In our last post, we described individualised consent, in which individuals decide how the data they personally contribute to a system will be used. We showed how this approach causes problems when we try to reuse data for the public good, as that consent can only ever be tenuous.

In this post, we’ll examine how that approach, influenced by the individualistic environment in which technology has been developed, causes problems when we consider the material properties of data.

Data is collective

Data rarely describes a single individual. One person's historical location data also reveals the movements of the people they were with at the time. A parental school run recorded by Google Maps, for example, reveals the location of that parent's children. Data collected from consenting individuals can be used to make inferences about similar people, regardless of whether those similar people have provided consent. Individualised consent pretends that data contributed by a single individual describes only that individual.

Parents using Google Maps to navigate to school also reveal information about their children.

Many potential problems can only be solved when data adequately represents an entire population. The biases introduced by a small number of individuals choosing not to contribute data can make adequate representation impossible. Individualised consent fails to recognise the disproportionately negative effect these individual opt-outs can have on the creation of public value.

Location data would not exist at its current precision and volume without the Global Positioning System - a system that took significant public investment to create. The decision to invest in that system was made through deliberative, democratic means. The same is true for the underlying systems and hardware behind the consumer products that collect data. Individualised consent for data collection ignores the democratic processes that funded the technology we use to generate and collect that data.

The difficulties with individualised consent suggest that broader, collective and participatory consent mechanisms need to be developed. These collective consent mechanisms should balance the needs of individuals, the potential benefits to society, and the needs of the commercial entities that often finance the collection of data. One extreme model of collective consent is for a democratically elected official to unilaterally decide, on behalf of a population, how data can be used. There's a spectrum with this model at one end and individualised consent at the other, between which lies a wide space for innovation.

There’s space for innovation around new consent models.

Collective data needs to be handled responsibly

Participatory systems rely on strong governance and oversight. Collective consent asks participants to make decisions about data that affect not just themselves, but others. This power must be balanced by ensuring data is handled responsibly. Systems that handle data responsibly are built on four interlocking properties.

  1. Transparent. Data use needs to happen with the explicit consent of the population it describes. If that population is to make a meaningful decision, they need to understand the specific problems being solved with that data. To understand those problems, systems need to be transparent. This transparency applies not only to the problems being solved, but also to the processes that decide how the data will be used.

  2. Specific. Being specific about the problems to be solved allows the use of data to be minimised, reducing risk. Data use can’t be minimised if problems are open-ended and ill-defined.

  3. Private by Design. Minimising the use of data, and being specific about problems, allows the use of privacy-preserving technologies. These technologies, such as differential privacy and homomorphic encryption, provide rigorous protection against the leakage of sensitive information (see the sketch after this list).

  4. Auditable. Auditing the use of data by a system, regularly and independently, ensures it keeps the promises made when consent was originally obtained. Transparency, data minimisation and privacy-preserving technologies make auditing possible by clearly stating those promises and reducing the surface area of the system exposed to data.
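
To make the third property concrete, here is a minimal sketch of the Laplace mechanism, the simplest differential-privacy technique: answer an aggregate query, then add calibrated noise so that no individual's presence in the data can be inferred from the published result. The function name, dataset and epsilon value below are illustrative assumptions, not part of any system described in this post.

```python
import numpy as np

def dp_count(values, threshold, epsilon=0.5, sensitivity=1.0):
    """Differentially private count via the Laplace mechanism (a sketch).

    Adding or removing any one person's record changes the true count by at
    most `sensitivity` (here 1), so Laplace noise with scale
    sensitivity / epsilon gives epsilon-differential privacy for this query.
    """
    true_count = sum(1 for v in values if v > threshold)
    noise = np.random.laplace(loc=0.0, scale=sensitivity / epsilon)
    return true_count + noise

# Illustrative data: commute times in minutes. The answer is useful in
# aggregate, yet noisy enough to hide whether any one record is present.
commute_minutes = [12, 45, 33, 8, 51, 27, 39]
print(dp_count(commute_minutes, threshold=30))
```

Smaller values of epsilon add more noise and give stronger privacy at the cost of accuracy; choosing epsilon is itself a governance decision of the kind collective consent mechanisms would need to make.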

We don’t yet have perfect implementations of any of these properties, and even systems that have them, handling data responsibly, may still produce irresponsible outcomes. The properties are a subset of the wider ideas of responsible technology. Together, they present an important and exciting opportunity to design and build systems that set a new standard in the handling and use of data. In building these systems, we will enable the use of existing data, currently stuck in the limbo of inadequate approaches, for societal benefit, by making society central to that process.

In this post, we’ve talked about the problems of individualised consent, and one possible path forward. In our next post, we’ll look at some projects following that path.