Joe’s privacy erodes when two or more parties conspire to merge their models of him. To frustrate this we have a design principle: avoid handing out a unique identifier. If the library and the video store both index their records by my national id number, then the only barrier to merging those records is current law and a rapidly evaporating technological inconvenience.
For example, I have a number of standing queries at Google. This morning one of these reported that a member of my family seems to have an account at a certain site; clicking through revealed a list of the content they had viewed at that site. In this case the unique identifier in my query was their name. Some days these problems seem a little hopeless.
My idea that groups could empower their members with a letter of introduction scheme to create anonymous personas is one attempt to tackle this problem. Key, in my thinking about that idea, was that the persona would be bootstrapped by the reputation of the group and of the user/member of that group.
The letter of anonymous introduction is a means of narrowing the model of a user. It creates only a fragment of reputation, which can then be used to gain rights in some other community, say the world of open systems.
It’s interesting to note that a user model isn’t exactly the same thing as reputation; reputation is only one kind of model. Is it the kind of model that creates rights?
Generally reputation accumulates for a persona based on a history of transactions involving that persona. The video store records are an example of just that kind of transaction record. Statistical summaries of those records, stating derived facts, are less revealing. So knowing that 20% of the videos weren’t returned on time tells us something different from knowing that 82% of the movies rented were rated PG.
While the letter of anonymous introduction is an interesting edge case, all these distillations from fully fleshed out transaction details into statistical abstractions do a little to increase the privacy of what’s getting revealed about the persona involved.
This is similar to the privacy schemes used in the census data that reveal aggregate statistics for a region but not for a household. It’s a step in the right direction.
All this gets me thinking that there might be a middle ground regarding the unique identifier question: that there might be schemes that allow roughly unique identifiers. In a sense that’s what the anonymous letter of introduction scheme is creating. It is a means that allows the creation of a persona that says no more than "this is Mr. X of Group Y."
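As an added illustration (not code from the original post), here is a small Python model of the design principle above: two services that both key their records by the national id can be joined outright, while per-service pseudonyms cannot be. The pseudonym construction (an HMAC of the id under a secret the issuing group keeps separately for each service) is an assumed mechanism the post does not specify, and the records and keys are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample records: both services index the same person by the
# same national id, so a colluding pair can join them trivially.
NATIONAL_ID = "123-45-6789"
LIBRARY = {NATIONAL_ID: {"loans": 10, "late_returns": 2}}
VIDEO_STORE = {NATIONAL_ID: {"rentals": 50, "pg_rated": 41}}


def merge_by_key(a, b):
    """Join two record sets on whatever key they share. The result is the
    combined model of every person present in both sets."""
    return {k: {**a[k], **b[k]} for k in a.keys() & b.keys()}


def pairwise_pseudonym(national_id, service_key):
    """Hypothetical per-service identifier: an HMAC of the national id under
    a secret held by the issuing group for that one service. A service sees
    only its own pseudonym and cannot link it to another service's."""
    mac = hmac.new(service_key, national_id.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def reindex(records, service_key):
    """Re-key a record set by the pseudonym that service would have seen."""
    return {pairwise_pseudonym(k, service_key): v for k, v in records.items()}


def linkability_demo():
    """How many people a colluding library and video store can link when
    (1) both use the national id, (2) each gets its own pseudonym key,
    (3) the issuer reuses one key for both, which recreates a unique id."""
    lib_key = b"constructed-key-for-library"      # constructed secret
    vid_key = b"constructed-key-for-video-store"  # constructed secret
    shared = merge_by_key(LIBRARY, VIDEO_STORE)
    separate = merge_by_key(reindex(LIBRARY, lib_key),
                            reindex(VIDEO_STORE, vid_key))
    reused = merge_by_key(reindex(LIBRARY, lib_key),
                          reindex(VIDEO_STORE, lib_key))
    return len(shared), len(separate), len(reused)


if __name__ == "__main__":
    print(linkability_demo())  # (1, 0, 1)
```

The third case is the check worth keeping in mind: a pseudonym is only "roughly unique" while the issuer never hands two services the same derivation key.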