I like the idea and I think (and hope) someone (hopefully not a FAANG) will manage to build a product.
As for schluss.org specifically, I don't see any reason to trust them.
Well, "hacking is not allowed in the Netherlands".
But honestly, I think what they're trying to say is, we're happy if you report issues, but please don't commit a legal offense. This policy will not absolve you.
Good idea in general, the term for this category of products is personal information management system (PIMS). digi.me is the largest player but even they can't seem to get any reasonable traction, as it's an uphill battle to convince third parties to integrate with you. Classical chicken & egg problem: If you have many users the integrations will come naturally, but users will only come when there are enough integrations.
A large company like Apple would be in a better position to do something like this, and in principle Apple Pay does it already as merchants can e.g. request your shipping or billing address through that system.
The problem with these approaches is that no significant company is going to do this voluntarily. And this is not going to make a dent until Meta, Apple and friends do it. They are not going to do it because it doesn't give them an advantage, it only makes their lives harder. It makes it harder even if they don't use the data for anything, because of increased technical complexity etc.
So, this is not a technology problem, but a legal/political problem. Just as the EU is forcing big messaging apps to ensure interoperability now, the only thing that will make a difference here is a law that disallows companies from saving customer data in their own databases. A GDPR 2.0. If you want to make a difference in this space, you need to spend your time pushing new legislation.
I'm sure that in time the EU will get there. And then we will need good tech like Schluss or Solid. But before then, it's not going to do anything.
Does Solid have a concrete working example? I've tried getting into it, but it seems very academic and with the nitty-gritty details conveniently left out, it gets frustrating trying to work out what exactly Solid _is_.
I don't think Tim Berners-Lee is trying to sell us some vaporware, so has anyone got any pointer?
Solid is a specification that allows for decentralized data storage in so-called pods. The idea is that consumer applications don't store a copy of your information in their own silo - thereby having many copies of your data floating around with 3rd parties - but instead query your pod. That's the ownership / self-control aspect of the idea.
The crux is that you can self-host your own solid server with your own pods, or choose to rely on a hosting provider. That's the decentralized aspect of the idea.
The big question is how this plugs into an economic model with real world incentives, interests, distribution of power / leverage, trust / credit, and so on.
Tim Berners-Lee's startup Inrupt [0] is essentially trying to partner with companies to sell an enterprise version of the Solid Project software. Their website suggests they've partnered with some large-ish companies already [1]. I could see a webpage prompting you for a release of certain parts of your 'pod' rather than use cookies perhaps.
I agree that this won’t change anything significant until the law makes it mandatory, however a huge step towards getting the lawmakers to do so is to have the tech already out there and working well with hundreds of smaller players. That will save us years of lobbyists claiming it’s unworkable, too expensive, technically impossible, etc.
So, let's take all of our personal info that is being harvested by many organizations and further defragment & centralize it by giving it to one organization?
What could go wrong?
I like the idea of getting it out of control of the current harvesting orgs, but what makes this group more trustworthy? They seem great now, but when you are dealing with a corporation, things can change - their situation and/or leadership changes and the formerly trustworthy organization is now extracting everything they can from you.
A much better model would be to store the data locally with your equipment (maybe offering e2e encrypted cloud backup such that they can't read it), and their service provides a hub controlling the gathering & distribution of info according to your rules/permissions.
Hi all, I work at Schluss, came across this topic and found it very informative. Thanks for all your comments and thoughts!
We share your distrust against anyone making big claims. We also have been disappointed more than once. So, we get where you come from. We believe in dialogue. Therefore, we take each and every one of you seriously. With what we are trying to achieve we know we have a major challenge up ahead. We take it to the extreme: Schluss does not want to have any knowledge about its users and usage. The company at this moment is a foundation (no shares!) with the sole purpose to become a cooperative. This way every user is co-owner. On the technical side, the system must be decentralized and distributed and we want to stay away from vendor lock-ins. You as a user will own and control what is yours. No one will know of your existence or have access to your data unless you want so. This is complex and difficult to achieve because there is so much to take into account. And even though we're building a few years already, we know we're just getting started. Our software is, of course, open source and BSD licensed. See our repos here: https://gitlab.com/schluss.
