Wednesday, February 11, 2009

Data Portability User Bill of Rights

The following is provided in response to a request from the Data Portability EULA/TOS task force. The intent is to provide the basis for conversation related to identifying and quantifying the specific elements that might make up a user’s DP “Bill of Rights.”

[There is a great related discussion entitled “A Bill of Rights for Users of the Social Web” originated by Joseph Smarr, Robert Scoble, and Michael Arrington; and signed by more than two dozen leading individuals]

More specifically, to me, when I go to a web site I should have a reasonable expectation as to what I can and cannot do with the data that I bring, create, or reference within the site. And, I should also have reasonable understanding as to what the site owners can and cannot due with this collection of data related to me.

On the on hand, it doesn’t really matter what those boundaries are – provided they are disclosed up front and upheld throughout my relationship with the site. In this manner, I can make an informed decision as to whether or not I choose to continue. On the other hand, there must be disclosure, transparency, and accountability for this to work.

Ideally, I would go to a web site and there would prominently sit a Data Portability badge that identified the points of compliance in these areas that I am most concerned about. Display of the badge would provide the disclosure and transparency that I seek allowing me to make an informed decision. Likewise, display of the badge would also demonstrate accountability since the TOS identifying allowable usage of the badge would require compliance.

Further, the badge would not likely simply state compliance or non-compliance, rather “degrees” of participation. In a well structured user bill of rights, it is not likely that every site I choose to participate in will fully support every core tenant of Data Portability. I should be able to quickly identify which of the core elements that most interest me relevant to the site are in fact supported by the site.

Some of the key elements in this matter are directly related to privacy, usage, and control. From this we can then extrapolate a series of compliance statements that hopefully begin to take the shape of a user’s “bill of rights.” Specifically:

Key concepts:
- Data I bring, I have the right to take away
- Data I create, I have the right to share
- I have the right to choose who can and cannot access my data
- I have the right to access my data internally and externally

Specific questions:
- User personal data is private (y/n)
- Private data is secured (y/n)
- Personal data is fully removed upon request (y/n)
- Personal data is not sold or reused without permission (y/n)
- User data is accessible outside of the website (y/n)
- User data is available using industry standard formats (which ones)

Fringe thoughts:
- Public posts can be retracted (y/n)
- Public posts can be anonymous (y/n)

There is certainly more thought required in this area, both from me and others. Love to get everyone else’s opinions on the matter.

No comments: