How does the Safe Network Address Privacy?

It was good to see @jimcollinson addressing a question regarding privacy from @dimitar:

@jimcollinson recognises that there are systemic problems with privacy, but is not clear how the Safe Network addresses these in practice.

He uses an example where Megacorp persuades consumers to share data through the lure of ‘free’ services.

Consumers know Megacorp cannot be trusted, but share their data anyway to use the service.

How does the Safe Network prevent Megacorp’s continued exploitation of this systemic issue?

I think the simplest answer is that whatever you upload to the network you control. You can grant apps granular permissions to files or folders and when you do that you are granting them access to that data so the UX will say what permissions they are requesting (read, write, publish, etc) and you can always revoke permissions as well.

So it’s like bitcoin in the sense you custody you’re own data, not your keys/not your data.

But in a very friendly user experience and front end environment. No complicated pub/priv keys to manage etc. just your password to get into the network and a SafeID which is basically like an account profile.

There’s also Pay the Developer (PtD) rewards too which the network pays out to apps based off of their use/popularity and that along with no security, scaling, and infrastructure costs is intended to avoid data selling business models, ad based models, subscription based models. The latter will still persist I’m sure but as a competitive market people will most likely choose the “free” apps that just collect PtD but these apps will have to still offer competitive features and nice UX.

Competing with existing models and letting the market decide is acceptable, though the issue of privacy still persists as interoperability between legacy Internet and Safe Network is needed to gain traction.

Permission granularity goes some way to addressing the privacy issue.

Currently Megacorp requests a very broad permission - access to ‘storage’ for example.

The lack of granularity in this example gives access to all files, where the consumer may only want to give access to a single file.

Megacorp has long had this access to data, to the point where vendors & platforms appear complicit in preventing control of low level permissions.

The argument is that granular permissions are difficult to define in the UX because it adds complexity for the consumer. So one size fits all and Megacorp profits.

Example: User needs to only give AppA read access to FileA and AppB Read+Write Access to the same file, but does not need to allow either of those Apps access to other files.

Does or will the Safe Network support such control over permissions?

Check this out but keep in mind seeing all the flows at once gives a sense of overwhelming so it’s important to look them through as a sequence. https://www.figma.com/file/c457wqJtv30WmDgTKuXvqp/Safe-Network-App-MVE-Screens-Flows-and-Feature-Tracker?node-id=1442%3A1463

Figma is experiencing a temporary outage at this exact moment so check back on that link.

Bridges to the clear net through client side proxy’s are probable but they are not something anyone here plans to cater to, to my knowledge. It’s the web reimagined and started anew. I personally hope a partnership with internet archive comes to fruition and for people to be incentivized in some manner to upload current data from the clear net to similar services on Safe Network.

There is a lot there, but nicely visual.

The controls under ‘Security’ look like they could address my concern about granular permissions. I look forward to the test drive.

That said, I did not see anything that prevents a Megacorp type app requesting more permissions than it needs. A method to stop Megacorp (and lazy developers) demanding more permissions than necessary would be to have a permission spoofing mechanism.

As @jimcollinson says, these business models have been around for several decades with their roots in the bureaucratic state. The mindset that ‘there is no alternative’ is all pervasive. As the network grows, entrepreneurs & developers migrating to SAFE Network from the Clearnet will try and implement the tried and tested business models of the Clearnet.

I hope future iterations of the SAFE Network app prevent surveillance based business models getting a foothold on the network.

Maggie Thatcher lives on.

A Megacorp type app can’t be stopped from requesting more permissions than it needs - so how we deter that is a very good and important question. Two centrally important things here will be a culture of developers making apps for and not against users, and a healthy resilient culture of Safe Netizens who care about this kind of thing, and react strongly when their privacy or any other right is threatened or attacked.

I don’t know if you’ve spotted the bamboo garden fund on the forum here? A very good moment for the first of these two things - it’s overwhelmingly likely that the apps the fund goes into developing will be in the interests of the users.

For the second thing then, it’ll be largely up to us, and our fellow humans, how we choose to react. I am hoping that it goes in a good direction, but it’s a big uncertainty. All each of us can do individually is try engage in the kinds of behaviours and discussions that we’d like to see happen, and encourage others to do the same.

You can’t prevent apps from asking. Spoofing helps a bit, but if that was the norm developers would figure out ways to detect it, so it isn’t really a solution. I think on Android/iOS that’s the best we could get, and would be an improvement, but I don’t think it can solve the issue.

