Tim Berners-Lee’s Plan to Save the Internet: Give Us Back Control of Our Data

By Pieter Verdegem, Senior Lecturer, School of Media and Communication, University of Westminster Originally published at The Conversation.

Releasing his creation for free 30 years ago, the inventor of the world wide web, Tim Berners-Lee, famously declared: “this is for everyone”. Today, his invention is used by billions – but it also hosts the authoritarian crackdowns of antidemocratic governments, and supports the infrastructure of the most wealthy and powerful companies on Earth.

Now, in an effort to return the internet to the golden age that existed before its current incarnation as Web 2.0 – characterised by invasive data harvesting by governments and corporations – Berners-Lee has devised a plan to save his invention.

This involves his brand of “data sovereignty” – which means giving users power over their data – and it means wrestling back control of the personal information we surrendered to big tech many years ago.

Berners-Lee’s latest intervention comes as increasing numbers of people regard the online world as a landscape dominated by a few tech giants, thriving on a system of “surveillance capitalism” – which sees our personal data extracted and harvested by online giants before being used to target advertisements at us as we browse the web.

Courts in the US and the EU have filed cases against big tech as part of what’s been dubbed the “techlash” against their growing power. But Berners-Lee’s answer to big tech’s overreach is far simpler: to give individuals the power to control their own data.

Net Gains

The idea of data sovereignty has its roots in the claims of the world’s indigenous people, who have leveraged the concept to protect the intellectual property of their cultural heritage.

Applied to all web users, data sovereignty means giving individuals complete authority over their personal data. This includes the self-determination of which elements of our personal data we permit to be collected, and how we allow it to be analysed, stored, owned and used.

This would be in stark contrast to the current data practices that underpin big tech’s business models. The practice of “data extraction”, for instance, refers to personal information that is taken from people surfing the web without their meaningful consent or fair compensation. This depends on a model in which your data is not regarded as being your property.

Scholars argue that data extraction, combined with “network effects”, has led to teach monopolies. Network effects are seen when a platform becomes dominant, encouraging even more users join and use it. This allows the dominant platform more possibilities to extract data, which they use to produce better services. In turn, these better services attract even more users. This tends to amplify the power (and database size) of dominant firms at the expense of smaller ones.

This monopolisation tendency explains why the data extraction and ownership landscape is dominated by the so-called GAFAM – Google, Apple, Facebook, Amazon and Microsoft – in the US and the so-called BAT – Baidu, Alibaba and Tencent – in China. In addition to companies, governments also have monopoly power over their citizens’ data.

“Data sovereignty” has been proposed as a promising means of reversing this monopolising tendency. It’s an idea that’s been kicked about on the fringes of internet debates for some time, but its backing by Tim Berners-Lee will mean it garners much greater attention.

Building Data Vaults

Berners-Lee isn’t just backing data sovereignty: he’s building the tech to support it. He recently set up Inrupt, a company with the express goal of moving towards the kind of world wide web that its inventor had originally envisioned. Inrupt plans to do that through a new system called “pods” – personal online data stores.

Pods work like personal data safes. By storing their data in a pod, individuals retain ownership and control of their own data, rather than transferring this to digital platforms. Under this system, companies can request access to an individual’s pod, offering certain services in return – but they cannot extract or sell that data onwards.

Inrupt has built these pods as part of its Solid project, which has followed the form of a Silicon Valley startup – though with the express objective of making pods accessible for all. All websites or apps a user with a pod visits will require authentication by Solid before being allowed to request an individual’s personal data. If pods are like safes, Solid acts like the bank in which the safe is stored.

One of the criticisms of the idea of pods is that it approaches data as a commodity. The concept of “data markets” has been mooted, for instance, as a system that enables companies to make micro-payments in exchange for our data. The fundamental flaw of such a system is that data is of little value when it is bought and sold on its own: the value of data only emerges from its aggregation and analysis, accrued via network effects.

Common Good

An alternative to the commodification of data could lie in categorising data as “commons”. The idea of the commons was first popularised by the work of Nobel Prize-winning political economist Elinor Ostrom.

A commons approach to data would regard it as owned not by individuals or by companies, but as something that’s owned by society. Data as commons is an emerging idea which could unlock the value of data as a public good, keeping ownership in the hands of the community.

