connecting and planning their connections to the Mydex platform. And as you would expect we have ambitious plans.

So what don’t we do? That is easy and clear. We don’t do consultancy, integration services or application development. Our connecting organisations have suppliers for those or do it themselves.

That’s part of why we believe we will be successful; we are totally focused on doing what we need to do (which is big and ambitious enough) and not dissipating resources on doing things other people are better at doing and already doing.

Mydex CIC has laid the foundations of trust, which are a combination of legal, technical, and commercial elements with independent external verification.

We have provided the means for individuals to securely capture, store, organise and share personal data from all aspects of their lives with whomsoever they need to in a way that places them at the centre of their lives and interactions with the outside world. In short they are empowered and as we all know personal control over personal data is good for everyone…….

TheMydex Story, Part 3

One of the great joys of working with the members of PDEC is getting to know the people and their companies.  It is safe to say that passion is a common trait.   We experience this during the monthly PDEC conference calls, as well as in other communications (meetups, calls, workshops and conferences).  As a result of conversations during a recent monthly PDEC conference call and subsequent communications, we are pleased to offer a four part blog post series from guest blogger David Alexander.

David is the Chief Executive, Co-Founder and and Platform Architect at Mydex.  This is the third in a series of  four posts in which David will shed light on the development of Mydex as a CIC, and the journey the company has been on, and where it is headed.  Enjoy reading it!


 

Mydex has been a member of the PDEC Start-Up Circle since its inception. In this series of blog posts David Alexander gives an update on Mydex the Community Interest Company, the Mydex Trust Framework, its ISO27001 certified platform and as a certified Fair Data company.

We are doing this in four parts.

Part Three today looks at Mydex as a Community Interest Company and why this is so important.

We are a CIC a “Community Interest Company”

That means we operate as a disciplined, commercial entity. However, two thirds of any profits go back to our social purpose which is to ‘help individuals realise the value of their data’. Critically, we are asset locked: that means there is no trade sale, flotation or exit strategy for the shareholders. Our shareholders are in it for the long term. This means three important things.

  • First, we serve the individual – their empowerment is our core aim, it shapes all that we do.
  • Second, it means we have avoided diversions caused by the wrong sources of funding where the short term demands of investors can divert us from our long term strategy.
  • Third, we are not built for exit. We are built for sustainability and long term duration. (We believe investors can and will make lots of money, but only by committing to long term mission).

And those three things mean that large organisations and governments can work with us safe in the knowledge that we will be here not only next year, but in five years time, and in 20 years time. To repeat: we are here for the duration.

We are positioning ourselves as the neutral zone (Switzerland) of personal data. We are neutral. We are not competing with any companies or app developers over the monetisation of data or personal services. We are acting as the infrastructure and platform for the trusted use of data. This means everyone within the ecosystem can work with us, confidently and safely.