Is Web 3.0 the Solution to All Data Privacy Challenges?


Web 3.0 is fundamentally altering the digital infrastructure, challenging current business practices around the collection, retention, protection, and sharing of sensitive (PII) data. Priyadarshi Prasad, co-founder and chief product officer of LightBeam.ai, discusses three timeless considerations that can help transform the challenges into an opportunity for strengthening customers’ trust. 

Growing up in a small town in India, whenever we needed something, I’d visit one of the local mom ‘n’ pop stores. After a bit of chit-chat, the transaction involved currency notes, a receipt, and the goods. Looked at from the lens of privacy, there were three (desirable) characteristics of such transactions:

  1. The entire transaction could be “trustless.” There was no central identity verification system. Because identity was not central to the transaction, identity verification did not come in the way of a business transaction. This helped the sellers.
  2. Even if the seller knew me, the trust was established visually, rather than on paper or any storage device. This helped the buyers and secured them from any risk of sensitive information exposure on the seller side.
  3. Marketers had access to aggregate data, but not personal data. They didn’t know if it was me who was buying all the chocolates. Only that a particular shop was selling a lot of them.

That was Web 0.0. A lot of the literature on Web 3.0 promises the same level of privacy to users. A lot of technical jargon is thrown around to support that claim, each term explaining how privacy will be different with Web 3.0. The challenge in chasing the differences is that they are not settled yet – there is no consensus. As a business executive, this can be complex and unpredictable territory to navigate. By the time consensus emerges, your team might already be down a path that’s unsupported. You also don’t want to get into analysis-paralysis lest your competitors gain an insurmountable technological advantage.

So what should you do? In situations like these, it pays to ask the question differently. Instead of asking how things would be different, ask what considerations might remain the same. Here are three timeless considerations:

  1. CARRIAGES TO CARS: The nature of sensitive data might change, but your business will still carry sensitive information about your customers.
  2. CUSTOMER 360: Your marketing and business folks would still want a very close relationship with your customers. Knowing your customers/users really well would continue to be a massive competitive advantage.
  3. BREACHES & BEACHES (EXPOSURE): Assume that breaches would still happen. In fact, assume that even your business might get breached one day. Plan, implement and exercise a breach protocol vs. hoping to stay lucky forever.


Let’s dive deeper into each of these points.  

1. CARRIAGES TO CARS

A lot of Web 3.0 geekspeak centers around cryptography and blockchain. Secure communication and distributed ledgers for storing records are great, but they are transactional constructs. Privacy is personal and is linked to identity. Think of it this way – Amazon already knows about nearly all of my transactions. We have no problem mortgaging our transactional data, but when a business (or state) peeks into our personal space like the Orwellian 1984 or The Lives of Others, our red flags go up. With Web 3.0, there are two competing architectural solutions being proposed for user privacy:

  • A secure global web identity for each user managed by a zero-trust (?) Okta-like platform. Companies that have built their entire trillion-dollar businesses selling user data to the highest bidders are really trying hard to make this approach a reality. This is why every time you hear zero-trust, what you should read is “just trust me.” “Cookie-less” just means someone else controls the cookie jar.
  • Federated identities for each user where every user-service pair has a new identity. Users interact with businesses/services using unique tokens for each service. For the same user, two different services would be using two different tokens. This is very promising indeed, although a lot of the details need to be worked through, starting with who helps a user create and maintain federated identities.

The above are two extremes and it is yet unclear which way the solutions might veer. However, no matter which way it goes, unless you are willing to completely rely on a 3rd party to act as an intermediary between you and your customer (why would you? how does that help customers?), you would still need to store their “identity-related” sensitive information. In fact, depending on the type of business you are in, you may have to store much more – payment info, health info, shipping info, and so on. Of course, you could link all of them to a pseudo-anonymized identity but here is where your business/marketing folks might throw a fit.
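The difference between the two identity models described above can be shown in a few lines. This is an added example, not code from the article or from any Web 3.0 project; the service names, the users, and the HMAC-based token derivation are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: three users, two hypothetical services.
USERS = ["alice", "bob", "carol"]
GLOBAL_IDS = {u: f"global-{i:04d}" for i, u in enumerate(USERS)}
# Per-user secret held by whoever maintains the user's identities (assumption).
USER_SECRETS = {u: secrets.token_bytes(32) for u in USERS}

PURCHASES = {
    "bookshop.example": [("alice", "privacy handbook"), ("bob", "cookbook")],
    "pharmacy.example": [("alice", "prescription refill"), ("bob", "vitamins"),
                         ("carol", "bandages")],
}


def pairwise_token(user_secret: bytes, service_id: str) -> str:
    """Stable identifier for one user-service pair; differs for every service."""
    mac = hmac.new(user_secret, service_id.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def service_records(service_id: str, model: str) -> list:
    """Records as the service would store them under the given identity model."""
    records = []
    for user, item in PURCHASES[service_id]:
        if model == "global":
            ident = GLOBAL_IDS[user]
        else:
            ident = pairwise_token(USER_SECRETS[user], service_id)
        records.append({"id": ident, "item": item})
    return records


def linkable_ids(model: str) -> set:
    """Identifiers present in both datasets: users the two services can join on."""
    shop = {r["id"] for r in service_records("bookshop.example", model)}
    pharmacy = {r["id"] for r in service_records("pharmacy.example", model)}
    return shop & pharmacy


if __name__ == "__main__":
    print("global identity, linkable:", sorted(linkable_ids("global")))
    print("per-service tokens, linkable:", sorted(linkable_ids("pairwise")))
    # The identifier is now unlinkable, but an email or shipping address
    # stored next to it would still let the two datasets be joined.
```

With a global identity the two services can join their records for every shared customer; with per-service tokens the identifier alone gives them nothing to join on.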

Timeless consideration #1: By virtue of being a business, you are doing something that society values. Data associated with that business would still need to be secured, and that will still be your responsibility. 

2. CUSTOMER 360

The business of business is to engender trust amongst its consumers. Everything else follows. Engendering trust starts with mutual respect and transparency. Businesses want to know who they are doing business with. Sometimes it is even a regulatory requirement (e.g. to protect themselves against money laundering laws). None of this changes with Web 3.0. So what does that mean to you as a business? Let’s take a look at the two extremes from the lens of engendering trust:

  • In a world where someone like Google controls global identities for every individual, you would be at the mercy of Google to get information about your consumers. This is not a good thing. Ask the 3rd party vendors on Amazon who sometimes complain about Amazon creating a competing product based on insights gained from their platform.
  • In a world with federated identities, you might want to be transparent about the information you carry about your consumers. If I can see what information you have about me, how long you keep such information, how you use it, who you share it with, and so on; and if I have complete control over that information where I can delete it in an instant vs. asking for your permission, then I might be fine giving you some information about me so you can serve me better.

Timeless consideration #2 – start thinking about building an infrastructure that gives consumers direct control over what you know/keep about them. Don’t wait for regulations to force you. Make transparency your competitive advantage, and trust will follow.


3. BREACHES & BEACHES (EXPOSURE)

Yes, we get it that you have an ultra-secure system where no information is ever at risk of getting breached. Kudos to you. But let’s ask a simple question – how about your partners? I know of organizations that have never been breached (yet) but whose sensitive information still got compromised because their partners got breached. Cross-business interactions are not going away in this increasingly connected world, and Web 3.0 is unlikely to change that. Yes, all information exchange might become more secure, but you’d still be exchanging information. You can tokenize and pseudo-anonymize exchanged information to a certain extent but not completely. It is easy to see this in healthcare, financial services/fintech, shipping, retail, etc.,  but no matter the industry, your teams are likely sharing sensitive information with your partners. 

As seriously as you take breach prevention, take breach recovery equally seriously. Did you know exactly whose information you shared with the partner who got breached? If not, start putting such systems in place. Then, treat every customer individually, not just as a part of some mass market campaign. Tell them what you had shared with the partner that got breached, what actions they (the users) need to take, and how you will make it right/easy for them. Sometimes, a disaster is the perfect time to show how much you care, and caring about customers is unlikely to go out of fashion with Web 3.0.
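One way to answer "whose information did we share with the breached partner?" is a disclosure ledger that is written at sharing time and queried at breach time. This is an added sketch, not a system the article describes; the partner names, customer ids, and dates are constructed, and it assumes anything shared on or before the breach date was still held by the partner.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Disclosure:
    customer_id: str
    partner: str
    fields: tuple      # names of the data fields sent, never the values
    shared_on: date


# Constructed sample ledger; one row is appended every time data leaves the business.
LEDGER = [
    Disclosure("cust-001", "partner-a-logistics", ("name", "shipping_address"), date(2023, 1, 10)),
    Disclosure("cust-002", "partner-a-logistics", ("name", "phone", "shipping_address"), date(2023, 2, 3)),
    Disclosure("cust-001", "partner-b-payments", ("card_last4",), date(2023, 2, 20)),
    Disclosure("cust-001", "partner-a-logistics", ("phone",), date(2023, 3, 5)),
    Disclosure("cust-003", "partner-a-logistics", ("name",), date(2023, 6, 1)),
]


def exposure_by_customer(ledger, partner: str, breached_on: date) -> dict:
    """Map each affected customer to the fields the partner held at breach time."""
    exposed = defaultdict(set)
    for d in ledger:
        # Disclosures made after the breach date were not in the stolen data set.
        if d.partner == partner and d.shared_on <= breached_on:
            exposed[d.customer_id].update(d.fields)
    return {cid: sorted(fields) for cid, fields in sorted(exposed.items())}


def individual_notices(ledger, partner: str, breached_on: date) -> list:
    """One notice per customer, naming exactly what was shared about them."""
    return [
        f"{cid}: we shared your {', '.join(fields)} with {partner}, "
        f"which reported a breach on {breached_on.isoformat()}."
        for cid, fields in exposure_by_customer(ledger, partner, breached_on).items()
    ]


if __name__ == "__main__":
    for line in individual_notices(LEDGER, "partner-a-logistics", date(2023, 4, 1)):
        print(line)
```

Because the ledger stores field names rather than values, it can be retained and queried without becoming another copy of the sensitive data.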

Timeless consideration #3 – Breach protocol, like disaster recovery planning, should be timeless. Don’t forget to actually test your breach protocols every now and then (I’d recommend at least once a quarter).

We are all quite curious as to how the tech stack evolves with Web 3.0. The typical push-and-pull is going on. Among other things, the fates of only the largest companies in the history of the world are at stake, and so no doubt, it might take some time for a consensus to emerge (or not). In the meantime, you have a business to run, customers to take care of, and their sensitive data to protect. Focusing on the above three should get you started on a solid foundation.