Tim Berners-Lee’s intervention in debates about the destiny of the internet is a welcome development. Governments and communities are coming to realise that big tech’s data-driven digital dominance is unhealthy for society. Pods represent one answer among many to the question of how we should respond.


Print Friendly, PDF & Email


  1. Mikerw0

    This may be more important than implied. These large monopolies get a critical raw material, cost of goods sold, for free. This gives them a profit model, regardless of how they choose to report it, that allows them to have a competitive advantage that other companies can’t match. While their direct destructive actions are well documented (e.g., Amazon seeing companies sell then directly competing with them) this stifles the growth of new potentially more interesting businesses.

    An elegant solution, though I am not holding my breath. I guess the question will be for a period is the effectiveness of the big tech monopolies in lobbying the halls fo power to protect their current business models. Big oil, big Ag, Wall Street and pharma, for example, do a spectacular job of this.

    Maybe more likely will be a war among the big techs. Is the brewing Apple – Facebook dust up real or a distraction?

  2. Aaron

    I am not buying the whole “pods” idea. It seems like a way to get all our data in one place. If they have that, they don’t need to bother with all the cookies since everything we do in the internet will be tied to a unique ID, neatly packaged and labeled.

    This seems like another end run by Big Tech around the increasing data privacy legislation everywhere. If they can convince the lawmakers and activists that they are really doing something to protect personal data, they can stop the legislation in its tracks. If the custodian of the vault is a private entity or a big-tech funded nonprofit, there is no guarantee that only the necessary data will be accessed.

    For example, till a few years ago, Amazon did not require you to sign in to buy something. You can use a “guest access” and give your name, address, email and telephone to buy something. Then they removed it, and forced you to login with an email id/phone number. Why? To make accessing your browsing/purchase habits easier!

    Another one is the “accept cookies” prompts you get in every site. They show some cookies as essential (you cannot opt out of them) and some as optional (you can opt out). But how do we know if they are really essential? Can we take their word? What if it is just an eyewash to give you an illusion of choice in protecting your privacy.

    Yet another one is Google starting a paid news platform in Australia to forestall the new law forcing them to pay news publishers for sharing news content. They will make a show of paying some news outlets for news content, then the law will die a stillbirth. Then a few months later, they can go back to business as usual.


    (To be fair to Google, at least partially, the bill forces them to pay even if a link is shared. Not just for snippets or whole content. Interestingly, Tim-Berners Lee spoke specifically spoke against this aspect of making them pay for linking. He agreed with every other aspect of the bill, but the news twisted it into “Creator of web is against Australia’s new law”)

    Google’s “cookie-free web” is already a prelude to this. No more third party cookies. Everyone has to pay Google to access our browsing habit data.

    The problematic bit is this: “Under this system, companies can request access to an individual’s pod, offering certain services in return – but they cannot extract or sell that data onwards.”

    What if every company says, “Give me access to your pod, or no service”?. And if we do give access, how do we control what data is accessed by them? This sounds really nice in paper, but the devil could be in the fine print.

    I realize I come off as too paranoid here, but I have become too skeptical of “Tech” solutions these days. I am open to debate on this.

    1. Carolinian

      While one hates to disagree with the founder of the internet I think you may be right. Jimmy Carter said that if you want your communication to be secure use a stamp. Given the power of hackerworld it seems dubious that there will ever be full privacy protection for critical data short of keeping it off the internet altogether. Some of us believe the mania for “the cloud” was intended to defeat this attitude.

      And even if one is not concerned about hackers be assured that the government will vehemently oppose any effort to put personal data beyond their surveillance on the grounds of “terrorism” or whatnot.

      The web has always been about communication access and convenience, not privacy. The danger is perhaps less that companies do this than that the general public doesn’t know the score.

      1. Carla

        Jimmy Carter could not foresee Louis DeJoy. Maybe — maybe — DeJoy doesn’t open our mail, but he’s managed to make sure it doesn’t reach its destination.

        1. drumlin woodchuckles

          It should be easy for Pres. Biden to fire DeJoy and fire every member of the Postal Oversight Board ( or whatever it is called), and replace them all with pro Postal Service people.

