Re: VOTE: Credentials CG Charter

Hi Manu,

I’ve edited the document slightly 

A conversation that happened on the WebWeWant thread in February.  I’ve (and somewhat anonymised the text) relating to the concept of whether the web we want campaign can adopt the principle of “personal control over personal data”.  Below is a copy/paste of the conversation (for the most part - i wrote a long thing, but don’t feel it’s necessary…)…

I’ve described one concept of how to apply the concept of ‘data rights’ to a credentials standard in this MindMup  which i’ve also shared 

Another method might be to engage who are writing “the open digital rights language”, which may provide a means to describe these sorts of rights in connection to a credential.

Beyond the use-cases of how the credentials are used, how they’re discoverable, etc. : Is the requirement to maintain the capacity for individuals to use internet, free of any identity documents - which in-turn MEANS - the right for persona.

This is a very difficult area of policy decision making, that is highlighted in the sphere of the IGF and the recent NETmundial event  ( ), where global internet governance is the topic, given some changes in that area.  

What we are attempting to define in this community group, in providing a means for identity - lawful identification, fundamentally - as a citizen : is incredibly important.  Yet, we need to ensure it is not made useful for pervasive, and therefore at times nefarious purpose.  The sad fact in this territory of science is; that often acts become criminal, sometime after such behaviours become so widespread that causation to act and describe such science grows to surpass a measure of critical mass.   Even then, lawmakers find it difficult to target appropriate scientific language as to ensure the rule-book has no unreasonably prevalent consequential adverse and/or unforeseen consequences.

I note the topics that are “out of scope” and use the concepts described to suggest, that in this effort to maintain a level of ‘universality’, these concepts of pseudo anonymity, persona, data rights all become even more important, as it does not appear these functions are currently supported through various means available today; and that,

The development and application of Credentials, if successful, will impact this area of science significantly.

My final suggestion (beyond reading the below text) is that the vote on this charter be delayed until after the input of the IGF Session - WS69: The Payment-Privacy-Policing Paradox in Web Payments Systems (link: + Link to remote participation info: ) as to ensure our scoping and document definition process attends to the maximum possible community input available to us, within the scope of agenda and timelines required for this very important milestone.

Timothy Holborn.


(not sure what correct procedure for raising this is but...)

I see UK opposition leader Ed Miliband makes a keynote policy speech
with the call:

*"First, people should own information about themselves"  *The web we want
has global and cross-party consensus on this theme I reckon. But I think
"ownership" is a problematic way to express this. It's really about

Can "The Web We Want" vision explicitly include the notion of *personal
control over personal data*? How do we get that in the core principles?

This then continued 
"Ownership" or "property" is a problematic way to empower people's control
over their data.
That's the reason why the protection is articulated around the concept of
If data refers to you, you have certain rights over it, even if you are not
the owner of such data.

I wonder if we're getting hung up on semantics here?  If everyday digital
citizens are going to take action for themselves they'll need to know that
something is being taken away from them. The easiest way to communicate this
is 'loss of ownership'. We each create and 'own' our own data.  We already
'trade' it as fair exchange for reward (e.g. access to services or cash) in
communities that we inhabit (schools, towns, countries, workplaces etc).  


By extension, if a third party asks to access and store our data - for
example a supermarket loyalty card - we 'lease' a version of that data in
fair exchange (fair, as long as the terms are very clear to us) for our
benefit.   If we cancel the loyalty card, the 'lease' of the data should
auto-expire and the data be deleted by the supermarket so that 'ownership


By further extension, if a person or company takes personal data without
permission, that's theft.  If an entity harvests personal data by using
ambiguous terms, that's fraud. If an employee steals customer data from
their employer, it's embezzlement.  As a concept a right to 'ownership of
self' easy for everyone to understand. 


so would a "wiki" model where one can freely access  , amend  , efface / add
to ourselves be enough ?
Hi Prakash, some data needs to be validated by third parties.  For example,
your Doctor would likely have an issue if you asked to amend your own
medical records. :) 

