Who Owns and Controls Identity Data?
It seems that several conversations regarding identity and identity-related data seem to be converging today. First, Robert “r0ml” Lefkowitz writes about his latest venture, root.net, and the belief that consumers should be able to control how shopping and purchase data collected by retailers can be used. He points to AttentionTrust.org, whose mission is in part to:
Empower people to exert greater control over their “attention data,” i.e. any records reflecting what they have paid attention to and what they have ignored. We accomplish this by promoting the principles of user control, by distributing our Attention Recorder, and by supporting the development of other appropriate tools, standards and practices.
This echoes Kim Cameron’s first law of identity, which brings me to the second converging conversation. In his identity management newsletter, Dave Kearns discusses a lengthy post by Bob “Not-a-Bob” Blakely, in which he says:
Remember the wording of Kim’s First Law:
Technical identity systems must only reveal information identifying a user with the user’s consent.
It’s clear that this “First Law requirement” isn’t feasible – a system which actually obeyed this law would be illegal (because it would withold information in cases in which the law requires it to disclose information without the data subject’s consent), and it would be dangerous to the data subject (because it would withold personal information even in critical situations if consent couldn’t be obtained – for example when the data subject is unconscious and injured after an accident).
If you agree with most or all of what I’ve written above, you’ll agree that the “First Law requirement” isn’t desirable either, because it creates a lot of work for the individual without really solving the privacy problem.
The reason the First Law doesn’t work is actually very deep and subtle, and I’ll write more about it soon.
Can’t wait.
So on one side are the advocates of user consent and control of their attention data, and on the other, the view that, in practice, this would be unworkable and undesirable. So where do I stand? Firmly somewhere in between, in the messy middle. And so does r0ml:
Assuming the legalities can be worked out to inject the individual into this transaction, then we confront the financial question. When Costco offers to buy the consumer data — who gets the money? Is it Walmart? or the 100,000 consumers who said “Yes� After all, Walmart actually went to the trouble of collecting it, storing it, and making it available, so they are certainly entitled to some compensation. In fact, the data wouldn’t exist at all if Walmart didn’t collect it, so perhaps Walmart is entitled to the money, but the consumer is entitled to the decision. Or vice versa. Or somewhere in between. It looks like it’s shaping up to be a multi-party transaction — with the need to protect the anonymity of some/most/all of the participants. In the financial world, that role is called a “broker†— who takes a commission for facilitating the transaction.
Which is exactly what root.net aims to be. This is another example of a federated identity provider, a new business opportunity for those willing to tackle these issues. Most enterprises won’t be willing to navigate the legal intricacies in negotiating multi-party data control and consent issues, especially when the legal principles involved aren’t entirely settled. But they can’t avoid needing to share identity data, and so would be willing to pay someone to solve this problem for them.
While r0ml and others seem to be going after the retail shopping use case, the health care industry, with its need to share sensitive medical record data while complying with HIPAA, seems to be the more compelling vertical. Covisint, an early entrant into federated identity services, seems to agree. It seems to me that any service provider that can solve these issues for RHIOs in health care will be in a great position to move into the retail industry as well.
Should be interesting.