Another solution is to separate apps from data. Not easy either. The reason it can work is that if apps become interoperable (ie different apps can create, edit, understand data from each other), people can easily switch apps when they don’t behave the way they want, or when a better app comes along. It also makes it possible to create much more useful apps, than if data is kept restricted to individual apps.

This encourages developers to create apps that are better for those using them, rather than trying to control people by capturing their data and using it to keep people captive - except by being the best app.

This is the easiest and best solution imo. The safe file system in your account can have access controls similar to android/posix. Each app can have it’s own folder and is treated like a separate ‘user’. All writes by the app stay in the app folder and a read access outside the app folder is restricted by default. Keep file attributes and access control simple, ie. read/write/execute/private/shared/public.

I think this is orthogonal to interoperability, by which I mean different apps being able to access and understand each other’s data.

Isn’t this simply a common file format, or a good import/export function? How does libreOffice interoperate with MSWord?

That’s a level of interoperability sure. Better is to use a format which is designed to “explain itself” and also be easier for developers to support. Application specific formats vary in how difficult or easy they are to handle, and will lack libraries and tools to make support easier.

The really hard part about all this is getting developers to support common formats.

A way to tackle this is for the Safe Network APIs to adopt something that is good for this purpose, and to provide demonstration apps that make use of it. Demonstrating this route was part of what my Solid on Safe work and MaidSafe’s own work on using Safe WebID were about (and the corresponding demo apps and presentations).

@jimcollinson (in the video) responds to a question from @dimitar about regaining control of personal data.

He posits that the problems with existing business models are inherent in the system and that the Safe Network will return control to the consumer.

At the moment, I don’t see how.

The consumer has always had control of personal data. They may not understand the full implications of their actions when accepting Megacorp’s terms and conditions, but they are fully aware that they have no recourse on what Megacorp do with the data.

The consumer does not have time to learn and re-learn the system every time it changes in order to safeguard their privacy. Megacorp relies on this to keep the consumer in the dark.

An autonomous network which places the consumers privacy at its core should do this natively.

Once an app is established with a large user set, it becomes difficult to displace and easier for the vendor to abuse the consumer.

Better to de-incentivise abusive behaviours or prevent them altogether.

No…

@digipl The consumer can choose not to use the service, this is control of personal data.

Though you’re technically correct, having a complete lack of choices and being offered a free service and disregarding pages of T&Cs means there weren’t really many options besides being “left behind” in some sense.

Safe just makes it the default and makes it part of the proposition and narrative.

@Nigel is correct, the reason we want Safe is because people don’t have enough choice and do have very little control over their personal data, and less each day. You’ve already acknowledged this @yippeeyo so it’s not clear why you then suggest we do.

Regardless, what this means is that to have more control over our data, what we need is more choice. One of the ways to improve this is to switch from winner takes all models which end up like Facebook, to a model where we don’t give over control of our data to the service were using. With Safe that is built in - you don’t need permission to take your data away, because you already have it, and can withdraw permission to access it whenever you want. And you can give access to a new app instead.

I hope that gives you some ideas of how Safe Network gives users more control over data and makes it much easier to decide what and how much of their privacy they give up, to whom, and for how long.

That is an over simplification. No because its never really a black/white situation where they can choose easily. There are things they have to weigh up. Like the only way to keep in (timely) touch with a group they want/need to is through facebook say. Yes I know its not the best example but people are always weighing up the pros and cons, even if not aware they are doing so.

Now I expect the only way we can see people not being sucked into the megacorps promise of xyz if you use their service is to educate, encourage people to use Apps that will do what they want but not need to give up their privacy etc.

Facebook on Safe will be a definition of datasets and how they are used. THen any number of Apps can be used to provide the equivalent of facebook without the person giving up their privacy to some company.

Thanks for watching the video @yippeeyo, and for the questions.

It was very much addressing the why but not the how. It ended up being nearly 10 minutes even at that (it’s such a big subject!) so I’ll sure have to get into detail on it in future videos.

As far as the macro picture goes, and I’m sure this is obvious to everyone here, the current state of things means that, almost universally, the business model mechanics revolve around gathering vast quantities of user data via free services, and literally controlling it by having it on company servers, and then figuring out how to exploit control of that data later via hawking it to advertisers, or other interested 3rd parties. In fact, to build a massive business in Silicon Valley you don’t even need to have a plan for how you are going to exploit the data, or who you are going to sell it to, or what you are going to do with it, from the outset. All that matters is gathering and hoarding as much of it as you can; that’s what drives a valuation. So employing all the dark and addictive design patterns you can and make sure it’s as difficult as possible for a user disentangle themselves from your service—that’s the path to business success.

