How can technology help citizens take control of their own data?

With the rapid adoption of digital technology has come an apparent sacrifice of the level of control by a citizen over their own data. Government agencies can only do so much to enforce the rules against mega social media platforms notorious for taking advantage and sometimes the government has been proven to be part of the problem and not necessarily the solution.

There is emerging digital identity technology being developed by innovators who contend will empower citizens to take greater control over their own data being collected (and often monetised) by these very organisations.

This article examines the state of play and offers some guidance to those interested in taking back control of their own information.

What's happening in the world of citizen data rights?

Across the world the rights of citizens to enjoy the liberties and freedoms afforded by society forms the fundamental fabric of the social contract. The notion is divined from the fundamental right of privacy and there is an increasing tension between this foundational tenet and the advancement of technology innovation which is increasingly dependent upon access to citizen data.

The situation is made worse by horror stories where government agencies and large platform companies have abused their access to citizen data. For example, in the US there are many cases where the use of the US Patriot Act has allowed government agencies untold surveillance powers upon its citizens (and even non-citizens) in the name of 'national security' and this has often spurned massive backlash and many Hollywood interpretations (think Will Smith in "Enemy of the State"). Other examples include:

• United States: The U.S. government has been involved in several scandals related to mass surveillance, such as the NSA’s PRISM program, which collected data from major internet companies, including Google, Facebook, and Apple - without the knowledge of users from all around the world. The U.S. government has also used facial recognition technology to identify and track protesters, activists, and journalists.
• China: The Chinese government has been accused of using big data to violate human rights, such as by spying on its citizens, censoring online content, and persecuting ethnic minorities. China has also imposed a controversial national security law in Hong Kong, which gives the authorities sweeping powers to access and seize personal data from anyone suspected of endangering national security.
• India: The Indian government has been criticized for its Aadhaar project, which is a biometric identification system that collects the fingerprints, iris scans, and photos of over 1.2 billion Indians. The Aadhaar data has been linked to various public services, such as welfare, banking, and taxation, but it has also been vulnerable to data breaches, identity theft, and exclusion.
• Russia: The Russian government has been accused of using cyberattacks to interfere in the elections and affairs of other countries, such as the U.S., France, and Germany. Russia has also enacted laws that require internet service providers and online platforms to store and share user data with the authorities, and to block access to websites that are deemed undesirable.

Let's not even get into the dramas caused by companies who have been caught exploiting citizens and their data, including:

• Facebook: The social media giant has been involved in several data breaches and scandals, such as the Cambridge Analytica incident, where the data of 87 million users was harvested without their consent and used for political purposes. Facebook also admitted to sharing user data with more than 150 companies, including Amazon, Netflix, and Spotify, without notifying the users. In 2023, Facebook faced a US$5 billion fine for its role in the misuse of user data.
• Google: In 2023, Google agreed to pay a US$170 million fine for illegally collecting personal data from children on YouTube and using it for targeted ads. Google also faced lawsuits for tracking users’ location even when they turned off the setting, and for scanning Gmail users’ emails for advertising purposes.
• Verizon: The telecommunications company was fined US$7.4 million in 2014 for using its customers’ personal information, such as phone numbers and billing addresses, to market its own services without their consent or notification. Verizon also agreed to notify its customers of their opt-out rights and implement a compliance plan to protect their privacy
• Didi Global: The Chinese ride-hailing company was fined US$1.19 billion in 2022 for violating data privacy laws and failing to protect the personal information of its users. The fine was the largest ever imposed by China’s data privacy regulator and came after a series of investigations into Didi’s data practices.
• Amazon: The e-commerce giant was fined US$877 million in 2021 by Luxembourg’s data privacy authority for violating the EU’s General Data Protection Regulation (GDPR) by processing personal data without the consent of its customers. The fine was the largest ever issued under the GDPR and followed a complaint filed by a French privacy group.
• Equifax: The credit reporting agency suffered a massive data breach in 2017 that affected 147 million Americans, exposing their names, social security numbers, birth dates, addresses, and driver’s license numbers. Equifax agreed to pay at least US$575 million in fines and compensation to the affected consumers in 2019.
• Instagram: The photo-sharing app was fined US$403 million in 2022 by Ireland’s data privacy watchdog for violating the GDPR by processing the personal data of children under 13 without their parents’ consent. The fine was the second-largest ever issued under the GDPR and followed an investigation that found that Instagram had failed to protect the privacy rights of its young users.

So why would we ever continue to give them our data?

