Current global events have proven that private and reliable digital storage is essential for every citizen, say Mydex specialists.
These days, it is hard to imagine the sheer amount of data each of us stores both online and offline. However, making sure your data stays safe can be a challenge as it is rapidly becoming one of the most valuable assets that cybercriminals are after.
Avoiding these dangers without dedicated protection is nearly impossible. Therefore, the Cybernews team interviewed David Alexander, the CEO and Chief Platform Architect at Mydex, a cloud-based platform security company focusing on personal and identity data management. Here, he points out the most important measures we should consider to keep our data safe online.
How did the idea of Mydex originate in 2007? What has your journey been like?
Mydex founders held two core beliefs: 1) that how personal data was being collected and used by organizations was often unfair. Individuals were being excluded from participating in decisions about their data and were failing to access the benefits of their data; 2) that the resulting loss of trust and conflicts would undermine the efficient workings of the data economy.
We founded Mydex to empower individuals with their data – to provide a foundation for personal safety, trust, and agency.
We have learned since then that practical benefits such as reduced friction, effort, risk, and cost, for both citizens and service providers, are powerful reasons for adopting a different, citizen-empowering approach to the collection and use of data. We have designed our platform to deliver these benefits along with multiple quality improvements e.g. improved access; improved quality of service and outcomes; practical help for people wanting to get things done e.g. applying for something, accessing a new service, or communicating changes in preferences and status.
Our API-based data sharing technologies allow data to be accessed and used without the need to fill out forms or repeat information, and for trust (e.g. metadata about individual pieces of data) to travel with data as it is accessed and used. This enables radical reductions in duplicated effort, cuts out delays, and reduces risks for both parties.
Can you introduce us to what you do? What methods do you use to protect personal data?
At the heart of our platform lies a personal data store that enables individuals to safely assemble electronic copies of data held about them by many different organizations. They can also add information that only they know (for example about plans, goals, and preferences), and can share selected portions of this data with service providers when they need it, and always under their complete control.
Our services are free to individuals. Organizations wishing to interact with these citizens pay subscription fees to do so. Our platform services include:
- Personal Data Services
- Identity Services
- Next-generation two-way engagement services
The protection of personal data is built into everything we do. All data is encrypted in motion and at rest. Each individual’s personal data store is separately encrypted, with each individual holding their key: we do not, and we do not want to, know what data individuals have in their PDSs. By distributing the data rather than creating one big centralized database, we greatly reduce hackers’ incentives to hack while greatly increasing the costs and complexity of their doing so. Mydex as a company has been independently audited and certified under ISO 27001 for Information Security and Management for the last nine years.
In your opinion, what data privacy issues should more people be concerned about?
We think the term “privacy” is often unhelpful when discussing issues relating to the collection and use of personal data. It is much more helpful to think of these issues in human terms of safety, agency, and fairness.
These are the key points to have in mind:
- Agency/utility. Looking at data through the lens of personal utility addresses the universal human need and desire for agency: the need to act effectively in their world.
- Safety/“Safe by Default”. Humans have an instinctive desire for safety. When it comes to the collection and use of personal data this desire is best addressed by adopting “safe by default” processes. Much data sharing occurs as part of the normal provision of services to individuals by service providers.
- Transparency. Transparency is needed for Safe By Default to work effectively: it should be easy and simple for individuals to see which organizations they have shared their data with, and for what purposes.
- Data Empowerment. It should be simple and easy for individuals to exercise their rights under GDPR. For this, they need consent and data management dashboards where they can see all the data relationships they have in one place.
- Fairness. It is best addressed by fair processes – e.g. processes that give individuals the right and the ability to shape what gets done and how to fit their own needs and preferences; that give them effective voice and mechanisms of control/influence.
How do you think the recent global events affected your field of work?
Portable proof of claims and status has never been more important as people migrate across the globe whether driven by conflict or economic hardships. This is a trend that will not change.
Every man, woman, and child needs to be equipped with a portable repository of their lives and the data about their lives that is theirs and theirs for life that can travel with them and be protected from deprivation, loss of access to their devices, or single-point-of-failure reliance on state and local systems. Such a repository is essential to ensuring people are not left destitute or unable to rebuild their lives wherever they end up. Examples of the data held by such repositories are qualifications, experience (e.g. at work), assets, identity, marital status, parental status, DNA, and biometrics.
Recent events have shown that independent cloud-based storage that is resilient and independent of state or commercial actors is a fundamental requirement, as is the protected legal structure for any entity providing citizens with such services.