It gets so far out of your control, that once you have consented (via unfathomable T&Cs, and/or options that are just theatre, and don’t offer me ay functional control) you have no idea who your data has been shared with, how it’s is being processed, and where it ends up. And the goalposts are regularly moved too.

But of course in return for unfettered access to your personal data, and every move you make on their system, you get access to their product for no upfront charge. That’s the trade.

The Safe Network fundamentally addresses this macro picture through changing the model as a whole: You pay upfront for the data you add to the Network in Safe Network tokens, and it is only accessible to you and other individuals you chose to share it with, by virtue of the fact that only you have the keys to it.

This is perhaps the most significant area where the architecture of the Safe Network enables a fundamentally different model for data access, that breaks down the ‘clearnet’ status quo.

It is not simply about giving users more granular permissions, but addressing the interaction between apps and data in the first place.

Let’s take for example a messaging app, like WhatsApp, or Facebook Messenger. I sign up for it, and then all the messages I send, contacts I add, and a metric ton of other metadata it’s added to Facebooks servers for them to exploit. Yet for the app to function, and do what I expect of it, there is no need for any of this data to be accessible to anyone other than me and the recipients of the messages I send. Zero. The only reason Facebook need it is to support their business model through exploiting for profit it. That’s it.

The equivalent app on the Safe Network would simply be a UI that I use to compose and send messages.

The content of these messages, who I send them too, my list of contacts, and all the metadata isn’t accessible by anyone else, especially not the developer of the messaging app.

It’s as it should be: all the data remains only accessible to me, and the content of messages I send are for the recipient only.

So it’s not about more granular permissions. It’s not the status quo, but with more options, like some cookie permission pop-up nightmare for everything I do. It’s fundamentally different.

In fact, we’ve renamed App Permissions to App Capabilities to order to try and better reflect this. And even then, that is belt and braces stuff.

If data is to be transmitted anywhere outside of my control, then there are separate sharing and publishing permissions. If an app suddenly starts requesting permissions to share data with people I don’t want it shared with, or move it outside of my control, then I can knock it back.

And there should be no reason for most apps to be doing this… messaging apps, email, music, image editing, word processing, fitness tracking, medical records, web browsing, blog publishing, social media (etc etc) none of these require the app developer to have any access to my data. So there is a simple answer to any apps that request: No. I will not be sharing my data with Facebook LLC, because it is completely unnecessary, and I can happily switch to an alternative app that does not request this.

And that’s the thing, and what I was getting at in the video, Safe gives us the tools to fundamentally shift the relationship that apps have with our data. They become about a user interface again, just about me and me alone manipulating my data, and finding the software that suits me best in doing that.

I see another problem, perhaps @yippeeyo thought about it in this way. What if some megacorp releases a very popular (lots of features, great ui, very usable) app on Safe Network, but the permissions (capabilities!) would be, that all the data is accessible also to the company? There is a possibility of choice, but no one will choose alternatives, because the app is sooo sweeeet, everybody would want to use it. They would have their own data format, so even other apps would find it hard to use this data. This is the situation we have now – alternative (open, privacy-aware) apps are simply inferior to most users.

In the Safe Network model, that example wouldn’t be offering capabilities to the app, but opting to Share data with the company, in the same way in the UI you’d share data with another person.

This is possible for companies on the clearnet, almost universally, because there is no alternative. If I want to use a messaging app, I have to give my data to a 3rd party.

On the Safe Network, the same messaging app would be unlikely to again traction and gather many users, because there is simply no need for the corp to request access to my data. I mean, what would be the purpose? Why would I need, and choose to have ‘megacorp’ cc’d on all messages?

It would be so transparent to the user that this is what is happening, and I could simply hit the deny button.

There would need to be pretty compelling reason for this and at least, should the user decide the trade off is worth it, they’d be going into it with their eyes open and they could choose to withdraw access to that data at any time—and know for sure that that tap is turned off. The same cannot be said of clearnet services.

And remember, on the clearnet, data is siloed and belongs to the corp that you entrusted it too: moving it from one app to another is effectively impossible. Not so on the Safe Network… if I want to move to a new messaging app, I just open it, and all my data is right there, because I own it. It becomes ‘portable’. This makes vendor lock-in much more difficult, and allows market forces based on privacy, transparency, trust, user reviews etc. music more powerful.

You are correctly assessing that privacy-aware apps are inferior at the moment. They are very difficult to manage and use, and there is still a significant amount of trust needed in 3rd parties. Both of these issues the Safe Network aims to address.