We keep giving them the data because the benefits appear to outweigh the detriments. As significant as the abovementioned horror stories are, they are still the exception to the general rule that governments and businesses are overwhelmingly doing good things with citizen data (including by obtaining consent and treating the data respectfully and with care). There are continued improvements in the obligations upon such entities in the methods they use to look after citizen data and compliance & enforcement frameworks such as the General Data Protection Regulation and other similar frameworks have helped to significantly improve things. Examples of the many benefits of continuing to allow governments and businesses to use citizen data include:

Effective Public administration

• Reducing duplication, fraud, and error - and therefore avoiding the costs often associated with such issues
• Enhancing the quality and accessibility of public services - such as delivering them proactively, personally, and digitally, and improving customer satisfaction and trust.
• Addressing societal challenges and opportunities - such as responding to emergencies, promoting public health and safety, and advancing environmental and social justice. It facilitates easier access to government and private services, education, healthcare, and other essential resources, reducing barriers for vulnerable populations.
• Supporting evidence-based policy making and evaluation - such as using data analytics and artificial intelligence to inform decisions, monitor outcomes, and identify best practices.
• Increasing the civic engagement and social inclusion of citizens - such as enabling them to participate in consultations, deliberations, and co-creation of public policies and services, and to access opportunities and benefits.
• Promoting the education and awareness of citizens - such as enabling them to learn and access knowledge, skills, and resources, and to understand their rights and responsibilities.

Industry-driven innovation

• Fostering innovation and competitiveness - such as creating new business opportunities, products, and services, and stimulating research and development. Customer data provides valuable insights into market trends and consumer needs. Companies can use this information to innovate, develop new products, and enhance existing ones to better meet customer expectations.
• Enhanced customer service - access to customer data allows businesses to provide better and more personalized customer support. Companies use customer data to tailor their products and services to individual preferences. This personalisation can enhance the user experience by providing relevant recommendations, content, and offers. This can include anticipating customer needs, resolving issues more efficiently, and offering a more satisfying overall customer experience.
• Supporting evidence-based decision-making in business and evaluation - Businesses can use customer data to inform strategic decisions using data analytics and artificial intelligence / machine learning to inform decisions, monitor outcomes, and identify best practices. This data-driven approach can lead to more informed choices in areas such as marketing strategies, inventory management, and resource allocation.
• Improved efficiency - access to customer data allows businesses to streamline their operations and improve efficiency. For example, data analytics can help companies identify areas for optimisation, reduce waste, and enhance overall productivity. With stored payment information and other relevant data, transactions can be expedited, leading to a quicker and more convenient shopping experience for customers.
• Targeted advertising, promotions and programs - by understanding customer preferences and behavior, businesses can create targeted advertising campaigns. This benefits both consumers, who receive more relevant ads, and companies, which can optimise their advertising budgets by reaching a more receptive audience. Examples include Customer Loyalty Programs where businesses can use customer data to implement loyalty programs and rewards systems. By understanding customer behavior and preferences, companies can offer personalised incentives, discounts, or rewards to encourage customer loyalty.

So as long as the overwhelming everyday benefits of providing ongoing access to citizen outweigh the occasional (and unfortunately often significant) detriments, citizens will and still should continue to give access to governments and businesses.

Fine. I'll let them use my data. But is there any way that I can get increase the amount of control over the way it is used?

Yes. And it all has to do with "Digital Identity" and the way in which a citizens' identity is used in the world of digital technology.

After having conducted significant research and leading some decent digital identity solutions at scale for both government agencies and businesses, I believe that Digital Identity technology has the potential to empower citizens and give citizens more control over their data and information using the following key technology approaches:

A User-Centric outcome via Self-Sovereign Identity

Digital identity technologies should be designed to be user-centric i.e. putting individuals in control of their own identity information. This way, users can manage and share only the necessary information, reducing the risk of unnecessary data exposure. This is enabled by Self-Sovereign Identity (SSI), a concept that enables individuals to have control over their own digital identities without the need for a central authority. Users store their identity information on a personal device, such as a smartphone, and choose when and how to share it.

Distributed Digital Identity

Distributed Digital Identity is achieved by applying blockchain technology as a form of SSI to secure and authenticate these identities (read my article on Blockchain to understand more about it) providing Decentralized Identity (DID) systems giving users control over their identity without reliance on a central authority. This can enhance privacy and security while reducing the risk of large-scale data breaches. Blockchain-based digital identity systems also provide transparency and auditability where users can track when and where their data was accessed, creating a clear trail of transactions. This transparency can build trust and enable users to take control of their data usage.

Strong authentication mechanisms, such as biometrics or multi-factor authentication, can also be integrated into SSI digital identity systems to enhance the security of users' data and reduces the risk of unauthorized access.

Consent-Based Information Sharing

Digital identity systems should also incorporate consent mechanisms, allowing individuals to give explicit permission before their data is shared. This ensures that users have control over who accesses their information and for what purpose.

Data Minimisation

Digital identity technologies should support the principle of data minimisation, where only the minimum amount of information necessary for a specific transaction or interaction is shared. This helps in limiting the exposure of personal data.

So what are the benefits of using this technology?

Along with the significant enhancements outlined above, the specific benefits derived from adopting the abovementioned Digital Identity approaches can be quite significant including:

Security and Privacy

Distributed Digital Identity systems with Consent Based Information Sharing and Data Minimisation designs can provide a secure and tamper-resistant way to store and manage identity information and more resilient to hacking and fraud.

