The internet has a big privacy problem: you don’t control your data, and laws alone aren’t going to fix it. Here’s why:

In a recent data leak at a commercial COVID-19 test lab, thousands of names, addresses and contact details of the company’s recent clients were publicly accessible. On top of that, it was old information that should’ve been erased after 30 days, according to their privacy policy. It wasn’t. The managing director promises that client data will be erased after 30 days from now on.

The biggest problem here isn’t the data leak itself, nor that they violated their own privacy policy by not erasing data after 30 days. It’s that you can’t enforce how your data is used:

  • You don’t control with which third parties it is shared (malicious or non-malicious).
  • You don’t control which of the company’s employees can see (or mutate) it.
  • You don’t control how long it is kept.
  • You probably don’t have a receipt to prove you shared it (so the company can just lose your data or plainly lie about not having it).

While each of these issues can be addressed in law (e.g. GDPR in the EU) or in a company’s privacy policy, this doesn’t guarantee your data won’t actually be leaked or misused. Each of these issues needs a technical solution to really prevent misuse of your personal data.

SSI (self-sovereign identities) is a good starting point for solving these issues since it allows you to have more fine-grained control over what you reveal to whom. The hardest problems to solve are limiting who can read your data and for how long.

There is interesting upcoming research, applied to the Dutch IRMA (I Reveal My Attributes) SSI solution, on letting only holders of a certain attribute (e.g. older than 18, working at the customer department, physically checked-in at the office) decrypt the data you share.

This doesn’t solve all the issues (e.g. how long a party can read your data): we still need more, new solutions to improve our privacy.