GDPR is a regulation set in Europe, mainly to protect personal data by setting out the rules on how to deal with/transfer data. However, the tricky part is that this regulation goes beyond the border if you deal with personal data linked to users residing within EEA. Comment

Japan is also one of the biggest countries which has numerous business activities between Europe, and we see an increasing awareness of GDPR in Japan. On 27th February, we had an opportunity to give a webinar at Project DS run by Mr. Hiroshi Sonoda from Yamato Logistics, and we introduced the narrative of GDPR in the European context, and how Consento as a startup supported by NGI Ledger program is trying to offer the solution.

“Background of GDPR and European Values on Privacy - Europe’s Frontline Attempt to Create a New Internet Space”#

Since the General Data Protection Regulation (GDPR) was officially launched in Europe in 2018, there has been a lot of focus in Europe on data privacy considerations and the use of decentralized networks such as blockchain. Considering the huge fines for violations and the risk of damaging company’s reputation, it is important that not only European companies but also Japanese companies that exchange data with Europe take action. With presenting the example of Consento developing GDPR compliant data privacy apps, we discussed on the current data privacy situation in Europe right now.

What’s Project DS?#

Project DS is a closed community of 100+ people in various businesses to foster digital transformation in Japan, and the aim is to learn from each other through presentations and networking.

The organizer, Mr. Sonoda is a member of the SAAJ (System Auditors Association Japan), the Institute of Actuaries of Japan, and the ITPS (Japan Management Association). After working for Meiji Yasuda Life Insurance Company’s Information Systems Department, The Meijiseimei Asset Management of America INC (NY), and Yamato Autoworks Co. He has worked as a Board Member, PM, PMO, and Solution Consultant for general-purpose computer system development, Open system development, and AI evangelist. He is also an auditor for an architectural company, a consultant for an IT-related company, a representative for a DX project, and an advisor for public insurance. He has a strong passion for fostering Digital Transformation in Japan.

About 30+ DX enthusiasts participated in our webinar, and we had some very interesting discussions on the Japanese values on data privacy and the issues on privacy mark (The biggest 3rd party certification for data privacy in Japan).

We implemented a survey using 5-point scale after the webinar. According to the feedbacks, 53% of the participants feel the strong relevancy of GDPR to their business and daily work-flow, and 60% feel Japan should implement the strong data privacy policy as GDPR.

Many of them see challenges in Japan’s data privacy compliance policy, and here are some interesting feedbacks.

Perspectives of the webinar participants on privacy data handling in Japan#

Question : "What do you think is a challenge in the way the Japanese government handles data?"

• I have been advocating the need for this for 3 years now, but I feel that there is still a lack of awareness in Japan. I think it will be difficult to penetrate the market unless the government presents a solid sample. The opt-in/out system is not thoroughly implemented, and this can be seen in both of the person presenting and the receiving end. (System Auditor)*
• It costs us a lot of money just to obtain and maintain the Privacy Mark. However, the content of the Privacy Mark seems to be quite late compared to the case study presented here, and the Privacy Mark will probably not be approved if it has to comply with GDPR. The Privacy Mark is supposed to be an organization that examines whether or not personal information is being used in a safe and secure manner, but I felt again that the purpose of the Privacy Mark has become more about collecting money. (IT Coordinator)
• I feel that the protection of personal information in the Diet’s answer is too much, and we should have a discussion on how much we are using big data and whether it is allowed. (Recruiter)
• There are a lot of ambiguous policies, and I get the feeling that the user side is not getting the message. (Sales)
• I think it is necessary to put people in charge who are not dragged down by the organization with specialized knowledge and create a system that transcends interests. (System Engineer)
• Data privacy policy will be a hot topic in the coming years, as governments are expected to shift paper-less.(Administrative Lawyer)
• I feel we tend to care about privacy only when the crisis hits. I also think that the current legal system is too inadequate, and not ready. (Anonymous)
• I felt it would be interesting to differentiate ourselves from Europe by creating a society where data is open and can be used by anyone.(Managing Director)

The benefits of Consento#

All in all, we felt the strong need to show the uncomplicated solution for the Japanese market. Consento provides a user-centric Human Factor Authentication process to secure operations collaboratively based on “Shamir’s Secret Sharing” without the need for passwords and across organizations. Here are the 3 main key features;

1. Decentralized: Consento is a decentralized solution based on peer-to-peer and distributed ledger technologies. There is no centralized server or cloud infrastructure.
2. Password-less: Consento turns your devices into a key, and enables you to build your private MFA (multi-factor-authentication) workflow with your own devices and your trusted relations.
3. No single-point-of-failure: Consento makes authentication more secure through partial keys distributed within your organization (and to your suppliers or customers). No single user is left as a potential point of failure of the system as a whole.