          It would be harder to repeal the so-called “Postal Accountability and Enhancement Act” of 2006 and set the Postal Service re-free to adopt normal levels of retiree pension pre-funding, and use the rest of the money to repair and restore Postal Service functionality.

          Harder because the stealthy slow bleed-out extermination of the Postal Service is still a BiPartisan Depublicrat objective. It would take a lonely few rebel legislators to try making it an issue. Perhaps highlighting the role of Diane Feinstein’s husband in monetizing the slow murder of the Postal Service would be a place to start recruiting public interest in saving their public Post Office from the Biparty Depublicratic conspiracy to destroy the public’s Post Office.

      2. Bawb the Revelator

        “While one hates to disagree with the founder of the internet I think you may be right. Jimmy Carter said that if you want your communication to be secure use a stamp. Given the power of hackerworld it seems dubious that there will ever be full privacy protection for critical data short of keeping it off the internet altogether. Some of us believe the mania for “the cloud” was intended to defeat this attitude.”

        This could bring back Writing With A Pencil and First-Class Mail at the Post Office but maybe I’ve been on a Seriously Good News starvation diet for too long. One can hope for the best, may not one? ;)

    2. Pelham

      Excellent points. In my work, I have to use a great number of industry and news websites and sometimes get the cookie prompt or a “we value your privacy” prompt that requires me to accept whatever they want to access content. I have little choice but to do so.

      But even when browsing on my own I never elect not to agree to these requests. The invisible and minimal-in-the-moment consequences of signing away my privacy is far outweighed by the immediate goal. I believe the only real solution is to ban tracking of any kind altogether.

    3. Ergo Sum

      “Just because you’re paranoid doesn’t mean they aren’t after you.”

      In my view, we are way too far in the proverbial rabbit-hole to turn back now. This is a multi-billion, if not trillion, dollars business; some of the businesses built their existence on this business model. Microsoft had been probably the last one joining the fray, with their Windows 10 “built-in telemetry” that had been retrofitted to Windows 7 and 8.x. The Office 365 is even worse, all of your documents syncronized to One Drive alongside of the telemetry data.

      Was it really worth for Microsoft to join the fray? During the last six year, MS has been loosing marketshare for its browser, platform, etc. Despite that… In July, 2015 the MSFT stock value was $45; last Friday it has closed @ $242. It certainly had been worth for Microsoft…

    4. Lambert Strether

      > I am not buying the whole “pods” idea. It seems like a way to get all our data in one place.

      From the Solid Site:

      Solid lets people store their data securely in decentralized data stores called Pods. Pods are like secure personal web servers for data. All data in a pod is accessible via the Solid Protocol. When data is stored in someone’s pod, they control who and what can access it.

      It’s OK not to be sold on something, but is it too much to ask that you check the product specificqtion first?

  3. arkansasangie

    I want to charge advertisers for advertising to me. I want to select companies that I will view ads from and block (aka boycott) anyone I want to.

    If anybody is going to make money off of me … I am. Access to me is via Me! Walmart … Google … even the IRS, for that matter, do not own me.

    Prove I’m me? Screw you. Prove your you to me. Thank you very much.

    1. Lambert Strether

      > I want to charge advertisers for advertising to me.

      That’s how it should. Does anybody remember “Green Stamps”? (Of course, there has to be an identity to send the Green Stamps too, but….)

  4. Barbara

    unless how we connect to the internet changes, I don’t see how this works. In the beginning there was dial-up and our internet usage was connected to our phone number. Now with wifi our computers are identified in myriad ways from our wifi supplier and our computer’s unique identification. If identifying information is out there before we connect to pod??

    In order for this to work, we have to get to the pod without any leaking of personal information. I think.
    I’m not an expert.

    1. Lambert Strether

      > If identifying information is out there before we connect to pod??

      From the FAQ, Solid seems to have the notion of an “identity provider”:

      I just signed up but have two profile locations, what is the difference between the two?
      Solid specifications can be implemented by a variety of identity providers, Pod providers, and apps. This allows you to use services from a variety of providers and take the data along with you when you switch i.e. they are compatible.

      You can find out the differences between each of the service providers by looking at their respective websites and terms and conditions.

