As well, this post has inspired me to think of changing the Identity Legal Framework to Identity Data Legal Framework which may be more appropriate. Perhaps @Johnathan, @Elias, @Dennis, you have an idea of how to organise this effort in a better way?

I have proposed this group because I felt it uncovered something very important that was lacking.

Portability might also mean moving around data in certain scenarios. Think of virtual worlds where an object can really be moved around from server to server (depending on the implementation). We struggle with the implications of this right now over the Grid Interoperability Working Group. Maybe think also of MP3s or so.

Probably it all depends on definition of course but I think here the question is where we define the scope of what we work on (for now) in the DP Group. I guess priority probably has profile or social graph information which is either copied or referenced.

As for privacy I am not sure we should discuss it on a philosophical level but more so on the individual fields we are working on. E.g. if I have my email address in a profile how should I be able to control who can read it? And even if I allow some friend to read or export it how can I make sure that it’s not spreading from there? (of course I cannot control that, it’s mostly a question of trust here. BTW again the same problemn we have in Second Life ).

In our age, news of the affair may spill out of these limited conditions and begin to be embellished on countless myspace and facebook pages. Who knows, stakeouts with digital cameras may commence! At this point, the persistence of innuendo completely alters the equation. One search changes everything!

This is probably not the best example, but it illustrates the point. It forces us to become more aware of our privacy, and thus to discover appropriate boundaries and precautions.

The MCAF seems to be the type of thing I was alluding to earlier with my comment about a robots.txt for personal info. I would like to have fine-grained access control for some of my personal information. For instance, I have public and private phone numbers and e-mail addresses. The XDI people seem to have thought a lot about accommodating this control. Let’s hear more!

@Mark: I’m interested in participating in the Identity & Trust working group, but fear I may not have the legal background to help much. IANAL, but I have spent hundreds of hours reading relevant threads on Slashdot. Does that count for anything?

If people could see their privacy they would care a lot more. For instance Identity Mapping meaning knowledge of where ones personal information is and for what purpose it is being used. Privacy as a concept at this time seems just too abstract to be relevant, which I think gives the impression that people don’t care. I think people really do care.

I have just proposed a working group at Identity Commons called Identity & Trust http://wiki.idcommons.net/index.php/Identity_Rights_Agreements.

Basically, a policy work group, but there hasn’t been much interest as of yet. Hence my excitement with this post and a focus of policy in data portability.

As for investigating the MCAF, let me know when.

@Mark: Ownership and control is another good point. And I couldn’t agree more that “privacy is not eroding but being discovered”.

MCAF is something that looks interesting, and I will note it formally down so we can investigate it.

What relationship do you have with the other identity frameworks, like Identity commons and the Higgins project?

@Dennis: The reason people don’t care is because they don’t understand it. I can assure you, the average person is freaked out about privacy issues, but it’s only in the context of practical examples like what people see with their Facebook profile (if they even have one). On a deeper philosophical level, by function you become elitist, but it’s not like we are stopping anyone else from contributing! Please don’t let apathy and ignorance be the cause of you not contributing.

I have a few comments to that blog post and finally a place to put them. First is that I disagree with Jonathan (but only a little bit). Not in principle but in method. I think control is the big issue and that privacy is not eroding but being discovered.

I once started off with the idea of owning data as well. The short story is that the year of my life spent chasing ownership brought a realisation that owning information isn’t a solution that will ever work.

It is also very clear that data portability is the name of a function, and for that information to be useful, the context of information is very important (I very much agree). To me these thoughts over the past few years has evolved into a understanding that there needs to be a policy which accompanies the data and this policy dictates the hierarchy of control.

Underneath this policy there is only one solid infrastructure that works, and that is the law. One thing that is really missing, is the ability to see what these policies are in a way that are usable. Until then everything is just confusing, un quantified, ect.

In order for tools to be made where ‘people can see’ the context of data usage and control, there needs to be a framework that is common and standardising. This is something I am calling the ‘Identity Legal Framework’ which can be used to build a technical and legal infrastructure for liability and control while freeing information. To me there is an explicit difference between ownership and control of data.

As for privacy, most of our information, like our name or address or what we are doing has never been private, it just has never been easily accessible. Now technology provides access making it easy and giving the illusion of eroded privacy, but in fact we never owned our identity, information now is just less of a secret. I think that put in the right perspective this can be the path to a data portability solution. It does seem like this is a massive hill to climb with the the traditional power structures not inclined to be open minded. Although to me it is inevitable that a solution of control and data empowerment will be distributed to the masses. The reason for this is the data subject has the high ground with legal protected rights of access, and notice for explicit consent. These are the tools that can really make things happen.

To this end there is something I have been calling the ‘Master Controller Access Framework’(MCAF) a hybrid legal & technical, concept that uses the hierarchy of data use from something like the ‘identity legal framework’ as a vehicle for the creator of information (aka the data subject) to make policy that provides control and facilitates the choice of privacy.

Are these concepts something that can be used to answer your question?

It’s silly to suppose that Facebook or Myspace own our relationships, but they do own means of making them useful (just to use one example.) I have hesitated to invest much time in these, and most other communities, because I am wary of not being able to be able to use the information I give them in ways that suit me. Hence, my interest in Data Portability. I’ll take a useful set of open standards that allow me to pipe and filter information over a walled garden any day.

Overall I think the concept of “owning” information is a bankrupt idea (lighting a candle, yadda yadda.). Technology has rendered it useless. By making it so easy to copy and distribute information, those who seek to own it are forced to throw up technical hurdles to limit the flow.

At the same time, technology has undermined our ideas of privacy. I say ideas because many different cultures hold different views on expectations of privacy. Indeed, we probably all hold diverse, sometimes contradictory, notions of privacy as individuals. This erosion of privacy, to me, is more interesting than ownership of information.

I once was denied a job I was sure I would get. Everything went well. I was highly qualified for the position. Then I find out I didn’t get the job. I received a copy of the background report sent to the company and was shocked to find a list of criminal offenses in states I had never even visited! There was no way for me to prove that the company didn’t hire me as a result of the report but the whole episode soured me on how many decisions are made based on the wide dissemination of personal data. Credit and health issues are even more troublesome.

In this way, privacy is intrinsically related to “ownership” of data. We want to control who can access certain information about us. We might not care if our friends know we partied last weekend, but might not want current or future employers to know. The ease of search coupled with the sheer persistence of data (erroneous or not) indicate troubled times for privacy.

Ultimately, what I’m saying is that rather than discuss ownership of data (which seems meaningless,) the conversation should focus on access control. We need to develop standards relating to how data access is mediated. This is by no means a simple task for there are many gradations and grey-zones. But developing some kind of robots.txt for personal data is important.

I hope I didn’t get too far off track . . .