GDPR - January 23, 2020

#Privacy: A new class of data

Data privacy regulations require a new class of data:  rather than mere records in a database, we need data that can be trusted.

Legal frameworks such as the EU’s General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR), and the California Consumer Privacy Act (CCPA), limit what we can do with personal data.  In particular, we must get an individual’s permission to use their data, and then we can only use it in the manner for which they gave their permission.

Those using private data do not interpret the regulations well, and the regulations are routinely flouted.  Change is inevitable as these regulations become more tightly enforced.  For example, the UK Information Commissioner’s Office’s “Update report into adtech and real time bidding” (20 June 2019) provides a detailed analysis of how the adtech industry abuses individuals’ data.

Typically, advertisers do not explain what they will do with the data when they obtain consent. Every time they auction an online ad spot, as they do hundreds of billions of times a day, they pass on the private information to hundreds of potential bidders. This is usually done with no back-to-back obligations on how the data is used, and when it must be deleted; detailed records of how data is used are rarely kept. If they are kept, they cannot be trusted because they could be incorrect or manipulated.

It is this last aspect that interests us: creating a data trail that can be trusted.

The MiFID II regulation in the finance sector provides some pointers as to where the information management role is inevitably headed.  In financial markets, transactions must be demonstrated to be timestamped correctly, so that the sequence of events between servers, each referencing different clocks, can be confidently proven.  “Sequence of events” may not be so important for the data protection community, but “confidently proven” definitely is.

Specifically, when an event happens on a computer that will have an effect in the real world, it must be recorded in such a way that we can audit the data to confirm when and where the digital event happened, right down to the Edge, which might be a consumer’s web browser or an IoT device whose data is used as evidence in court.  Otherwise the records have no support.  It must be possible to audit the digital business world in as much detail as accountants audit the physical business world today.

This problem can be tackled by combining three elements: traceable time, traceable place, and data immutability.

Traceable time is time that is known to be correct by way of an unbroken chain of comparisons back to the national standards institutes who maintain Universal Time.  While this has been necessary in other industries for some time, such as telecoms and power generation, it was only with the introduction of the MiFID II regulations that it was applied to digital events.  Achieving this is difficult to do resiliently, globally and at low cost.  But it is possible.

Traceable place is trickier still.  How do you prove where digital events happened?  The answer is to turn place into time – time and space are inextricably linked.  If a server tells some of its neighbours about an event, and the round-trip time of the message is measured and ledgered, we can be confident that the event happened where the server claims it did.

Data immutability is not as hard.  We use hash ledgers.  A hash ledger is like blockchain, except that each entry is entered individually into the ledger by hashing it with the previous entry at the time it occurred using a local traceable clock.

Time and place can be recorded in the ledger at regular intervals irrespective of digital events, to prove a ledger’s identity. Hash ledgers are only self-consistent; they are not identical to each other, so there is no proof-of-work burden.

Confidence of immutability is derived from the fact that hashing ensures that the sequence of events in a ledger cannot have happened in a different order; an entire ledger cannot be fabricated because it is interwoven with other ledgers. Real-world events provide further anchors: the inclusion of unpredictable data (e.g. news feeds) proves “impossible before”, and publication in indelible ledgers of record (e.g. advertising in print) proves “impossible after”.
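
The hash ledger described above, sketched in Python as an added example (not code from the article or from Hoptroff). It shows each entry hashed with the previous entry and its timestamp, a second ledger recording the first ledger's head, and checks that catch an edited entry, a reordering, and a wholesale fabrication. The `GENESIS` value, the JSON entry layout, the integer timestamps standing in for a traceable clock, and the sample events are all assumptions constructed for the illustration.

```python
import hashlib, json

GENESIS = "0" * 64  # assumed starting value for an empty ledger

def entry_hash(prev, ts_ns, data):
    # Hash each entry together with the previous entry's hash and its timestamp.
    body = json.dumps({"prev": prev, "ts": ts_ns, "data": data}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

class HashLedger:
    def __init__(self, name):
        self.name, self.entries = name, []

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, ts_ns, data):
        prev = self.head()
        entry = {"prev": prev, "ts": ts_ns, "data": data,
                 "hash": entry_hash(prev, ts_ns, data)}
        self.entries.append(entry)
        return entry["hash"]

    def anchor(self, ts_ns, other):
        # Interweave: record another ledger's current head in this ledger.
        return self.append(ts_ns, {"anchor": other.name, "head": other.head()})

def first_bad_entry(ledger):
    """Index of the first entry that breaks the chain, or -1 if self-consistent."""
    prev, last_ts = GENESIS, -1
    for i, e in enumerate(ledger.entries):
        if (e["prev"] != prev or e["ts"] < last_ts
                or e["hash"] != entry_hash(prev, e["ts"], e["data"])):
            return i
        prev, last_ts = e["hash"], e["ts"]
    return -1

def anchors_hold(witness, subject):
    """True if every head of `subject` that `witness` recorded still exists in it."""
    known = {GENESIS} | {e["hash"] for e in subject.entries}
    return all(e["data"]["head"] in known for e in witness.entries
               if e["data"].get("anchor") == subject.name)

def build_sample():
    # Constructed sample: an adtech ledger witnessed by a neighbouring ledger.
    ads, peer = HashLedger("ads"), HashLedger("peer")
    ads.append(1_000, {"event": "consent", "user": "u1", "purpose": "analytics"})
    ads.append(2_000, {"event": "bid_request", "user": "u1", "bidders": 3})
    peer.anchor(2_500, ads)
    ads.append(3_000, {"event": "delete", "user": "u1"})
    return ads, peer
```

A ledger rebuilt from scratch passes `first_bad_entry` on its own, which is why the check against a neighbouring ledger's recorded head (`anchors_hold`) is the part that detects fabrication.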

Bringing traceable time to digital processes creates data that can be trusted

By Richard Hoptroff, Founder and CTO at Hoptroff London

Richard is a long-term technology inventor, investor and entrepreneur. He holds a Physics PhD from King’s College London for work in optical computing and artificial intelligence. In 1992, he founded Right Information Systems, a neural net forecasting software company, and then sold it (1997) to Cognos Inc (part of IBM). In 2016 he founded Hoptroff London to focus on accountability in the digital world.


Traceable Time as a Service (TTaaS®) corrects and verifies inaccurate server clocks to microsecond accuracy so timestamp records of computer transactions are trustworthy, helping electronic deals execute, reducing fraud, regulatory risk and the cost of business for Financial Services and Media.

Hoptroff is an established SaaS compliance solution in Financial Services for MiFID II and CAT regulations, utilising our global network of atomic clocks to deliver highly accurate time to any data centre around the world.


The post #Privacy: A new class of data appeared first on PrivSec Report.
