Today, I came across this post “Are shoeboxes better than Flickr?” and it got me wondering (again) whether it is time to define open privacy standards much like OpenID did for identity and OAuth did for authentication / authorization.
I come across such privacy discussions frequently but nowhere have I seen any consensus on privacy standards other than broad sweeping statements or wishes such as (quoting from the above article)
I have a policy which I assert over my stuff that I control, which is this protected zone in the cloud. And I have some real control over how I define policies over that thing and who gets access to it and on what terms. And I get to audit that access in a coherent way.
As I said in a comment on the above post, this is a loaded statement or perhaps the devil is in the details. It’s not like people haven’t tried, I know for a fact that there were several such discussions at dataportability.org that never reached any consensus (check out the policy group threads), plus numerous posts by Michael Arrington, Robert Scoble, Marc Canter, Steve Gillmor, etc. My personal take on it “user privacy is a personal and individual thing and is also dependent on the context of usage“. I attempted to define some levels of privacy controls that make sense but it is far from complete. Marc Canter has a similar idea and calls it dynamic privacy.
I understand that this is a difficult area to tackle but I think it is time to define open privacy standards much like the approach taken by OpenID and OAuth. Let’s start with something small and tangible for 1.0 version and build on it based on real-world usage on what works and what doesn’t work, essentially going it the agile way.