Layertech Software Labs: TRACE.R
TRACE.R allows data subjects to track their data, be notified, and withdraw consent whenever linked data is accessed or modified.
For the past few years, government data breaches have raised concern in the Philippines. In 2016, the Commission on Elections database on voters was leaked and posted online, including personally-identifiable sensitive information of affected voters. In the following years, we also encountered a number of issues involving identity theft leading to financial theft, which ultimately affected ordinary citizens.
Layertech believes that the data subject has to have control over his/her information. For data subjects to have that control, they must be empowered, they must understand the implications and dangers of breaching data privacy, they must have the mechanisms that allow them to do so, and enabling policies must allow such mechanisms to be in place.
The 2012 Data Privacy Act of the Philippines states that data subjects have the right to data portability, the right to be informed, the right to object, the right to dispute inaccuracy, the right to withdraw consent, and the right to indemnification should the personal data be misused. Despite these laws, however, we lack mechanisms to effectively, efficiently, and inclusively enforce these rights.
Having worked with various grassroots communities in a number of civic technology projects, Layertech is developing TRACE.R, a tracking mechanism which allows data subjects to control their personal data.
TRACE.R is a free-to-download mobile application for Android (and soon iOS) that allows users to track which government agency holds their data and how it is used, using the user’s own unique ‘fingerprint’ hash code, which is generated upon submission of data to the agency. Should the government modify the data or share it with another government agency, the user will be instantly notified about the changes and will be explicitly asked for his/her consent, if necessary.
The technical backbone of the system is actually very simple. It relies on generating polymorphic encryption tied to a unique hash code of the user. For every modification, the encryption morphs according to a corresponding function. The data cannot be decoded without the ‘fingerprint’ hash of the owner, which keeps the transmission secure even if it is hijacked by hackers.
If the user’s code does not match the government’s code when the system connects, it means that changes were made. The user’s end is then updated, instantly notifying him/her of the changes, as well as of the permissions the law needs the user to give.
TRACE.R empowers users to be informed, and exercise their rights of data privacy.
- Idea
Many tech-based grassroots solutions end up widening the access gap. The team is strongly aware of this.
TRACE.R is designed to focus on user experience and inclusivity. It is localized, user-friendly and intuitive, with little to no connectivity required in data transmissions. TRACE.R focuses on strengthening connections between governments and citizens, with special attention to security mechanisms. We assume that during transmission, the likelihood of data packets being intercepted is very high. Our authentication design relies on an RSA-like encryption scheme, which renders packets unreadable if read with an authentication key that is not from the owner of the data.
TRACE.R strongly implements the core principles of “Privacy By Design” through transparency, proactive data protection mechanisms via encryption schemes, and user empowerment that specifically focuses on grassroots users in developing countries.
In the team’s past civic technology initiatives, we have observed firsthand that there are several barriers, such as the lack of effective and inclusive mechanisms, that inhibit citizens from exercising their right to data protection. In addition, these gaps enable some people to take advantage of citizens’ inability to assert their own identities and their lack of voice in the community.
TRACE.R ensures that data subjects will have control over their personal information. Furthermore, the system ensures that users will be empowered to exercise their right to data protection, right to be informed of the law’s specifics, right to modify their personal information, and right to establish their own identity in the community.
If and only if we have an informed and empowered citizenry can we properly say that there is democracy and that the rule of law is being implemented.
TRACE.R makes use of lightweight and universal plug-ins (e.g. JSON), which makes it highly integrable with Digital Identification Systems. In a sample use case, the TRACE.R admin software is installed alongside the existing Digital Identification System in a government agency. The software then generates encrypted JSON files, which are bundled with the existing database of user information (RDBMS). Whenever a user submits his/her personal information, the software generates a unique hash code, made available to the data subject only. The polymorphic encryption mechanism then starts, re-encrypting the user’s data via the JSON file every time a modification or transfer is made by the government agency. Once a change has been made, the system syncs with the data subject’s mobile app, requests the unique hash code, and notifies the user of the status of his/her data. The app explicitly requests the user’s consent (if necessary) and offers an option to display localized explanations of his/her rights relating to the modification. The components used are very universal and interoperable in the current technological landscape.
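The code comparison described above, sketched as an added example (not Layertech's code): a salted SHA-256 hash chain stands in for the page's unspecified "polymorphic encryption", so it shows change detection and notification only, not confidentiality. The salt, event fields, sample record and all function names are assumptions.

```python
import hashlib
import json

def canonical(obj) -> bytes:
    # Stable JSON encoding so the agency and the app hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def initial_code(record: dict, salt: bytes) -> str:
    # 'Fingerprint' issued to the data subject at submission (assumed: salted SHA-256).
    return hashlib.sha256(salt + canonical(record)).hexdigest()

def morph(code: str, event: dict) -> str:
    # Each modification or transfer derives the next code from the previous one.
    return hashlib.sha256(bytes.fromhex(code) + canonical(event)).hexdigest()

def sync(user_code: str, agency_code: str, events: list) -> dict:
    """Subject-side check: compare codes, then replay the agency's event log."""
    if user_code == agency_code:
        return {"status": "unchanged", "code": user_code, "notify": []}
    code = user_code
    for event in events:
        code = morph(code, event)
    if code != agency_code:
        # Log has missing, reordered or altered entries: keep the old code.
        return {"status": "log_mismatch", "code": user_code, "notify": []}
    return {"status": "changed", "code": code, "notify": events}

# Constructed sample data (not from the page).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
RECORD = {"name": "Sample Subject", "address": "Sample City"}
EVENTS = [
    {"seq": 1, "action": "modify", "field": "address", "needs_consent": False},
    {"seq": 2, "action": "share", "to": "Agency B", "needs_consent": True},
]

def demo():
    user_code = initial_code(RECORD, SALT)
    agency_code = user_code
    for event in EVENTS:
        agency_code = morph(agency_code, event)
    full = sync(user_code, agency_code, EVENTS)
    partial = sync(user_code, agency_code, EVENTS[1:])  # agency omits event 1
    return user_code, agency_code, full, partial

if __name__ == "__main__":
    _, _, full, partial = demo()
    print(full["status"], [e["action"] for e in full["notify"]])
    print(partial["status"])
```

Because every code depends on the previous one, an agency log that omits or alters an event cannot be replayed to the agency's current code, and the app can refuse to accept the update.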
Layertech strictly follows a user-centric design principle, especially since most of our projects focus on use by grassroots and vulnerable communities. With TRACE.R, we will be using localized, simple and intuitive interfaces focusing on user experience. This is not only for the benefit of the end users in the grassroots, but also to help the target government agency that uses a current identification system to better adapt to the system, significantly reducing the learning curve needed. Our firsthand experience convincing Local Government Units in the Philippines to adopt our tech innovations will greatly help in achieving this objective.
TRACE.R uses universal, lightweight and interoperable core components such as JSON and HTML/PHP. Only the endpoint user applications for Android and iOS will be developed separately, but the two use the same transmission backbone. After a successful pilot, the team is planning to release an API for the system to allow open source programmers to develop their own plug-ins and endpoints for the system on various platforms, for as long as security measures and protocols are observed.
Layertech has years of experience working with technology deployment in communities with low connectivity, literacy and numeracy in the Philippines. That’s why information dissemination campaigns will be conducted in parallel with technology development and deployment.
Our initial mapping in 2015-2016 revealed that 98% of users in our pilot risk-prone communities have mobile phones, and 95% have access to the internet through data and ‘free data’ schemes. TRACE.R’s offline encryption system requires very little to no internet for the system to be updated. Only when the hash codes change will the files be downloaded, consuming the end user’s ‘mobile data’.
The team is currently working on the ideation and prototyping stage, estimated to run for about one year with funding. For this, we plan to engage the National Privacy Commission (NPC) for guidance and support. The NPC may also act as the pilot agency for the system, which can start immediately after the prototyping stage is finished. After a successful pilot for about 2-3 years, the team will start engaging other agencies for scale-out to increase the data coverage of TRACE.R.
- Philippines
- Hybrid of For Profit and Nonprofit
- 1-5
- Less than 1 year
In our other civic technology projects, we are closely working with Bicol University and Southern Luzon Technological College. We have partnerships for the research and development of various civic tech solutions.
Layertech specializes in Civic Technology research and development. Over the years, the team has received various national and international awards and recognition on ICT and Data Driven Governance. The team is mostly composed of programmers, data scientists, and social scientists. The team is in partnership with various CSOs, members of the Academe, Local Government Units and the Private Sector.
For the sustainability of TRACE.R, a possible revenue stream would be conducting training and capacity building sessions for interested groups and agencies. The set-up for scale-out will also be charged to the budget of the organization or government agency.
The idea is still in the ideation and prototype stage. While there is a proven need for data privacy, it can be difficult to develop a solution without a network of innovators and organizations that can guide you to it. Mission Billion Challenge can offer a network which will allow us to perfect the idea, draft a concrete implementation plan, and execute it.
The two biggest issues are the lack of funding and the lack of a network to implement this. First, the project requires full-time technical staff and researchers to dedicate time working on the project for at least two years. Second, the team needs to connect with privacy technical experts and mentors who will help us better hone the prototype.