Privacy, Blockchains and Balkanization: The Rise of Custody and The End of Adtech as We Know it

What is bigger than Y2K, more expensive than an Oracle upgrade and sneakier than a Sasser worm on a vintage Windows PC?

That’s right. GDPR.

GDPR may sound a little bit like a German political faction and, in fact, German political factions may have helped get it started but the cold truth is the letters stand for General Data Protection Regulation and on May 25^th 2018 it becomes the law for the entire EU. For those of you unfamiliar with what GDPR is and how it may affect you there are lots of resources available that can bring you up to speed. You might want to start here. However, if you are a global business or have business partners who are global or know of someone who might know of someone who has a web browser inside the EU and you haven’t already addressed the implications of GDPR, chances are you are rightly and truly screwed.

Without spending too much time on the legal details, GDPR sets out some obvious guidelines for global corporations who are earnest in their interest to conform to its intent: that being the protection of personal information. For instance, firms that handle, process and store personal EU data are admonished to implement specific practices such as hiring or designating a Data Protection Officer. The same would be true for any partners that can access that same information or with whom that information is explicitly or inadvertently shared. Whether those be marketing partners, supply chain partners, credit and settlement partners, delivery and fulfillment partners, after market suppliers, etc. or the technology platform providers including applications, devices, ISP’s, DNS’s, CDN’s, IoT’s, SaaS, and Cloud Services that facilitate these interactions and transactions. You know, the transaction’s entire life cycle, its chain of custody, a concept that businesses will need to become familiar with and explicitly address in the coming years.

Spill this soup and it will create a hot, sticky mess in the most inconvenient of places…your lap. But, as we shall see, anticipating GDPR’s intent is a complex, expensive and ambiguous undertaking.

The way the law is written is for the explicit protection of personal data of EU persons doing business within the EU. However, what transpires post implementation is anybody’s guess. The overall impact on cross boarder data flows and consequently international trade is a matter of ongoing debate and speculation. Nor is it altogether clear under what circumstances the law does or does not apply or what liabilities may or may not be incurred. Future litigation will likely be the only way precedent is established, intent coalesces and fines get sorted out. As written, under GDPR, fines can be levied up to $21.5m per instance or 4% of a firm’s annual revenue, which ever is higher. And consultancy Oliver Wyman estimates that there is a reasonable likelihood that fines will amount to about $5.25b annually and that most of these will be paid by the larger multi-nationals doing business in the EU. For instance, the recent Uber breach we all read so much about would have been worth a scant $260m in GDPR fines. And these fines, as steep as they may seem, will be on top of expenses already incurred by these same multi-nationals in an effort to become and remain compliant with GDPR regulations.

So, like it or not, the GDPR represents a real toll that not all companies can afford and their decision to undertake compliance should not be made casually. Further, when the effects of those decisions are viewed in aggregate, the economic consequences between sovereign trading partners will be measured in billions.

But this may be just the most obvious but not the most consequential of potential outcomes. Since privacy is not just a function of personal data but also of the context in which that data is obtained such as the device employed, the IP employed, cookies dropped, trackers embedded, networks trans-versed, essentially the entire technological context of any given transaction, the ante could become astronomical, as large as the adtech industry itself which would put nearly $100-300b dollars at risk, which is another way of saying it would put all that cheddar up for grabs.

Mind the pennies and the dollars will take care of themselves…

In the run up to the implementation of GDPR, numerous attempts have been made to estimate the size of its impact, both with respect to discrete business entities as well as the overall economies that will inevitability be involved.

According to PWC, 68% of US companies surveyed said they plan to spend between $1m and $10m to prepare for GDPR and 9% indicated they expected to spend more than $10m to achieve compliance. A similar survey by Accenture suggests that more than 50% of business leaders expect that the GDPR will cause them to rethink their IT architectures, physical IT locations, sourcing of IT talent and cybersecurity postures. And 80% of the participants in Accenture’s survey plan to reassess data privacy implications with respect to further foreign investment or increased globalization. Research by Ovum would seem to confirm this view with 85% of US businesses assuming it will be harder to do business in the EU and 78% of US businesses explicitly indicating they will review their approach to EU business post GDPR implementation. And in a somewhat discouraging note, Ovum also discovered that a full 50% of global businesses already believe they will be fined as a result of doing business in the EU after GDPR. Not might be. Will be.