It is impossible to see this debate as right v. no-rights. Even if I have
right to control my info, there are several cases in which data must be
accesible for third parties. I cannot figure out how tax administration
would work without accessing certain data in spite of taxpayers' desires.
Precisely, for that reason, regulation not only provide for a set of
rights, but also certain exemptions that allow certain limited processing
of data without data subject's authorization. Unfortnately, very often
governments (as well as private entities) take advantages of poorly drafted
regime of exceptions.
And your bank would have a much bigger issue if you asked to edit your bank
But again, I want the ability to monitor what the bank is doing with my
funds, to require errors to be repaired, to be protected from fraud, and to
control who has access to my banking records. This isn't about necessary
agents having access to the information - it's about my right to control
who those agents are and what they can and can't do.
Transparency is an essential first step toward control. If we establish a
global 'right to self' this should extend to having real-time visibility of
any data held in machine readable format (I had a chat with one of EU data
commission about this in October - a printed PDF in the post is NOT digital
transparency! :) )


The second step is the ability to update and amend data - and change terms
of use for that data where appropriate. 


There will, of course, be legal exceptions. For example, I think most
digital citizens would agree that an organised criminal shouldn't have
access to ongoing investigation information about him/her. But again,
appropriate laws need to be established and amended to frame these
But you'd also be pretty upset if you didn't have control over who gets to
see your medical records. I also think individuals should be able to see
the own medical records, copy them, print them, and chose to share them.

More and more patient health online portals are being developed in which
patients can, in fact, enter information (blood pressure, blood glucose
measurements, etc), track their conditions, ask questions, and communicate
with their doctors. Patient-centered health is gaining a lot of traction in
medicine today and patients should be involved in their own care. As a
medical librarian, understanding patient information needs is of great
importance and something I have studied. People want to understand what's
happening to themselves and their loved ones and be involved in making
those critical decisions.

There's recently been a developing scandal in the UK over the NHS
potentially making patient information accessible to the government without
patient consent. This is the kind of thing that needs to be stopped.
Effective security for personal, particularly patient, information is
absolutely vital. I do a HIPAA training and exam annually to be able to
work in the hospital here; we take the protection of PHI seriously.

I strongly agree that personal control over personal data should be an
explicit core principle in the web.

Taking a more legal stance there is an issue with defining what this data is and how we as citizens ask to control it. It seems an academic debate if we should "own" or "control" information about ourselves.

One practical starting point are non-disclosure agreements (through which one party receives confidential information from the other and promises to keep it safe, limiting its distribution, its use etc).

In an NDA there are two key challenges:
1) defining the data (usually it has to be marked as "confidential", so that not public data cannot be considered confidental)
2) the mechanism for destroying the confidential data.

For our case, its easy to see that both 1 and 2 are not going to be easy. Should we not debate how to solve 1 and 2 rather than if the matter in hand is about "ownership" or "control" or which field its important and why? 
Simple process is to create info banks where account holders (the people) can store data about themselves, their interactions.

This is a critical democratic issue.
I agree Tim, I think it’s the biggest civil rights issue of our time. 

