This is the edited text of a talk that I gave during the first plenary session of the MyData Online 2020 Conference. I was asked relatively last minute to join this session which was headlined by Siddharth Shetty talking about Designing the new normal: India Stack. In 2019 I was a New America India-US Public Interest Technology Fellow and traveled to India to India to study the UIDAI the Unique Identification Authority of India the entity that enrolls Indians via their biometrics into a system and then issues them an Aadhaar Number. You can read that research here. While there I met many critics of the system that had been silenced and an amazing crew of security researchers who organize in a collective called Kaarana.
I didn’t have time to do a deep dive and research the latest on the India Stack and the new Date Empowerment Protection Architectures. What I did have time to do was based on what I learned almost 2 years ago on that trip was to put forward some hard questions that apply to both what is being put forward as a design in India but also for many other systems being developed at this time globally. I hope these Big Questions put forward by myself a technology pragmatist can provide food for thought both at this MyData conference and beyond as we continue to create and build new systems.
Thank you for inviting me here to share my thoughts in this opening plenary
I want to start off by declaring myself a technology pragmatist. Meaning I want to put my self in the middle of the spectrum between what I call neo-luddites on the one hand who never met a technology they didn’t like and are throwing cold water on any innovation mostly because they don’t engage with the details. And, on the other hand the techno-utopians who haven’t met a technology or business model based on neoliberal economic premises the they didn’t like. They say “the future will be great, just trust us.” They don’t really welcome intensive inquiry into how things the details of their systems actually work or discernment about how power flows in their systems
I argue as a technology pragmatist that we need to engage with both types of questions – the details of how things work and how power really flows in these system and will be putting forward in this talk several Big Questions that I think we need to consider.
My starting point as a technology pragmatist is advocating for innovations in technical infrastructure and capabilities so people can be in the center of their digital representation and data lives.
That path is a noble one but NOT an easy one.
I’ve been in the weeds with technical folks hosting the Internet Identity Workshop for 15 years in order to struggle to find technical ways to make this real. I founded the Personal Data Ecosystem Consortium 10 years ago with a vision very similar to the MyData vision to build a movement and momentum for a new way to empower people with their data one that connects consumers with ethical businesses to make it real.
I believe that you can’t the problem with words alone – with “laws”. GDPR was put in place but its authors seemed to lack knowledge and understanding of what was practically possible in technology systems.
It is also true that now 3 years into GDPR there has been very limited enforcement – what does this mean?
Well if you go look at the github repository for the Data Transfer Project in has seen basically no activity in a year – its almost like it has been abandoned.
What good are these “laws” without enforcement?
So as a technical pragmatist I have more questions…
Big Question 1
Can Big Tech Regulate itself?
Two years ago I travelled to India to study the UIDAI the entity that issues Aadhaar numbers. It is entirely self-regulating – there is no outside entity that it is responsible and accountable to.
How does this work if these types of entities because of their self-regulating nature are unresponsive to critics?
Big Question 2.
Can New Technology Emerge and be held accountable?
What happens when critics of new technology are trolled?
This happened in India when critics of the UIDAI where harshly trolled extensively on twitter – it came to light that the one of the main trollers was the co-founder of iSprit.
What happens when critics of new technology have police reports filed against them?
This happened to over 30 people and leaders of NGO organizations that critiqued UIDAI and Aadhaar. These NGOs had it made abundantly clear that if they continued to research, and publicly raise issues with UIDAI and related emerging technology around the India stack they would have their status as NGOs threatened and their ability to do their work severely limited.
This raises questions about the ability of civil society to meaningfully engage in raising questions and seeking accountability in these new systems.
Big Question 3.
Can an ecosystem emerge when there is only ONE of a thing?
There is only one DigiLocker provider (the locker service to store your government issued ID in the cloud)
When I was in India speaking to government officials working on it they said they were being overwhelmed trying to manage all the requests from educational institutions to make a direct “hard” connection to the service to both upload student achievements and download them records from prospective from students. It was clear that expanding this to even more sectors might not be doable because it would mean that every single institution in the country would have to directly federate into this bottle neck.
Is it a sustainable model if every institution must connect to “one thing”?
Can an ecosystem emerge when there is one identity provider that matters and you must authenticate (phone home) to it – to access services? iSprit’s model and vision of how the India Stack works puts Aadhaar in the middle of everything.
UPI is a remarkable system – it totally disrupted the credit card payment rails and effectively made a ultra-low cost payments clearing system the whole economy can leverage.
UPI also “sees” everything so it potentially gives the government total transparency into the economy/ what’s happening. [to be fair it is clear that some government agencies in other economies watch international bank transfers in networks like SWIFT]
On the positive side It also works at scale.
There is with the creation with Account Aggregators and the Data Empowerment Protection Architecture the movement of financial data … and will likely get it working
but I go back to earlier questions I have what about critics –
- What about the lack of recourse when things go wrong?