Inclusion and Accessibility

Distributed Digital Identity can enable citizens without traditional forms of identification to access to services such as finance, education, agriculture and social welfare, particularly beneficial for those in underserved or remote areas. There are amazing use cases globally including the following:

• AgriLedger : This is a project that uses blockchain to create digital identities for smallholder farmers in developing countries, and to track and verify the provenance and quality of their agricultural products. This can help farmers access better markets, prices, and financing, and reduce food waste and fraud.
• Earth ID : This is a project that uses blockchain to create self-sovereign identities for individuals and organizations, and to enable them to verify and share their identity information with others. This can help users access various services and opportunities, such as banking, education, health, and travel, and protect their privacy and security.
• Yoti : This is a project that uses blockchain to create digital identities for individuals, and to enable them to prove their identity and attributes online and offline. This can help users access various services and benefits, such as age verification, biometric authentication, and humanitarian aid.
• IBM's Refugee Empowerment Solution : This is a project that uses blockchain to create digital identities for refugees and displaced persons, and to enable them to access essential services and support, such as health care, education, and legal assistance. This can help users restore their dignity and rights, and rebuild their lives.
• Amply : Amply is a project that uses blockchain to create and manage digital identities for preschool children in South Africa, and to enable them to access early childhood development services, such as education, health, and social protection. Amply also allows teachers and service providers to record and verify the attendance and participation of children, and to claim subsidies from the government. Amply aims to empower children and their caregivers with self-sovereign identities that they can use throughout their lives, and to improve the quality and efficiency of public services for early childhood development.

Streamlined Processes

Distributed Digital Identity can simplify administrative processes, reducing paperwork and bureaucracy, leading to more efficient delivery of public services. Also by eliminating intermediaries and reducing the need for physical infrastructure, there can be significant cost savings for both governments and citizens.

Smart Contracts

Automated processes through smart contracts can add an extra layer of security, ensuring that transactions and interactions are legitimate. Smart Contracts can also facilitate cross-border recognition of identities, making it easier for citizens to engage in global activities such as travel, business, or online services. (Read more about Smart Contracts in my article about Blockchain )

Disaster Response and Aid Distribution

In times of crisis or disasters, digital identity can expedite the delivery of aid and emergency services by quickly verifying and identifying affected individuals. Distributed Digital Identity can enhance transparency in aid distribution, reducing the chances of corruption and ensuring that assistance reaches those who need it the most.

E-Governance and Civic Participation

Governments can use digital identity for more efficient and transparent governance, tracking citizen interactions and improving public services. An example would be voting systems underlined by Distributed Digital Identity which can be integrated into secure voting systems, enhancing the integrity of elections and promoting civic participation.

Immutable Records for Social Services

Blockchain can be used to create immutable records for social programs, ensuring that benefits reach the intended recipients without the risk of manipulation.

IBM uses Distributed Digital Identity systems to deliver social good initiatives in its IBM Science for Social Good program Science for Social Good - IBM Research

So what can I do to make this happen?

There's a couple of ways:

1. Get informed - do your research and get yourself up to speed on how your data is currently used by the government and businesses and other businesses such as charities and NGOs. Then follow up with them and check to see if they are using the abovementioned technologies and if not, ask them "why not?". You can make the decision to let them keep your data or go through the process of extracting it (no matter how easy or painful that process may be) - its ultimately up to you!
2. Join the cause - there are a number of ways you can contribute to efforts that you believe are making worthwhile progress towards the effective implementation of citizen-centric control over data and information. Do your research about a cause that you believe in and follow-up with them to understand how you can help progress their mission.
3. Incorporate it into your life - whether by finding out how to do so in the business your work for or own or perhaps for the government agency within which you operate.

Whilst it is essential that governments and businesses respect and protect the privacy and security of citizen data and ensure that data sharing and access are based on the principles of lawfulness, fairness, necessity, proportionality, and purpose limitation, it is even more important that citizens are informed and involved in the governance and management of their data, and that they insist on having the choice and control over how their data and information are used and by whom.

Resources

• Assessing the Tension Between Privacy and Innovation
• Santani "The Fight for Personal Data", 2019
• Heather Kelly and Emily Guskin, “Americans widely distrust Facebook, TikTok and Instagram with their data, poll finds,” The Washington Post, December 22, 2021
• Aaron Holmes, “How police are using technology like drones and facial recognition to monitor protests and track people across the US,” Business Insider, June 1, 2020,

• The changing paradigm of distributed ledger technologies - Deloitte
• Final-White-Paper-1-Blockchain-in-Africa-Opportunities-and-Challenges-for-The-Next-Decades.pdf ( smartafrica.org )
• Distributed Ledger Technology and Digital Identity: Prospects and Pitfalls Ahead · Better Than Cash Alliance
• Governance and societal impact of blockchain-based self-sovereign identities | Policy and Society | Oxford Academic ( oup.com )
• Blockchain Identity Management: Complete Guide 2023
• Can Digital Identity Solutions Benefit from Blockchain Technology? — ENISA