November 30, 2011
Who Stewards the Personal Data Question? Org Chart
Below is a diagram showing the non-profit organizations (note: no for-profits, conferences or governmental orgs were included) that are stewarding pieces of the Personal Data Ecosystem. I wanted to show how the orgs are relating to the problem of how to remake our digital lives, through more user-driven personal data, for more equal transactions throughout our lives with companies, the online world, and our government.
The orgs have been divided into four areas: technical, market, policy and individual advocates. While all the orgs have an interest and are doing some thinking in all the areas, these divisions show the foundational mission of the orgs. If each org, through its foundational mission, succeeded, they would be heroes for sure. The problem is mission creep. This is a problem for startups as well, where companies don't focus and get their piece right to succeed, but rather think competitively and try to take too many pieces of the market, leading to failure. So too will the large number of problems, plus mission creep, cause any of these orgs to fail at their mission.
Ideally, we'll see all the orgs working together in inter-disciplinary and multi-disciplinary ways, relating each of their solutions to the others, but keeping focused and executing their piece of this vast and Byzantine puzzle to solve the Personal Data Ecosystem. In creating this "org chart" I talked with folks like Kevin Marks of Microformats and Activity Streams, Harry Halpin of the Federated Social Web, Scott David, Don Thibeau of OIX and OpenID, Drummond Reed (who has worked with OASIS extensively), Doc Searls of VRM, Craig Burton, Steve Repetti and Phil Wolff of Data Portability project, Dazza Greenwood of ID Cubed, Judi Clark and Joe Andrieu of Information Sharing Working Group, among others.
So here is a picture of who is doing what in the Personal Data space:
Below is more information on these organizations.
Customer Commons -- recently formed by Doc and Joyce Searls, Renee Lloyd, Joe Andrieu, Dean Landsman, Markus Sabadello, Judi Clark, Iain Henderson, Craig Burton, and me, as well as a few others in the room that, I apologize, I'm forgetting. Customer Commons' mission is: a community of customers, funded only by customers, serving the interests and aspirations of customers.
Personal Data Ecosystem Consortium -- is a trade association for startups and big companies that agree to a set of principles for user-driven personal data. 19 companies (currently) have joined, and PDEC's mission is to support market solutions to the personal data question. Kaliya Hamlin is Executive Director and I am Chair of the Board.
PDEC also has just formed a Legal Town Hall, a monthly call starting January 11, 2012, to be led by Judi Clark, to talk about what kind of policies are needed when individuals share their data.
World Economic Forum -- WEF has been working with lots of early thinkers in the Personal Data space for the past 18 months to "rethink personal data." They put out a report: Personal Data: a New Asset Class last February and continue to have monthly calls to prepare for a presentation of the working groups' efforts at Davos in January.
Project VRM -- Vendor Relationships Management, the brainchild of Doc Searls created during his fellowship at the Berkman Center, is a discussion group with a very active mailing list, a movement for user-driven relationships with entities, and a steward of developers coding to bear out the group's vision.
OIX: Open Identity Exchange -- Don Thibeau is Chair of their Board, and Scott David is their counsel. OIX's mission is to build trust in the exchange of identity credentials online. They do this through the open standardization of Trust Frameworks. They don't make trust frameworks, but rather their mission is to be the home of others' trust frameworks for the sharing of personal data, login credentials, and other types of private or controlled information. For example, the company Drummond Reed co-founded, Respect Trust Framework at OIX, who publishes it for others to point to as a public declaration of the trust framework. And, the U.S. FICAM Trust Framework was the first open identity trust framework to be listed by OIX.
Information Sharing Working Group -- From the ISWG: The ISWG works with the Kantara Initiative, Identity Commons, Project VRM, the Personal Data Ecosystem Consortium, and Customer Commons. Run by co-chairs, Joe Andrieu and Iain Henderson and secretary Judi Clark, ISWG's formal mission is "to identify and document the use cases and scenarios that illustrate the various sub-sets of user driven information, the benefits therein, and specify the policy and technology enablers that should be put in place to enable this information to flow."
