Individual Identity Rights

Tags: , ,


I wrote about new business opportunities for financial services incumbents, specifically banks, in my previous post. More notably, I posited that 1) because banks were in the Trust Business 2) they have an opportunity to expand their offerings by 3) protecting their customers’ IDENTITY and DATA much like they protect customer’s money today.

Soon after I published that post, I came across a short video by Tyler Cowen (see here) in which he discusses the importance of trust in the banking relationship. He points out that trust is made possible by a shared understanding that individual property rights exist and will be enforced by the state.  A bank that takes customer money can’t just keep it, and has legal obligations to protect it. Tyler’s video reminded me the multifaceted aspects of trust and that I had only touched on the trust between a bank and its customers.

Given that I believe in how technology is and will enable individuals to utilize their identities contextually and enable them to monetize their own data, that video spurred me to think about data and identity ownership. To be clear, this post is not about exploring new business models, rather it is about understanding what data means legally to us and the implications of ownership and rights associated with data.

Our lives are increasingly defined by the electronic data stored in third party databases that is generated by day to day activities, for which limited records existed even a decade ago.  Drive your car, by groceries, visit a web-site, pay a toll electronically – data is harvested, data is stored. When aggregated, these prosaic electronic breadcrumbs have massive economic value. Indeed, considering that our economies are undergoing a massive realignment and restructuring, moving away from the industrial age towards the digital age, it is easy to realize that the data and metadata we generate (about ourselves, our behaviors, our habits, our consumptions) or that of our own physical assets generate will be increasingly valuable.

And the amount of data we generate is increasing, not decreasing. If our data and our identities are already valuable today, they will be more so tomorrow. At this particular historical moment, the commercial value of consumer data is a one-way street. Once a business has your data, they may have legal obligations to you, depending on the state or country where you live (HIPPA and Graham Leach Bliley are two U.S. examples). But you don’t have a financial stake in the data.  Say, (for example) that an advertiser makes money by sending an ad targeted to you because of knowledge about your purchasing preference. You’re not going to receive a commission for the use of or reliance on your data. Where does personal data fit into the framework of traditional property law?  This is an admittedly broad question, but we can make some general observations. Why does this matter?  Most economists – or so I hope – agree that a strong protection of property is one of the most important vectors driving economic activity and wealth creation. Western industrial capitalism is premised on the understanding that individuals have the right to enjoy their private property without fearing it being stolen or misappropriated by a third party, let alone a government.

Generally speaking, there are two types of property. Tangible property, refers to physical things, (a house, a plot of land, a car, physical cash, gold…). Intangible Property, refers to incorporeal assets (intellectual property (“IP”, copyrights, patents, trademarks), corporate good will, securities, security interests,  and dematerialized investments, money, …).

So – what is “personal data”, the stuff that makes up our identities. It’s definitely intangible, but it is certainly not a dematerialized investment or money. Could it and should it be considered and individual’s IP? The answer is most probably not. Could it be a corporation’s IP? Maybe so. The lack of clarity on data and its ownership is indeed tricky.

The Merriam-Webster dictionary defines IP as “something (such as an idea, invention or process) that comes from a person’s mind”. Modern IP laws arose out of the need to protect personal creation. The printing press, mass media, the internet are technology vectors that increased the value of one’s creation. Commercial interests required strong protection and licensing laws. As such, traditional IP comes out of active creation.

Can we say the same of all the data and metadata associated with our health our payments history, our interactions with our social media/networks, our apps, our smartphones and IoT? Or are we faced with passive creation. Would these types of data and metadata be treated as IP or are they in a class of their own? My non-legal-expert view is that we are dealing with a new class of property borne out of new ways to create it, enabled by new technologies and ultimately supporting new economic activity which demands new legal constructs.

The same questions and comments apply to our Identities – physical, digital, private, health, financial.

Clarity on what personal data is leads to clarity on what types of rights can be associated with it, and to the extent there are gaps, what types of rights should be developed.