      Having two WebIDs with two different identity providers or the same identity provider is very much like having two email addresses. These WebIDs are unrelated to each other, and can have different data sharing preferences attached to them, e.g. one allowed to access your company documents, and the other your health record.

      So there’s a layer of indirection between you in RL and you in the PodVerse (or whatever it’s called) provided by the identity providing entity. I can see that entity being attacked by cops, say, but I don’t see how that’s different from what we have today.

  5. MartyH

    For reference, see the work of Ted Nelson. It’s best discussed in “Computer Lib” and spawned his Xanadu Project. It was a centralized as Facebook but understood IP much more deeply. Sir Tim’s approach recognizes the potential for decentralization but it’s not YET clear we understand how to maintain the “Network Effect” and “Privacy/Ownership” at the same time.

  6. lyman alpha blob

    This allows the dominant platform more possibilities to extract data, which they use to produce better services.

    Do they really though? We’ve all talked about google’s crapified search. You used to be able to go to Amazon, look up a book, and receive the copy you wanted. Now you can hardly tell what product a review is even referring to.

    The purpose of extracting more data is clearly not to produce better services as so many services have become demonstrably worse. The purpose is to convince the C suite rubes in other companies that moar=better, get them to overpay for ads, and walk away with a few billion as your company comes to dominate those that they are ostensibly ‘helping’.

    Snowden talks in his book about the golden age of the internet in the 90s and it really was a much better experience. It wasn’t hard to wander around and read about anything and everything. Now you can’t even find an article you know is there, and it’s increasingly difficult to get out of the silos the big tech companies try to trap you in.

    We do need a much better internet and I’d love to see it. This article is a little short on the details of how that might happen though. Whats to keep big tech from figuring out how to bust into my pod? I’ve seen this kind of thing from Berners-Lee for a few years now and I’m not convinced it will work, and with no will from the political class, I’m really not sure how you ever bottle up these data sucking genies.

  7. John B

    I have not read the details of Berners-Lee’s plan, but merely putting critical data in one place does not guarantee any access control concept. It gives one authority, presumably a pseudo-NGO proclaiming its virtues (but actually or eventually controlled by money power) the right to do whatever it pleases with the data.

    Take a look at ICANN which controls internet names and licenses registrars of names. They freely license known scoundrels as registrars, who invent names and use them for scamming/phishing/harassment operations without traceability to the criminals. Complaints to ICANN go unanswered: they set up a complaint process, do nothing, and deny all responsibility of themselves and their crooked registrars, You can be sure that they are all crooks working for the highest bidder, solidly in the brotherhood of scammers themselves, and probably controlled by the secret agencies.

    To have an honest government or agency serving the people, it is necessary to establish rigorous controls as part of the organization: redundant cross-checking committees with rotating memberships, all administrators and their relatives monitored in possessions and cashflows for life, etc. Simply hiding behind the tribalist notion that we’re all nice guys here does not protect the institution from corruption. As soon as it has something the rich wish to control, there will be overwhelming efforts to control it.

  8. Aaron

    This sounds positively Luddite, even to me, but let me put it out there. Why collect so much of our data at all? Why does the internet have to be free and paid for by our usage data? Why don’t we pay for all the internet services like we do (or used to) for the offline versions – newspapers, videotapes/CDs, phone calls, mail, etc. The irony here is, people do pay for it. Newspapers have paywalls, businesses pay for email (and office applications they use), there is a premium version of every site cropping up now.
    So why not cut out the intrusive data collection and charge the economical cost? If you do want to use data, use it like DuckDuckGo does – just ads served up based on your search keywords and country. They seem to do just fine. No cross referencing with what you told your wife (that your smart speaker overheard), or your browsing history, etc.
    Google made 181 billion last year, most of it from search ads. If we assume they can only get 10% of that without collecting our personal data, the remaining 163 billion works out to something like 40 odd dollars for each of the 4.5 billion or so internet users globally. If Google makes a piddly 40 bucks for each user, then it is time to question whether their business model is really viable (which also partly explains Big Tech’s desperation to hoover up more and more of our data). And this is after spreading to every corner of the world, and using every trick in the book to avoid taxes.
    Internet seems to have degenerated from something that exists for people’s convenience to something for the sake of itself. I would not mind having a smaller internet that we can afford. I haven’t thought through the implications of that, of course. But I will say that the whole thing feels like a house of cards.