What are some of the worst mistakes organizations tend to make when it comes to handling large amounts of personal data?
These mistakes fall into three categories: mindset, purposes/priorities, and tech design.
Mindset. Many organizations see personal data as a corporate “asset” like any other – to be owned and monetized as efficiently and effectively as possible. But because personal data is about people, these organizations get sucked into treating people like things.
Purposes. Many organizations have fallen for the “insight myth”: the belief that the more data they can gather about an individual the more insights they will generate, making their resulting actions more efficient, effective, and profitable.
However, very often these activities do not require “more” data. They require exactly the right data for the task at hand. This makes data logistics – getting exactly the right data to and from the right people and organizations at the right times – the core driver of data value. Again, we are building the infrastructure and tools to enable this to happen.
Tech design. In their quest to build better customer experiences (and to access more personal data), many organizations expose internal systems that hold large amounts of data to the internet. This may make them part of the web or app experience layer, but most large systems holding high volumes of personal data were never designed to be available to the outside world, have not been designed to work at scale with high volumes of transactions, and often depend on perimeter-based protection which is all too often compromised.
What types of threats do you think can arise in the near future as digital identity becomes a significant part of our lives?
The risks we are currently dealing with are created mainly by this process of transition. The main risks are:
- Linking the wrong person to a set of credentials represents a real risk of fraud, identity theft, and all the bad things that could happen if this process is compromised or poorly executed.
- Not linking a person to a set of verified digital credentials in an interoperable and portable manner that is independent of any specific scheme. In the dash for establishing markets and identity ecosystems, we see states, sectors, and large corporations seeking to define and take control of identity. The underlying proofs are not interoperable or portable across different use cases. This creates risks and huge inefficiencies, mostly arising from unnecessary duplication of effort.
Mitigation of these risks can be achieved by:
- Linking digital identity credentials with different factors (one or more sets of credentials) with other factors such as devices, email addresses, mobile numbers, and biometrics. There is a lot of interest in the processes being undertaken to bind these things together and then make those bindings irrefutable so that they can be trusted and monitored for any changes and used to secure multiple means of authentication.
- Seeking real-world identity assurance linked to digital credentials. This is the next level of consideration where specific forms of proof of existence and status in the real world can be captured in a way that others can trust. These include relationships with the state (central and local government), and service providers (Banks, Credit Cards, Energy Suppliers, Health and Social Care, Third Sector, and Membership organizations).
What are some of the best practices that organizations should adopt to protect their workforce and customer data?
Data should be encrypted in motion and at rest. Following the 12 principles of Fair Data Trust Mark is a very good place to start. Mydex is certified under FairData as well as ISO27001 for information security management.
The Fair Data principles apply to any organization that works with personal data. Organizations that are certified under FairData are audited independently so they can demonstrate that they work in adherence to these 12 principles.
Talking about individuals, what actions should average Internet users take to protect their data online?
Individuals’ ability to protect themselves online is limited by the nature of the systems they are operating within: the rules and regulations, the policies and priorities adopted by organizations, the technologies used, etc. Most of the necessary solutions lie at the level of system design, not that of individual actions.
Take the parallel of driving a motor car. Individuals can drive safely and carefully or dangerously and recklessly. But they do so within the context of all the safety technologies that have been developed over decades by car manufacturers, and by all the rules and regulations relating to car safety, road safety, road infrastructure, driving tests, etc. Most individuals will do what they can to be safe and responsible. The question is, does the context in which they are operating help them or hinder them in this quest?
The issues we face with personal data are not limited to “online”. Huge amounts of personal data are held in legacy systems “offline”. We need ways forward that address all collection and use of personal data, both online and “offline”.
To this end, every individual should be provided with a personal data store where they can aggregate their data about themselves independently of any of the organizations they are currently dealing with. And they should not share information with any party outside of an authenticated relationship. We need systems and processes that routinely, safely, quickly, and cheaply authenticate the identities of the individuals who are asked to share their data.
Share with us, what’s next for Mydex?
Over the past 15 years, we have built personal data store infrastructure and supporting services that are now in operation and capable of operating at scale.
Scaling up and out is what is next for Mydex – multiplying the number, type, and range of services, organizations, and people using personal data stores as the infrastructure for data collection and use.
As a Community Interest Company, we are asset and mission-locked. We are not chasing a trade sale or flotation. Our only focus is the fulfillment of our mission. As we grow, our network expands and more and more citizens and service providers will operate under our trust framework and secure network of platform services. These place the citizen at the center, in control, acting as the point of integration and empowered to get things done faster, better, safer, and easier.