Back in August I introduced the concept of Identity Rights Agreements. Over the last few weeks, I've been chatting about the idea a bit more seriously with Dizzy and Jer. So in line with Jer's post on 2006 as The Year of I, I thought I'd provide some insight into our thinking.
Recall the concept: I need the ability to specify how my information is to be used by online entities I interact with. But how? Ideally, someone would develop a way of tagging information so that I could, for example, tell an ecommerce site that my personal preferences are not to be shared with partners. Dizzy, Jer, and I have started to work on the concept in hopes of bringing it closer to reality. The basic idea is a kind of photographic negative of Creative Commons: rather than saying "here's something I've created, feel free to do anything you want with it except for X", when it comes to my personally identifying information I want to say "here's some information about me and you must not do anything with it except Y". When that statement is instantiated in code (such as an HTML form I submit), we're calling it an Identity Privacy Contract (IDPC).
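So what are the equivalents in IDPCs of the well-known Creative Commons licenses? We see two dimensions here: whether you can store my information, and whether (and with whom) you can share it. Boiling that down has yielded five options:

1. Don't Store, Don't Share
2. Store, Don't Share
3. Store, Share Internally
4. Store, Share With Partners
5. Store, Share With Anyone
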
Let's look at each of these in a bit more depth...
"Don't Store, Don't Share" means I'm providing this information to you only for the length of this transaction, where the time to live (TTL) of this transaction is zero. I think of the stores that ask for my ZIP code when I complete a cash transaction: they don't store that information and they don't share it with anyone, although in some computer system there's a counter that's incremented by one every time someone in my ZIP code buys something (conclusion: aggregation is OK). Similar functionality might be used by online polls and such. This ties your hands with regard to using my information, but sometimes that's what I want.
"Store, Don't Share" means that you can keep a record of my information (e.g., in a database or cookie) and associate it with me (e.g., with my email address), but you can't share it with anyone else, not even other subsidiaries of your company. Your hands are tied less tightly here (perhaps you need to store the information to provide me with a better user experience or whatever) but the potential damage is limited since you can't share my information with anyone else. Note also that unlike "Don't Store, Don't Share", there is something of a real contract here, which needs to be time-limited (you can store this data for 2 hours or 2 weeks or 2 years); finally a real-life use for TTLs on cookies!
"Store, Share Internally" opens the door a little wider: now you can share the information with other subsidiaries. The data still has a TTL, but you can use it to offer a more seamless service (or blast me with marketing messages).
"Store, Share With Partners" gives you even greater freedom (now you can make money by selling this information to your partners or doing some co-marketing). But we stipulate that you must name your partners (good for small partner networks, not good for big partner networks) or describe the network (e.g., "all companies in the VISA network, all members of this federation, all subscribers to this mailing list"). But those partners must not share my information -- if they want to do anything with my information, they must negotiate directly with me.
"Store, Share With Anyone" might seem strange -- why would I let you share my personally identifying information with literally anyone? Yet I think there is precedent here: consider blog comments or forum posts, where I provide an email address or URL that is under my control and you link to it from your blog or forum. You've stored it and you're sharing it with the world.
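To make the five options concrete, here is an added sketch (not code from this post or from any IDPC implementation) of a contract record and the checks a receiving site would run before keeping or disclosing a value. The field names, the relation labels, and the choices that every stored option carries a TTL and that a partner may keep the data until the same expiry are assumptions made for the example.

```python
from dataclasses import dataclass, replace
from enum import IntEnum

class Share(IntEnum):      # ordered from most to least restrictive
    NONE = 0               # "Don't Share"
    INTERNAL = 1           # "Share Internally" (subsidiaries)
    PARTNERS = 2           # "Share With Partners" (named)
    ANYONE = 3             # "Share With Anyone"

@dataclass(frozen=True)
class IDPC:
    store: bool
    share: Share
    issued_at: int = 0     # epoch seconds (hypothetical field)
    ttl: int = 0           # seconds; 0 = this transaction only
    partners: frozenset = frozenset()  # named partners or network labels

    def __post_init__(self):
        if not self.store and (self.share != Share.NONE or self.ttl != 0):
            raise ValueError("unstored data cannot be shared or carry a TTL")
        if self.store and self.ttl <= 0:
            raise ValueError("a stored record needs a time limit")
        if self.share == Share.PARTNERS and not self.partners:
            raise ValueError("partners must be named or the network described")

    def may_hold(self, now):
        # A record may be kept only while the contract is unexpired.
        return self.store and now < self.issued_at + self.ttl

    def may_disclose(self, recipient, relation, now):
        """relation: 'subsidiary', 'partner' or 'public' (hypothetical labels)."""
        if not self.may_hold(now):
            return False
        if relation == "subsidiary":
            return self.share >= Share.INTERNAL
        if relation == "partner":
            named = self.share == Share.PARTNERS and recipient in self.partners
            return self.share == Share.ANYONE or named
        return self.share == Share.ANYONE  # unknown relations count as public

    def for_partner(self):
        """Contract handed to a partner: same expiry, no onward sharing."""
        return replace(self, share=Share.NONE, partners=frozenset())

# Constructed sample: "Store, Share With Partners" for one hour.
SAMPLE = IDPC(True, Share.PARTNERS, issued_at=1000, ttl=3600,
              partners=frozenset({"acme-shipping"}))
```

The contract returned by `for_partner()` reflects the rule that a partner who wants to do more with the data has to negotiate with its owner directly.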
There is still much to work out here -- definitions of "aggregation", "transaction", "partner", "personally identifying information", and even "store", what counts as an address (required so that you can renegotiate with me or so that a partner can negotiate with me), and much more. But I think we're on to something. Stay tuned for more details...