  9. Tom Pfotzer

    I think this is a good idea, for several reasons:

    a. It gives the individual control over who gets access to the personal data of that individual
    b. It re-affirms the principle that my info belongs to me
    c. It requires the acquirer of that personal data to give something in exchange for it…before the acquirer gets that data
    d. It provides an opportunity to negotiate a binding “terms of use” for that personal data, and that is a contract, and it’s enforceable. The contract could specify harsh terms for misuse
    e. It’s conceptually simple, and may be simple in implementation
    f. It can provide a modest revenue stream to the individual. If you buy a lot of stuff, your data is valuable
    g. It is a powerful tool that can be used to disrupt the surveillance operators. It could have a very significant impact on their profitability
    h. It’s called Inrupt. Good karma

    The issue I see is “who owns the technology behind the product”. Companies have a way of starting out with good intentions, and good people. Then things happen, and the great idea gets … un-rupted. First thing you know, instead of “don’t be evil”, it’s the instrument of a lot of unhelpful and predatory behavior. Goodle comes to mind.

    If Inrupt charged a modest annual fee and used that money to set up a Legal Defense Fund, proceeds used to sue companies who don’t abide by the Terms of Use contract, that would be a game-changer. Especially if some of the settlement money was distributed back to the victims of the crime.

    1. Mikel

      “It gives the individual control over who gets access to the personal data of that individual…”

      No it doesn’t. It gives the creator the POD control over data.

      You shouln’t have to send all the information of everything you do on the internet to a central location.

      Privacy and soveriegnity is you deciding what gets saved, stored, and transmitted. There is no default to storage – only a choice made by the user. And not talking about waivers in user agreements.

      1. Lambert Strether

        > You shouln’t have to send all the information of everything you do on the internet to a central location.

        How is the Pod User sending it? I don’t see preventing Big Tech from hosing up metadata as being within the scope of the project.

        > not talking about waivers in user agreements

        TBL seems to have a less jaundiced view of the market than some NC readers might have.

        To me, Solid looks something like a Trojan horse for the Semantic Web, TBL’s long-time hobby horse. From the site:

        Any kind of data can be stored in a Solid pod, including regular files that you might store in a Google Drive or Dropbox folder, but it is the ability to store Linked Data that makes Solid special.

        Linked Data gives Solid a common way to describe things and how they relate to each other, in a way that other people and machines can understand. This means that the data stored by Solid is portable and completely interoperable

        The underlined part is by no means a solved problem, although TBL seems to think it is.

  10. vlade

    I don’t get this idea.
    – it proposes that people put all their data in one place. That’s just a big nice thing in front of all hackers and what have you.
    – data is infinitely copiable. Once the data is out of the pod, it can be copied as many time as the user wants. Arguably, the pod will get new data all the time, but still..
    – given that most users will just click “yes” anyways, why does it matter at all? Especially if they will be given only a similar choice like now “accept cookies or you’ll get nothing”.

    TBH, I prefer a few other things:
    – regionality ala GDPR. I.e. it doesn’t matter where you provide a service from, but who to. No running into a law-less jurisdiction.
    – all data collection must be explicit. No “one-pixel FB cookies” for non-FB users and similar. A company can collect data _only_ on its users, with their explicit approval
    – opt-out from user-as-product business model. All users must have an option to pay for the service, where the price is set as the average revenue on the pay-with-data user (i.e. all classes of the users must have the same costs) . Paying user’s data cannot be used for any commercial purposes.

    Even that does not solve all the problems, as many of us left a large public history of our doings on the internet, which I would be hard to protect, since we made it explicitly public. If someone quotes this comment somewhere else, in five year’s time, or uses it in any other way, I can’t see how (and arguably even why) it should be protected.

    1. Calypso Facto

      I have a longer comment in purgatory outlining what I think the ‘actual’ biz model/point of this is, but I agree that it won’t solve the problem as presented and also doesn’t really matter.