Remote workers bear a great stress in collectively handling the privacy of company data.#

For many of us, remote working is here to stay
Beyond the inconveniency of mixing up personal and professional spheres 24/7, remote working brings along another source of stress for remote workers, and to those in charge of maintaining the company data privacy. Now that devices are connected and used outside the company network, the risk of mishandling passwords or using unsecure networks has become higher than ever.

Ownership v/s Controllability - "(data) ownership has turned out be a double-edged sword. It can be taken to motivate marketization, to harness the economic potential of data, and to put data subjects in a position to sell their data and thereby to receive a share in the value that gets generated from it. But at the same time, at least some versions of data ownership also pose significant constraints on this undertaking. Two worries are that intimate things are being alienated, and that losses of control loom for data subjects once their data is introduced into the market. As a consequence, care should be taken that marketization aligns with—rather than undercuts—the ideal of controllability." (Hummel, Braun & Dabrock ; 2020:26)

Who should bear the stress of company data privacy?
No matter how much technology the company might invest in, the human factor remains a key point of failure for the company data security. It is also the key to company data security itself.

With Consento, distribute and manage the responsibility of confidential data security.#

With Consento app, access to confidential data and company services is secured with the help of co-workers. Even for the work done outside the company secured network, the responsibility of handling company secrets is distributed and the stress of a single person mishandling it is reduced. Consento app enables HR and IT departments to easily onboard all employees, if not suppliers and business partners.

User-centric + co-responsibility + access control in your workplace management.#

Out of the box certified#

Consento will work on your current devices and online services.#

Being the custodian for contractors' CV or identities adds to the burden of coordinating agencies.#

Having to hold the custody of other's digital identities is timely, if not costly in human error.
Most of companies relie on a netwrok of external contractors and suppliers, for translation work, transcription, accounting, legal work, etc. Building a trustworthy partnership often starts with verified credentials, or asking for referals, in order to discard fraudulent candidates. Eventually, these verified CVs and confidential data about contractors become too valuable to be losely shared over emails or cloud services. The agency's reputation depends on it.

Translation Scammers - "As a whole, CV theft and translator impersonation are some of the most widespread scams. In 2017 alone, Translation Scammer exposed 5,055 new scammer IDs. That’s 36 new scammer IDs per month." (Word Connection Japanlization ; 2020:26)

The contractor should not ruin the agency's privacy efforts by using online tools either.
How often do freelance translators or transcriptors end up using online tools by conveniency? In doing so, they put the agency's efforts to keep data confidential at risk. Onboarding freelancers to develop a simple security and privacy hygiene ends up being costly. In the end, the agency resolves to share the information and guidances and just hopes for the best.

With Consento, embed data security and authenticity within your network of contractors.#

With Consento app, the verfied credentials of the one at the origin of the CVs or confidential information are linked to the shared files themselves. Consento makes sure that the proofs of identity are kept up-to-date. All the files remains encrypted between parties, accessible only to selected parties, who may access the data only on your consent.

Because security comes as a network, Consento makes it easy to onboard all contractors, even the least tech-savvy. By putting some humanity back into distributed cryptographic technologies, Consento combines high-level encryption and decreases the possibility of human errors.

Consento difuses the agency's stress by lowering the efforts required to manage a pool of contractors, their verified credentials and their data privacy hygiene. With Consento, your reputation is safe.

User-centric + co-responsibility + access control in your confidential files.#

Out of the box certified#

Consento will enable you to easily comply with GDPR regulation. Regulations change over years, and it may cost you efforts to keep an eye on regulatory changes. Relax, Consento will notify you of any relevant changes.

You are a crypto-millionaire! If only you hadn't lost your crypto wallet key...#

Have you heard how many bitcoin users would have become millionaires, only if they hadn't lost theit password? Bitcoins and distributed ledgers technologies opened amazing opportunities to secure transactions online. Although their technicality makes most end-users a bit chill. Moreover, they transform the end-user into the "single point of failure".

Password managers are presented as the solution. But they just postpone the problem... Password manager services seem to solve the everyday authentication issue. But actually, they just postpone the problem; either end-users forget about their master password; either their precious vault with all their precious passwords becomes a centralised vault worth hacking!

With Consento, secure your wallet credentials for years, without putting all your eggs in the same basket.#

With Consento, split your access key in parts and keep them safely stored on the devices you chose, yours and those of your trusted ones. To authenticate, Consento gathers the pieces on your request. No need to remember your password.

To keep your access under control, Consento makes sure the partial keys are taken care of and notifies you if any action is required from you to ensure your data security.

Long-lasting + sovereign + hight-level security for your digital keys.#

Out of the box certified#

Consento will work with your prefered Crypto Wallets.#

Consento will compete at the SxSW 2021 Startup Contest. Let's meet there!

The technology behind Consento has a bit of a magic. So we made a video to share that.

Thank you for watching.

About the thinking behind Consento and how it is supporting the plan to stay in control of data we need to stay in control.

Giving up responsibility is comfortable. We know this because giving up the responsibility of making good backups, structuring our data and publishing articles responsibly is something we gladly hand off to online platforms.

There are many common "best practices" how to minimize the exploitation of your data by big companies: Have multiple e-Mail addresses, use a password manager, don't share too much on social media etc. But this feels like a drop in the ocean. You still need to accept the rules of the system and hope not to get caught.

But how could a better system look like? How comfortable and powerful does a system need to be for us to maintain autonomy? We have been asking thinking and tinkering around these questions for more than a year and have received support from the NGI Ledger program a half a year ahead of our current, global challenges.

Here is the set of important requirements we identified:

Under the name of Consento, we started with a mobile application that exchanges consent requests through a completely private network with anonymized identities. You can take it for a test-ride by downloading our latest release.

As a team, we started to work on this issue with Georepublic being the primary entity. We hope that now, as we are getting to something more concrete, others will join our effort and help us make it a reality. → https://github.com/consento-org

As a society, we are not at a place where we as individuals can take on our "data-responsibility" yet. That's why we aim to raise awareness for this topic and also reach out to non-tech-savvy people, because the issues we want to solve concern everyone!

While the topics of the NGI Leder program are broadly spread, many of our sibling projects work on complementary goals: Cobox has been building the software infrastructure that allows us to exchange content. Iuvia has been working on a hardware one-fits-all solution that can be used as a server in house, building with similar building blocks, both necessary to take control over data storage sovereignty (read more in Jaya's post). oneHealth works on a responsible collection of medical data (think Fitbit; but also doctors offices) and Worldbrain's Memex is moving browsing information to a decentralized place.

If you can take this as an opportunity to support all of us by sharing our work, asking us questions or contributing to our efforts, that would make our day.

Thank you for reading.

The concept behind Consento - Human-Factor Authentication - requires trust. Consento aims at delivering a novel way to securely store confidential data encrypted without central cloud solution, and access them without depending on complex passwords. Instead, with Consento users can request the consents of peers they have decided to rely on. Such a new way to secure confidential data requires appropriate UX (user experience) & UI (user interface) to guide users in handling data privacy. But before discussing about the right UX/UI, we need to discuss a bit about a fundamental object: trust.

Indeed, before it comes to build trust in the UI, we need to build trust in the system. And before the system, there is the belief in the system. Consento story requires quite some thoughts about various forms of trust: trust in the system build by the web of devices, and in the other peers who act as trustees, if not also trust in the Consento business and team itself. So, to start with, what do we speak about when we speak about trust?

Trust#

We like the definition of trust as "a psychological state comprising the intention to accept vulnerability based on positive expectations of the intentions or behaviour of another"(Rousseau et al., 1998). Trust depends both on the individual abilities to trust and on the trustworthiness another is able to display.

