Privacy-sensitive users are drawn to solutions with certain features: end-to-end encryption, granular consent, data ownership, and secure storage. But what is it that privacy can really do for users, and is there a non-exploitative business model in it for companies?
KuppingerCole envisioned Life Management Platforms back in 2012 as the pathway to individual data sovereignty. Data sovereignty is incrementally being introduced as a right of individuals, with principles being introduced in the European GDPR, the Canadian PIPEDA, the CCPA, and others. While these regulations manage the commercial data interactions between the individual and the business, there is still a huge gap between the data protections offered and meaningful data sovereignty for the individual; the user does not yet have a cohesive means to manage their personal data and share it with third parties and still maintain ownership and control. In other words, privacy seekers are still waiting for a Life Management Platform.
Imagine a secure digital data store for your identity documents, financial records, credit score, health records, ownership deeds, and credentials. Imagine that you could share that data securely in a digital format, without sending a scan or filling out a registration form. But beyond simply sharing, you have the control over which entities can view or store that data. You can restrict the length of time they have your data, and you have an auditable list of which third parties you have shared information with. Your data remains centered around you, not the entities you have created an account with.
Imagine submitting a mortgage application to multiple banks, scouting out the best opportunity. You can put permissions on your data so that it only resides with the bank that you sign the contract with; otherwise it is returned to your personal data storage. This way you can shop around without leaving a stream of personal data behind.
Imagine visiting the doctor with an aging relative, where medical results should be shared with not only the patient, but a designated guardian as well. The aging relative can delegate you to receive information on their behalf and grant data access privileges to you; to share medical information but not financial, for example. In the case of a child these permissions can be granted until they gain full data ownership at 18 or the appropriate legal age.
Imagine posting a photograph on social media with your copyright. Your intellectual property resides in your data storage, but you’ve displayed it on your channel for the world to see. Someone else wants to use that photo, and you grant conditional access, for a fee. One download, with no further reproductions.
We have to recognize that we are describing a product that does not yet exist…not fully anyway. You can find elements of a Life Management Platform here and there, tucked in decentralized identity projects, enterprise digital rights management, or privacy solutions for consent management. A Life Management Platform should contain a user-centric data storage, the means to share data with strong rights management, and standard protocols to establish the veracity and digital provenance of shared data.
Data storage: There is a huge need for a secure data storage for individuals to hold personal data, critical documents, health records, proof of ownership, education credentials, etc. This is missing entirely from most privacy solutions, and only a few niche organizations are developing such a digital safe. The most promising technology solutions seem to be based on decentralized architectures like blockchain. These give the benefit of verifying data against authoritative sources – like a government-issued ID document against the public records – and storing the digital proof in the blockchain while the data itself resides in the user’s own device. Decentralized identity wallets and exchange of data are facilitated through the Verifiable Credentials emerging standard.
Permissioned Exchange: Verifiable Credentials lay the groundwork for data exchange, and some solutions are rolling out revocation rights, but granular permissions and rights management for shared data is still to come. This should include delegated access, guardian access for incapacitated individuals or minors, protection for IP, and protection for data posted in public, like social media channel. Data that is meant to be private must have permissions control to address the individuals it is shared with and the actions they can take.
Verified data, verified identity: Underpinning the ability to store and share one’s own private data securely are standards: Verifiable Credentials as mentioned earlier, and Decentralized Identifiers (DIDs). DIDs establish a universal protocol for describing unique identifiers in decentralized systems and Verifiable Credentials make it possible to attach an interoperable cryptographic proof of provenance to data that is shared. Widespread adoption of such standards make it possible to establish that data is verified with transparent publication of which entities have issued it and which have validated it. Similarly, identities that are interacting online can be verified and correlated to a real-world identity. This identity can still be masked during low value transactions to preserve the user’s desire to be anonymous, but some transactions, like in banking scenarios, the user can interact and share their private data that is correlated to their real-world identity.
Life Management Platforms are a futuristic concept, but one that becomes more relevant every day. Trends towards digital, user-centricity, privacy, and reusability all influence the need to hold, control, and share information privately. It will have a huge impact on how we interact as customers, employees, and business partners, be marked with automation and self-service, and attain even higher granularity on permission. Much of the details depend on the structure of the Life Management Platforms that will emerge in the next few years. This is new territory, and we will continue to struggle to balance the pressing need for privacy and the business cases that will inevitably rise out of innovation.