      I will also add, from my professional experience behind the curtain at multiple clouds and non-cloud platforms, that GDPR regs are one of the few with teeth that the companies actually adhere to and build their systems around (not even if they expand into the EU market, like you say, it’s about where the user is not the service). And further that this regulation is almost entirely the reason for the stronger startup scene in EU vs US currently (I tried to leave the biz and change careers but I couldn’t stand remote learning and am back, but now at a European not US startup, and I was a little surprised by the health/difference between US startup culture).

      1. vlade

        Yes, it does – the pod.

        Sure, in theory people can have multiple pods, but how many actually will? Will we then have a super-pod to watch the pods and select the right one as people have password managers now?

        It doesn’t not matter whether the pod is in the cloud with Google, or with the user on their machine. In fact, breaking into people’s machines is, in general, so much easier than into ASW – because if ASW loses the data, it can be made (at least in theory) liable.

        Decentralisation by “it’s on people’s PCs” doesn’t work because most people’s computers are full of security holes. Right now, the major “commercial” break-ins into user’s PCs are to slave them and sell the capacity for DDoS etc. attacks. Otherwise, the data on the PCs have little commercial value – in general (that doesn’t mean you can’t harvest data, but it’s not worth the effort). With this, you’d make it worthwhile.

        As an counter example. There are, even now, ways to make email secure. PGP has been around for decades, and privides both signature as well as full encryption. Uptake is trivial, and even MS’s “veriefied sender” via outlook has not a huge one.

        Because it’s hard for people to go to something entirely new, to change how they work in full. Which goes to the heart of the problem.

        A technological solution that is not part of the built-in infrastructure so that people do not have to do anything (or very little) to adopt it, will not get adopted, “just because it’s better”. Most people don’t give a toss about their privacy (until it burns them), and those who do, can deal with it even now.

        Privacy and security aren’t technological problems. The are people problem, and interface problem, which tends to turn into people problem, because you can’t have ease-of-use and security at the same time.

        It’s almost Augustinian – “Gods of technology, make me safe and private, but only at no effort to me.”

  11. Calypso Facto

    The pod idea is a start but I’d like to explain a bit about system choke points and why this will not ‘save the internet’, only create new tollbooths while creating an illusion of security. I’ve bolded a key line:

    Inrupt has built these pods as part of its Solid project, which has followed the form of a Silicon Valley startup – though with the express objective of making pods accessible for all. All websites or apps a user with a pod visits will require authentication by Solid before being allowed to request an individual’s personal data. If pods are like safes, Solid acts like the bank in which the safe is stored.

    Let us imagine two business cards: Card A is black text on white stock with a business name, contact information, and a short description of services offered and times available. Card B is one of those visual puzzle images that looks like a mess of colored static dots, and when you put on a pair of red-blue paper glasses, you can see the business details same as the other card – but only if you have the red-blue glasses.

    In this analogy, Card A represents a general user with no security or privacy precautions, as seen by the entities on the other side viewing the user’s traffic through the internet. Card B represents a user with fully encrypted presence. The red-blue goggles represent a crypto key or other means that can successfully decode Card B.

    What Inrupt/Solid are proposing is a protocol which will enable them to be the single trusted point of authority to decrypt their protocol. They want to be the only trusted pair of red-blue goggles, and to force the other players to play by their perceived rules of fairness. The personal data in the ‘pod’ is kept on the user’s device, so they’re proposing a means so that the companies interested in the data may view it if they have permission but cannot store it. Okay, noble goal, two questions to ponder:

    – Do you trust TB-L/Inrupt/Solid more or less than Amazon/Google/Microsoft? They already have authentication key store services which will allow anyone to spin up their own secure key store no different from what Solid is proposing. The pod idea itself is not a big deal, most browsers and clients cache some data already – this would just standardize the protocol and force everyone to abide by the standard.

    – What happens when Solid’s authentication system goes down, or are they planning to build a single system for the entire global internet? Perhaps the idea is to have Solid-as-a-Service running on the global clouds, and we trust that TB-L and crew are savvy enough to resist the security arms race around their product and stay on top of their own tooling so that it can be secure on top of an insecure platform?

