Using Creative Commons-type Legal Framework for Privacy / Ownership Rights

Mike Pearson

Jan 11, 2008, 9:46:38 PM
to DataPortability.Public.General
Lawrence Lessig has indicated developing such a legal framework would
require approximately US$200k to get it to launch, and an endowment of
twice that to support it perpetually.

If some of the larger companies wish to support such a public good
initiative, perhaps they can discuss it with Creative Commons
directly. My opinion would be that an existing 501(c)(3) tax-exempt
charitable corporation, that has already gone through the process once
for Content, and has a working infrastructure, would be better than a
completely new initiative.


Repeating parts of the relevant posts on the topic, FYI:

When I sign up to a new web service, could I be presented with a CC
plain-English statement of the User Data rights I am handing over e.g.

* Ownership. We will own this copy of your data and we will have
exclusive rights over its publication, use and deletion.
* Commercial. We will sell your data for profit, allowing others
to use your data for direct marketing purposes
* Matching. We will match your data with data other people hold
about you.
* No Derivatives. Your data will not be sold separately.

[NOTE: For governments this might look slightly different]

* Ownership. We will share this copy of your data with you and we
will have shared rights over its use.
* Public Value. We will use your data to increase public value.
* Matching. We will lawfully match your data with other data that
we hold about you
* No Derivatives. Your data will not be sold separately.

Later, when my data (as part of a database) is sold to someone else,
how could these rights be transferred with the data?

How could I seek redress, if subsequent use of my data breaches the
original agreement?

I have just started emailing Lawrence Lessig (Creative Commons) and
Jordan S. Hatcher (Open Data Commons) on this topic. The emerging
risk is that we end up with different ways to describe (technically)
the different dimensions of data rights.

In response to my question, "Could the Creative Commons framework
support our requirement?",

Lawrence replies "In principle, yes, but we'd have to find a structure
of support for it. The architecture of this (from the legal
perspective) is significantly different, so we'd need to do some
significant work to get it going. Is there an institution likely to
support this?"

Chris Saad

Jan 11, 2008, 11:34:56 PM
to DataPortability.Public.General, j...@creativecommons.org, m...@creativecommons.org, adr...@bigblog.net, da...@bigblog.net
This sounds very interesting

There is a lot of movement for a Policy Blueprint (in tandem to a
Technical Blueprint) - There is a page stub here:
http://groups.google.com/group/dataportability-public/web/dataportability-policy-reference-design

I have also heard interest from Jon and Mike from Creative Commons
(copied in) as well as authoritative EU lawyers Adriana and David
(they have some of the tightest data privacy laws) who are willing to
help contribute to the discussion and the policy document.

I believe that Jon, Mike, Adriana and David (as well as a few others)
could form the sub-group for the Policy Blueprint and any supporting
legal frameworks. Are you guys in?

Also, while Vendors are NOT allowed to join the Workgroup directly
(only interested individuals) - Vendors are welcome to potentially
sponsor the initiative so we can pay for things like this (among other
things). A number of Vendors have asked me to get involved with
sponsorship.

The Board mentioned on the Roadmap
(http://groups.google.com/group/dataportability-public/web/workgroup-roadmap)
will form the legal entity and ratify where the funds will be directed.

Chris

Robert O'Brien

Jan 12, 2008, 12:28:39 AM
to dataportabi...@googlegroups.com
Since *bits* can't be owned, what we are largely talking about is
*rights*. Even an email address/phone number is not strictly owned but
leased. That said an Idcommons working group has been set up to work
on this as Identity Rights Agreements (IRA).

<http://wiki.idcommons.net/index.php/Identity_Rights_Agreements>.

A good background paper to the ideas of IRAs is here
<http://www.windley.com/essays/2006/identity_rights_agreements>

Mary Rundle from the Berkman Center for Internet & Society has also
been proposing the need for a Privacy Commons and has made a first
attempt at a set of icons and associated meanings:

* You agree not to use this data for marketing purposes

* You agree not to trade or sell this data

* You agree to submit to a third-party audit program on data use; if
government has requested access to my data, you agree to involve my
government ombudsman

* You agree to make available to me the data that you have on me
without my having to pay for it/at a minimal charge

* You allow me to address inaccuracies in the data and request its removal

* You agree to take reasonable steps to keep my data secure

* You agree to arrange with X organization to help resolve any
disputes we have over your treatment of this data.

Mary also has an initial set of icons in the following presentation/paper.

Presentation at 28th International Data Protection and Privacy
Commissioners' Conference (2006) < http://tinyurl.com/2a6k3q >

W3C Position Paper (2006):
<www.w3.org/2006/07/privacy-ws/papers/21-rundle-data-protection-and-idm-tools/>

Cheers
Robert

Chris Saad

Jan 12, 2008, 12:41:28 AM
to DataPortability.Public.General
Robert this is very promising,

Is there any reason why we can't use this wholesale as part of the DP
Policy Blueprint just like we use existing open standards as part of
the Technical Blueprint?

They seem to have the same approach as DP in terms of both dealing
with the logistical and branding issues at the same time.

Also it seems like there is a metadata component (that might be
verifiable somehow?) that we could use as part of the DP validation
process (when we build one).

Is someone connected to Mary?

Chris
> <www.w3.org/2006/07/privacy-ws/papers/21-rundle-data-protection-and-id...>
>
> Cheers
> Robert

Robert O'Brien

Jan 12, 2008, 1:21:21 AM
to dataportabi...@googlegroups.com
Chris

On 12/01/2008, Chris Saad <chris...@gmail.com> wrote:
> Is there any reason why we can't use this wholesale as part of the DP
> Policy Blueprint just like we use existing open standards as part of
> the Technical Blueprint?

I guess you could, except there really isn't anything even remotely
standardised as yet. Mary's terms are the best there are at the moment.
It would certainly fit with the basic agenda of dataportability to
factor this out into a separate independent project that is included
as part of the "reference" model.

> They seem to have the same approach as DP in terms of both dealing
> with the logistical and branding issues at the same time.

IRA/Privacy Commons type of work needs both since the success of the
IRAs will be driven by the human factor hence the importance of the
icons as info branding.

> Also it seems like there is a metadata component (that might be
> verifiable somehow?) that we could use as part of the DP validation
> process (when we build one).

Absolutely. The legal and branding aspects aside, the idea behind IRAs
is driven primarily from the power of XDI which is basically XRI+RDF
(think RDF's graph model). IMHO XDI is a *very* powerful approach but
far from prime time ready - there is no standard to speak of. I'd also
say that it would scare many away, at the moment, since it is more top
down than bottom up; model rather than format.

> Is someone connected to Mary?

ProjectVRM have been discussing the need for a "Privacy Commons" and
that is being led by Doc Searls as part of his Berkman Center
fellowship:

"At Berkman, one question is what do we break off from VRM to create a
working group, especially in areas of law. Perhaps a privacy commons
is the right approach."
<http://cyber.law.harvard.edu/projectvrm/Meeting_notes_2007_05_16>

Robert.

Chris Saad

Jan 12, 2008, 1:27:34 AM
to DataPortability.Public.General
I am indeed aware of ProjectVRM - huge fan of Doc's work and Nick G is
a friend of mine. They also have been discussing using APML
(www.apml.org) as part of their work which is, of course, one of my
babies (of course it is many other people's baby also).

The first revision of the DP site included a link to ProjectVRM
because really that is part of the economic incentive for all this
work and one of the logical outcomes.

And I agree that Mary's ongoing work could be included in the Policy
Blueprint in much the same way that the open standards are included in
the Technical Blueprint.

Chris

On Jan 12, 4:21 pm, "Robert O'Brien" <rsobr...@gmail.com> wrote:
> Chris
>

Frederick Giasson

Jan 12, 2008, 10:37:41 AM
to dataportabi...@googlegroups.com
Hi Robert,

> Absolutely. The legal and branding aspects aside, the idea behind IRAs
> is driven primarily from the power of XDI which is basically XRI+RDF
> (think RDF's graph model). IMHO XDI is a *very* powerful approach but
> far from prime time ready - there is no standard to speak of. I'd also
> say that it would scare many away, at the moment, since it is more top
> down than bottom up; model rather than format.
>

I am really not familiar with the XDI Oasis project, however could you
explain to me what you mean by XDI+RDF?


The thing with the semweb is that there are methods to locate RDF data on
the web (or other networks) depending on whether URIs are resolvable
(dereferenceable) on these URI networks (mainly the Web). Also there are
a lot of tools (both open source and commercial) that manage this
communication, manage the data, synch and keep it up to date.

For example, there is a list of such tools (650) that has been compiled
by my friend Mike Bergman:

http://www.mkbergman.com/?page_id=325


So that is why I would like a better definition of XDI+RDF (what it means,
etc).


Thanks,


Take care,


Fred

Dennis D. McDonald

Jan 12, 2008, 4:59:45 PM
to DataPortability.Public.General
Robert,

Thanks for referencing Mary Rundle's paper. I'm going to check that
out.

I started thinking about these concepts a couple of years ago when I
realized that the concept of personal data privacy was probably
changed irrevocably by the Web, yet I resented the fact that others
could -- and did -- make money by aggregating data about me and
various types of transactions I engaged in.

Basic fairness suggested (a) that I should be able to decide what
about me becomes public, (b) if you're going to transfer my public
data around at minimum its accuracy should be maintained, and (c) if
you make money from my public data I should get some share of that.

In 2005 I envisioned some sort of licensing organization to handle
this ("Identity Theft and the Licensing of Personal Information"
http://www.ddmcd.com/licensing.html) but I have to admit my
ideas about applying copyright and data ownership rights were those of
a non-attorney. So I'm really happy to see this attention to data
portability because it forces attention to such issues.

One of my concerns, however, is that paying a lot of attention to use
case development that focuses on defining a wide range of authorized
or licensable uses might cause people to overestimate what is possible
in terms of managing transactions in the real world. Collecting and
tracking usage data costs resources. It might also motivate some to
envision systems that track data use in ways that are opposed to
privacy. For example, if it is true that ISPs might be convinced to
track large file transfers, that has significant privacy implications.
The same would be true of the need to track usage of licensed "private
information."

But I do intend to read the Rundle paper. I'm just concerned that the
complexity of "rights management" might overwhelm the system.

Dennis McDonald
http://www.ddmcd.com

Robert O'Brien

Jan 15, 2008, 6:40:43 AM
to dataportabi...@googlegroups.com
Frederick

On 13/01/2008, Frederick Giasson <fr...@fgiasson.com> wrote:
> > Absolutely. The legal and branding aspects aside, the idea behind IRAs
> > is driven primarily from the power of XDI which is basically XRI+RDF
> > (think RDF's graph model).
>

> I am really not familiar with the XDI Oasis project, however could you
> explain to me what you mean by XDI+RDF?

Oops that typo was meant to read 'XDI is basically XRI+RDF.'

Firstly, XRIs are identifiers based on IRI and have transformation
rules for making them URIs or URLs.

One of the things that interests me about XRI is the ability to
support generative naming. This means you don't have to treat an XRI
as being opaque since they can be structured in a way that can be
interpreted by agents other than the issuing authority as is
theoretically the case for URLs.

As I currently understand it, XDI, esp. the XDI RDF incarnation, uses
the RDF graph model of Subject, Predicate, Object to structure
identifiers and/or the XDI document. XDI Link contracts, a.k.a. rights
paths, are XRIs that basically provide the access control model for
accessing data (a leaf or a subgraph) at a data authority. The concept
seems similar to the ideas behind security capabilities and provides a
way of modelling both the data, meta-data and access-control using the
same language/model.

The main *current* document for XDI is the XDI RDF Model
http://www.oasis-open.org/committees/download.php/25531/xdi-rdf-model-v7.pdf

Does that make sense?
Cheers

Robert.

Robert O'Brien

Jan 15, 2008, 8:20:37 AM
to dataportabi...@googlegroups.com
Dennis,

On 13/01/2008, Dennis D. McDonald <dd...@yahoo.com> wrote:
> I started thinking about these concepts a couple of years ago when I
> realized that the concept of personal data privacy was probably
> changed irrevocably by the Web, yet I resented the fact that others
> could -- and did -- make money by aggregating data about me and
> various types of transactions I engaged in.

And this very notion of "collecting" intelligence to make money is
fundamental to marketing and product design as we currently know it
today. It is also a very big aspect of Web2.0 companies - collective
intelligence.

Intelligence gathering is rather inescapable in today's environment,
but it does not need to end up as a dystopia. I think it requires a
mind set change on a number of fronts. This is what UCI and VRM are
about, changing our mindset about our identity and our commercial
relationships. Philosophies. A similar mindset change is needed for
thinking about Privacy - at least in the digital realm.

I kinda like where Chris Messina is coming from
http://tinyurl.com/3yttep though I don't agree with the idea of
flooding/jamming the network with PII about oneself in order to
control the information.

One aspect of Privacy is control. I don't see Privacy being about
ownership. More about rights. At the moment when we hand over some
identifying information, an email address, our click stream etc we
have no subsequent control to determine what happens next, no rights,
but perhaps more importantly we don't know what derivative information
is being collected/aggregated about us. That is why I like things like
APML, attentionlabs.com, and Reading trend information gReader. They
show and shed light on what the other party in the relationship knows
about me, that way at least I know what I'm giving up.

> Basic fairness suggested (a) that I should be able to decide what
> about me becomes public, (b) if you're going to transfer my public
> data around at minimum its accuracy should be maintained, and (c) if
> you make money from my public data I should get some share of that.

I think privacy, as framed, is an illusion. The only thing that is
truly private are the thoughts in my head that I do not share with
anyone else. At least they are for the moment.

In other words the public/private desire is a false dichotomy -
everything is public to some degree. Rather we need to ensure that
information given in one context is not used in another context
without us knowing about it. This enables us to ensure that the
information is used in a way that doesn't contradict the original
contract. But at the moment we can't do this because the agreements
that the *contracts* are based on have not been clearly defined if at
all. Currently the rules are implicit often made up as we travel.

Creative Commons defines the rights agreements for Creative Works as a
starting point. A Privacy Commons needs to define a set of rights
agreements for PII as a starting point even if the initial rights
governed by the agreements are just the seven classifications that
Mary proposes and not backed by law.

For example, one way of tracking the use/misuse of information about
me, at least for email, is by using single use or unique email
addresses per relationship. This is what I do now manually. What
Sxipper makes a lot easier to do, manage and track. If the information
Sxipper tracks is then turned into Vendor Reputation Metrics then we
start to have a way, as individuals, to fight back at misuse.

> In 2005 I envisioned some sort of licensing organization to handle
> this ("Identity Theft and the Licensing of Personal Information"

And this is a role I see being fulfilled by Identity Providers/Managers.

> One of my concerns, however, is that paying a lot of attention to use
> case development that focuses on defining a wide range of authorized
> or licensable uses might cause people to overestimate what is possible
> in terms of managing transactions in the real world.

> But I do intend to read the Rundle paper. I'm just concerned that the
> complexity of "rights management" might overwhelm the system.

Actually I think it is solvable by establishing a number of
prototypical agreements that form the base of all individual
agreements and contracts. These papers by Robert Thibadeau discuss
this.

http://dollar.ecom.cmu.edu/p3pcritique/
http://yuan.ecom.cmu.edu/pspnote/


Robert.
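
The per-relationship email address idea from the message above, sketched as an added example that is not part of the original thread or of Sxipper. The mailbox name, domain, key, vendor names and sample mail are all constructed, and the keyed tag on each alias is an assumption added so that a valid alias cannot be guessed.

```python
import hashlib
import hmac
from collections import Counter

# All values below are constructed for illustration.
SECRET = b"demo-key-known-only-to-the-mailbox-owner"
MAILBOX, DOMAIN = "robert", "example.org"

def _tag(vendor: str) -> str:
    """Keyed tag: stops a third party guessing or forging a valid alias."""
    return hmac.new(SECRET, vendor.encode(), hashlib.sha256).hexdigest()[:10]

def alias_for(vendor: str) -> str:
    """The address handed to exactly one vendor (one relationship)."""
    vendor = vendor.lower()
    return f"{MAILBOX}+{vendor}.{_tag(vendor)}@{DOMAIN}"

def vendor_of(recipient: str):
    """Vendor the alias was issued to, or None if malformed or forged."""
    local, _, domain = recipient.lower().partition("@")
    prefix = MAILBOX + "+"
    if domain != DOMAIN or not local.startswith(prefix):
        return None
    vendor, _, tag = local[len(prefix):].rpartition(".")
    if not vendor or not hmac.compare_digest(tag.encode(), _tag(vendor).encode()):
        return None
    return vendor

def classify(recipient: str, sender_domain: str, expected: dict) -> str:
    """Return 'ok', 'invalid', or 'passed-on:<vendor>'."""
    # The sender domain is only a heuristic: From headers can be spoofed.
    vendor = vendor_of(recipient)
    if vendor is None:
        return "invalid"
    if sender_domain.lower() in expected.get(vendor, set()):
        return "ok"
    return f"passed-on:{vendor}"

def misuse_counts(mail, expected) -> Counter:
    """Per-vendor tally of mail from unexpected senders (a crude reputation metric)."""
    hits = Counter()
    for recipient, sender_domain in mail:
        verdict = classify(recipient, sender_domain, expected)
        if verdict.startswith("passed-on:"):
            hits[verdict.split(":", 1)[1]] += 1
    return hits

EXPECTED = {"shopco": {"shopco.example"}, "newsletter": {"news.example"}}
SAMPLE_MAIL = [  # constructed (recipient, sender domain) pairs
    (alias_for("shopco"), "shopco.example"),       # the vendor itself
    (alias_for("shopco"), "bulk-ads.example"),     # alias passed to someone else
    (alias_for("newsletter"), "news.example"),
    (f"{MAILBOX}+shopco.0000000000@{DOMAIN}", "bulk-ads.example"),  # forged tag
]
```

Calling `misuse_counts(SAMPLE_MAIL, EXPECTED)` attributes one unexpected sender to the `shopco` relationship and ignores the forged alias.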

Frederick Giasson

Jan 15, 2008, 8:36:53 AM
to dataportabi...@googlegroups.com
Hi Robert,

>> I am really not familiar with the XDI Oasis project, however could you
>> explain to me what you mean by XDI+RDF?
>>
>
> Oops that typo was meant to read 'XDI is basically XRI+RDF.'
>
>

Ok


> Firstly, XRIs are identifiers based on IRI and have transformation
> rules for making them URIs or URLs.
>
> One of the things that interests me about XRI is the ability to
> support generative naming. This means you don't have to treat an XRI
> as being opaque since they can be structured in a way that can be
> interpreted by agents other than the issuing authority as is
> theoretically the case for URLs.
>
> As I currently understand it, XDI, esp. the XDI RDF incarnation, uses
> the RDF graph model of Subject, Predicate, Object to structure
> identifiers and/or the XDI document. XDI Link contracts, a.k.a. rights
> paths, are XRIs that basically provide the access control model for
> accessing data (a leaf or a subgraph) at a data authority. The concept
> seems similar to the ideas behind security capabilities and provides a
> way of modelling both the data, meta-data and access-control using the
> same language/model.
>
>

So, after reading the beginning of the XRI spec [1], it seems that what
you are suggesting is using the XRI protocol to dereference RDF
documents for given XRIs (that are URIs, so URLs dereferenceable on the web).

Am I right, or did I completely miss the point?

> Does that make sense?
>
If it is what I said above: yeah sure. However it is not the only
dereferencing method existing. I would really have to read that whole
spec and the paper you linked to in this mail before making up my mind.

Also, this draft is another possibility (and the one currently used by
the semweb community; however, people still discuss it and raise
important points vis-a-vis it.) [2]

[1] http://docs.oasis-open.org/xri/2.0/specs/cd02/xri-resolution-V2.0-cd-02.html
[2] http://www.w3.org/TR/swbp-vocab-pub/


Take care,

Fred
