Consumer trust of businesses has never been great. But it’s demonstrably at an ebb in the post-Snowden era when it comes to personal data. There’s qualitative and quantitative evidence telling the story.
Spotify shows how businesses can lose when you can’t sustain trustworthiness Cash economy means you might have had only a single customer interaction – digital economy nearly always means repeated interactions This makes the game theoretical stakes higher In a moment we’ll talk about the upside potential What about the compliance costs and penalties? They’re more substantial than ever (GDPR: up to 4% of worldwide turnover, DPO, etc.) But they’re clearly not about relationships with customers and end-users
Use health, including consumer and clinical health devices, as an example The HEART Work Group at OpenID Foundation is working on a use case I’m a co-chair of the group Alice Selectively Shares Health-Related Data with Physicians and Others For example, one flow enables Alice to choose to share basic data about herself with a doctor before her first visit Another lets Alice monitor and control access There’s a flow involving Alice sharing the list of her medications with her spouse And one where Alice agrees to donate data to clinical research in deidentified fashion
(See: Economics of Privacy: p. 15: “strategic consumers may make a firm worse off in the context of dynamic targeted pricing”) (See: https://bitbucket.org/openid/heart/wiki/Alice_Shares_with_Physicians_and_Others_UMA_FHIR)
Okay, so why enable personal data sharing? Data quality and accuracy -- one US study: only 5% agreement between medications listed in EHRs and what patients actually take This gap affects cost, efficiency, and satisfaction as well Improved clinical research sets – one UK study: over half the respondents supported use of their data by commercial organizations for research A floor of 17% were not willing to share data at all Better care – Philips did a study with Banner Health Patients with chronic disease using a smart device and an app would tend to leverage continuously monitored vital signs Shorter, less expensive, less ER-intensive stay: savings averaged 10 days/year and $27K/year
So that’s a business-based reward-centric viewpoint Beyond the business-based risk-centric viewpoint of regulatory compliance, why should businesses do what individuals want regarding personal control? The IoT brings new volumes and sources of data, and new use cases for people wanting to share that data CareKit added person-to-person sharing in the Apple ecosystem Dumb socks vs. smart socks – need a solution in wider ecosystems
How can we meet these needs? Are the tools and technologies we have available actually ready? ForgeRock asked companies if current methods such as opt-in checkboxes and cookie acknowledgment flows can adapt Only 9% think they can However, all is not lost.
It’s a good thing we’re seeing this innovation Recent TRUSTe Safe Harbor Poll: after Safe Harbor invalidated: respondents approximately tripled use of consent for ensuring EU data transfer compliance What could the delegation, consent, and access experience look like in UMA? Let’s look briefly at a consumer health IoT scenario where UMA provides a linchpin for needed capabilities
Is a standard built on OAuth 2.0 Delivers externalized authorization Provides digital consent control to end users Allows to share data and revoke access to data
User-Managed Access: Why and How? - Access Control in Digital Contract Contexts