By Aurel Stenzel
Elinor Ostrom established a polycentric approach to governing common goods, without top-down regulation or privatisation. Data, however, has very particular characteristics, which raises the question of how Ostrom’s work can be applied to data sharing. This article gives an introduction to her influential design principles and applies them to the special characteristics of data.
The first design principle requires a clear differentiation between legitimate users and non-users as well as a clear separation of the specific common-pool resource from a larger social-ecological system. For example, the names of farmers who are allowed to use the land need to be declared. Farmers can be easily identified (by just knowing them in a small village or by publicly available IDs). In contrast, on the web, identities can be easily obtained, changed, and also faked. It is therefore important to find a way to provide a digital identity in order to share data effectively. The ability to identify users of a common resource is crucial for most of the design principles to follow. Nonetheless, the ID of the user does not necessarily need to be the same in all of their activities if we apply cryptographic innovations like blind signatures. With these, anonymity can be maintained even when certain characteristics are identified.
Provision rules define the activities necessary to maintain and nurture the resource, while appropriation rules define how the common resource is used. Both sets of rules need to be congruent with the local social and environmental conditions. For data, this means that all users of the resource (e.g. a data union) need to be aligned on who provides what data and when and how this data can be used. The benefits for the users whose data is used need to be proportionate to the costs those users bear in providing the data.
In this design principle, Ostrom requires that the people affected by a resource regime are authorised to participate in making and modifying its rules. So far, we have not been able to participate in decisions about how our data can be used. The General Data Protection Regulation (GDPR) was an important first step but is rather considered to be annoying (remember the last time you clicked “accept” just to make a cookie pop-up quickly disappear) with questionable impact. Norberg et al. (2007) experimentally showed a discrepancy between individuals’ intentions to protect their privacy and how they actually behave on the web. There are different explanations for this so-called privacy paradox, e.g. that people have difficulties assigning value to their data (and therefore do not see a reason to protect it), that people do not consider certain data to be their own, or that people assume that the internet platforms already know everything anyway.
Within a cryptographically protected data union, we can apply all three design principles. A group of identified users (clear user boundary) set their data sharing rules, e.g. which data can be shared with whom (collective choice arrangements on appropriation and provision rules) and at which price (proportional benefits). As the data is cryptographically protected, the shared data cannot be replicated, stored, or reused (clear resource boundary).
In order to organise a well-functioning commons, its members must implement an accountable monitoring system that ensures its protection. Ostrom analysed self-governed water irrigation systems in Nepal. As rice is very sensitive to drying, farmers use large amounts of water to keep their rice paddies flooded continuously. This keeps their weeds under control, but the water could be used more efficiently by other farmers to yield a larger quantity of rice. Therefore, there is a strong temptation for the farmers to extract more water than authorised. They implemented a monitoring system, carried out by the members themselves, to ensure that no member extracts more water than allowed. The monitoring has two consequences: first, the monitored members stick to the rules, and second, and even more importantly, seeing the other members sticking to the rules increases the willingness of the monitoring member to also stick to the rules.
This design principle is supported by the groundbreaking work of Fehr and Gächter (2002) who experimentally demonstrated that cooperation flourishes if altruistic punishment is possible. Altruistic punishment means that people punish, even though the punishment is costly for them and yields no material gain. For the water irrigation system in Nepal, if a member is caught (by another member) breaking the rules, they are punished. The sanctions start at a low level but are exacerbated in case of repeated violations. Harsh sanctions from the very beginning are counterproductive to the identification with the rules of the group. One powerful sanction is to exclude a member from future rounds. There are many different nuances to that — a few suggestions:
The design principles discussed in this article are somewhat incorporated in Token-Curated Registries (TCRs). Challenges (ergo monitoring) against candidates for a TCR in their application period, or against already registered listees, may be initiated by other members. If a challenge is initiated, voting by the other members starts, and at the vote’s conclusion either the challenger’s or the candidate’s deposit is forfeited (ergo, exclusion as sanctioning) or not. Voting is an elegant means of low-cost dispute resolution, which is the last design principle.
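The challenge, vote and forfeiture cycle described above can be modelled in a few lines. This is an added example, not code from the article or from any TCR implementation: the class and method names, the one-member-one-vote rule, the tie rule and the winner-takes-the-stake payout are simplifying assumptions, and the members and balances are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Registry:
    """Toy token-curated registry: one member, one vote; winner takes the loser's stake."""
    min_deposit: int
    balances: dict = field(default_factory=dict)    # member -> free tokens
    listings: dict = field(default_factory=dict)    # listee -> locked deposit
    challenges: dict = field(default_factory=dict)  # listee -> (challenger, stake)

    def _lock(self, member, amount):
        if self.balances.get(member, 0) < amount:
            raise ValueError(f"{member} cannot cover a stake of {amount}")
        self.balances[member] -= amount

    def apply(self, member):
        self._lock(member, self.min_deposit)
        self.listings[member] = self.min_deposit

    def challenge(self, challenger, listee):
        if listee not in self.listings or listee in self.challenges:
            raise ValueError("no listing to challenge, or a challenge is already open")
        if challenger == listee:
            raise ValueError("members cannot challenge themselves")
        stake = self.listings[listee]  # the challenger must match the deposit
        self._lock(challenger, stake)
        self.challenges[listee] = (challenger, stake)

    def resolve(self, listee, votes):
        """votes maps member -> True (remove the listee) or False (keep)."""
        challenger, stake = self.challenges.pop(listee)
        # The two parties to the dispute do not vote on it.
        ballots = [v for m, v in votes.items() if m not in (challenger, listee)]
        if sum(ballots) * 2 > len(ballots):        # strict majority; a tie keeps the listee
            forfeited = self.listings.pop(listee)  # sanction: deposit lost, member delisted
            self.balances[challenger] += stake + forfeited
            return "removed"
        self.balances[listee] += stake             # a failed challenge costs the challenger
        return "kept"

def demo():
    # Constructed members and balances.
    reg = Registry(min_deposit=40, balances={"alice": 100, "bob": 100, "bot": 100})
    reg.apply("bot")
    reg.challenge("alice", "bot")
    first = reg.resolve("bot", {"bob": True, "carol": True, "dave": False, "bot": False})
    reg.apply("bob")
    reg.challenge("bot", "bob")
    second = reg.resolve("bob", {"carol": False, "dave": False, "bot": True})
    return first, second, reg
```

Because the challenger has to lock a stake equal to the listing's deposit, monitoring is costly to abuse: an unfounded challenge transfers that stake to the member who was challenged.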
This design principle might be one of the hardest to implement within a data-sharing ecosystem. Imagine the following scenario: you are a member of a data-sharing system that incentivizes data provision for targeted advertising. A friend asks you if (s)he can use your smartphone to google something. (S)he looks up a product and the search query is stored in your data wallet. The next time you browse the web, an ad is shown to you based on the data entry created by your friend. Should you be sanctioned for this? You should not. However, data is easily created or manipulated. By blind web crawling, a bot can create large data assets and provide this data to the ecosystem in order to increase its operator’s profits. We could apply the voting mechanism of TCRs to this data-sharing problem. However, in order for other members to verify the data, they need access to it, which obviously leads to data privacy issues. Again, the latest innovations from cryptography can help, e.g., homomorphic encryption. Combined with reputation systems, cryptography can help us to implement powerful monitoring and sanctioning mechanisms, just as Nojoumian et al. (2012) combined Game Theory, Cryptography, and Reputation Systems.
A slightly modified version of this article was first published on the Fractal blog.