Most of us are aware that large tech companies such as Google, Facebook, Apple, Microsoft, Twitter, Netflix and Spotify have massive amounts of data about our online behaviour, so they almost know us better than we know ourselves. But who else has access to your personal information? It’s almost impossible to know, and a new EU-supported project in which DTU is involved wants to change that.
“The problem is that our data is everywhere, and it is difficult to find out which companies have access to it and have sold it on. We want to make it all more transparent,” says Weizhi Meng, associate professor in cyber security at DTU Compute.
DataVaults can be seen as a digital safe where you can store your personal data and control who has access and when. You are notified when companies, authorities or others access your information, and the platform can assess the risks associated with sharing your information in various contexts.
Personal data such as your age, gender and address may seem entirely innocent, but if all those details fall into the wrong hands, it can have serious consequences.
“In a digitalized world, personal data is the most important asset. If your data has been leaked, hackers can use it to create a false identity of you. They can potentially create fake passports or credit cards in your name or send you targeted phishing emails based on what they already know. That is why it is so important to protect our personal data,” says Weizhi Meng.
It’s impossible to discuss data privacy without mentioning GDPR. The EU's legislation on the protection of personal data shook the IT world when it was introduced in 2018 and is still a cause of confusion to many companies. DataVaults can help not only individuals but also companies that can use the platform to collect information in a secure and legal manner about everything from employees to customers and business partners.
“It’s a big challenge for many companies to comply with GDPR. They don't know how to implement the GDPR guidelines because it's very complicated,” says Weizhi Meng.
A survey by the Council for Digital Security has shown that almost half of all small and medium-sized companies are challenged by the legal requirements for personal data protection, and 67% believe it is difficult to assess how data can be used ethically.
"There is no doubt that it has been an uphill battle for the vast majority of companies," says Henning Mortensen, chairman of the Council for Digital Security.
Most recently, the so-called Schrems II ruling in the EU has created uncertainty. In practice, it makes it problematic for businesses to use American cloud services and platforms, such as Google Analytics, because they may transfer personal data to their parent company in the US, which is against GDPR regulations.
"It’s a huge problem for all companies and also authorities, which can make GDPR regulations a major barrier for them. At best, it is unclear what to do when using international services, especially cloud services, and at worst, they cannot use them at all," says Henning Mortensen.
That’s why he welcomes an initiative like DataVaults.
"There is clearly a need for solutions that can collect data in a way that protects our personal data. It could help create a greater willingness to make one's data available for public benefit," says Henning Mortensen.
In essence, DataVaults wants to build up our trust so we can confidently share data without fear of it being misused. There is great potential in big data, where large data sets are used to see new connections, but it must be done responsibly. One of the project's partners is the French healthcare platform Andaman7, which uses DataVaults to collect patient data for use in clinical research.
"If you want to look at how many people suffer from a certain disease, we can collect the results but anonymize the individuals," says Weizhi Meng.
Similarly, a Spanish solar cell manufacturer participates in the project and uses DataVaults to obtain data on users' electricity consumption to predict the demand for electricity at different times of the day.
But DataVaults also wants to give the financial incentives back to us. Whereas Google and Facebook bring in billions of ad dollars from harvesting our data, users of DataVaults can be rewarded for sharing their data. The reward could be monetary, but it could also take other forms: the Italian municipality of Prato, for instance, rewards residents who share their cultural preferences and habits with tickets to a performance.
However, DataVaults cannot do anything about the information we have already freely given away.
"We can protect the data in the DataVaults, but if Google and Facebook already have it, then there is not much we can do," says Weizhi Meng.
After three years, the DataVaults project is coming to an end, and the platform’s beta version is now ready. In the long term, the hope is that the EU or another authority will be interested in taking ownership of the platform, as it requires consumer trust and resources to handle the personal data of potentially millions of people.
“The more people using DataVaults, the better it will be. When it comes to big data, it obviously works best with as many users as possible,” says Weizhi Meng.
In the future, the pressure on our personal data will only increase, and the DTU associate professor believes that, although GDPR is a good start, there is a need to continue to improve the rules and solutions within the protection of personal data.
“It will only become more important in the future. Suppose we enter the era of the metaverse (virtual worlds in 3D), then personal data becomes the top priority. When everything becomes digitalized, those who have data can control everything,” says Weizhi Meng.