Identity Rights Agreements


In my Digital Identity book, I mention that even though most people hate digital rights management (DRM) schemes on digital goods like software and music, that's exactly what we'd all like for our identity information. For example, I'd love to be able to control how my bank uses, stores, shares, etc. my SSN when I'm forced to give it to them.

On the train from OSCON to the airport, I was talking with Doc, Dizzy, and St. Peter about identity and Dizzy brought up the idea of doing something like Creative Commons (CC) for identity--essentially a voluntary DRM not unlike a non-disclosure agreement. We started calling it an Identity Rights Agreement (IRA). Here's some thoughts:

IRA's should come in a limited set of configurations, like CC. This makes it easy for people to choose and become familiar with what they mean. So, they might be:

  • Post publicly (broadcast)
  • Share with anyone, but can't broadcast
  • Share with self and partners with which you have a legal agreement to honor this agreement
  • Keep to self
  • Stored encrypted
  • Use for this purpose and destroy

These are just suggestions. There might be more and they certainly need better names and descriptions.

Another issue surrounds granularity. Ideally, each assertion on the identity would be able to be separately licensed. I am glad to have my URL shouted from the rooftops, but I want my phone number kept, but not shared. My SSN, I want used and then destroyed, or at least stored in encrypted form. Just off the top of my head, I think some kind of microformat would be the right thing here since it could be layered onto other mark-up and be displayable as well.

The IRAs would be voluntary in the sense that not technology or system enforces them, but they could be made legally binding by the use of electronic (not digital) signatures. By federal law, an action (clicking on a Web page, for example) can be legally binding under certain circumstances. A request for identity information could return the agreement (in machine and human readable form) and then the request for the actual identity attributes would constitute the agreement.

Certainly, much of this would have to be worked out by those more expert in the law than I. You can't really have a functioning Identity 2.0 infrastructure, however, without some way of attaching hints and rules for acceptable usage to attributes.