Consumer Privacy

Simon Morse Practice Director Security at Versent

Simon Morse

Security Architect, Versent

June 19, 2017

Around 10 years ago, a couple of mates and I had a bright idea that we could (perhaps singlehandedly) transform the face of electronic banking. We put together a prototype based at that stage on a pre-Australian release iPhone (it was still hardwired to the US AT&T network!) that in terms of ease of use, functionality, and navigation was pretty much equivalent to where the current crop of apps have landed today. We were pretty proud of the slickness and general look and feel of the app and had high hopes of landing a big deal that would allow us to give up our day jobs and work on commercialising the solution for adoption by a variety of banks.

In this article I’d like to explore what I think is the core problem here – that organisations are tightly controlling access to consumer data, not just for large retailers, but also government institutions and smaller businesses.

For my particular project, the sad reality was that we were looking for equity investment at the point the global financial crisis hit. This was a double whammy – we couldn’t get any capital, and the target market for our product (banks) was 100% focused on keeping their heads above water rather than investing in future technology. One bank in particular that we were talking to was a fair way down the track with what they thought would be the next evolution in consumer banking (SMS banking), and at that stage had already invested many times our proposed budget internally to try and get this working. We were flabbergasted and, needless to say, we were right and they were wrong in terms of predicting the future of retail banking, but that was cold comfort.

More significantly though for me was that for all of the improvements in the user interface, it dawned on us pretty early that the key innovation in our approach was not related to the ease of use, but in empowering customers to take more control of their information. To a large extent, this has still not been tackled comprehensively by traditional organisations – they still treat the information as “theirs” and are reflexively suspicious of any attempts at empowering their customer base.

To a certain extent, they have a valid concern. There are significant issues around maintaining an authoritative copy of data such as transactions when you are allowing greater participation by consumers than has been the traditional approach to banking and other apps – if Joe wants to transfer some funds to Mary, how can their respective financial institutions confirm that Joe has sufficient funds and then that the funds are successfully transferred to Mary, unless they maintain 100% control?

This is a specific example of what I would suggest is a more philosophical technology and mindset problem. How do you interact with customers without losing control of the relationship? More fundamentally, how do you enable this interaction given that all of your existing systems are based on a “command and control” model where tight management of the data is held internally within the organisation? It requires a complete revolution in the way in which organisations deal with their customers. In our case, perhaps our naivety in dealing with large organisations blinded us from the fact that our solution probably would not have been a great fit, even if the investment landscape had been able to support a new digital channel for forward thinking organisations.

This is not to say that I’ve given up on the approach though. The key principle is to support a model where consumers are able to master information and institutions become merely a custodian. We had envisioned this operating in the financial arena, and I can imagine nay-sayers complaining that consumers are unable to take responsibility due to the difficulty of the task and regulators insisting that the integrity of the banking system requires tight centralised control. I’m unconvinced. A good example of where a devolved system currently operates is with medical records, which are arguably equally or more sensitive and may have a large amount of technical overlay. Even in the financial domain, customers are frequently more directly involved than a “hands-off” banking arrangement for self-managed investment and insurance products or may involve third party brokerage services into the relationship to dilute the control that centralised institutions have over consumer data. As such, I would suggest that the current regulatory approach is in place because there has not been an obvious alternative and this suits the banks just fine.

I won’t go into the details of how the technical scheme we’d developed for our product was designed (to be honest it was a while ago and the details are fading with the onset of middle age), but this is just the enabler. The technical landscape has moved on since then and will continue to evolve. Most notably, block-chain technology is a key innovation that has emerged as a general purpose way of establishing a verifiable chain of evidence and could form a key plank in the technical underpinning for the scheme. There is still maturation as the application here at present is focussed around crypto currency, and a more flexible messaging scheme is required – e.g. problems around how to incentivise consumers to do the computational work (as is the case with “bit coin mining”) would need to be solved, so that interactions between say an energy wholesaler, retailer, and consumer are equally protected.

With a secure and reliable way for individuals to interact with defined counterparties, there are a host of opportunities that arise for government and commercial organisations as they interact with citizens, customers and suppliers – the significant characteristic is where it is desirable to have distributed ownership of data and the likelihood that the owner uses this data to interact with multiple parties. Aside from the examples above, consider how many times an individual is forced to rely on unrelated identification material such as a driver’s license, and what will happen to this scheme should the assumption of ubiquitous self-ownership of cars that underpins this scheme become increasingly invalid.

Returning to the original point around privacy though, the key advantage for consumers is not simply efficiency, they are able to reclaim control and ultimate ownership of their data. These two goals need no longer be held in tension, but both achieved to create a win-win experience for government, business and consumers.


Great Tech-Spectations

Great Tech-Spectations

The Versent & AWS Great Tech-Spectations report explores how Aussies feel about tech in their everyday lives and how it measures up to expectations. Download the report now for a blueprint on how to meet consumer’s growing demands.