Said otherwise, trust is neither a cognitive process nor an innate human feature, it is both (Mújdricza, 2019). Studies have shown that trust is an a priori given human faculty, and therefore the possibility of trust is always present. But visual cues, human contexts and past experiences affect positively or negatively the level of trust. Trust happens to be 'learned' more than 'earned', and it requires a certain affective warmth for a start.

Contemporary online experiences of trust#

Internet users experience online services as a fast pace changing context. They regularly confront with new offerings, new companies, new standards, etc. In such an uncertain context, the aspect of trustworthiness can be built on social constructs like reliability and on individual constructs like integrity (Rousseau et al., 1998).

Among the services internet users experience online (van der Werff et al., 2019), display of trustworthiness emerge on levels such as reputation systems, third party endorsement, transparency mechanisms, etc. And novel ones keep on emerging.

• The reputation systems provide a hint about trustworthiness based on other peers' previous experiences, as well as an incentive to behave trustworthy. Think for instance about peer-to-peer platforms tw-ways rating systems.

In the case of a decentralised architecture like Consento, with no central platform enforcing the rules, that system in itself might be less effective than the reputation in real life of these peers. Research (Nielsen, 2012) have demonstrated also that despite a tendency to trust more people who are similar to us, high reputation of peers (and stakeholders) eventually beats strong similarity among peers.

• The endorsement by third parties such as insurance companies, governmental institutions or civil origins is never a discrediting thing to get. Commercial companies also rely on customers' endorsements. However, studies report that online consumers pay little attention to endorsement itself. Third party endorsements bring on credibility more than trust.

• The transparency mechanisms rely on disclosing the code, the information about the company activity or the team members' affiliations. Fairphone for instance, discloses its full supply chain as a token for its commitment to transparency. On this aspect, Consento intends to embed transparency at its core, even though transparency _might be a concept antinomic with keeping data confidentially _hidden (this will be the topic of the next article eventually).

• Third party endorsement and transparency can be complemented by public self-assessments of governance.

Digital and in-real-life consents#

As for one's ability to trust, it is constantly reassessed depending on the lived experiences, online and offline. A personal dramatic event, or a worldwide pandemic for instance, do impact people's ability to trust each other or their institutions. Even if Consento is first a digital tool, we remain aware that the evolution of people's trust capacities happens mainly off-line.

The 'nudge' approach represent an interesting look into that matter. Humans are inherently biased cognitively. For instance, we would rather avoid loosing than risking to win, we weight the same information differently depending on the credits we give to the speaker, we assess value differently depending on the initial frame given to us to look at the matter, etc.

We have to remember that Cass Sustein and Richard Thaller approach spurred discussion on how much governments or corporations should be allowed to 'nudge' us to do what they want us to do. But when we speak about trust, we should not dismiss our cognitive biases, because before being rational, we are first human.

Roadmap#

So here are the track on which we'll work and test our assumptions : build on peer's IRL reputation, third party endorsement and transparency mechanisms. On these aspects, if you have any comments or recommendations of relevant actions for Consento team to take on, we are open to suggestions.

Else, what do you think? Is there any other ways of trust building we should keep in mind while developing Consento?

About why we chose a mobile app as a start for Consento, what challenges we encountered and what we learned on our way−so you don't need to.

Around June of 2019, we were discussing and thinking hard about an initial version of Consento would look like−a MVP. We had a few long and hard discussions, trying to tie down what is necessary for us to figure out. Our priority No. 1 eventually landed on daily usability. We wanted to make sure that whatever product we are building will be useful in everyday life. Ultimately, it means that this has to be on a mobile device; a mobile app.

This was a problem for us. Yes, we are developers and−yes−we have experience with desktop and server software, but no: our strength is not in mobile apps. We had to learn quickly and make choices. To make this an informed choice we looked at our requirements:

1. We need it to be JavaScript based to stay compatible with the dat ecosystem.
2. We do not want for the user interface to stutter. This means our code needs to run separately from the UI (in a different thread).

Of the two popular choices we found, we went with React Native over NativeScript. It seems easier to find people with React Native experience. It has a pretty good reputation and we wanted to use React for the user interface. Choosing it seemed the straight-forward choice.

React Native can be used as-is, but for quicker development we learned that Expo.io is really comfortable. Expo limits React Native to a pre-defined set of extensions. This restriction allows the immediate installation on any device, quickly. No need to wait for slow build or publishing processes. − Cool, we definitely want that!