Ownership is equally important. Who owns our data? In some instances we do, in others we cede control as part of a Term of Service we barely read, and in yet others we probably wade in a grey area where those that use and monetize our data are more than content to keep the status quo and not explicitly spell out ownership.

I strongly believe data ownership frameworks need to be brought up to the level of sophistication of data privacy laws. How our data can be used, how it should be protected data is a national and international discourse our governments, the corporations we interact with and ourselves are engaged in continuously and for many good reasons. No one can use or misuse private information without prior consent, no one can handle our private information carelessly. We already have the right to digital seclusion (i can restrict access to my Facebook or Twitter identity to a handful of trusted friends, or altogether shut it completely) and are slowly gaining the right to be forgotten digitally.

Rights associated with having, owning and securing a personal identity are intertwined with self-determination, basic human rights and freedom of speech.

Up to now the sum total of rights associated with data, which I label Individual Identity Rights have not coalesced into a systemic societal issue. Too many interested parties want their hands on our data with as little friction as possible. Enterprises because of monetization potential, Governments because of their thirst for transparency and control. The early stage of the digital age have mirrored the industrial age from a centralization point of view. Large intermediators such as Ebay, Facebook, Amazon or Google have dominated – and will continue to do so for many years to come. Be that as it may, the potential of blockchain technology is enabling decentralized business models to emerge. Soon we may have the choice to conduct our private business (sharing with friends, buying, selling, creating) with a decentralized marketplace, a decentralized social network, a decentralized search engine – the list goes on. The data we generate on these platforms will be our own, and we better have ownership rights that reflect such an unequivocal fact.

Up to now the ways and frequency we have needed to produce a form of identity to gain access to a service, a product or a place has been limited. Both will increase and with them the complexity of provisioning and managing our identities. The multiple identities we will create and inhabit better have the same ownership rights that reflect how central identity will be in our post-industrial world.

Up to now we have not paid much attention to our data and have been more than content to cede its monetization to third parties in exchange for convenience or entertainment. As data will rise as one of the central vectors of our economic and social engines we will want to control and share in the wealth creation, we will demand more transparency with regards to who will use our data, for how long and in what capacity, and we better have ownership rights that reflect these value chains.

Individual property rights have been essential to wealth creation in the industrial age. Individual identity rights will be essential to wealth creation in the digital age.


I would like to thank Stephen Palley for helping me think through my arguments, providing invaluable feedback and editorial support.

Pascal Bouvier

Life and work experiences have given Pascal an unmatched vantage point, seeing things as both venture capitalist and aspiring entrepreneur. He currently is a Venture Partner with Santander Innoventures – Santander Group’s Global Fintech fund.

  • Raul
    Posted at 10:00h, 16 August Reply

    Personal data is covered by data privacy protection laws that are have different objectives and scope of intellectual property laws. See for example (in the EU): https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
    You identify well the differences between active personal creations (IP) and passive personal data collected by electronic devices. This has been recognised by the lawmakers and that’s why personal data protection and IP have distinct regulations and laws.
    The OECD has published seven principles to write effective data protection laws:
    1) Notice—data subjects should be given notice when their data is being collected;
    2) Purpose—data should only be used for the purpose stated and not for any other purposes;
    3) Consent—data should not be disclosed without the data subject’s consent;
    4) Security—collected data should be kept secure from any potential abuses;
    5) Disclosure—data subjects should be informed as to who is collecting their data;
    6) Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; and
    7) Accountability—data subjects should have a method available to them to hold data collectors accountable for not following the above principles.
    This paper from 2000 discusses the appeal and limitations of applying a property law similar to IP protection to personal data: http://people.ischool.berkeley.edu/~pam/papers/privasip_draft.pdf

    • Pascal Bouvier
      Posted at 08:31h, 04 September Reply

      thank you for pointing me to this paper. do you know of any work being done around ownership of personal data?

