A new class of data
Author: Richard Hoptroff, CTO and Founder, Hoptroff
Data privacy regulations require a new class of data: rather than mere records in a database, we need data that can be trusted.
Legal frameworks such as the EU’s General Data Protection Regulation (GDPR), the Privacy and Electronic Communications Regulations (PECR), and the California Consumer Privacy Act (CCPA) limit what we can do with personal data. In particular, we must get an individual’s permission to use their data, and then we can only use it in the manner for which they gave their permission.
The regulations are not well interpreted by those using private data and they are routinely flouted. Change is inevitable as these regulations become more tightly enforced. For example, in 2019 the UK’s Information Commissioner’s Office provided a detailed analysis of how the adtech industry and real-time bidding abuse individuals’ data.
Typically, advertisers do not explain what they will do with the data when they obtain consent. Every time they auction an online ad spot, as they do hundreds of billions of times a day, they pass on the private information to hundreds of potential bidders.
This is usually done with no back-to-back obligations on how the data is used, when it must be deleted, where the detailed records of how data is used are kept, and whether these records could be incorrect or manipulated.
It is this last aspect that interests us: creating a data trail that can be trusted.
The MiFID II regulation in the finance sector provides some pointers as to where the information management role is inevitably headed. In financial markets, transactions must be demonstrated to be timestamped correctly, so that the sequence of events between servers, each referencing different clocks, can be confidently proven. The sequence of events may not be so important for the data protection community, but “confidently proven” definitely is.
Specifically, when an event happens on a computer that will have an effect in the real world, it must be recorded in such a way that we can audit the data to confirm when and where the digital event happened. This applies right down to the edge, which might be a web browser or an IoT device whose data is used as evidence in court. Otherwise, the records have no support. It must be possible to audit the digital business world in as much detail as accountants audit the physical business world today.
This problem can be tackled by combining three elements:
1. Traceable time
Traceable time is time that is known to be correct by way of an unbroken chain of comparisons back to the national standards institutes that maintain Universal Time. While this has been necessary for other industries for some time, such as telecoms and power generation, it was only with the introduction of the MiFID II regulations that it was applied to digital events. Achieving this resiliently, globally, and at a low cost is difficult. But it is possible.
2. Traceable place
Traceable place is trickier still. How do you prove where digital events happened? The answer is to turn place into time – time and space are inextricably linked. If a server tells some of its neighbours about an event, and the round-trip time of the message is measured and ledgered, we can be confident that the event happened where the server claims it did.
3. Data immutability
Data immutability is not as hard. We use hash ledgers. A hash ledger is like a blockchain, except that each entry is entered individually into the ledger by hashing it with the previous entry at the time it occurred, using a local traceable clock.
Time and place can be recorded in the ledger at regular intervals irrespective of digital events, to prove a ledger’s identity. Hash ledgers are only self-consistent; they are not identical to each other, so there is no proof of work burden.
Confidence in immutability is derived from the fact that hashing ensures that the sequence of events in a ledger cannot have happened in a different order, and an entire ledger cannot be fabricated because it is interwoven with other ledgers. Real-world events bound entries in time: including unpredictable data (e.g. news feeds) proves an entry could not have been made before that data existed, and publishing in indelible ledgers of record (e.g. advertising in print) proves it could not have been made after.
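A minimal sketch of the hash ledger and interweaving described above, added here as an illustration and not Hoptroff's implementation. The class and function names, SHA-256, the JSON encoding and the integer timestamps standing in for traceable-clock readings are all assumptions.

```python
import hashlib, json

GENESIS = "0" * 64  # constructed previous-hash for a ledger's first entry

def entry_hash(prev, ts_ns, data):
    # Bind each entry to its predecessor and to its timestamp.
    body = json.dumps([prev, ts_ns, data], sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

class HashLedger:
    def __init__(self, name):
        self.name, self.entries = name, []
    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS
    def append(self, ts_ns, data):
        # ts_ns stands in for a traceable-clock reading (assumption).
        prev = self.head()
        self.entries.append({"prev": prev, "ts": ts_ns, "data": data,
                             "hash": entry_hash(prev, ts_ns, data)})
    def anchor(self, other, ts_ns):
        # Interweave: record another ledger's current head in this ledger.
        self.append(ts_ns, {"anchor": other.name, "head": other.head()})

def verify(ledger):
    """Index of the first inconsistent entry, or -1 if self-consistent."""
    prev = GENESIS
    for i, e in enumerate(ledger.entries):
        if e["prev"] != prev or e["hash"] != entry_hash(prev, e["ts"], e["data"]):
            return i
        prev = e["hash"]
    return -1

def anchors_hold(witness, target):
    """True if every head of target recorded in witness still exists in target."""
    known = {GENESIS} | {e["hash"] for e in target.entries}
    return all(e["data"]["head"] in known for e in witness.entries
               if isinstance(e["data"], dict) and e["data"].get("anchor") == target.name)

def demo():
    a, b = HashLedger("server-a"), HashLedger("server-b")
    a.append(1_000, "consent: purpose=analytics")  # constructed sample events
    a.append(2_000, "record passed to bidder")
    b.anchor(a, 2_500)
    forged = HashLedger("server-a")  # the same ledger rewritten from scratch
    forged.append(1_000, "consent: purpose=advertising")
    forged.append(2_000, "record passed to bidder")
    results = (verify(a), anchors_hold(b, a), verify(forged), anchors_hold(b, forged))
    a.entries[0]["data"] = "consent: purpose=advertising"  # edit an entry in place
    return results + (verify(a),)
```

The rewritten ledger passes its own consistency check, which is why self-consistency alone is not enough: only the head recorded in the neighbouring ledger exposes the fabrication.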