    Note, also, this is effectively only targeting the type of information used for things such as targeted advertising – the ‘personal identifying information’ that is not explicitly defined as legal PII but may be constructed from the various cookies and javascript used to track users around the public internet. Would you pay for a monthly service to obscure yourself from that? Why not just make targeted advertising illegal and force the platforms to clean up their own f—-ng mess?!?!

    Also before anyone suggests nationalizing the trusted keystore I would think the NSA would love to hear that since then they could stop leaning on AT&T and the clouds to retain copies of the data for their later use. Whoever has the trusted keys has access to the kingdom, after all.

    1. vlade

      Indeed. And as I point above:
      – it does not actually secure the user. It provides the data to anyone who has the right key (glasses). We know that the major breaks in security are human drive – weak password, misslaid password, phishing what have you. That would become a major industry IMO.
      – related to that, another thing occured to me. Pod spoofing. How do you truly verify that the pod is you, and you only? And how do you differentiate thousands of John Smiths, who move around, lose their pods, passwords and what have you? Robot clicks are a major problem in the ad industry now, and if you’d someone to pay more for this, I don’t see how unless you managed to get this down (and it’s also related to the first one).

      This is just showing a major problem of many many technologits, they assume that the world of technology IS the real world. It’s not, it exists in its own universe, with its own rules. Any technological system will be only as good as its weakest point – and the weakest point in relation to the real world will always be the interface to the real world. There’s no point in having a perfect system if the data entering it can be spoofed, and, due to the nature of those two system, that will _always_ be the possibility.

      1. Calypso Facto

        Yep exactly. They’re truly just proposing a new tollbooth (possibly on the companies, not the users) where they can exert chokepoint pressures and extract a rent from someone. I imagine the actual business play is akin to regulatory capture, ie they hope to be invested with the power of a state agency to act as the secure key broker for a regulated targeted ad market.

        How do you truly verify that the pod is you, and you only?

        They’d likely have individual users authenticate a session to their servers, just like Google or another cloud. That is what I mean by my comments above about the NSA loving a single trusted authority for something like this, because it would be relatively trivial to give access functions within a client library on Solid’s side for a user access role just for the security services. They wouldn’t even technically be in violation of any of their security claims, either. And everyone using it would be validating on their side that they are indeed the owner of all of this traffic on these multiple devices. Even if it was ‘just’ for blocking digital fingerprinting/targeted ad/cookie data, it would be enough to construct a fairly accurate picture of most people’s device ownership and internet usage patterns.

    2. Lambert Strether

      > What Inrupt/Solid are proposing is a protocol which will enable them to be the single trusted point of authority to decrypt their protocol.

      No, they are not. Solid is not a business entity. It’s a set of protocols. From the FAQ:

      As any standard, Solid only describes the interaction model the system must be compliant with. The Pod Provider only exposes a REST read-write interface to the clients, to which the storage technology is irrelevant, as it is in most Web-based systems. How this interface binds with the storage is specific to each Pod Provider.

      Inrupt is the business entity that uses Solid Protoocols (see documentation). Any other business entity that uses Solid Protocols can compete with Inrupt.

      1. Calypso Facto

        So I’ve got 9 tabs from Solid’s documentation up to disprove your statements, alas, I need to work and I have a rule about not replying here when I’m pre-coffee and post-correction from a mod. So partial response with more to come, in the meantime:

        Here is the standard for the authentication protocol for Solid. Authentication is ‘user has privileges’.

        Here is the standard for ACL for Solid. ACL (Access Control) is what roles/rights a user has.

        > What Inrupt/Solid are proposing is a protocol which will enable them to be the single trusted point of authority to decrypt their protocol.

        No, they are not. Solid is not a business entity. It’s a set of protocols.

        Yes, it is a protocol which enables their authentication servers – which will be built on top of existing cloud platforms – see the OIDC standard abstract linked above, This document aims to address that challenge by building on top of current and future web standards, to allow entities to authenticate within a Solid ecosystem) – to validate each user’s identity and ACL for sharing data with others. The authentication servers are the ‘single point of authority’, not using that statement in a biz sense.

