VRM Adoption Case Study – MYDEX

From IIW

Session Topic: VRM Adoptions Case Study: MYDEX cic (How we tell it; where we are; what Mydex looks like including: peek at UK IDAP)

Wednesday 2A

Convener: William Heath

Notes-taker(s): William Heath

Tags for this session – Technology discussed/ideas considered: PDS, personal clouds, trust frameworks, VRM

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Mydex CIC is a social-enterprise VRM platform, live at http://pds.mydex.org and with contracts in the UK market, including as a UK government ID assurance provider. Having a national government agree to contract with individuals based on credentials held by the individual is potentially a significant VRM breakthrough.

First we heard how Mydex presents the big VRM picture to the uninitiated (who are still the majority). “Personal control over personal data” does not much resonate with consumers, but there is a real political consensus that there is a problem, and personal control over personal data is a policy each British political party is committed to.

All the pols agree on that. But what they don’t get is how to implement personal control over personal data, and what the implications of it would be. The aim is to set this out and to explain why it is a win-win for all parties: it’s a global problem, which affects organisations and individuals.

What Mydex does

Mydex offers personal data stores and connections, wrapped in a legal & technical trust framework.

The community needs diversity and interoperability in PDS providers. Key differentiating determinants of trust will be:

1. Governance & legal form: Mydex takes the legal form of Community Interest Company, limited by shares, highly transparent, asset locked and regulated in the returns it can offer shareholders.

2. Commercial (or business) model: Mydex is free in perpetuity to individuals, making a small micropayment charge to connecting organisations and apps.

3. Legal basis: Mydex uses contract law and places the individual in the role of “data controller” in data protection law.

4. Technical: Mydex has turned away from esoteric and untested tech and moved pretty much entirely to open source tech and standard tools, supporting multiple ID protocols (OpenID, Mozilla Persona, SAML, Shibboleth).

Market adoption has started with contracts in finance, media, local government and housing; also a potentially very significant contract for UK government ID assurance services. The proposition to individuals is convenience, control, trust and value. To organisations it’s cost savings, reduced regulatory overhead and opening the path to new services.

What Mydex does

We did a live walkthrough of the sandbox site (which replicates the live service) populated with dummy data. This showed data entry, management, connections, visualisations of the data and account management, including “download my data” to enable switching to a different service.

The live sites are:

- sbx.mydex.org: the Mydex sandbox where you can use dummy data

- dev.mydex.org: developer resources, e.g. data schema, new data schema requests, API resources

- pds.mydex.org: where people can get a personal data store

Place in the market

The contracted connections are still in the process of implementation. For this reason user numbers are still only in the hundreds (i.e. people curious to see what Mydex looks like, even though they are not yet able to use it to connect). We also saw an outline of the UK government ID assurance service user journey, based on a mixed information set keyed in by the user. The UK government ID assurance programme rolls out in the course of 2014.