The Information Sharing Work Group helps individuals take control of the information we share online. The Standard Information Sharing Agreement is a contract for the use of your information, agreed to BEFORE you share it. It has two parts. A basic agreement covers all the default terms, things like “don’t redistribute my information without my permission”, which all recipients agree to. Then, for each individual instance of sharing, a data transaction agreement with just the bare essentials: who gets what data for what purpose. By moving all the complicated legalese into the basic agreement, we’ve dramatically simplified each specific transaction agreement.
Now, when you want to know what’s happening with your data, it’s presented simply and concisely in easy-to-understand terms… while the basic agreement defines how recipients must treat your data appropriately. The Sharing Agreement is designed to make it easy to understand and make informed decisions about sharing information online.
ID Cubed (ID3) -- a newly formed research and development group affiliated with MIT and led by John Clippinger, Executive Director and CEO, (who started the Law Lab at Berkman/Harvard a couple of years ago and the Social Physics project a couple of years before that, also at Berkman) and Henrik Sandell, COO and CTO of ID3. ID3's mission is to "oversee the development of a multi-disciplinary center founded to research the role of law in facilitating cooperation and entrepreneurial innovation." Their major focus based upon the website seems to be Trust Framework development. Dazza Greenwood is also involved, and Mike Schwartz of Gluu is doing some technical work for them.
Data Portability Project -- "Aims to consult, design, educate and advocate interoperable data portability to users, developers and vendors." They don't make standards but they help steward them to support more data portability, including protocols like OpenID, OAuth, RSS, Microformats and RDF among others. Steve Repetti is their Chair and Phil Wolff is very active as a public speaker for them. Here is some additional information about their mission.
Federated Social Web -- has recently become a working group of W3C, and is stewarded by many including Evan Prodromou and Harry Halpin. FSW is stewarding work on federated social web software and protocols, including things like PubSubHubBub, OpenID, Activity Streams, OAuth, among many protocols.
Activity Streams -- developed a protocol for how users share personal data, using both JSON and Atom based streams of metadata. Monica Wilkinson and Kevin Marks actively steward the project. Activity Streams works on the Microformats model, proposing standards around activities already heavily in use online.
Microformats -- Microformats have been created for many pieces of data shared, such as hcard or hcalendar. Stewards of this project include Tantek Celik and Kevin Marks.
OpenID -- Created a protocol for federated login with the OpenID 2.0 spec. OpenID Foundation is currently working with Microsoft, Google and Facebook on OpenID Connect, as well as on Account Chooser, an open standard for web sign-in that eases switching between multiple accounts on a website. OpenID Foundation's chair is Don Thibeau.
ID Trust, OASIS -- from their website: "...promotes greater understanding and adoption of standards-based identity and trusted infrastructure technologies, policies, and practices. The group provides a neutral setting where government agencies, companies, research institutes, and individuals work together to advance the use of trusted infrastructures, including the Public Key Infrastructure (PKI)."
XDI.org -- responsible for the XRI / XDI standard, currently for pointing to data and creating link contracts. From their website: "XDI.ORG is an international non-profit public trust organization governing open public XRI and XDI infrastructure. XRI (Extensible Resource Identifier) and XDI (XRI Data Interchange) are open standards for digital identity addressing and trusted data sharing developed at OASIS, the leading XML e-business standards body. XRI and XDI infrastructure enables individuals and organizations to establish persistent, privacy-protected Internet identities and form long-term, trusted peer-to-peer data sharing relationships." Drummond Reed co-chaired the group with Gabe Wachob, of the XRI TC at OASIS, and Andy Dale, Markus Sabadello and Mike Schwartz were involved in developing the standard.
W3C -- Umbrella standards body stewarding a number of standards for personal data use and control including the Do Not Track proposal. The Federated Social Web, and all their combined efforts including Activity Streams, recently landed at W3C.
ITU (International Telecommunications Unit) -- making infocommunications standards since 1865. Yes.. that's really 1865.
User Managed Access (UMA), a Kantara working group -- develops specs to allow individuals to "control the authorization of data sharing and service access made between online services on the individual's behalf, and to facilitate interoperable implementations of the specs." UMA group chair is Eve Maler.
The Direct Project -- From their website: "The Direct Project specifies a simple, secure, scalable, standards-based way for participants to send authenticated, encrypted health information directly to known, trusted recipients over the Internet."
IETF (Internet Engineering Task Force) -- Working on a number of standards around identity and data portability.