        I’ll attempt to clarify the rest of the confusion about the pods later after coffee if I feel up to it but I have to argue with people all day about technical definitions so I may just leave this here and move on. Looking at the standard they’re just encrypted ‘buckets’ that can be hosted (on amazon natch) or locally or whatever. Again the pods – local, containerized, whatever – will still need to auth to a Solid server to unlock the ACL to share the data with someone requesting it. And if you have security-poisoned brain like I do, you know that a single entity controlling a critical authentication portal has access to add client libraries within that server for their operators to add ACLs to users without their knowledge.

        1. Lambert Strether

          Well, I’m pleased that somebody on this thread is reading the documentation (which I was able to do only briefly).

          That said, a claim that “What Inrupt/Solid are proposing is a protocol which will enable them to be the single trusted point of authority to decrypt their protocol” must show not only that Inrupt, the business entity, uses the protocol established by Solid, but that other business entities cannot emerge that use the same protocol. Otherwise, there are multiple points of authority. In fact, it’s TBL’s idea that other business entities will emerge (an “ecosystem,” to use the horrid term he uses. An ecosystem has no “single trusted point of authority” by definition.

  12. Justin

    Or they could come out from behind their mother’s IP skirt. You can have all of my data, but I will be borrowing yours in return. An eye for an eye; a person for a person…

  13. Mikel

    There shouldn’t have to be a storage for every palce an internet users has travelled on the interne nor everything they’ve ever bought, not even on a “pod”.

    And I have “pods” called external hard drives where I can store any digital information that I need access to. I don’t have to ask anybody’s permission to access or have monthly fees for that. And I deal with gigabyte size files. I buy fresh drives to back up old ones and it’s important that my access to them not be left to the whims of the techno-fasci.

    Ledgers are for your business, not your life.

  14. MJ

    I am still puzzled by the notion that advertising works.

    I can’t think of a single item that I have purchased because I saw it advertised on the internet. Just like my eyes ignored the ads when reading print media, I usually click through ads on YouTube or ignore them on news sites and web searches. I might see an occasional ad that catches my interest but it never results in a purchase.

  15. none

    Unfortunately Tim Berners-Lee seems to have lost the thread many years ago. His signing off on web DRM is another example that flies in the face of people controlling data. The web today is de facto controlled by an advertising and spying company (Google) so of course they will act in the interests of advertisers and spies.

    These people have the right idea, even if there are some details to quibble with:

    * https://gemini.circumlunar.space/

  16. curlydan

    Although the article says, ” ‘Data sovereignty’ has been proposed as a promising means of reversing this monopolising tendency,” I don’t think “data pods” are enough to break a monopoly. I think we have to have anti-trust before any substantial reform can work.

    If we suddenly move all our personal data to “data pods”, then we want to do a quick search or to view a video our friends are talking about, what good is a “data pod” if virtually all the traffic is flowing through Google or YouTube? (note: most people don’t know about Duckduckgo)

    For example, I go to view a video on YouTube, and they immediately tell me: to view this video, we need access to your data pod. Otherwise, it requires YouTube premium.

    Or to do this search on Google, we need access to your data pod. Click ‘I agree’ to proceed or ‘I agree always’ to continually opt in to Google’s use of your data pod….

    The bigs must be broken up or they will continue to use monopoly profits to force people to give up their data based on their market dominance. And these pods might even ensure better data quality for the bigs.

    1. Lambert Strether

      > I think we have to have anti-trust before any substantial reform can work.

      I agree. TBL seems to have a lot more faith in “the market” than is warranted. Nothing prevents Google or Amazon, for example, from being Inrupt customers and imposing whatever terms of service they like.

  17. ben lebsanft

    Their is a small Australian company called “Pure profile” that has been in existence for a while.

    it has been paying for personal data for years through surveys that your profile suits.
    ,yes it then on sells it to marketers etc ,although it doesn’t pay a lot in the form of money /vouchers /experiences , at least it says your worth something!!!!! and your thoughts are to.!!!
    Big Tech should be treated as a Utilities and treated accordingly as that is essentially today what they are.

  18. JohnT

    Really surprised to see the number of people who don’t support data sovereignity. The idea of a commons is deeply flawed. All you have to do is see how the idea of the commons has been applied to land like national parks and how that is abused (i.e. tragedy of the commons). Giving people complete control over their data and allowing them to decide what they want to share and what they want to allow others to collect on them is for me a no brainer because it obviously makes sense.

Comments are closed.