Identity Rights Management

From P2P Foundation

= how my identity information can be shared when I release it to a website or other Internet service.


"Just as the CC licenses specify that you can do anything with what I create (except, depending on the license, that you must share and share alike, attribute it to me, etc.), when I release identity information to a website I'd love to stipulate that it may not do anything with it (except, depending on the identity rights agreement, that it may share it with its subsidiaries or partners, or even post it on their website if I so agree, such as at a blog or Wiki). Developing the vocabulary and straightforward set of ~5 options for identity rights agreements will require collaboration among technologists, lawyers, and other interested parties."


Peter Saint-Andre at

"We see two dimensions here: whether you can store my information, and whether (and with whom) you can share it. Boiling that down has yielded five options:

  1. Don’t Store, Don’t Share
  2. Store, But Don’t Share
  3. Store, Share Internally
  4. Store, Share With Partners
  5. Store, Share With Anyone

Let’s look at each of these in a bit more depth…

1. “Don’t Store, Don’t Share” means I’m providing this information to you only for the length of this transaction, where the time to live (TTL) of this transaction is zero. I think of the stores that ask for my ZIP code when I complete a cash transaction: they don’t store that information and they don’t share it with anyone, although in some computer system there’s a counter that’s incremented by one every time someone in my ZIP code buys something (conclusion: aggregation is OK). Similar functionality might be used by online polls and such. This ties your hands with regard to using my information, but sometimes that’s what I want.

2. “Store, Don’t Share” means that you can keep a record of my information (e.g., in a database or cookie) and associate it with me (e.g., with my email address), but you can’t share it with anyone else, not even other subsidiaries of your company. Your hands are tied less tightly here (perhaps you need to store the information to provide me with a better user experience or whatever) but the potential damage is limited since you can’t share my information with anyone else. Note also that unlike “Don’t Store, Don’t Share”, there is something of a real contract here, which needs to be time-limited (you can store this data for 2 hours or 2 weeks or 2 years); finally a real-life use for TTLs on cookies!

3. “Store, Share Internally” opens the door a little wider: now you can share the information with other subsidiaries. The data still has a TTL, but you can use it to offer a more seamless service (or blast me with marketing messages).

4. “Store, Share With Partners” gives you even greater freedom (now you can make money by selling this information to your partners or doing some co-marketing). But we stipulate that you must name your partners (good for small partner networks, not good for big partner networks) or describe the network (e.g., “all companies in the VISA network, all members of this federation, all subscribers to this mailing list”). But those partners must not share my information — if they want to do anything with my information, they must negotiate directly with me.

5. “Store, Share With Anyone” might seem strange — why would I let you share my personally identifying information with literally anyone? Yet I think there is precedent here: consider blog comments or forum posts, where I provide an email address or URL that is under my control and you link to it from your blog or forum. You’ve stored it and you’re sharing it with the world."
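
As an added illustration (not part of the original page or of the quoted post), the five options can be modelled as an ordered policy that a site checks before it stores or shares a released attribute. The `Agreement` record, the recipient kinds, the cumulative reading of the options and the rule that expired data may not be shared are assumptions made for this example.

```python
from dataclasses import dataclass
from enum import IntEnum

class Rights(IntEnum):            # the five options, in the order quoted above
    DONT_STORE_DONT_SHARE = 1
    STORE_DONT_SHARE = 2
    STORE_SHARE_INTERNALLY = 3
    STORE_SHARE_WITH_PARTNERS = 4
    STORE_SHARE_WITH_ANYONE = 5

@dataclass(frozen=True)
class Agreement:                  # hypothetical record kept per released attribute
    rights: Rights
    granted_at: int               # epoch seconds when the user released the data
    ttl: int                      # seconds; 0 for option 1
    partners: frozenset = frozenset()   # partners named under option 4

def may_store(ag, now):
    """Storage is allowed only for options 2-5 and only inside the TTL."""
    if ag.rights == Rights.DONT_STORE_DONT_SHARE:
        return False
    return ag.granted_at <= now < ag.granted_at + ag.ttl

def may_share(ag, now, recipient, kind, holder="site"):
    """kind: 'subsidiary', 'partner' or 'public'; holder: 'site' or 'partner'."""
    if not may_store(ag, now):    # assumption: expired data may not be shared either
        return False
    if holder == "partner" and ag.rights == Rights.STORE_SHARE_WITH_PARTNERS:
        return False              # partners must negotiate with the user directly
    if kind == "subsidiary":
        return ag.rights >= Rights.STORE_SHARE_INTERNALLY
    if kind == "partner":
        if ag.rights == Rights.STORE_SHARE_WITH_ANYONE:
            return True
        return (ag.rights == Rights.STORE_SHARE_WITH_PARTNERS
                and recipient in ag.partners)
    # 'public' and any unknown recipient kind fail closed unless option 5 applies
    return ag.rights == Rights.STORE_SHARE_WITH_ANYONE

# Constructed sample: an e-mail address released for two weeks under option 4.
T0 = 1_700_000_000
SAMPLE = Agreement(Rights.STORE_SHARE_WITH_PARTNERS, T0, 14 * 86400,
                   frozenset({"partner-a.example"}))
```

Calling `may_share` at every outbound data flow, rather than once at collection time, is what makes the TTL and the named-partner list enforceable.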

More Information

See the entry on Identity