Claims Agent Working Group -- is working on development of standards-based, interoperable, verified claims agent implementations. Is at IDCommons and was originally proposed by Paul Trevithick, though many people are part of the group.
Open Web Foundation -- is an "independent non-profit dedicated to the development and protection of open, non-proprietary specifications for web technologies" and uses an open source model similar to the Apache Foundation. Their leadership includes Tantek Celik, Chris Messina & David Recordon.
Update: I've added the following item to technical:
SWIFT -- a non-profit based in Brussels that provides messaging standards around banking wires, is proposing a new infrastructure layer called the "Digital Asset Grid." The DAG would provide the metadata for all data transactions (including personal data), not just money wires, as well as a hardened, full duplex transaction layer for security, flexible identity and certified data. (Full disclosure, I'm on the team that proposed the Digital Asset Grid to SWIFT).
If you have more information about these groups, people involved, or corrections, please leave them in the comments and I'll update the post. Thanks!
November 21, 2011
Personal Data Ecosystem Consortium 2011 Recap, Part I
Personal Data Ecosystem Consortium, or PDEC, is an org I've been involved with for a year. I'm chairing the Board. We just sent out a Year in Review recap of our activities for 2011, Part I (first half of the year).
My involvement in PDEC included (these are quotes from our newsletter -- to read the whole newsletter see our PDEC post here):
NSTIC (National Strategy on Trusted Identities in Cyberspace) National Program Office Announcement
January 7th, 2011 -- Stanford, Palo Alto, CA
Mary Hodder and Kaliya Hamlin attended the NSTIC National Program Office Announcement at Stanford University. Commerce Secretary Gary Locke and White House Cybersecurity Coordinator Howard Schmidt both spoke.
Department of Commerce Green Paper Response Due
January 28, 2011
Kaliya Hamlin and Mary Hodder submitted the PDEC Green Paper response to the DOC and the National Telecommunications and Information Administration (NIST) on the DOC proposals around identity and personal data, and the Do Not Track proposal by the FTC.
Read it here at the DOC site.
Strata, Data Camp
February 1, 2011 -- Santa Clara
Mary Hodder led a session at Data Camp, Strata for developers on the Personal Data Ecosystem.
Conversational Commerce Conference (C3)
February 2-3, 2011 -- San Francisco
Mary Hodder spoke at the C3 Event, on a panel with Michael Becker, Dean Landsman, Prakash Kondepudi (of Intellius) and Julian Gay (Orange) on CRM, VRM and Personal Data. Kaliya Hamlin also attended.
FTC Do Not Track Event
February 9, 2011 -- Berkeley, CA
Mary Hodder attended the FTC all day meeting on Do Not Track.
I asked the only audience question of the day, about models other than DNT and business as usual: whether a Personal Data Ecosystem would create a market solution to solve user discontent with the current state of online tracking and user data.
Applied Brilliance Salon
February 17, 2011 -- San Francisco
I attended the salon, regarding Personal Data topics, hosted by Jerry Michalski. I asked the first audience question about a Personal Data Ecosystem solution.
Federal Trade Commission Paper Response Due
February 18, 2011
Mary Hodder submitted the PDEC response to the FTC on Do Not Track proposal.
Read it here at the FTC site.
Tracking Do Not Track panel, Morris + King
April 26, 2011 -- NYC
Mary Hodder spoke on a panel with Brian Morrissey of Digiday, David Norris of Blue Cava, Dan Jaffe of the National Association of Advertisers and Helen Nissenbaum of NYU.
Read more about the panel here at PDEC.
W3C Privacy and Tracking
April 28-29, 2011 -- Princeton, NJ
Mary Hodder attended the W3C event about privacy and tracking. Mostly the event focused on Do Not Track as the only solution, but I tried to ask as many questions as possible to open up thinking about a possible Personal Data Ecosystem approach.
12th Internet Identity Workshop including Yukon Day
May 3-5, 2011 -- Mountain View, CA
PDEC led a number of sessions on Personal Data and participated in other sessions on Trust Frameworks (presented by Drummond Reed and Scott David) and VRM (by Doc Searls).
Mary Hodder and Kaliya Hamlin held a session on the Personal Data Ecosystem Consortium.
Kaliya Hamlin hosted Personal Data Stores Lockers Vaults
Mary Hodder led a session on The State of Personal Data today.
