Success Story: Building the Platform Relationship Management for Personal Data, by Decentralizing OAuth protocol to remove lock-in-by-designdaps

by ALIAS team

The Challenge

Users’ personal data is stored in third-party services they use, historically for convenience, but companies have been using it to develop control lock-in on their users, asymmetry of information and unfair advantages with other platform services. This data is locked in because of the design of the main authorization protocol used on the web, that is OAuth. This protocol enables companies to keep too much power hosting the data associated with the service. Another design, enabled with recent cryptography technologies, would be to reverse it, enabling a user to have a Platform Relationship Management for Personal data, enabling to keep control and visibility at any time. The goal was to decentralize OAuth, enabling this value proposition to be technically feasible, easy to implement by developers and user friendly for citizens.

The Solution

In the DAPSI programme, we developed a platform enabling users to ask for their data from different data providers and platforms via different means, either email or via a portability chatbot. Once the users got their data back, they are able to share this data with different public research project to “Datafund” them. It contributes to a more human-centric internet, because it puts the user at the centre of the data sharing mechanism and process. Nothing can be done without the user’s consent, and everything can be undone by the user.

DAPSI support

DAPSI has helped us to:

– Strengthen the team that started the project

– Mature the technology

– Turn the project into a company

– To get legitimacy in the Personal data ecosystem

– Attract investors, private and public

DAPSI journey – Achievements from the first phase of the DAPSI programme

By helping 50 citizens to get back their data as a research project, we managed to check 400+ current portability legal processes and the real implementation of GDPR article 20 by main digital and brick-and-mortar companies. We summed them up in a global report about “the state of GDPR portability”, available for download here.

We understood the main challenges of collecting personal data for users and how to solve them.

On the technical side, we developed a technology based on OAuth protocol, but decentralized and also augmented with GDPR contracts, enabling portability to happen keeping all the GDPR context and history between the two entities thanks to the GDPR OAuth token. Also, as the contracts are decentrally signed and verifiable, there is no lock-in by design for a user who would like his data to be managed by someone else.

Code repository is accessible here.

We also developed a hashing technology enabling us to be able to anonymize documents while keeping their hash, really useful when you need to anonymize documents but to keep their history of version up to date.

We are applying the technology in a project to fund public research with your personal data, called Datafunding (a kind of Kickstarter based on GDPR Portability) soon to be released, where you can sign up to access the beta.

Last but not least, we developed a series of tools to implement GDPR portability for companies, to give back data to users without any potential excuses. You can find out more about these developer tools that we have baptised the DevRegOps approach for GDPR.

DAPSI journey – Achievements from the second phase of the DAPSI programme

During the programme, we had some achievements. We registered a patent and registered trademarks to be sure to promote our brand and technology internationally safely.

During DAPSI, we expanded our team by 3 members and onboarded new advisors, who successfully found and sold their company in the data protection space. We also have been joined by new private Investors for 600k€ as a pre-seed investment and have joined the INRIA Startup Studio.

As part of our DAPSI programme, we made a first study getting feedback from users and companies. From these, we published an Industry publication: “GDPR portability the Forgotten right” – Report on Data portability that has been downloaded 75,000+ times so far. With our successful report on GDPR Portability, we have been invited to participate in 4 events about our research during the DAPSI programme.

Last but not least, we won more Institutional Credibility as we won the French National Research and Technology competition (organized by French Ministry Research and Higher Education) for a prize of 250k€.

Lessons learnt

We learnt that GDPR portability tooling ecosystem is not sufficient, neither on the users/citizen side nor on the platform provider side. We overcome these challenges by developing these tools for them.
If we had to do it again, we would spend more time on understanding why providers struggle to deliver portability, except the few who deliberately don’t want to do it.

What’s next

Build the next generation of GDPR tools, for portability and beyond, to make personal data accessible and owned by their users, and enable honest companies to stay honest with personal data.

More information

You can find more information about our work on and