- What about the self regulation and the issues that arise with that lack of external accountability?
Big Question 4.
Can industry innovate modalities of feedback and discernment – – going beyond “voting” for boards of directors.
Could we be leveraging things like
- Innovation Games
- the National Coalition for Dialogue and Deliberation – and all the deliberative and democratic processes that don’t involve voting.
- can we leverage resources like Participedia
- and have more citizens juries.
Imagine randomly selecting users and running citizens (user?) juries and innovation games on a regular basis to engage with customers of a company OR can accountability organizations like MyData seek feedback in this way – going beyond audits and certification as a modality to provide direction and accountability.
I find inspiration for MyData and the movement overall. In the Social Venture Network – this is a community I learned about over 20 years ago and was founded by entrepreneurs like Ben and Jerry to build community amongst ethical/sustainable businesses – it is why I started the Personal Data Ecosystem Consortium
But Governance is Hard…HARD
Big Question 5.
How do we really and meaningfully govern these new ecosystems?
How do we govern them in ways to not super over burden them?
but also not just let things continue on their current trajectory – because it seems GDPR is favoring the big guys.
The trouble with tech is that “intention” is not enough…
“don’t be evil” <— how is that working?
“making the world more open and connected”? <— or this?
One thing I know about this new technology as a technology pragmatist is that the details matter
They matter a lot
The details are where struggle for real user-empowerment and control lie and where current power flows can be shifted to new ones that better align with people and humanity.
How do to get enough / care interest in the details ?
Can people and organization that we trust really see the details and see how things really work for us?
MyData is in tech but not necessarily in the weeds of how it will work…we need to get into them…and not just keep pushing it down the road.
Standards are a huge part of the details that matter – not just open APIs
I will make a note that if we had had seen investment in user-centric digital identity standards between 2003-5 when first proposed by Planetwork in the Augmented Social Network paper that was shipped around to the Ford Foundation and Open Society Institutes we might not be facing these dilemmas now. But they “didn’t get it.”
True technical interop means parts of the ecosystem are replaceable and that there is NOT locking for one stack or provider.
To this end…I co-lead work on the confidential data store specification in the secure data store working group. I’m actively tracking developments in the self-sovereign identity / decentralized identity community. (In the last few weeks I got potentially divergent paths to talk pre-divergence – talking about VCs and object capabilities standard – on the CCG list.)
I also co-chair the DIF interoperability group to push for convergence so that all these amazing things we work on actually work together.
Big Question 6.
Can we with SSI and tech make public key encryption usable by normal people?
Can we really make data private & usable. … I’m feeling like the answer is an optimistic maybe. With all this work.
Big Question 7.
Are we looking far enough into the future?
I also know from talking with folks like Liam Broza the waves of personal data that are about to get exponentially larger with AR and VR headset data – we must have robust user/individual centric containers for this. I’m not sure we are ready.
We must look ahead to where the metaphorical ball is going with technology – massive amounts of data and AI <- can they be personal and work for us?
Will they help us be happier and better aligned with nature? the planet?
This was a key aspect of the originating motivation for Planetwork… to convene and ask itself what missing piece of infrastructure was needed to truly make Information and Communication Technology work for people and the planet
Can we do more with less? OR will they just be motivated by their owners profit making us “consumers” or companies driven by Ayn Rand libertarianism.
Why do we believe people and groups should have access to data?
Can we in the next wave of technology development center those marginalized in the last wave?
Can we listen to those who know what has got wrong with tech because it happened to them already?
I asked a lot of big questions in this talk
- Can Big Tech (government or private sector) regulate itself?
- Can new tech emerge and be held accountable?
- Can an ecosystem emerge when there is only ONE of a thing? Can we get out of solutions with centralized dependencies?
- Can we innovate new modalities of feedback to companies/tools and services? and to systems regulators?
- How do we really and meaningfully govern these new ecosystems? How do to get enough / care interest in the details ?
- Can we with SSI and tech make public key encryption usable by normal people?
- Are we looking far enough into the future?
- Will they help us be happier and better aligned with nature? the planet?
I will leave you with this important question
Why do we think people should be empowered to control the digital representations of themselves and their data?
When we know why. We will have more understanding of what aspects of how (the tech details) that are important.
We must innovate in ways that let new businesses and opportunities bloom.
I believe that open standards, protocols, done right, ones that have maximal expressive capacity will be key.
By expressive capacity they create a set of rules that make them understandable but also within them give enormous freedom to express. I believe that Decentralized Identifiers and Verifiable Credentials also know as SSI provide a good starting point for us to build what we need to fundamentally disrupt the current in current ecosystems from monocultures to an “agroecology of technology”. This is my vision as a technology pragmatist. I know that many of you care about these questions and in various ways many of the sessions will engage with them. I’m looking forward to spending these next three days to our exploring them together here at the MyData 2020 Online Conference.