Mary Hodder and Heather Schlegel led two sessions on What Part is Identity and What Part is Personal Data?
W3C Identity in the Browser Workshop
May 24th -- Mountain View, CA
Mary Hodder presented the Personal Data Ecosystem philosophy. More can be found about the workshop here.
May 28, 2011 -- Mountain View, CA
Mary Hodder attended QS and led a session on Developing Health / QS Apps in a Personal Data Ecosystem model. Read more about it here in my post on the event.
Next Monday we'll be sending out Part II of this.. recapping our activities this fall.
November 14, 2011
Should an Actress be Suing IMDB Because She Doesn't Want Her Age Posted?
Brad McCarty of The Next Web thinks the IMDb: Age-publishing lawsuit is “a frivolous abuse” and should be dropped.
Reading his piece, I can see that at first glance, it sounds silly. An actress anonymously sues the Amazon-owned IMDB folks because they won't remove her birthdate, claiming that it will adversely affect her career. And now, IMDB has asked the judge to only allow the lawsuit to move forward if her name is made public:
"Truth and justice are philosophical pillars of this Court. The perpetuation of fraud, even for an actor's career, is inconsistent with these principals. Plaintiff's attempt to manipulate the federal court system so she can censor iMDb's display of her birth date and pretend to the world that she is not 40 years old is selfish, contrary to the public interest and a frivolous abuse of this Court's resources."
But this argument between IMDB and the actress points to a much bigger issue, and it's not the one about IMDB making its living trading on others' data, whether from Hollywood or the users who add to the IMDB system for free, which I would understand is a fairly selfish undertaking by IMDB.
Why should IMDB be able to operate "selfishly" by publishing people's personal data, outside their discretion, and the actress in question not be able to "selfishly" make a living by trading in her looks for salary? I would say IMDB is pretty hypocritical here. And do they really think the Judge, the public, or the Hollywood set they make money from, are that stupid that we wouldn't understand that IMDB is selfish too?
I understand from reading the Hollywood Reporter article that IMDB believes she may be the same actress that years ago tried to change her birthday, submitted by a previous agent to IMDB. Since IMDB believes this is an issue of fraud (they have no proof), they now want the identity of the actress made public. But since the old information isn't part of the case, does it really matter? Yes, I get that actresses have lied about their ages for a long time, but is it really "in the public interest" to out this woman? It's definitely in her economic interest not to out her, so I just think Amazon-IMDB are being nasty and frankly it seems frivolous of them to try to out her.
But this is really beside the point.
The Larger Issue
I believe people should be able to choose what personal information is shown about them on websites.. especially data that isn't or wasn't before the past 10 years, public. It's easy to dismiss this as vanity or frivolous.. but as more and more personal data is out there, and as people lose control of it.. it points to a much larger issue: how do individuals control information about them that doesn't really need to be public?
I can see that by having her age obscured, the people who hire her would just think of her age based upon appearance.. which is actually for an actress or actor, probably a good measure. Giving the specific age will plant that in producers' and the public's heads. So I can see her point.
Rather than get into a discussion of harms and "how bad is it" about one or another data breach, I think the real question is:
What kind of society do we want to have, where everyone's data is public and out of their control? What does it do to us, to devolve into a totalitarian model where everyone is afraid because frankly, everyone has something to hide? Or maybe their friends do.
Right now, life and health insurance companies are telling the press and their investors that they are screening people in Facebook. And it's not just you under scrutiny. It's your friends. This was covered extensively in the Wall Street Journal "what they know" series a year ago. There are also finance companies that are telling users to "unfriend" anyone they are connected to in Facebook with bad credit... because when you are reviewed, friends with bad credit will reflect on you.
This issue of personal data and control is much larger than an actress and her age being displayed without her consent.
It's about how we allow others to show information about us, versus having control of it ourselves. I think for a civil and democratic society to work, we can't leave that up to companies with no oversight and a big profit motive, but instead need to think about giving the individual ultimate control over certain types of personal data.
So while the actress may be vain, may be trying to gloss over her age, or may just be reflecting the economic realities of her profession, which I do think are real, and we may poo-poo this as silly, this lawsuit reflects the much greater tension about personal data and control and actually could be a really interesting test case, given that we don't have much privacy law in the US.