Simon Kavanagh from Tieto explores the importance of both security and responsibility when it comes to decentralised personal data
Do you remember that café in Barcelona which served you a delicious cortado while you surfed their free WIFI? Do you remember the personal information you gave them when you signed up? Surely you read their terms and conditions? More importantly, do you know who has your information now and what they are doing with it?
If you are not working in the area of online privacy and security and are not a member of a group such as Necessary and Proportionate or routinely paint your face to confound facial recognition algorithms, then chances are you didn’t know you were giving personal information away and you certainly don’t know where it is now. It’s also likely that you don’t really care. The majority of people who regularly use online services don’t know or care about the leakage of their personal information. The old adage states that if a service is free then you are the product (think GAFA), but it’s also true that the most common response is: meh (expressing a lack of interest or enthusiasm).
What exactly is the problem with a café holding onto your email address, IP address, date of birth and name? What impact does this have on your life? Well, if you’re lucky then none at all. But luck is hardly a long-term strategy for online security. As more and more of your personal data is being vacuumed up, stored in dubious locations and used without my informed consent, then you will soon run out of luck.
Identity theft is one of the most obvious risks. And it’s a frighteningly trivial thing to accomplish. All that’s needed is some basic personal information (name, address, phone number, social security number etc.) which can be used to trick a phone company (for example) into thinking you are your victim. When this is accomplished you can re-route SMS traffic (including one-time-passwords) and voilà. The attacker now has access to your bank account.
A recent study by a research group showed that in the US alone identity theft hit a record 15.4 million people in 2016, a rise of 16% on the previous year. And if you think it’s only your public Facebook profile which is leaking sensitive data then take a deep breath and have a look at this map showing known medical data breaches in the US from 2009-2016. Closer to home, we have this nice guideline from the Finnish consumer authority, which urges you to take precautions to prevent the same thing happening to you.
Nefarious use of your personal data is one downside of the IT-saturated lives we live. But there are also fantastic possibilities for positive uses of your personal data. This is an area Tieto are especially interested in. For example, why does one identical twin develop a hereditary disease when their sibling does not, though they grew up together, shared the same experiences and have (almost) identical DNA? Unravelling this puzzle involves combining Genotype data with Phenotype data from disparate sources in coordinated research focused on uncovering the links between the two.
And here’s the tricky thing: this data needs to move as per the owner’s informed consent. A citizen-centred, consent network is essential here. This is the challenge that Tieto (together with California start-up Gem) has undertaken. We see a future where anyone can see where their most valuable information is. From there they can take control and make informed decisions as to its use. We don’t see technology as the major stumbling block here (although recent innovations in distributed ledger technology have made a consent network more secure). Raising awareness and combating apathy is much more challenging. Most people simply don’t care. To get over this, Tieto are focusing heavily on user-centred design. The challenge we’ve set ourselves is: how do we design for empowerment?
Outside of research, a citizen-centred consent network which is naturally cross-border is also useful if you ever want to invoke your EU right to have a medical procedure carried out in another member state. This EU right is related to the freedom of choice vision in the Finnish SOTE reform – but exposes the limits of that vision too. In Finland, to realise the Freedom of Choice vision your healthcare data needs to move fluidly between the different professionals. Kanta is the national platform backed by the Finnish government, which will certainly help the movement of your data between Finnish health providers (public and private). That’s excellent, but it works right up to the edge of the Finnish national border and no further.
As of now, there is no easy way your health data moves electronically between EU member countries – instead health tourists are forced to carry a USB drive, a DVD or a folder under their arm (see this report here commissioned by the government of Estonia for more information on the restrictions to the free movement of Health Data). A fundamentally different sort of network is needed for the age where EU medical tourism becomes the norm. One where citizens themselves control who does and doesn’t have access to their medical data. There are many aspects of a successful network such as this. As explained earlier, citizen-centered consent is one. Two others are Identity Verification and Information Veracity (Tieto are also working on these two aspects of trusted transactions together with the Sovrin foundation).
Unfortunately, instances of identity theft and other forms of data-based attack show no signs of decreasing. But these negative consequences of living in the digital age should be balanced against the enormous possibilities we have to build more citizen-centred and empowered IT solutions and services. Tieto is committed to this positive future and we want you to be in control.
Read more about our thoughts on blockchain here:
Self-sovereign identity delivers MyData in practice.
It’s your data. Take it back. Unlocking your health data with blockchain.
Please note: this is a commercial profile
Head of innovation and design in healthcare, welfare and education
Tel: +47 912 43949
Editor's Recommended Articles
Must Read >> Blockchain for sensitive and personal data
Must Read >> Government set to extend UK data protection law
Must Read >> Cyber security, GDPR and the public sector