Academic journal article Journal of Information Ethics

The Right to Be Forgotten and the Domains of Identity

Academic journal article Journal of Information Ethics

The Right to Be Forgotten and the Domains of Identity

Article excerpt


I have spent the last 15 years working on user-centric digital identity. In 2005, I co-founded the Internet Identity Workshop and have continued to convene the event every six months for the last 13 years. Our community has been focused on creating a new layer of the Internet for people to be able to control their digital identifiers to serve as an anchor to exert control over their personal data. Attending a range of technology, law, and policy events over this time, I often ask what people mean by the word "privacy" and frequently the answer back is control. Control of who can see what information about me the individual and power to do something about it.

Those coming from the legal area often think that the rules, policies and laws put into place will somehow "make it so." Things only become real in the technology world if code is written to actually run systems in accordance with these laws. Despite the passage of GDPR a fine set of principles about how data should be managed with the consent of the individual, the technical capacity to make these laws real presents an enormous gap in the real word. Questions of identity and personal data cover a massive swath of types of data and places where identity information is collected and shared.

Digital information systems have achieved widespread adoption with institutions of all types throughout our society. Our personally identifiable information, the type of information protected by GDPR and around which the right to be forgotten orient, is shared with more and more institutions. New technology innovations are needed to support individuals owning and controlling for themselves with their own roots of control. A new set of technologies is coming out of the Internet identity Workshop called Self-Sovereign Identity. I recently completed a Comprehensive guide to Self-Sovereign Identity about these technologies for C-Level Executives. However, this paper is not about these new technologies that offer a lot of promise in terms of technologies that could actually empower individuals to own their own identifiers and control how data is shared with institutions in new ways.

In December 2017, I completed a Master of Science in Identity Management and Security at UT Austin and Domains of Identity was my report. There is an enormous amount of personally identifiable information that is collected and stored in databases in a whole variety of contexts. The Domains of Identity is a framework for thinking clearly about different types of contexts and activities that lead to personally identifiable material ending up in databases. I believe it provides a framework for thoughtful consideration of how the right to be forgotten might be applied differently in different domains. Not all contexts are the same. My reading of the scholarly work on the Right to Be Forgotten and GDPR is that the authors of the regulations did not put a whole lot of thinking into in which contexts they should be applied or how different contexts might be different.

* What happens to accounts and data created by the subject when they are created within a service or institution?

* What happens to data directly shared with the service or institution?

* What happens to data that is inferred via surveillance of the subject while interacting with the service or institution?

* What happens to data in services about subjects in institutions that have had no direct relationship with the subject?

* How are database systems that people know they are enrolled in and then interact with in an ongoing way different from the contexts where people's PII (personally identifiable information) is found in unstructured ways in things like news articles?

* How should this Right to Be Forgotten apply to PII found in news articles indexed in databases that are used to serve up information in search engines? This use case is effectively the result of two levels of surveillance. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.