midata - let's be clear, it needs to be my data

After the consultation last year on midata to which I think several member of Horizon responded (well done team!), we saw the government response in November, and now the move to legislation in the House of Lords (search for 58C on that page - and could someone teach them about the name tag!)

I am a strong proponent of making data available to customers. Today I have online access to a lot of my data - bank, credit card, energy, but the data is presented as webpages designed for human consumption accessed via some arbitrary means of authentication. If I can download the data it requires me to do it interactively and it arrives in some random (often proprietary) format and / or with a private schema.

We have been here before; the open data movement initially struggled with human readable webpages and proprietary file formats, and continues to campaign to get the datasets released in agreed and open standard forms that can be downloaded and processed by software on our behalf.

If midata legislation can be used to drive towards standardisation in the industries that already allow us access to our personal data to enable a new software market, for example in personal finance management and energy planning, then great. If the legislation can be applied more generally to all my personal transactional data, I can envisage applications offering dietary advice based on my shopping habits, and through mobile location aware apps, fusions of data offering personalised advice related to off the shelf medications, and household heating control using historical occupancy data and current household members whereabouts; etc.

The creativity potential here is vast and can be implemented using software running on my computer / tablet / mobile that can process my data in private; this approach has been at the heart of our research in the dataware project for the last three years.

However, I am deeply concerned by the idea that third parties are going to step in and start offering these applications as online services based on the assumption we will hand over this base raw personal data to them. If you thought the furore about smart meters was justified, this more general approach stands to be the privacy violation of the century.

There are times when society should protect us all and not resort to caveat emptor - consumer protection is enshrined in many country's laws, for example in the UK we have the Sale of Goods Act 1979 - at some point we must adopt the same approach to these online services.

A fool and their data are easily parted.

Literatin in use - 18.6 years of education
needed to understand this privacy policy
At the root of the issue is the legal basis on which many companies process this personal data - by clicking on "I agree to the terms and conditions" you are presumed to have given informed consent. Really? Are the vast majority of consumers actually engaging in informed consent at this point?

Using our Literatintool [1], I find a well known social media site where the privacy policy is "...suitable only for a graduate-level audience". I would suggest that for many in society they simply have not been informed, even if they did read it!

Furthermore, it is well documented [2] that many people think the very presence of an oft not very prominent privacy policy, means their data is kept private rather than it being a liability disclaimer by the company collecting, mining and sharing it. So a societal level misunderstanding; possibly (and the basis on some of our ongoing research!) based on a presumption that civilised societies have consumer protection legislation...

Babies and their bath water.

Does this line of thinking foreclose cloud services generally (the current darling of entrepreneurs and venture capitalists alike), and the comparison websites (e.g. uswitch, confused, moneysupermarket, those damn meerkats) which are much loved by those who believe in the informed consumer?

No - just requires a bit more thinking about the data transaction, than the "give em everything" philosophy. Let's just think through a couple of examples:
Energy data - personal yes, but if you
don't know who I am, is it private?
Energy switching - even in a complex market with price of day tariffs where a service provider might need my raw energy data at one minute intervals to compute the optimal tarriff [3], they only then need the first part of my (UK) postcode to understand which suppliers might be relevant - amongst the many things they do not need to do the job are my name, address, phone number, email address, age, or shoe size.
Car insurance - this actually came up during the consultation meeting on midata at BIS in London, and a chap from a comparison website agreed that actually they didn't need any identifiable information - yes postcode, age, driving experience, employment, car type, etc, but again no need for name or specific address. Indeed even when they deliver you as a customer to a specific insurer (who will require your name!), they can earn their commission without ever knowing who you are...
That some of these folks want much more data is not about the service they supply to you, but that they operate a multi-sided platform [4] and deliver you and your data to advertisers and service suppliers; oh and perhaps so they can send you a cuddly toy - but to tell you the truth I'll pass on possessing a clan of Suricata suricatta if I can have my privacy please.

[1] Luger, E., Moran, S., and Rodden, T. Consent for All: Revealing the Hidden Complexity of Terms and Conditions. to appear in SIGCHI Conference on Human Factors in Computing Systems, 2013.
[2] Joseph Turow, Chris Jay Hoofnagle, Deirdre K. Mulligan, Nathaniel Good, and Jens Grossklags, The Federal Trade Commission and Consumer Privacy in the Coming Decade, I/S: Journal of Law and Policy for the Information Societ, 3(3), 2007 (link).
[3] Given recent changes in UK energy billing the chances we pursue such complex tariffs seems remote.
[4] Ng, Irene CL Value & Worth: Creating New Markets in the Digital Economy, Cambridge: Innovorsa Press, 2013 (http://valueandworthbook.com/)

Written on January 28, 2013