It’s a critical democratic issue for people living in democracies - and for the millions who don’t, establishing a universal right to self might just help bring improve their situation too.
I agree with Jennifer about strong commitment on the right to control
personal data.
I don`t think any government will reject such language. In fact there are
several instruments already providing that support (OECD, European Union,
APEC, UN, and so on).
In my opinion, the problem is getting into details. Who must be forced to
comply with that regulation? What will be the enforcement mechanism? Should
we assume everyone authorizes processing of his/her personal data in
advance? Or should we assume the opposite? What is a reasonable exception
for both government and businesses?
Again... a general principle won`t be opposed by anybody, since there are
already several instruments articulating that. Shouldn`t we push for more
than a mere general statement on the matter?
In US healthcare, when you seek care, you are given information sheets to
read about privacy and who has access to your data, then you have to sign
permission. You receive a copy of the documents also (if they are doing
their job properly). I'm sure some don't do it as well as others and there
are significant 'informed consent' issues with people's ability to read and
understand what they are signing. Basic reading literacy remains a serious
issue and many of these documents are very poorly written. However, at
least it is done. Data privacy and accessibility policies should be made
clearly and succinctly available by any institution that has access to
personal data. Start there, at the very least.Of course, as a fervent
advocate for literacy, both general and health, I'd like to see readability
and alternative mediums (audio, video, etc.) brought into serious
consideration too. Long, boring legalize that no one has time to read or
ability to understand is a failure. That kind of thing is a major issue in
clinical trial informed consent procedures, especially with the increase in
use of electronic informed consent. I've done some work on these issues.
But putting aside my own concerns, surely it can't be that difficult to
insist on such statements. Most banks and financial institutions provide
them (pretty much unreadable fine print) but they do provide them.

Yes, informed consent and understanding is a huge issue.  People rarely, if
ever, read the terms of service - which allows the unscrupulous (or
desperate) to abuse.  

We're building on some of the excellent work already done by people like and to provide traffic lighting of terms which will
hopefully help. I guess the concept could also be used for offline contracts
like medical forms or credit card small print too. 

Our biggest concern is that local, country specific, legislators will take
years to catch up with what's needed.  Thinking about ourselves as global
digital citizens first simplifies things a little :) 
True. I'm just as guilty as anyone else of not reading TOS because of the
length and density of the 'small print.' It seems that we all agree about
the importance of personal control of personal data - the 'devil is in the

I'd add to Kristoffer's key issues to make the following five:

1) defining the data (usually it has to be marked as "confidential", so
that not public data cannot be considered confidental)
2) defining who beyond the individual needs to have access, whether for
business or legal purposes, and how that access is provided (for example,
the idea of "minimal necessary")
3) designing effective and readable statements/policies
4) redress for violations (this also includes the issue of oversight)
5) mechanisms for destroying the confidential data
#2 above might also include issues of portability, i.e. when you change
providers (whether a bank, phone carrier, physician or whatever) or that
might be a sixth issue as it affects number 5 also.
If you want to control it, not own it, what happens when it's a telephone recording ("for training purposes only") with a gov organisation? 

What happens when the junior doctor misunderstands and writes the wrong thing in the file? 
Having the right to identity and all those things related to it doesn't give you the right to simply change reality, other than through negotiation with others.  Problem ATM, is that you have no rights.  It is based on the risk management agenda or the organisation creating the data about you.
Data is a form of knowledge capital.  Ownership is an ok term, I think in defining the term to mean not required to license as a result of creating or communicating with others. is one means being developed to support natural legal entities rights to data at a comparable or preferred level to the rights of an incorporated entity, particularly concerning data that relates specifically to a natural legal entity.    
Thanks for responses. They beg a host of futher questions and responses
that make we want to meet up in a pub with beer. But let's just get a feel

a) whether we want such a principle, and - if so -
b) what the right articulation of that principle is.

There may also be a time and place for more privacy vs ownership vs control
discussions but the quick point it would be great to establish is whether
there is the appetite to see some such principle as core part of "the Web
we Want" and whether there any objection to the basic principle of
"personal control over personal data" or indeed "people own their own data"

On 30 Aug 2014, at 7:17 am, Manu Sporny <> wrote:

> This is an official vote on the Credentials CG Charter, which can be
> found here:
> The voting poll is here:
> When voting, please enter your name and your vote. Only one vote per
> organization, please. If you want to vote pseudo-anonymously, put in a
> random string like '8fh3ksfh' and then email
> with who you are. Your name will not be released to anyone, but will
> rather be used to ensure no double-votes.
> -- manu
> -- 
> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
> Founder/CEO - Digital Bazaar, Inc.
> blog: High-Stakes Credentials and Web Login

Received on Saturday, 30 August 2014 03:46:02 UTC