  • Pierre Wolff
    Posted at 01:26h, 10 November Reply

    Identity issues have been on my mind for a very long time, and I have evolved my thinking a few times on the matter, and will probably do so again over time. As you’ve correctly stated, it’s complicated. While I see tremendous value in requiring companies to better secure data about their members/users/customers/etc. I don’t subscribe to the notion that *we* own our data or should. Specifically, ownership is generally derived from creation or acquisition/purchase, and in most cases end-users do no such things.

    Let’s take creation first. Have you ever looked at how and what information about their users most Web sites keep. Sure, you may recognize some explicit info in the form of a name or a place, but when it comes to tracking activity, this information is generally highly coded for expediency’s sake. It’s also information that is generated in support of a particular use or has relevance to the site, not information that is generally useful to an end-user or that would make sense for them to give someone else, given the differing business needs of other sites. Different sites also segment their visitors or users by different criteria, again to satisfy their business needs. All this to say, that the creation of the information is actually purely in the hands of the site or service, and while it may be a reflection of our activities there, it was not created by us in any sense of the word. In other words, I would distinguish this as being information *about* us rather than say that it was our information.

    As it relates to purchase, we can hardly claim that since in most cases we use online services for free. Even in cases where we might purchase goods and services from various sites, but what we’re not paying for is the use of the site. To the extent that we’re freeloaders, that comes with tradeoffs, and one of those is that we can’t start demanding stuff that isn’t ours 😉 Sure, Facebook knows how to monetize us, but it required the development of a very expensive and sophisticated infrastructure to do this efficiently enough that they could build a business from it. Had people agreed to pay for the service then perhaps they could have tried to stake claims on information and data about themselves, but that’s not how the online world developed.

    Your claim that information about us is being rampantly monetized, that’s only because of the aggregated value of that information, not because of the value it could generate for any single person. If you could monetize 10 million people at $10/yr that’s a heck of a lot of money, but $10/yr to each of those people is not likely to make a dent, especially where the tradeoff would likely require them to be active managers of their information. There have been several experiments around these ideas over the past 15 yrs, and none yielded any meaningful economic benefit on a per end-user basis. It’s not hard to realize this when you see CPM rates in $2-10 range converting in the sub-0.5% levels, to understand how many interactions need to take place for this to generate any meaningful value *even* on an aggregated basis. The fact is that today individuals do monetize their information through loyalty programs, where in exchange for providing more information to the merchant or service provider they receive discounts or special offers not available to people not involved with the loyalty program.

    Now let’s face facts, the customer for identity systems and solutions, the ones that really need this and will pay for it, are not the end-users, it’s businesses. I know what I need to know about myself and control that as much as I need to. When I choose to go online, I do so w/the caveats that I’m giving up my control in various degrees depending on the service I’m choosing to use. If I’d prefer to have ultimate control, then I’ll avoid interacting with services where I lose that control. Identity services are of importance to businesses that have objectives that need to be met through the use of their users’ data. Whether it be for mandated activities (ie. KYC), to enable more effective navigation on their site, or to provide more effective leads to their advertisers, it’s sites that need identity solutions and for whom these are crafted. They *are* the customer for identity systems, and it’s their needs that have to be met, not the end-users,

    Now let’s assume that there was a way to enable end-users to have control over their data, there’s nothing to prevent sites continuing their practices of tracking behavior of where on a site a user went, as a natural course of their business. In other words, this notion that digital identity should be sovereign OR in an end-users exclusive control is ludicrous in a world where end-users do not pay for usage of sites. It’s tantamount to saying that I’d like there to be indoor places that are fully free for me to just come in and hangout for as long as I want, that they should provide me with things to do and ways for me to entertain myself and my friends, all for free.

