So Mike, what are your thoughts on the issues I raised?
Below are comments posted on my blog, for the policy group to take
note
http://liako.biz/2008/03/control-doesnt-necessarily-mean-access/
# Charlie
Mar 5th, 2008 at 3:23 am
Brings a certain Seinfeld episode to mind...
# 2 NathanaelB
Mar 5th, 2008 at 8:46 am
To quote Councillor Hamann from Matrix Reloaded: "That's control,
isn't it? If we wanted we could smash them to bits" :-)
http://liako.biz/2008/03/can-you-answer-my-question/
# Jonathan
Mar 5th, 2008 at 2:52 pm
It's certainly a good question. There's such a staggering array of
data that exists for each one of us, however, that the data itself is
essentially worthless. I'm inclined to think a better question might
be "what's the best way to make sense of all this data?" What you
define as information is what is truly important. Who owns the methods
for managing the information is what counts. Those who work on Data
Portability are generally concerned with making sure the public itself
owns those methods.
It's silly to suppose that Facebook or Myspace own our relationships,
but they do own means of making them useful (just to use one example.)
I have hesitated to invest much time in these, and most other
communities, because I am wary of not being able to use the
information I give them in ways that suit me. Hence, my interest in
Data Portability. I'll take a useful set of open standards that allow
me to pipe and filter information over a walled garden any day.
Overall I think the concept of "owning" information is a bankrupt idea
(lighting a candle, yadda yadda.). Technology has rendered it useless.
By making it so easy to copy and distribute information, those who
seek to own it are forced to throw up technical hurdles to limit the
flow.
At the same time, technology has undermined our ideas of privacy. I
say ideas because many different cultures hold different views on
expectations of privacy. Indeed, we probably all hold diverse,
sometimes contradictory, notions of privacy as individuals. This
erosion of privacy, to me, is more interesting than ownership of
information.
I once was denied a job I was sure I would get. Everything went well.
I was highly qualified for the position. Then I find out I didn't get
the job. I received a copy of the background report sent to the
company and was shocked to find a list of criminal offenses in states
I had never even visited! There was no way for me to prove that the
company didn't hire me as a result of the report but the whole episode
soured me on how many decisions are made based on the wide
dissemination of personal data. Credit and health issues are even more
troublesome.
In this way, privacy is intrinsically related to "ownership" of data.
We want to control who can access certain information about us. We
might not care if our friends know we partied last weekend, but might
not want current or future employers to know. The ease of search
coupled with the sheer persistence of data (erroneous or not) indicate
troubled times for privacy.
Ultimately, what I'm saying is that rather than discuss ownership of
data (which seems meaningless,) the conversation should focus on
access control. We need to develop standards relating to how data
access is mediated. This is by no means a simple task for there are
many gradations and grey-zones. But developing some kind of robots.txt
for personal data is important.
I hope I didn't get too far off track . . .
# 2 Mark Lizar
Mar 6th, 2008 at 3:50 am
Wow, what a great discussion.
I have a few comments to that blog post and finally a place to put
them. First is that I disagree with Jonathan (but only a little bit).
Not in principle but in method. I think control is the big issue and
that privacy is not eroding but being discovered.
I once started off with the idea of owning data as well. The short
story is that the year of my life spent chasing ownership brought a
realisation that owning information isn't a solution that will ever
work.
It is also very clear that data portability is the name of a function,
and for that information to be useful, the context of information is
very important (I very much agree). To me these thoughts over the past
few years have evolved into an understanding that there needs to be a
policy which accompanies the data and this policy dictates the
hierarchy of control.
Underneath this policy there is only one solid infrastructure that
works, and that is the law. One thing that is really missing, is the
ability to see what these policies are in a way that is usable. Until
then everything is just confusing, unquantified, etc.
In order for tools to be made where 'people can see' the context of
data usage and control, there needs to be a framework that is common
and standardising. This is something I am calling the 'Identity Legal
Framework' which can be used to build a technical and legal
infrastructure for liability and control while freeing information. To
me there is an explicit difference between ownership and control of
data.
As for privacy, most of our information, like our name or address or
what we are doing has never been private, it just has never been
easily accessible. Now technology provides access making it easy and
giving the illusion of eroded privacy, but in fact we never owned our
identity, information now is just less of a secret. I think that put
in the right perspective this can be the path to a data portability
solution. It does seem like this is a massive hill to climb with the
traditional power structures not inclined to be open minded.
Although to me it is inevitable that a solution of control and data
empowerment will be distributed to the masses. The reason for this is
the data subject has the high ground with legally protected rights of
access, and notice for explicit consent. These are the tools that can
really make things happen.
To this end there is something I have been calling the 'Master
Controller Access Framework' (MCAF), a hybrid legal & technical concept
that uses the hierarchy of data use from something like the 'identity
legal framework' as a vehicle for the creator of information (aka the
data subject) to make policy that provides control and facilitates the
choice of privacy.
Are these concepts something that can be used to answer your question?
# 3 Dennis McDonald
Mar 6th, 2008 at 8:47 am
I too have become much more interested in privacy than portability but
the problem is that most people don't care about privacy till it's too
late. Does that mean I should become an elitist and promote laws,
standards, and systems that increase control by individuals over their
own information, even though they generally don't care?
# 4 Elias Bizannes
Mar 6th, 2008 at 9:42 am
@Jonathan: No, thank you! Off track is still relevant on this
discussion. Access control rather than ownership is something that I
think you are right on the money with.
@Mark: Ownership and control is another good point. And I couldn't
agree more that "privacy is not eroding but being discovered".
MCAF is something that looks interesting, and I will note it formally
down so we can investigate it.
What relationship do you have with the other identity frameworks, like
Identity Commons and the Higgins project?
@Dennis: The reason people don't care is because they don't understand
it. I can assure you, the average person is freaked out about privacy
issues, but it's only in the context of practical examples like what
people see with their Facebook profile (if they even have one). On a
deeper philosophical level, by function you become elitist, but it's
not like we are stopping anyone else from contributing! Please don't
let apathy and ignorance be the cause of you not contributing.
# 5 Mark Lizar
Mar 6th, 2008 at 10:11 am
I think privacy is an old world word, that happens to be an anchor to
describe something that is now being better understood and better
defined.
If people could see their privacy they would care a lot more. For
instance Identity Mapping meaning knowledge of where one's personal
information is and for what purpose it is being used. Privacy as a
concept at this time seems just too abstract to be relevant, which I
think gives the impression that people don't care. I think people
really do care.
I have just proposed a working group at Identity Commons called
Identity & Trust
http://wiki.idcommons.net/index.php/Identity_Rights_Agreements.
Basically, a policy work group, but there hasn't been much interest as
of yet. Hence my excitement with this post and a focus of policy in
data portability.
As for investigating the MCAF, let me know when. :-)
# 6 Mark Lizar
Mar 6th, 2008 at 10:13 am
Oops.. That link is wrong; it was supposed to be:
http://wiki.idcommons.net/index.php/Identity_Trust_Charter
# 7 Jonathan
Mar 6th, 2008 at 6:08 pm
That privacy is being discovered is an astute observation. And I think
you're right that it's an old world word. To some extent, privacy has
always been an illusion. Folks living in old world villages had to
contend with persistent gossip about habits and events. For the most
part though, this was confined by limits of time and space. While a
rumor might go around that a local teacher was discreetly seeing the
farmer behind the haystacks, the word was generally confined to her
town. Even in the town, word may be limited to a certain group of
adults.
In our age, news of the affair may spill out of these limited
conditions and begin to be embellished on countless Myspace and
Facebook pages. Who knows, stakeouts with digital cameras may
commence! At this point, the persistence of innuendo completely alters
the equation. One search changes everything!
This is probably not the best example, but it illustrates the point.
It forces us to become more aware of our privacy, and thus to discover
appropriate boundaries and precautions.
The MCAF seems to be the type of thing I was alluding to earlier with
my comment about a robots.txt for personal info. I would like to have
fine-grained access control for some of my personal information. For
instance, I have public and private phone numbers and e-mail
addresses. The XDI people seem to have thought a lot about
accommodating this control. Let's hear more!
@Mark: I'm interested in participating in the Identity & Trust working
group, but fear I may not have the legal background to help much.
IANAL, but I have spent hundreds of hours reading relevant threads on
Slashdot. Does that count for anything? ;)
# 8 Christian Scholz
Mar 6th, 2008 at 8:17 pm
Great post! :-)
I would like to add the following:
Portability might also mean moving around data in certain scenarios.
Think of virtual worlds where an object can really be moved around
from server to server (depending on the implementation). We struggle
with the implications of this right now over the Grid Interoperability
Working Group. Maybe think also of MP3s or so.
Probably it all depends on definition of course but I think here the
question is where we define the scope of what we work on (for now) in
the DP Group. I guess priority probably has profile or social graph
information which is either copied or referenced.
As for privacy I am not sure we should discuss it on a philosophical
level but more so on the individual fields we are working on. E.g. if
I have my email address in a profile how should I be able to control
who can read it? And even if I allow some friend to read or export it
how can I make sure that it's not spreading from there? (of course I
cannot control that, it's mostly a question of trust here. BTW again
the same problem we have in Second Life ;-) ).
# 9 Mark Lizar
Mar 6th, 2008 at 8:28 pm
Not having a legal background is definitely not an obstacle. In fact,
interest is the number one precursor. This discussion makes me think
that a combination of the Identity & Trust working group and Data
Portability policy would be a better way to approach this.
As well, this post has inspired me to think of changing the Identity
Legal Framework to Identity Data Legal Framework which may be more
appropriate. Perhaps @Jonathan, @Elias, @Dennis, you have an idea of
how to organise this effort in a better way?
I have proposed this group because I felt it uncovered something very
important that was lacking.