Bob Blakley, who writes frequently about identity issues, has an interesting post entitled On The Absurdity of "Owning One's Identity" in response to Kim Cameron's first law. The first law states: Technical identity systems must only reveal information identifying a user with the user's consent. Bob, rightly, recognizes that this really isn't a law and goes on to give various reasons why it's unenforceable. Drummond Reed points out that Kim's talking about "technical" systems, not the processes that might be built on top of them.
Even so, there are some interesting issues here that point out why identity and user control can be so sticky. Recognize that relationships matter. Individual attributes about me are only of concern when they're linked to me. Data in aggregate (another form of relationship) has value (both to me and to others) that is more than linearly proportional to the size of the collection. In some cases, leaving out data can make the whole collection worthless (think of your credit score with all the "bad" data excluded).
While the first law is good, it doesn't solve every issue:
- The first law doesn't have to let users exclude some data from an aggregation that has been requested by a relying party. User control doesn't have to mean that users have a line-item veto.
- The first law can't protect users from a relying party slowly accumulating identity data. eBay can still nickel-and-dime you to death, and if you agree each time, they will amass a large collection of data.
- The first law doesn't keep a relying party or identity provider from releasing identity data regarding transactions to which they were a party. I've written before about symmetric treatment of transaction data.
A lot of people claim that anything related to them is "identity data," and that's part of the problem. Records of your transactions with a lender are not identity data; they're transaction data. Your credit score isn't identity data; it's reputation. This gets to one of Bob's key points: you don't own my story about you. But, then again, your story's not identity.
I think many, but not all, of Bob's issues with the first law go away when we start to reclassify data as transactional and reputational, rather than lumping it all in as "identity."