A few weeks ago, I put up a post on LinkedIn, wherein I grumbled about how the ‘own your data’ argument was making the rounds again and why it was annoying. Here’s a select Tl;Dr from the thread:

Despite all the various techno-solutionism approaches out there (clearinghouses, the blockchain, data sovereignty, mesh nets), these don't work, and cannot work, because you cannot meaningfully revoke your consent to share information about yourself in all contexts and continue living in a society …

While I originally started with the selling-your-data aspect of data ownership, in many respects, I think my general complaint against data ownership extends beyond the sale/commoditization of data, be it self-sovereign identities or other exotic ways for people to maintain control over their personal data.

At that time, I issued a call to action to hear from boosters and proponents of these approaches on why I’m wrong. And to their credit, I received many thoughtful responses, and only a handful of annoying promotional pitches.

FWIW, I do plan to follow-up with many of these folks as part of a larger listening tour, if for nothing else, than to really immerse myself in the logic behind it and nuances and use-cases that I might be missing.

My (Preliminary) Thesis

Given that my September has been mental, I had to backburner this post as I prepared to speak at three conferences, and attend a few more, in addition to recording and editing various Chance Conversations podcasts, and y’know, being a consultant.

But a recent conversation with Ricardo J. Méndez, and his write-up of the same, , reminded me that I should at least push out a few thoughts on the subject while they were still burning in my mind.

I plan to write a much longer, more in-depth and nuanced post on this subject,1 but I wanted to at least lay out my central thesis on why most data ownership/self-sovereign models won’t and can’t work. It consists of a few core themes:

1. Personal Data is not a Property Right: Personal data (including your identity) is not a tangible form of property that you can hold or possess, nor is it an intangible asset like a copyright or patent that you possess a monopoly over. But property ownership is premised on the understanding that you have a right to use, possess, sell, and/or give that tangible or intangible property away.
   
   While selling data might make sense in a few isolated online contexts, most other uses of personal data don’t allow individuals to do all or any ‘ownership-like’ things with personal data, particularly when someone else has it. You can’t for example, ‘give away’ personal data that’s indirectly being collected about you, like your facial features and gait movement when you’re passing by someone’s Ring doorbell or a CCTV camera, or even an artist drawing you on the street. You don’t meaningfully have the ability to use or possess your criminal or tax records (and certainly can’t compel the authorities to stop using that information!). You don’t own this data, even if it’s squarely about you.
   
   And things get even more murky if you try to reconcile an ownership model with shared, mixed, or group data. I might share an opinion about you or somebody else over an email ('Suzie has a great personality and would make for a strong hire', or 'I think Paul is an incompetent DPO and shouldn’t be working for XY Corp.'), or I might have information about you as an employee that's part of a larger dataset of employee data. Under most legal regimes, this is personal data about you, but in no universe would anyone reasonably argue that you own or have control over that data. I wrote about much of this here.

   

   No, You Do Not Own Your Personal Data

   Carey Lening

   ·

   Jan 30

   Read full story

2. The Social Contract: That brings me to point 2: We live as members of a complex society. That society has laws, norms, and obligations; and abiding by these laws, norms & obligations, generally leaves us better off than if we were living as loners in the wilderness.
   
   Data sharing, for better or worse, is part of the social contract we all agree to. And in some respects, so is identity. No, I don’t mean to say that this requires us sharing things with Meta, Google, or Twitter. I’m talking about the data sharing and identity verification we do when we exchange emails with people, open a bank account, call someone, seek healthcare, or access government services. These things aren’t meaningfully revocable.
   
   Pretending that we can all be libertarians or sovereign citizens about our data and our identities, and freely revoke or control that information, ignores reality and the social contract we have agreed to by virtue of existing in a society. Assuming we have some power to revoke someone else’s knowledge about us is absurd. But that’s what a true self-sovereign approach ultimately requires.

3. Techno-Solutionism Doesn’t Solve Problems: No one has convincingly shown me a data ownership approach/solution/tool that doesn’t involve overly-engineered, complicated tech like distributed ledgers, tokens, zero-knowledge proofs, super-nerdy encryption, or user-storage-based solutions that have many weak links and failure points. If the tech isn’t simple, it won’t be widely adopted. It’s the mom test: If you can’t explain it to the average mom (or dad, or 5-year-old), it’s not going to be used.
   
   Conversely: Nobody has really shown me how their fancy mesh-net centralized/quasi-centralized approach won’t suffer the same pitfalls as the systems we have today. Even if those systems are technically decentralized, in order to make individual bits of data about us, like our name, email address, photograph, DNA, health data, etc., available to sell/monetize, the data must be stored somewhere that can, with a push of a button, be shared, sold, or revoked for a given use case, or from a particular controller. Sure, that trusted provider might not be Meta, but that doesn’t stop the fact that someone has your data and is mediating how that data is shared.
   
   And for anyone arguing self-hosting/edge storage, I invite you to peruse the many, many threads online about all the poor bastards who have lost their iCloud backup keys, or their Bitcoin wallets. Now multiply that by eight billion.

4. Use-cases generally presume a digital component: Personal Data doesn't strictly consist of 1s and 0s. There are loads of cases, especially outside of the digital/online realm where you’re not going to be able to monetize or revoke access to your data. Or store it in some distributed ledger.

   
   That isn’t to say I think all use-cases are bunk — aspects of data ownership and the data control models are in some senses already baked into the law (notably, data subject rights to erasure, data portability, and in the larger context of interoperability). Privacy-enhancing technologies like federated learning & edge computing and storage options provide legitimate pathways for users to take back control of their data.
   
   And I agree with Ricardo — “there is no reason why my Fitness information should be anywhere other than my watch and the phone it's connected to”. There are legitimate use-cases where localized storage is a better solution than sticking everything in Google Drive, or making copies across hundreds of thousands of systems. Making those cases seamless, and giving individuals control over whether things are backed up, or making it easier to say, take your social network to a new system (via interoperability) is a good thing.

   
   Ricardo had a killer point: “[D]ata ownership is a sliding scale, not a toggle.” We should have more control than take it or leave it. But that isn’t the same as having a property ownership right over our data and identity, or assuming we can unbundle ourselves from society just because we aren’t happy with the state we’ve landed ourselves in.

   My goal is to try to articulate why that is, where there’s convergence between my central theses and the own your data/self-sovereignty proponents, and where there might not be a ready answer.

Share

Leave a comment

Oh, and btw, I hope to by the end, actually spell sovereignty right on the first go, without having to rely on autocorrect.