How to design customized applications without storing users' data?

by Andrei Sambra

(@andreisambra)

A bit of personal history...

Status quo?


(centralization is bad)

Governments abuse their power leading to mass surveillance

One stop shop for hackers

143 million accounts

87 million accounts

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Can't prevent good companies from being acquired by "bad" ones, or the other way around

Solution: decentralize

Scaling?

Uptime?

Availability?

Metrics?

Far from a perfect solution...

User Experience

(always think about the user experience)

Is technology alone sufficient?


No.

GDPR

(as of 25 May 2018)

GDPR  "do's"

(TL;DR for developers)

  • Right to be forgotten (delete)
    • also notify 3rd parties of the erasure
  • Restrict processing (data not visible to staff, or even publicly)
  • Data portability (art. 20)
    • export a human-readable version
    • export a machine-readable version
    • APIs (when possible!)
  • All user data must always be editable by the user
  • Request user consent for processing their data (opt-in)
  • Data retention (delete data after processing)
  • Encrypt everything (in transit, at rest, backups)
  • Keep a record of all activities where you use personal data
  • Age checks (wishful thinking)

GDPR  "don't's"

(TL;DR for developers)

  • Don't use data for purposes other than the ones agreed to by the user
  • Don't log personal data (opaque IDs are sufficient; keep in mind that an ID which can still be linked back to a person is itself personal data under GDPR, so protect the logs too)
  • Don't use forms with more fields than necessary
  • Don't rely on 3rd parties being compliant (exercise due diligence)

GDPR is just the beginning.


(We need "online" seat belts)

What options do we have today?

Build centralized services


(much more difficult to guarantee GDPR compliance)

Build decentralized services

And the answer that everyone is waiting for...

Let’s use the Blockchain

No.

Use the Web as is, but decouple everything

Device

Data

App (UI)

Why decouple?

We can avoid tech debt by keeping up with a fast-paced technical evolution instead of being locked into one stack

Why decouple?

It allows app developers to focus on what they like the most (building a user experience through UI/UX), while removing a lot of the headaches most developers face:

  • how to deal with identity management (email)?
  • how to securely store user data?
  • how can I ensure my users' privacy?
  • how can I be GDPR-compliant overall (at least in the EU)?

Our approach at Qwant...

  • client-side, peer-to-peer data management
  • app data is stored encrypted on the user's devices
  • offline-first user experience
  • applications need to be authorized to access storage
  • encrypted data is synced in real time using PFS
  • all code is open sourced (MIT), including the sync service
  • optional backup (coming soon™)

#NOCLOUD

Image credit - https://unsplash.com

Shifting and balancing responsibility

Image credit - https://www.infovista.com

Conclusion

Decentralized governance

Decentralized technology

</Presentation>

Andrei Sambra - @andreisambra

a.sambra@qwant.com

https://slides.com/deiu/clean-data-conf/

(all uncredited images in this presentation come from Wikimedia)
