The internet and adjacent ecosystems are evolving. A novel iteration of the internet architecture shifts control of personal data and online identity from centralized corporate entities to individual users. The emergence of Web3 fundamentally transforms personal information management and digital identity (Zheng et al., 2018). Traditional Web 2.0 infrastructure relies heavily on centralized authentication systems, typically provided by major technology companies like Google or Facebook. While offering convenience, this model places control of digital identities and associated data in corporate hands. The more mature web presents a paradigm shift in this architectural approach (Wang & De Filippi, 2020; Bassi & Bandirali, 2023). The Web3 framework introduces self-sovereign identity, analogous to a user-controlled digital passport. This system leverages blockchain technology to verify identity without disclosing unnecessary personal data (Preukschat & Reed, 2021). The technology facilitates selective attribute verification – for instance, age verification without birth date disclosure.
The transformation extends to data storage and sharing mechanisms. Web3 replaces centralized server storage with distributed systems, effectively creating individual digital vaults under user control. This architecture enables granular control over information sharing, including specific data elements, recipient selection, and duration of access. The system maintains transparent records of all transactions while preserving revocation capabilities. Implementation challenges persist, particularly regarding user accessibility and regulatory compliance with existing privacy frameworks (Bernabe et al., 2023). Nevertheless, the new web represents a significant architectural advancement toward enhanced individual control over digital presence and data sovereignty.
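The selective attribute verification and the revocable, time-limited sharing described above can be sketched as follows. This is an added example, not code from this chapter or from any Web3 project. The function names, the salted-digest scheme, the revocation set and the use of an HMAC in place of the issuer's public-key signature are assumptions made so that it runs with the Python standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed key; HMAC stands in for the issuer's public-key signature (assumption).
ISSUER_KEY = secrets.token_bytes(32)


def claim_digest(salt, name, value):
    """Salted hash of one claim; the salt blocks guessing of short values."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def seal(digests, expires_at):
    """Issuer's integrity tag over the digest list and the access deadline."""
    msg = json.dumps([sorted(digests), expires_at]).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


def issue(claims, expires_at):
    """Issuer: the credential holds digests only; salts and values go to the holder."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in claims.items()}
    digests = sorted(claim_digest(s, n, v) for n, (s, v) in disclosures.items())
    credential = {"digests": digests, "expires_at": expires_at,
                  "seal": seal(digests, expires_at)}
    return credential, disclosures


def present(credential, disclosures, reveal):
    """Holder: attach only the chosen claims, each with its salt."""
    return {"credential": credential,
            "revealed": {n: disclosures[n] for n in reveal}}


def verify(presentation, now, revoked):
    """Verifier: return the proven claims or raise ValueError."""
    cred = presentation["credential"]
    expected = seal(cred["digests"], cred["expires_at"])
    if not hmac.compare_digest(cred["seal"], expected):
        raise ValueError("credential was altered")
    if now >= cred["expires_at"]:
        raise ValueError("access window has ended")
    if cred["seal"] in revoked:
        raise ValueError("credential was revoked")
    proven = {}
    for name, (salt, value) in presentation["revealed"].items():
        if claim_digest(salt, name, value) not in cred["digests"]:
            raise ValueError(f"claim {name!r} is not in the credential")
        proven[name] = value
    return proven


def demo():
    """Constructed sample: prove adulthood without revealing the birth date."""
    claims = {"name": "Alice Example", "birth_date": "1990-04-12", "age_over_18": True}
    cred, disclosures = issue(claims, expires_at=2_000)
    shown = present(cred, disclosures, ["age_over_18"])
    return shown, verify(shown, now=1_000, revoked=set())
```

The presentation returned by `demo()` contains only digests, one salt and the `age_over_18` value, so the verifier never sees the name or birth date.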
The theoretical foundation for understanding such networked systems traces back to Milgram’s (1967) seminal “small-world experiment,” which demonstrated that human beings are connected through surprisingly short chains of social relationships. This concept of interconnectedness extends beyond social networks to various natural and technological systems. Network theory has proven valuable in analyzing diverse phenomena, from epidemiological spread patterns (Barabási & Pósfai, 2016) to protein-protein interaction networks in cellular systems (Vidal & Cusick, 2011).
The Internet’s evolution follows similar network principles, with its growth and adoption driven by network effects – the phenomenon where a service’s value increases with its number of users (Shapiro & Varian, 1999). While these network effects have been crucial for digital business success, they also present significant challenges. Just as biological networks can propagate beneficial or harmful elements (such as pathogens), digital networks can similarly amplify both positive and negative outcomes. This duality particularly manifests in data privacy and control issues in contemporary digital platforms.
The contemporary digital economy is predominantly driven by advertising-based revenue models, significantly centralising the World Wide Web’s economic infrastructure (Srnicek, 2017). This centralization has facilitated the emergence of dominant platform companies that have established proprietary digital ecosystems, systematically collecting and analyzing user-generated data to create comprehensive digital identity profiles (Zuboff, 2019).
The success of digital businesses follows a recursive pattern: advanced algorithms enable sophisticated digital products and services, which, when delivering perceived value, generate increased user engagement and more detailed behavioural data (Alaimo & Kallinikos, 2017). This self-reinforcing cycle creates an expanding data repository that drives corporate profitability. Nguyen et al. (2013) highlight the fundamental tension in this ecosystem, emphasizing that current platform architectures create an inherent power imbalance between service providers and users. Their analysis reveals that while users contribute valuable personal data, they lack meaningful control over how that information is collected and monetised. This asymmetry necessitates a shift toward user-centric data architectures and policies.
This recognition of data asymmetry has prompted significant responses from both users and regulatory bodies. At the individual level, users are increasingly implementing privacy protection measures, including encryption tools and data minimization strategies (Acquisti et al., 2016). Simultaneously, regulatory frameworks have emerged globally, with the European Union’s General Data Protection Regulation leading the way by introducing fundamental rights such as data portability and explicit consent requirements (Hoofnagle et al., 2019). These regulations aim to rebalance the power dynamics between data controllers and individuals, creating new standards for data protection across jurisdictions (Greenleaf, 2019).
All this leads to the hypothesis that the era of living in a land of milk and honey is ending for the large players in the digital economy. The current centralized data monetization approaches appear to be reaching their limitations (Kenney & Zysman, 2020). Established platform companies are demonstrating awareness of this impending transformation. For instance, major social media corporations actively diversify their revenue streams beyond traditional advertising-based data monetization (Nieborg & Poell, 2018). Meta’s strategic pivot toward virtual reality and digital payments exemplifies this transition, reflecting broader industry recognition of evolving market dynamics. But this is another story. Before painting a picture of the future and outlining solutions, we must ask ourselves: How did it come to this?
The answer to this question can be found in a simple fact:
“The Internet was created without an identity layer”.
This increasingly popular quote from Kim Cameron, Chief Architect of Identity for Microsoft, leads to the root cause that can make network effects a counterproductive force. Although the triumphant progress of the internet brought the information age to a new level, it led digital business models towards the described impasse. Whereas the Hypertext Transfer Protocol (HTTP) as the underlying protocol used by the World Wide Web led to the unparalleled, successful growth of the Internet, the web community failed to establish an adequate system to assign and verify identity. How the internet works fundamentally differs from how identity on the web works. The former is a network of connected devices. Each device connected to a network is centrally assigned a numerical label, the Internet Protocol address. Instead of identifying human beings as endpoints on the network, the system connects physical devices. That’s why it is nearly impossible today to identify people and authenticate their messages uniquely. In addition, we currently define and authenticate accounts that are not necessarily tied to real people or organizations. We often do this separately for each service. For the sake of convenience, we even allow giants like Facebook or Google to authenticate our identities on third-party platforms. This leads to the unfavourable side effect that online identities can dramatically differ from real-world identities and that information spread in digital communication might not be true. Politics has established new expressions such as “alternative facts” or “fake news” to describe this phenomenon better.
A certain degree of anonymity in digital communication is not harmful by nature. Anonymity may lower barriers to engaging in discussions and, therefore, to participating in a network. It can support the rapid growth of networks and their positive externalities. This effect describes the fact that an additional node in a network positively affects the value of this network to others. Anonymity also drives the success of many use cases on the blockchain. Bitcoin is one of them. Due to inherent anonymity, the most prominent among the new cryptocurrencies is also used for shady transactions. Without anonymity, the rapid adoption of Bitcoin would not have happened, and its value would have been much lower.
Another aspect that sheds a bad light on anonymity is the popular assumption that online anonymity is one of the principal factors that promote aggression. This need not be the case. Anonymity can produce the “stranger on a train” phenomenon, wherein people share intimate self-disclosures with strangers. They do not expect a reunion and, hence, do not fear any risks and constraints (Bargh et al., 2002). Recent studies in social norm theory show that non-anonymous individuals are more aggressive than anonymous individuals in the context of online firestorms (Rost et al., 2016). When introducing an identity layer for the web, the major focus should not be making anonymity a thing of the past. It should rather lie in enabling and supporting authenticity and, eventually, data veracity. In this context, authentication can be defined as the act of confirming the truth of an attribute. If we could more easily and reliably authenticate data on the web, the degree to which the data we use to make decisions is accurate, precise and trusted would be much higher.
Another side effect of the missing identity layer on the World Wide Web is the fact that personal data is easily accessible for service providers and that this data can be monetized without clear consent and the remuneration of the owner. Dealing with personal data is complicated and gets increasingly toxic for companies of all industries. Here is why:
There is a common understanding of the strategic thrust mandatory to further develop digital business models: “A new approach to personal data is needed that is flexible and adaptive to encourage innovation, but also protects the rights of individuals. Notice and consent must be reconsidered to be equipped for this changing world.” (WEF, 2013). Extracting insight from consumer data requires respectful and farsighted handling of personal data. The first step in this approach is to establish a new paradigm to manage digital identities. Similar to handling personal data, the control over identity needs to be returned to the individual. Individual identity shall have administrative autonomy regardless of its location in digital space.
The missing identity layer of the internet is a well-known issue. That’s why there have been countless attempts to close this gap. The task has been left to applications and services. While these apps do their job quite well for a clearly defined area, they can hardly be applied across silos. Furthermore, they all rely on a central authority. These are all facts that make current identity systems imperfect and also vulnerable to abuse.
The first step towards a better solution is establishing a solid mental layer that addresses the challenges described. Such a layer requires a common understanding of the problem, a common language (ontology), and a clear commitment of participants to support this idea and obey the specific rules of the game (codex).
Many interesting attempts have been made in the last few years. Among them are trust networks such as the Secure Access For Everyone (Safe) network (https://safenetwork.org) or the Respect Network. The latter launched its platform globally in 2014 with around 50 founding partners, including Neustar, Swisscom, and NEC. In a nutshell, these trust frameworks provide a set of guidelines, rules and tools together with an assessment and enforcement infrastructure that operationalizes them. In addition, trust networks usually rely on decentralized concepts for data storage. The individual shall own their data using Personal Data Services or Personal Data Stores (PDS). These services let the individual store, manage and deploy their key personal data in a highly secure and structured way.
However, despite all efforts and well-intentioned ideas, it is a cumbersome endeavour to establish such a new type of contract that may legally bind the trust community members to the policies. It is, therefore, not a big surprise that many attempts have failed so far to get traction and eventually establish a well-anticipated industry standard.
Great ideas often fail because they are ahead of their time. But the wind is about to change. Two forces can set the timing to establish a reliable identity layer just right: The implementation of the General Data Protection Regulation (GDPR) in Europe and the increasing importance and anticipation of blockchain technology.
With the upcoming introduction of new data regulation standards in Europe, the discussion about the necessity of a resilient identity layer for the web and the demand for individual empowerment has gained momentum. The regulation demands that control over personal data be given back to the individual. This implies that the identity should again belong to the individual. It must never be possible for a centralized authority to alter an identity or to take it away. Such a self-sovereign identity can only exist in a decentralized system. A stringent requirement to establish self-sovereign identity is a web of trust with its decentralized trust model – a valid alternative to the centralized trust model of a public key infrastructure, which relies exclusively on a certificate authority.
The impressive global popularity of cryptocurrencies brings a much better understanding of the principles of decentralized systems. Blockchain technology could be the missing link for successfully implementing a decentralized trust network. Countless projects demonstrate that blockchain technology is tremendously powerful in overcoming the trust barrier. Its trust-less systems might be the answer. With its distributed ledger, the blockchain is the ideal backbone of a resilient web of trust. It reliably connects the described prerequisites, such as policies, through smart contracts and personal data stores in decentralized applications (dApps). Now that the timing seems to be right, it’s no surprise that a high number of projects are entering the game. They have learned from previous failures and often anticipate the culture of open source and open data. They know they can only succeed if their solution is open and if they seamlessly integrate into the bigger picture of self-sovereign identity.
The potential of blockchain technology as a framework for personal data management warrants critical examination. While its decentralized architecture and cryptographic security mechanisms offer promising features for identity management (Dunphy & Petitcolas, 2018), a comprehensive analysis of its capabilities and limitations is essential. The technology’s inherent properties of immutability and distributed consensus present both opportunities and challenges for personal data handling (Yang et al., 2019).
Following this argumentation, it stands to reason that the complexity of an identity layer can only be solved by drawing on multiple concepts and technologies. While a robust trust framework in terms of binding commitments to the rules of the game remains essential, the mechanisms of the blockchain can be leveraged to access personal data stores and handle value transfers in particular. There will not be a single, centrally owned solution or architecture but rather a consortium of different, autonomous solution providers with their interoperable components.
Acquisti, A., Taylor, C., & Wagman, L. (2016). The Economics of Privacy. Journal of Economic Literature, 54(2), 442-492.
Alaimo, C., & Kallinikos, J. (2017). Computing the Everyday: Social Media as Data Platforms. The Information Society, 33(4), 175-191. https://doi.org/10.1080/01972243.2017.1318327
Barabási, A. L., & Pósfai, M. (2016). Network Science. Cambridge University Press.
Bargh, J. A., McKenna, K. Y. A., & Fitzsimons, G. M. (2002). Can you see the real me? Activation and expression of the “true self” on the Internet. Journal of Social Issues, 58(1), 33–48. https://doi.org/10.1111/1540-4560.00247
Bassi, E., & Bandirali, M. (2023). The evolution of Web 3 and decentralized governance. Advances in web technologies and engineering book series, 108–129. http://dx.doi.org/10.4018/978-1-6684-9919-1.ch007
Bernabe, J. B., Canovas, J. L., Hernandez-Ramos, J. L., Moreno, R. T., & Skarmeta, A. (2023). Privacy-preserving solutions for Blockchain: Review and challenges. IEEE Access, 11. http://dx.doi.org/10.1109/ACCESS.2019.2950872
Dunphy, P., & Petitcolas, F. A. (2018). A first look at identity management schemes on the blockchain. IEEE Security & Privacy, 16(4), 20-29. http://dx.doi.org/10.1109/MSP.2018.3111247
European Commission. (2012). General Data Protection Regulation (GDPR). Brussels, Belgium: European Union. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
Greenleaf, G. (2019). Global Data Privacy Laws 2019: 132 National Laws & Many Bills. Privacy Laws & Business International Report, 157, 14-18.
Hoofnagle, C. J., van der Sloot, B., & Borgesius, F. Z. (2019). The European Union General Data Protection Regulation: What It Is and What It Means. Information & Communications Technology Law, 28(1), 65-98. https://doi.org/10.1080/13600834.2019.1573501
Kenney, M., & Zysman, J. (2020). The Platform Economy: Restructuring the Space of Capitalist Accumulation. Cambridge Journal of Regions, Economy and Society, 13(1), 55-76. http://dx.doi.org/10.1093/cjres/rsaa001
Milgram, S. (1967). The Small-World Problem. Psychology Today, 1(1), 61-67.
Nguyen, C. M.-H., Haynes, P., Maguire, S., & Friedberg, J. (2013). A user-centred approach to the data dilemma: Context, architecture, and policy. In M. Hildebrandt et al. (Eds.), Digital Enlightenment Yearbook 2013 (pp. 227–242). IOS Press.
Nieborg, D. B., & Poell, T. (2018). The platformization of cultural production: Theorizing the contingent cultural commodity. New Media & Society, 20(11), 4275-4292. http://dx.doi.org/10.1177/1461444818769694
Preukschat, A., & Reed, D. (2021). Self-Sovereign Identity: Decentralized Digital Identity and Verifiable Credentials. Manning Publications.
Rost, K., Stahel, L., & Frey, B. S. (2016). Digital social norm enforcement: Online firestorms in social media. PLOS ONE, 11(6), e0155923. https://doi.org/10.1371/journal.pone.0155923
Shapiro, C., & Varian, H. R. (1999). Information Rules: A Strategic Guide to the Network Economy. Harvard Business Press.
Srnicek, N. (2017). Platform Capitalism. Polity Press.
Vidal, M., & Cusick, M. E. (2011). Interactome Networks and Human Disease. Cell, 144(6), 986-998.
Wang, F., & De Filippi, P. (2020). Self-Sovereign Identity in a Globalized World: Credentials-Based Identity Systems as a Driver for Economic Inclusion. Frontiers in Blockchain, 2(28). https://doi.org/10.3389/fbloc.2019.00028
World Economic Forum. (2013). Unlocking the value of personal data: From collection to usage. World Economic Forum. https://www.weforum.org/reports/unlocking-the-value-of-personal-data-from-collection-to-usage
Yang, R., Yu, F. R., Si, P., Yang, Z., & Zhang, Y. (2019). Integrated blockchain and edge computing systems: A survey, some research issues and challenges. IEEE Communications Surveys & Tutorials, 21(2), 1508-1532. http://dx.doi.org/10.1109/COMST.2019.2894727
Zheng, Z., Xie, S., Dai, H., Chen, X., & Wang, H. (2018). Blockchain challenges and opportunities: A survey. International Journal of Web and Grid Services, 14(4), 352-375. http://dx.doi.org/10.1504/IJWGS.2018.095647
Zuboff, S. (2019). The Age of Surveillance Capitalism. Public Affairs.