 

So what was benignly intended as a path to privacy protection, GDPR is beginning to emerge as a pernicious policy of “local data sovereignty”, what a study by the Information Technology and Innovation Foundation refers to as a form of “digital mercantilism”, a type of tariff based protectionism that favors indigenous players over those whose participation can only be facilitated by cross-boarder data flows. This isn’t exactly new. China has been pursuing a similar policy predicated on out-right censorship and protectionism. But what’s worrisome to those watching this unfold is that GDPR is being held up as a model worthy of emulation by a host of emerging countries who would like to reap the same benefits without acknowledging the costs that might be involved.

This is a case where simple extrapolation can scare the pants right off of you.

The European Center for International Political Economy has examined the potential impact of this policy from several angles. In one scenario, EU service exports to the US are expected to decline by 6.7% while US service exports to the EU would decrease by 16 to 24 percent. In short, most Small and Medium US based service Entities (SME’s) would likely abandoned participation in the EU market and the reciprocal revenues that EU firms might enjoy would also evaporate. In this same scenario service exports from other countries to the EU could drop by as much as 80%. In a second scenario, GDPR would decrease EU GDP by as much as 0.8% to 1.3% which on a consumer welfare basis would amount to between $102b to $170b loss to the EU economy.

Assuming other countries embrace a privacy model similar to what the EU has proposed the global economic impact could be enormous, so large, in fact, that estimates are hard to come by. However, it’s possible to back into an approximate impact by estimating the current value of unencumbered cross-boarder data flows. The McKinsey Global Institute writing in a March 2016 piece entitled “Digital Globalization: The New Era of Global Flows” estimates that over a decade global data flows have raised the world’s GDP by at least 10 percent, a value of $7.8 trillion in 2014 alone. So a single percentage point of worldwide GDP by the end of 2017 would arguably be about $1 trillion.

Assuming world-wide rationalization of data privacy based on the GDPR is adopted sometime in the 2018 timeframe, not altogether out of the question, it might be possible to put an upper and lower bounds on what the world economy might expect to experience. Using blended rates from the European Center for International Political Economy for GDP impact attributable to data localization and privacy policies for developed and developing economies it possible to back into a guesstimate of between $322b to $438b in lost worldwide GDP beginning by the end of 2019. Not exactly what you would call small potatoes. But the loss in GDP would not be the only consideration. As a second order consequence there would be a commensurate loss in “insight” data as more and more transactions, the artifacts of economic activity, sit in inaccessible sovereign stores, slowly turning into wasting assets.(see Sis, Boom, Bah! – December 2015)

All of that notwithstanding…

 As interesting or terrifying as these numbers might be, they don’t even begin to tell the whole story. Hidden deep within your smart phone, a different tale is being told; one that is immensely more personal and immeasurably more perplexing. Buried in the GDPR are some nuggets called Recitals 26, 30 and 32. Taken together they convey the legal principle that any ancillary data, associated with an information based transaction, say invoking a web site or making a purchase, that by itself or in combination with other data exposes the identity of the individual who has initiated such a transaction is considered personal data and therefore can only be captured and employed with the owner’s explicit and affirmative consent. This would include cookies, trackers, IP addresses, device identifiers up to and including any information stored in social media or associated with the technological infrastructure employed to satisfy any given request, a waterfront both broad and murky.

At this juncture it might be worthwhile to take a moment and reflect on the reach and scope that this principle might have on consumer use of the Internet. For instance, all those ads that slam your device like a denial of service attack when all you wanted to do was find out when a movie was showing? Gone. Unless of course you explicitly and affirmatively consent to their display. All those Google or Amazon recommendations that choke your browser when all you wanted to do was find out what local store might sell extra toasty Cheez-Its? Gone. Unless, of course, you explicitly and affirmatively consent to their display. PageFair, a global authority on all things adtech, recently conducted research on the likelihood of anyone consenting to exposing their personal information based on a web based query and the answer that came back was that 79% of users would not provide it. Of course, what could very well happen is that if you don’t provide your explicit consent, the service that was going to find you those extra toasty Cheez-Its will no longer be available for your use.

