.Nat Zone

Digital Identity et al.

[projectvrm] Policy and criteria?

      2008/11/28

Based on the discussion this afternoon at iiw#7, here is my initial thoughts on the “policy/principle” and “criteria” that a VRM compliant service should fulfill. They actually are the underling abstract model of the proposed OpenID TX extension (now renamed to be something like CX, contract exchange), OpenID CX being a profile of it onto the OpenID framework.

Policy/principle:

  • User owns his own data – he has full authority and control over them.

Criteria:

  • User offers his own data to the vendors for a particular purpose on consent to meet his/her needs.
  • Vender/Service must present a very specific data usage purpose clearly and must abide to it.
  • Duration for the data usage and storage must be defined.
  • User must be able to cancel the contract with an appropriate wind down time.
  • User must be able to download all his data in a standard format from the vendor/service.
  • User is able to delete his data at the vendor/service anytime he wishes except for the data the vendor is required to keep for legal compliance.
  • Notification method should the violation to the contract term arise for each party must be defined.
  • Restitution measures must be defined for the cases of inappropriate data usage and data leakage.

Tools*1:

  • All the above must be included in the relationship contract and mutually digitally signed with date.
  • For long-term contracts, third party time stamping (digital signature with newer algorithms and date) must be done regularly to cope with algorithm compromise risk.
  • All the data transfer/exchange must occur based on this contract.

In OpenID CX (formally TX), there will be a mutually digitally signed contract format defined with request-response protocol for creating it. All the subsequent data exchange will occur based on this contract. It would appear to me that the r-button state with joined sideway Us are nothing but the state that the above contract is in effect.

Note: An extremely long thread has started off from this message of mine to the ProjectVRM list. You may want to see them as well.

*1 I have modified the original message a bit by separating out the Tools from the Criteria. Paul Madsen pointed out that it would be better not conflate Criteria with Tools and I fully agree. Thanks Paul!

 - Uncategorized