"We dream of a world in which your information is yours once more" I don't recall when my information was really mine. Like ever. In pre-internet days I didn't even know who had what about me. Well, anyway... They are offering ability to manage data accessibility - all that by myself! Seems like another good part of my life gone doing just that and worrying if I set everything correctly.
Finally, I assume that once the 'pod' infrastructure goes down I can't use any of the apps - commercial or govt, right? naah, thanks
I don’t see this going anywhere unless a) it becomes costly/risky to hold customer data, b) it’s mandated by law, or c) there is massive customer demand
Unfortunately I don’t see any of those on the horizon…
If it’s German, it’s weird. In German “Schluss” is an end.
It has different connotations from the other word for end, “das Ende”, which is more literally “the end”: “Schluss” is something like “it’s over, pack it up!”
Technically it does come from a declination of “schließen”, which mostly means “close”, so I assume that’s where the idea comes from, but in this form it does not reflect normal usage. “Lock” would be “abschließen”, but “Abschluss” as a substantive also rather means “the end of something”.
As a free standing word it’s just… weird.
If it’s Dutch maybe it makes sense, don’t know Dutch!
I still don't understand how one can retract access once given. If I share my purchase history with some financial web app and later decide to retract access the web app will no longer get new data, but how can I be sure they don't keep a copy of my old data around? Same with GDPR. I often ask companies to remove my data, and legally they should, but I highly doubt many of them do indeed scrap all my data. I still need to trust the other party to honor my wishes (and follow the law) which makes me wonder if Solid or Schluss can help removing my data.
The solution is social, not technical. The relevant authorities have the right to audit the process and do so in certain cases.
Keeping your data after this request has a tiny benefit to the company - not that many people retract access, and one individual's data is not that valuable. On the other hand, intentionally keeping and using that carries significant financial risk of fines if found out; so a prudent organization simply won't do that - otherwise, it'll just be a huge expense for no good reason after e.g. some disgruntled ex-employee blows the whistle on this practice.
Recently I've been exploring an idea of extension of authorization frameworks like OAuth or GNAP where you can authorize not only access to your data directly but execution of specific computation (be it a specific revision of container image) on it. You would review, in advance, what would be done with your data and if suspicious just reject. Ideally the web service pulls the container image and runs it on their host, then returns the result of the computation to the third-party, keeping your original data secret. You wouldn't have to give the plain data which would easily be copied in the first place. The problem is, I'm not sure if the class of application that can be implemented in this scheme is large enough to be useful.
Agree, you're basically adding another middleman which now also has all your data.
> Same with GDPR. I often ask companies to remove my data, and legally they should, but I highly doubt many of them do indeed scrap all my data
Anecdotal: When GDPR came, the companies I worked with/in took it REALLY seriously and spent huge amounts of money and resources to change ALL of their processes to label and clearly isolate data with customer-identified and identifiable content. Not necessarily because they had a change of mind about privacy, but because the risk and the penalty if found non-compliant was so high ("up to €20 million, or 4% of worldwide turnover for the preceding financial year – whichever is HIGHER (!)", PER incident!).
Some level of user-data privacy was already in place, but suddenly all understood the risk of not sufficiently isolating identifiable data (data which in itself is not personal information, but could be combined with other data to identify the user)
So at least in my direct experience GDPR caused a huge shift in many company mindsets from "let's store now and review later" to "wait, what is this data?", and all departments which store data from the field had to start answering to a data protection entity within the company about all the data they have or intend to collect.
It literally forced companies which always played with the idea of one day utilizing harvested data to create some undefined value in the future to challenge themselves. And many companies concluded "we don't know what type of data we have, it's too risky/expensive, scrape the servers and delete it".
Those were all large international companies though, maybe smaller companies acted differently. And for sure your typical data-collecting companies (FAANG) are a completely different story.
But the complexity for a small company with smaller processes to become GDPR-compliant is much lower, with the penalty risking to not just hurt you but immediately send you into bankruptcy. So for a small company especially in Europe it would be plain-stupid to not have GDPR-compliant processes...
Of course there is still trust involved. Every time you cooperate with somebody else both of you have some assumption what the other will do. You trust that a webshop will send you your product after you have bought it, etc. To give a foundation for this trust we have laws. It would be illegal to sell you a product and just keep the money without giving you the product.
This is the same with data protection and GDPR. They could just say that they deleted it and keep a copy on their own. BUT using such systems or asking them (in a documented way) to delete your data is a really strong signal from your side what your assumptions are. This will make the fines much higher if a data protection authority would find out that a company kept the data when you have already shown your strong request to delete it. So in a way these mechanisms should make it easier for you to trust the other side to do their part because the fines will just get bigger.
> Same with GDPR. I often ask companies to remove my data, and legally they should, but I highly doubt many of them do
I was talking once with a friend who deals with GDPR issues at their company. They said that they’re required to keep a record of deletion requests so it can be spelunked through vendors for a full deletion. This often creates more data than was originally deleted.
"Information wants to be free (freely copied)", even when it's information about you. Freely copied means stored in many places. GDPR is in essence reverse-DRM. Normal DRM prevents you from copying and storing some company's information. GDPR prevents companies from copying and storing information about you. And we all know how well DRM works.
[+] [-] tagyro|3 years ago|reply
On a side note, I also find their "Responsible Disclosure" page at https://schluss.org/responsible-disclosure/ to say the least, funny:
- "Your reward. We work as a community, in which you contribute to improve Schluss. With this you contribute to a better internet."
- "If you meet all conditions, we will not submit legal proceedings against you."
- "Any abuse of our systems in any way will be punished."
[+] [-] cyberei|3 years ago|reply
[+] [-] z3c0|3 years ago|reply
[+] [-] ThePhysicist|3 years ago|reply
[+] [-] Agamus|3 years ago|reply
Why on earth would anyone in their right mind do this? I use things like noScript to specifically avoid this kind of thing.
Do I need a service between me and Schluss, to ensure that they are following my laws?
[+] [-] shafyy|3 years ago|reply
[+] [-] sph|3 years ago|reply
[+] [-] CaptArmchair|3 years ago|reply
[+] [-] ButterWashed|3 years ago|reply
[0] https://inrupt.com/ [1] https://inrupt.com/solid-enterprise-natwest-bbc
[+] [-] Swenrekcah|3 years ago|reply
[+] [-] toss1|3 years ago|reply
EDIT Typo in 1st line
[+] [-] Agamus|3 years ago|reply
The second thought was, "basta!"
[+] [-] bobhageman|3 years ago|reply
[+] [-] torm|3 years ago|reply
[+] [-] _uy6i|3 years ago|reply
[+] [-] tyingq|3 years ago|reply
[+] [-] anyfoo|3 years ago|reply
[+] [-] cimm|3 years ago|reply
[+] [-] PeterisP|3 years ago|reply
[+] [-] tnzk|3 years ago|reply
[+] [-] rickdeckard|3 years ago|reply
[+] [-] TrailMixRaisin|3 years ago|reply
[+] [-] Swizec|3 years ago|reply
[+] [-] marcodiego|3 years ago|reply
[+] [-] Kinrany|3 years ago|reply
[+] [-] sjamaan|3 years ago|reply
[+] [-] arberx|3 years ago|reply
[+] [-] AlanYx|3 years ago|reply
[+] [-] makach|3 years ago|reply
[+] [-] smcin|3 years ago|reply
[+] [-] smm11|3 years ago|reply
[+] [-] yetihehe|3 years ago|reply
[+] [-] croes|3 years ago|reply