It’s no secret that personal data has become the key commodity of the online business world. The Internet giants – Facebook, Google, etc. – all provide their services “free”, but make money from the detailed profiles they create of our activity as we use social networks and move around the Web. Since we don’t have any choice in whether to allow this if we want to access the services, most people simple accept the practice as an inevitable if regrettable fact of digital life.

But the consequences of doing so are serious. It means most of our activities online are tracked and stored – principally by companies, but also by governments that can draw on that data, using both front and back door access. It means that information about our supposed interests and preferences is fed back into the services to shape the content we see, and the ads that are displayed. It also means that intimate knowledge gleaned from the data can be used to manipulate us in subtle ways. But does it have to be like this? A project funded by the European Union called Decode (DEcentralised Citizen Owned Data Ecosystems) is exploring that question, in the hope that the answer is “no”:

“DECODE is about giving people ownership of their personal data so they can secure their privacy and reclaim their digital sovereignty. It will create new technologies which put them in control of how their data is used so they can decide who has access, and for what purposes. In doing so, DECODE will create a new digital economy ecosystem, enabling in particular the rise of more localised, democratic models for pooling and sharing data. These new technologies will be piloted in Amsterdam and Barcelona. A key principle of this will be the pursuit of social value over purely economic return. It will also enable governments to be more responsive to citizen needs.”

That comes from a major new report released by the Decode team entitled: “Me, my data and I: The future of the personal data economy”. As well as explaining all the problems with the current model of treating personal data as something that can be owned and mined by the digital extractivists like Facebook and Google, the new report does something unusual: it offers an alternative vision for our digital future.

“In 2035, the majority of people now have their own personal data portals. These are in effect small servers, often located in their homes or a secure location of their choosing, which store all their personal data. This gives them control over how this data is used.”

An alternative to servers located in the home is to store all this personal data in the cloud, perhaps fragmented and scattered across multiple server farms in an encrypted form for added security and resilience. But wherever and however it is held, the key element is that personal data remains under the control of the individual at all times. Thereafter, today’s Internet services would be granted access to some of that data in a very controlled, and precise way.

So if a service was only available to those over 18, proof of just that fact would be sent, rather than details such as date of birth, or other unnecessary personal information, a technique known as Attribute Based Credentials. Intelligence could be built in to the personal data stores such that important information would only be released in certain circumstances – for example, health data in a medical emergency. Decode calls these “Smart Rules”. One interesting idea is to combine Smart Rules with distributed ledger technologies, like Bitcoin:

“In the case of DECODE, the ledger will be made up of the permissions which users attach to their personal data as Smart Rules. By storing these rules in a public distributed ledger, the Smart Rules will be highly transparent (in terms of showing where data is and who has had access to it) as well as tamper proof. It’s said that distributed ledgers’ key characteristics could provide a foundational protocol for a fairer digital identity system on the web. Beyond its application for digital currencies, distributed ledgers could provide a new set of technical standards for transparency, openness and user consent, on top of which a whole new generation of services might be built.”

Putting individuals firmly in control of their own data opens up another possibility: the voluntary aggregation of personal data to create a “data commons”, managed by the community, which can be used for the public good. The idea is that a community of data donors agrees overall rules for how the blended data can be used. Since people are able to establish with others how their data is accessed and analyzed, they are more likely to grant permission than they are today, when they are rightly suspicious of what will happen to highly-personal information that is no longer under their control. The shift to personal data servers could therefore liberate important data, and lead to far wider use of sensitive medical and genomic information, say, with a corresponding increase in breakthroughs and treatments for all.

Decode suggests that there is another, rather unexpected benefit for businesses if they give up their monopoly control of personal data. The report points out that the new EU General Data Protection Regulation (GDPR) that will come into force next year includes extremely harsh financial penalties – up to 4% of global turnover – for companies that fail to protect personal data. Decode believes that it will soon become too risky for companies operating in the EU to hold huge quantities of personal data. Instead, personal data servers that grant appropriate permissions to companies needing information would allow them to operate largely as today, but without the problems that the GDPR and similar legislation will bring.

That’s one of the most important points in this new report. It means that the current tension between companies that want full control of people’s data, and the individuals who want their privacy to be respected, will disappear. Once the dangers of holding personal data on-site outweigh the benefits, the Decode team believes companies will shift across to the new approach based around accessing personal data servers, wherever they might be located.

It’s an optimistic vision, and a necessary one. In the wake of massive data losses, like the recent Equifax disaster, and a growing realization that Facebook is using personal data for some very questionable business deals – for example, selling advertising to a Russian troll farm during the US election – there is growing resistance to the current model. The Decode project not only points the way to a better alternative, but aims to create and release as open source software that will start to turn it into reality.