Written by Hunter Gebron, Director of Strategic Initiatives

Beneath the surface of the Internet lies a data broker’s paradise. The ‘free’ platforms we have come to rely on have turned us into the product. And for the last twenty years, it has been an arrangement we have become dissociatively comfortable with, happy to check our Gmail accounts and post our status to Facebook without much thought about the implications of doing so. But in recent months the conversation about user privacy and data has taken center stage as something we can no longer ignore; the stakes are too high.

The attention on user privacy and data also happens to coincide with the European Union’s General Data Privacy Regulation (GDPR). On May 25, 2018, the Internet as we know it is going to change. It’s the result of a two-year process by European legislators to create far more stringent regulation regarding data privacy for any natural person within the confines of the European Union.

Data processors will need to get consent for each granular aspect of their data collection, and it must be demarcated by separate opt-in fields. If you have checked your email inbox lately, then you have likely noticed the influx of emails from marketers scrambling to become GDPR compliant. Of course, solving data collection and user privacy is no easy task. The GDPR is an impressive display of legal writing, handing mandates down to technology in near-biblical fashion.

But user data is not a neat and tidy affair that can be efficiently sorted by 99 Articles. On the Internet, it’s an absolute mess. And the problem can be boiled down to one cause: identity. There is no universal Internet standard for identity. In the physical world, governments are largely in charge of identity. They issue driver’s licenses, passports, work permits, social security numbers and ID cards. But how many user logins and passwords does the average Internet user have?

Individuals have their physical identities fractured by countless apps, websites, platforms, and services. If you are like me, it’s likely that you have set up so many digital identities you’ve lost track of many of them. Now, due to GDPR, each one of those apps and services is required by law to get consent for collecting data about you. Let the opt-inundation begin!

If the problem of user privacy and data collection boils down to identity, then what is the solution? That is a complicated question, but with the advent of blockchain technology, there is new light at the end of the digital identity tunnel. Projects like uPort have rightly realized that the properties inherent to blockchains, public and private key cryptography and a shared database where all parties have access to the same information, might provide the perfect backdrop for a universal digital identity framework.

The OAuth protocol allows third-party apps and services to tap into the incumbent Internet giants’ identity databases. It is the protocol that gives you the option to “Login with Facebook or Google.” It makes the hassle of setting up a unique user login for new websites you visit more tolerable. Third-party apps and websites are happy to let Facebook and Google “attest” to your identity. But that brings us right back to the user privacy dilemma that GDPR was designed to address in the first place: huge, centralized, for-profit companies holding all the data cards and choosing how to play them.

A sovereign digital identity that is rooted in a public blockchain and that allows for permission-based access to specific data would represent a sea change for user privacy. The premise is built on the idea that instead of going to apps and services to log in, essentially asking them to let you access your identity on their platform, your identity is always 100% in your control and is located in one place. Apps and services would need to ask you for your permission to let them access the various aspects of your data and identity that you feel comfortable sharing. GDPR preferences would only need to be set one time but could be accessed by any number of apps and services. And you, as the owner of your data and data preferences, could granularly select the elements you wanted to share with third parties based on who they are. For example, you might choose to share different personal information with your healthcare provider than you would with Spotify or iTunes.

Attestations are still an important part of creating any framework for decentralized identity. Here, token-curated registries (TCRs) could prove particularly useful. “Token-curated registries are decentrally-curated lists with intrinsic economic incentives for token holders to curate the list’s contents judiciously.” In the case of blockchain-based identity, a TCR for the most reputable attestors regarding individuals and their offline/online identities could provide a skeleton for grafting a digital identity.

While Web 2 is mainly about capturing wealth in the form of user data at the application layer, Web 3 is shaping up to be about empowering individuals by unlocking value at the protocol layer. There is still much that needs to be fleshed out. But the tracks are being laid for transferring user privacy back into the hands of individual data owners in the form of new identity protocols built on top of the decentralized Internet.