
Thinking Outside the Privacy Box


When it comes to issues of privacy and identity, the Web continues to experience growing pains. People speak of privacy and identity management as if they were separate issues. I believe that managing your personal identity is tantamount to managing your privacy. In effect, what is termed Privacy 2.0 and Identity 2.0 are really one and the same thing.

There are differing software tools, protocols, and specifications in the Privacy 2.0 and Identity 2.0 realms. There are also differences between how corporations address privacy policy and identity management. But these are just semantically-packaged terms used for the convenience and profit of startups, conference organizers, rights advocates, and the gurus who coined the terms.

The reality is that, when looking at these supposedly disparate issues from the viewpoint of the individual, the differences disappear. And when looking at the topics of privacy and identity, in my opinion, the only viewpoint that matters is that of the individual.

So, privacy management tools and protocols are nothing more than identity management tools and protocols. Why is this the case?

Defining Identity

In David Kirkpatrick’s book, The Facebook Effect, Facebook founder Mark Zuckerberg states that “Having two identities for yourself is an example of a lack of integrity.” What Zuckerberg is actually saying is that having two accounts on Facebook, or any other social network, is a problem. Whereas this can be a real issue, Zuckerberg makes the same mistake that most people make—conflating a user’s account with their identity.

Identity is not a username and password combination. Identity is not your OpenID, WebID, Facebook, or Twitter account. Those are simply identifiers, of which a user may have many different ones across the Web, one for each social network site. In fact, as mentioned above, it is possible that a given individual might have more than one account, more than one identifier, at a given social network. These alternate accounts (referred to as alts for alternate “identities”), are just another aspect of the individual’s overall identity. Alts are not separate identities—no matter how much the owner of an alt identifier tries to make it.

Now, even if a user has carefully selected to join only those sites that offer the option to register via OpenID Connect, their single OpenID is not their identity. It is just an identifier. So, OpenID Providers are not identity providers, they are identifier providers.

What is identity on the Web, then? Identity is your presence strewn throughout the Web. It is the sum total of all your verified activity on the Web (blog, forum, and social network posts, video, music, and photo uploads, etcetera), your associated interactions with others, and their comments about and interactions with you. That makes up what can best be thought of as your identity graph.

When we talk about privacy control on the Web, then, we are not talking about the ability of users to totally control their identity graph. Obviously, a given user can theoretically control only part of their identity graph. Why is this the case? Because each user can exert only so much control over what someone on the Web thinks and says about them. That part of their identity graph is controlled by others.

So what are we trying to accomplish by allowing users partial access to and control over their identity graph? What kind of privacy, identity controls can reasonably be provided to users?

The IdentitySpace: Privacy and Identity in a Semantic World

From a user’s perspective, identity control on the Web is about offering fine-grained control over the data that they personally generate. It is not about offering tools to control their entire identity graph, to control the subset of their identity graph generated by others.

The IdentitySpace is that part of a user’s identity graph that they personally generated. It is the subset of their identity graph that they create, and therefore should own and have sole access to controlling.

Do users have any options for managing that part of their identity graph that is created and controlled by others? Yes. It is called reputation management and there are some fee-based services that offer users some concrete means with which to do just that. But in a free society whenever two or more people are involved in creating an identity graph, it will never be possible for each individual to be able to control their entire identity graph.

This last issue is where a user’s Web of Trust (WOT) can help. By carefully choosing with whom a user interacts, they can build a network, a web, of trusted individuals. This web of trusted individuals can more easily vouch for the user’s reputation than a more loosely defined network of associates. This Web of Trust can also be used as part of an authorization framework that utilizes FOAF+SSL and WebIDs.

In my perfect Web world, the IdentitySpace would be a global, distributed, decentralized dataspace which any one person, corporation, or government could access. The ACLs of each unique IdentitySpace–the datasets created, owned, and controlled by an individual user–would determine what subset of data a given query would return and how and where that data could be used. Individuals would be free to release more of their data for use, or restrict its consumption.

The key here is that users remain in control of their primary, personal data no matter where their Internet journeys and sojourns may take them. While a user would have little control over what other people may post about them, they would maintain control and ownership over the data that they personally generate. They would control their IdentitySpace.
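
A minimal sketch of the ACL-filtered query described above, added here as an illustration and not part of the original article. The `IdentitySpace` and `Rule` classes, the WebIDs, and the trust-group name are all hypothetical, and the requester's identity is assumed to have been authenticated already (for example via FOAF+SSL).

```python
from dataclasses import dataclass, field

# Hypothetical model of one IdentitySpace: records the owner generated,
# plus owner-set ACL rules. All names and WebIDs here are constructed.

@dataclass(frozen=True)
class Rule:
    grantee: str            # a WebID, a trust-group name, or "*" for anyone
    categories: frozenset   # record categories the grantee may read
    uses: frozenset         # purposes the data may be used for

@dataclass
class IdentitySpace:
    owner: str
    records: list                                # dicts: {"id", "category", "value"}
    groups: dict = field(default_factory=dict)   # group name -> set of WebIDs
    rules: list = field(default_factory=list)

    def _grantees(self, requester):
        # Names the requester matches: itself, "*", and any trust group it is in.
        names = {requester, "*"}
        names |= {g for g, members in self.groups.items() if requester in members}
        return names

    def query(self, requester, purpose, category=None):
        """Return only records some rule releases to this requester for this purpose."""
        if requester == self.owner:
            allowed = {r["category"] for r in self.records}
        else:
            names = self._grantees(requester)
            allowed = set()
            for rule in self.rules:
                if rule.grantee in names and purpose in rule.uses:
                    allowed |= rule.categories
        # Default deny: a category with no matching rule is never returned.
        return [r for r in self.records
                if r["category"] in allowed and category in (None, r["category"])]

ALICE = "https://alice.example/profile#me"
BOB = "https://bob.example/profile#me"
ADS = "https://ads.example/#corp"

space = IdentitySpace(
    owner=ALICE,
    records=[{"id": 1, "category": "blog", "value": "public post"},
             {"id": 2, "category": "photos", "value": "family album"},
             {"id": 3, "category": "contacts", "value": "address book"}],
    groups={"web-of-trust": {BOB}},
    rules=[Rule("*", frozenset({"blog"}), frozenset({"display"})),
           Rule("web-of-trust", frozenset({"photos"}), frozenset({"display"}))],
)
```

The same query returns different subsets depending on who asks and for what purpose: a member of the owner's Web of Trust sees the photos, an unknown party sees only the blog, and a purpose the owner never granted returns nothing.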

There are existing ontologies and protocols in the Semantic Web stack that can readily be adopted to offer users the fine-grained identity management that they desire. A wonderful summation of these technologies can be found here.

My Related Articles

  1. Flowing Your Identity Through the Social Web
  2. Web 3.0: Powering Startups to Become Smartups
  3. Repackaging the Promise of the Social Semantic Web
  4. Regaining Control of Privacy and Identity: It’s up to Each Individual
  5. Privacy in the Facebook Era

See Also:

A thought-provoking presentation on open source, freedom, privacy, and identity. It’s by Eben Moglen, the founder, Director-Counsel, and Chairman of the Software Freedom Law Center.

Article Comments

  1. Nathan says:

    Fully and totally agree, from the off you nail the crucial points one by one.

    The key point being that which you mentioned almost immediately; there is no Privacy without Identity, and unless you manage your own IdentitySpace you have no Privacy.

    The only additional point I’d personally like to add to this fine post, is to point out the crucial role which SSL plays in this.

    With FOAF+SSL, whenever you are ‘identified’ all communications happen over https, which means all information you send and receive is encrypted across the wire, and further, limited to direct communication between yourself and the other party, who are also identified. This ensures that when you are identified all information sent and received remains private in transit, further ensuring privacy.

    There are many other benefits, out of scope for this reply though.

    Thanks for this post, really good read!


    • Jeff Sayre says:


      Thanks for the comment. You’re spot on in your point about SSL and the role it plays in ensuring an additional privacy layer. I thought it best to keep my post to higher-level concepts and not delve into the equally-important technical considerations and benefits.

      One of my goals of late is to try and craft my messages to a broader audience, providing those users who wish more details with resource links to more in-depth technical descriptions. As I conclude in my article, Repackaging the Promise of the Social Semantic Web:

      The promise of a fully-actualized Social Semantic Web is to firmly place the control of one’s identity and privacy back into the hands of the Web’s citizens. If our work in making that dream come to reality is going to succeed, we must better craft our message, we must better communicate the virtues of a user-centric, user-controlled Social Semantic Web.

      I’m trying to do just that by describing SemWeb benefits in a more general context.

      • Nathan says:

        Apologies then Jeff,

        I must admit I swayed at going in to anything remotely technical, and eventually decided in the wrong direction I fear.

        Admirable work, and very glad to see semweb being crafted towards a broader audience.

        Keep up the good work, I’ll be subscribed from here on for sure!



        • Jeff Sayre says:

          No apologies necessary! I appreciate your comments and insight–not only here, but via Twitter and other places. I believe we all need to work together (from a technical standpoint and from a marketing standpoint) to bring the promise of the SemWeb to fruition. So, I welcome your input and feedback.

  2. Seth Russell says:

    Well this “Revolution” has a tough road ahead. Today we are in no way in control of our “identity graphs”, rather we will need to wrestle that control from the FaceBooks and Twitters, the Googles and the MSNs. Thing is there is a conflict between the social synergy those enterprises contribute to our lives, and that very privacy and control that we all assume we must wield. The more the former, the less the latter, and vice versa. This control, which apparently we so desperately deserve, will come at a price.

    • Jeff Sayre says:


      Thanks for the comment. You are correct that convincing the closed-data-silo owners to open up their data stores to user-centric control will not be an easy task. In fact, it may not be possible at all. Huge fortunes are at stake for the few who control the majority of user-generated content.

      I believe that we are at a juncture where users might have to purposely decide to “write off” large swaths of their identity graph–more specifically their IdentitySpace–and move their activities to new Social Web spaces that allow for user-centric ownership and control. The Facebooks, Twitters, Google Buzz’s of the Web will become relicts of an older, less enlightened InterWeb time. Of course, for this to happen, these new Social Web spaces need to materialize and Web citizens need to realize the virtues of breaking away from the current behemoths.

      • Nathan says:

        For a long time I was somewhat worried about this too, in fact until very recently.

        Both of you have (I believe) inadvertently hit on a key point here, all the current social services deal with ‘Users’ and ‘User Accounts’ – whereas we are primarily dealing with a layer above (or below) that, namely the Person.

        Each Person has multiple User Accounts – so what we are doing can tie everything together, without interfering with it, people can adopt and still use Facebook, Twitter, everything else, and slowly migrate across as and when suits.

        Each Person has 1 or more User Accounts, each User Account has a username and password as we do now. Where the personal identification comes in, is if a Person has FOAF+SSL, then they can link their WebID to their UserAccount, and ‘identify’ themselves rather than ‘logging in’; it’s an optional layer atop what is already on the web.

        And slowly but surely, as the benefits of personal identification and open data become apparent, so will the benefits of Privacy, IdentitySpace and decentralisation.

        Twitter, Facebook et al still have an important role, and can easily adapt and change with the web. It’s up to them to seek, invent and adopt new business models that match the changing web, and I think we can rest assured that they will – even if they don’t they’ll simply do a myspace whilst yet unknown entities take over the pack.



        ps: I might be sounding preachy, apologies!

  3. Seth Russell says:

    Well I certainly favor Nathan’s description “people can adopt and still use Facebook, Twitter, everything else, and slowly migrate across as and when suits”. Non-geeks will decide to “write off” a swath of their Identity Space when things in a decentralized “open data” space work better. The Behemoths have a big advantage today … not only do they own all of our data, but they also present coherent behavior to their customers. Perhaps some day when solid libraries emerge, people will find that coherent behavior in the open. I don’t know. Things don’t always work out the way we so passionately desire.

    • Jeff Sayre says:

      The reality is that the Twitters and the Facebooks of the Web will survive in some form or another. Many people will continue to use them whether or not they open up their data silos. It is also the fact that most users of such services do not understand the issues that we so fervently discuss and if they did, it could very well be that many would not care.

      It is the technologists of each new Social Web creation who will decide if open data and user-centric identity control is important to their platform. If they can see some technological benefits to adopting SemWeb protocols and envision solid business benefits in implementing such, then users will be the beneficiaries.

      At this current stage in the SemWeb’s evolution, it is imperative that we convince the technologists of the benefits. It is equally important that we learn how to better craft a more general message so that a broader audience will begin to understand why they should care and ask (even demand) for such technologies.