    While we can agree that data protection should enhanced and encouraged by mandate or regulation, we need to move beyond the naive idea that *we* should be able to control information that others keep about us. It was surprising and absurd to see the E.U. forge forward with the right to be forgotten mandate given how it seems to ignore basic speech rights (eg. if I write about you on my blog is that considered yours or my information, and should you be able to effectively silence my speech by demanding to be forgotten, hence devaluing my content (which could also have economic consequences)?). The abuse potential is also significant where people who have committed heinous acts demand that info about them be effectively censored.

    Identity issues are thorny, but the thorns are for how different sites and different businesses with different needs have to manage and secure that information, not whether we should enter the economic loop gain property rights for things we have neither paid for nor created.

    One final point, in speaking with some folks in the synthetic biology world, they feel that we’re within reach of seeing technology that can detect and identify anyone’s DNA that has walked into a room, even if they didn’t touch anything, simply from the DNA discarded from our bodies into the air. At that point, forget about all your controls on “your” information. Your biggest fears online will soon materialize in “meat space” and there’s nothing people will be able to do about it. Time to rethink use and security, and stop focusing on control.

    • Pascal Bouvier
      Posted at 13:36h, 10 November Reply

      this is a most excellent comment. very much appreciated and provides much food for thought.
      several points for you and i to think about.
      1) one should indeed make a distinction between metadata and data. do we need to own our metadata at the individual level? or should privacy frameworks apply? even though metadata can and is monetized or could be used against us? a for data, the data which we produce and which is not tangible property nor ip, should we own it and if we do so implicitly should it be made explicit much like property rights do as an engine of stability and economic growth. in as much as our data makes our identities, i would tend to say we should explicitly be the owners of said data. currently TOS preside over the “ownership” issue, with some sites/apps being silent (maybe e-commerce) and some being a tad more explicit and stating the data associated with your account, your avatar is yours (social media site or app). I note that for the latter there are not affirmative rights much like with property rights. the same applies to identities, our digital identities, we do not own them outright in the eye of the courts and as a economic growth vector, but we are associated with them in as much as they can be violated (privacy, hack…). something seems to be amiss here, especially as our economies are soon to be fully digital. having said that, which data should be your own and which should not (based on either usability, preference, practicability, market optimization) needs to be further thought through and your points are making me think more. for example, our own transactions (payments or otherwise) create data, we create data on social media, there is an act of creation, different from that of intellectual property which has an intent to “build something new”. do we not have a claim of ownership on that data? seems odd.

      2) monetization of identities and associated data. previous models have failed, you are quite right. the rev sharing, monetization that would accrue to one individual might be quite low, i do agree. neither of these statements invalidate the fact that a data set properly identified with the right level of accuracy and validity is more valuable than one that is not, either in the aggregate across identities, or individually over a period of time. as such giving the right/option to an individual to provide access to “her data sets or sub sets” with the proper validation seems to be a valid business model, more reliable than the current disintermediated models of a credit bureau for example, this in exchange for share of the pie, even if a very small one on a unit basis. after all the interest bearing account bears (let’s abstract the int. rate level) very little to the account holder, yet the account holder does like this income stream and the intermediator finds it to be a valid marketing/customer acquisitions/retention scheme. i would argue that past models did not have the right technology at the build price point nor the right potential market acceptance, hence their failures. worth thinking about imo.

      3) you are right that securing identities/data is paramount, and i am not addressing these issues here – maybe in another post.

      4) as for self sovereign identities, whether in pure form, or in lesser form evolving over time, i note that the Nordic countries (and Estonia in a different way) have made material first steps towards functioning frameworks where an individual owns his “id” and is able to give consent to it and its associated data for access by a variety of third parties. in the nordic case, banks act as repositories of these identities and manage access on a consent basis. this strategic intent towards full self sovereignty across a variety of services is surely to ruffle a few feathers with the likes of Facebook or Google as it wrests ownership (and potentially or ultimately sharing in monetization) with the user/owners as opposed to enterprises. interesting developments to follow to be sure.

Post A Comment