 

Source: PageFair

And here we have another instance where simple extrapolation can scare the pants right off of you.

Over the past several months Google and Facebook, the two players that have the most to lose when it comes to adtech revenues, have been insisting through the press that they will be completely compliant with GDPR when the reg’s get turned on in early 2018. And, if one assumes that what they mean by this is that they will have their Data Protection Officer ducks all lined up; that would make sense. But the issue of how personally identifiable information (PII) is conveyed from an individual’s device can be down right slippery and who specifically might be liable for such information becoming an unguarded public secret just as hard to pin down.

As recently reported in The Intercept and The Register the average smart phone, whether iOS or Android, is simply crawling with trackers. Exodus Privacy has reportedly identified 44 trackers currently embedded in popular Goggle Play apps. And it would be reasonable to assume that there are a similar number, if not more, embedded in popular iOS apps. And according to The Intercept, the apps containing these trackers that have already been downloaded and installed number in the billions; likely more than a few in the EU. Further, researchers at Columbia University demonstrated as far back as 2016 that information posted to social media accounts including Facebook, Instagram and Twitter, once concatenated, can easily expose the device owner’s location. And location would be considered PII under the GDPR.

So, a couple of things would need to happen in order for the trackers embedded in these apps and hosted by their respective “device platforms” to become GDPR compliant. Each tracker, or its app, when invoked could request explicit consent from the user. Given that there are probably hundreds if not thousands of these buggers already in the wild, that is not likely to happen. Next, the “device platforms” which host these apps could incorporate a utility that, based on signatures, identify a tracker once invoked and request the user’s explicit consent before allowing it to be launched. A slightly more elegant option but likely not one that will be completely reliable and it makes the “device platform” liable for any PII that might inadvertently leak. Finally, a different approach might be one where user activity could be completely cloaked and anonymized through a trusted VPN mechanism and access to that data, including PII, marketed to the adtech community through an authorized third party broker. A concept we first discussed here back in 2015 (see Who’s Zoomin’ Who? – October 2015)

Whose chain of custody is it anyway?

The notion of monetizing and “remunerizing” consumer data expressly for the benefit of the consumer has been sloshing around for years. What makes it so attractive is not the thought of providing consumers tangible incentives but rather the gnawing notion that the measurable efficacy of adtech hovers around zero. Why else would a firm like P & G cut its adtech spending by over $100m and then report it had no measurable impact on sales? (see The Search for El Dorado – September 2011)

Interestingly enough, there is an emerging class of technology that appears ideally suited to auditably handling complex chains of custody, high volumes of fine grained transactions, incentive based markets for measurable participation and anonymity of active participants to persistent chains of pico-valued transactions.

That’s right: blockchain. Assuming of course it doesn’t melt down after the next Cryptokittie stampede.

Over the past couple of months blockchain applications in both the consumer anonymity and prospect remuneration space have emerged that combine a number of common blockchain elements. They maintain transaction custody through chained ledgers and trusted points of attestation. They can cloak participants and encrypt their activity. They exchange value through markets where the price of specific resources can be dynamically established based on scarcity and furnish incentives for both consumers and providers to participate. They provide continuous settlement for services for transactions transpiring at the record, packet or byte level. You can catch an early glimpse of these types of applications in Bitclave, Ocean Protocol and Orchid Labs. (see Anonymity – It Ain’t What it Used to Be)

The pioneers rushing to achieve killer blockchain applications, other than those whose sole purpose is the promotion of crypto-currency, have largely relied on the seat of their pants rather than proven reference archectures and application archetypes. Not exactly the kind of solutions that would engender a whole lot of confidence on the part of sovereign entities when it comes to maintaining PII. But the foundation components that make up the functional capabilities of these applications have been maturing rapidly and projects like Pandora Boxchain have already proposed a generalized reference architecture for basic blockchain infrastructures.