Design Process#

We want to use Open-Source software for as many tasks as possible, as it allows contributors to join freely and quickly. Sadly, we have not found a free design software that works for us. Sketch is reasonably cheap for a design software, can be used offline, allows some hacking with the format and is overall the only choice we could see−even though it runs only on MacOS. (though .sketch files can be edited using Lunacy on Windows)

With the design ready we need to turn it into code. We wanted to automate that so we also informed ourselves here:

• BuilderX looked professional but has a steep price tag of 15$/month/person and the output wasn't good to use in our opinion. Repeat output would clash with expo and typescript and we had to improve the output by hand.
• Zeplin.io is useful for communication and is okay for a copy & paste process but in the long run was going to be painful for updates: What did we already update? Where is the difference between design and code? How do we add the non-trivial features?
• Sketch-to-react-native does sound promising but it exports to JavaScript (and we work with TypeScript) and the output is not suitable for repeat exports. This would allow us to export once and any future update would be problematic.

After testing a few alternatives we knew what we needed.

1. It needs to be able to change the Sketch file repeatedly without breaking the rest of the code.
2. It needs to output all the things we need: images, fonts, elements.
3. It needs to be free or cheap.

Since we couldn't find any tool to do that, we wrote it ourselves. 🤓 ↓

Hello, expo-export!#

To get the workflow right we built in parallel to our first app expo-export! It is a free and opensource software, that you can add as a plugin to Sketch. It will add a menu button that with one click exports the assets, fonts and components of the layers in that sketch file to relative folders.

In its current version expo-export is rough around many edges but the development has been mostly a breeze and we learned a lot about the capabilities of Sketch. Now, when we create changes in Sketch we can see the updates immediately(-ish) in the mobile app.

Security & Performance#

The last topic for this post is about performance. If you try to use Consento right now on a slower device, Consento will be slow! Particularly when adding a new Relation or adding a new file to a vault. The reason for this performance issue is tied to our initial choices (back in the first section). In order to work with dat, we need to rely on a specific encryption system (libsodium) that is not working fast on react-native.

We thought initially that this should be the smaller issue and will be easily improved later-on but it turns out that encryption on mobile devices is a pretty big deal. The current version works more-or-less but because of time constraints the current solution is not compatible with dat. 😱

Maybe we should have gone with NativeScript as a platform? NativeScript has a synchronous libsodium plugin after all, though without iOS support. A more straight-forward choice might have even been nodejs-mobile, a recommendation we received quickly from the mapeo team, after asking for it far too late.

When we started we also were not aware of publication difficulties in the AppStore (specifically france) due to long-standing rules on cryptographic exports or limitations on importing cryptographic in parts of the world. China also put out new crypto laws.

In short, we need to rethink our strategy for getting dat-compatible and fast cryptography to work on a mobile phone. to our github issue #90 to follow our progress.

You can have a look at the Consento mobile app right now → Releases.

The version v1.0.2 is still a very early preview, but it may inspire you.

In the meanwhile, we will be working on several improvements. You can follow our progress on this blog, using RSS, or in the keybase chat.

The goal of Consento is to provide a free and open technology for humans. Neither free nor open rimes well with profit though, and our initial [team][../team] has been thinking about how to make Consento viable from the start. It was clear to us that we will progress slowly on our own. Through our contacts in the DAT community, we learned about various funding opportunities and eventually found the perfect match with NGI's new LEDGER program.

The Next Generation Internet (NGI) is an EU fund that supports the decentralization of power in the internet and the empowerment of humans in this technology-powered day and age. The LEDGER program of the NGI focuses particularly on this core topic and so we applied. (We first took the character limit for a word limit in the application, and basically we wrote a short book on Consento before we had to cut it down to the essence 😅)

Daniel presented the general concept and the work we did on May 29th in Amsterdam. The event was stuffed with people that spoke the same language with us. This was an exhilarating experience for him, considering that we hardly found someone vaguely familiar with that topic in our physical surroundings.

The NGI saw a lot of potential in Consento and we are now part of the first batch of projects! In this first funding we will be focusing on prototype development (giving you something you can try out) and further UX research.

We are so excited about this and hope you join us on our way to the future!