Source: Pandora Boxchain Project

Further, academic research such as the recently published paper entitled “A Taxonomy of Blockchain-Based Systems for Architecture Design” have provided much clearer guidance on exactly what platforms are most suitable for specific applications and use cases.

 

Source: “A Taxonomy of Blockchain-Based Systems for Architecture Design”, Xiwei Xu∗†, Ingo Weber∗†, Mark Staples∗†, Liming Zhu∗†, Jan Bosch¶, Len Bass‡, Cesare Pautasso§, Paul Rimba∗

Given the relative maturity that blockchain platforms have achieved, and assuming that an agreement could be reached on the consensus component for handling PII, it wouldn’t be inconceivable that the EU could certify specific blockchain instances as being GDPR compliant. Augmented by conventional VPN and market making techniques, these instances could be then be deployed privately as part of a multi-party supply chain applications or publically as part of consumer interrogation marketplaces where private data could be shared on a remunerative basis.

Source: On Technology//On Strategy Blog

If you begin here and add in a trusted intermediary to cloak consumer identity and the necessary market making facilities for remuneration to consumers and compensation to infrastructure providers you could have a robust chain of custody that protects PII while at the same time directly connecting relevant consumer data to parties of specific interest. However, without some means of achieving affirmative consent for the collection and use of PII, the data so collected is going to sit in anonymous silo’s, literally balkanized to bits and mostly useless to parties anxious to apply machine learning to gain new customer insights. The trick here would be to construct a mechanism, a kind of proxy or agent, that would allow consumers the ability to specify an appropriately granular affirmative consent without insisting that such consent be provided for every single transaction an individual would make in the course of their everyday lives.

The moment you’ve all been waiting for…

We are nearing a moment where the need for personal privacy and frictionless commerce could either keep company for our collective economic and personal benefit or part company to our certain economic and personal detriment. Fortunately, there are technical options we can pursue which could address these concerns to the mutual satisfaction of all parties. But several difficult questions remain. How would a consumer furnish their explicit consent and at what level of granularity? Who would be entrusted to operate a facility that simultaneously cloaks and exposes personal information? How would consumer remuneration be accomplished? And what mechanism would that authority use to accomplish this? What level of compensation would the system employ for infrastructure components and what basis would be employed to determine how incentives are created and compensation awarded? At what level of granularity does the system design and sheer number of transactions overwhelm the value proposition it was meant to serve?

 It could be argued that current circumstances might be used as an economic benchmark to inform future decisions. Since consumers have already surrendered their personal information to enjoy the benefits that accrue through the use of the Internet why would they need additional protection and compensation? Don’t bet on it. If current precedent becomes future predicate then all of the “device platform” providers, the Googles, Apples, Microsofts and Samsungs and most of the social media and ISP’s of the world should set up financial reserves immediately and start flushing GDPR fines through their P&L’s beginning 1Q18. It won’t be a matter of if they might be fined. It’s more a matter how much would the EU consider adequate.

A simple solution to all this would be for trade treaties to incorporate safe harbor agreements and be done with it. However, the EU and other sovereign entities aren’t likely to accept such agreements or big company dissembling for not fully complying with local privacy laws even if their intent at times might seem technologically ambiguous. There are those who would argue that the EU would like nothing better than to sue the likes of Google into oblivion before turning their attention to Apple, Amazon and Facebook; especially if there are indigenous alternatives available to take up the slack. And given that the custody of personal information could be protected using existing blockchain technology, it would be easy to forgive the EU for not blinking when the inevitable legal excuses make their way to Brussels.

The holidays are over; you may want to get on this.

 

For a more recent take on the issues behind these topics please go to “Identity and Sovereignty” in the Epilogues tab.

 

Cover graphic courtesy of royalty free, stock photos, all other images, statistics, citations, etc. derived and included under fair use/royalty free provisions.