It depends on what you see as a profile. On any platform where you are not wholly anonymous there is the need to store some information about you, if only your username and/or IP address, email for password recovery, etc.
(Note: A fully anonymous social network should be possible, where your profile is hung up to a (cryptographic) key provided by a trusted 3rd-party that vouches it relates to a real person, similar to what @micheleminno is proposing).
Depending on the features of the app or platform, more profile information is needed. Like e.g. an Email service that maintains a list of stored contacts for your convenience. Still this information could and should (as proposed) be under your full control, and preferably be stored somewhere outside of the platform itself.
In @micheleminno’s proposal I do not think that the monetary part of the solution - the value increase/decrease of the data - is the most relevant. I’d propose to drop that from the solution, as it provides no guarantees.
I see more value in a solution based on a combination of regulation and cryptography:
- As a user of a certain platform or service I define a data contract that:
- Determines which data points the service provider is allowed to use
- Determines for what purposes the service provider may use my data (e.g. prohibit 3rd-party resales)
- This data contract is signed with my personal secret key, and a key from the service provider
- Regulation prescribes that wherever my data is used, it must be accompanied with this signature
- If the signature is missing, or it is invalid, then the data contract is breached and you are in violation of the law
Maybe what I have just described already aligns with Solid from Tim Berners-Lee. Have to check that out still.
Note that I think that this cryptographic solution offers more benefits, e.g. in the fight against fake news. For this last subject I was thinking of creating a separate topic for it, but I can just as well post the outline of the idea here:
Cryptographic Keys and Key Providers
- Every citizen in the world gets the opportunity to create one or more cryptographic keys that are in long-term storage at trusted key providers.
- The key providers are decentralized, and there can be countless no. of providers. I can self-host my own provider, if I want
- Other key providers offer the facility to backup keys from another location, so when you lose your keys, there are backups
- Key providers also offer the ability to revoke and invalidate / delete keys, e.g. when one of them gets compromised / hacked
Keys and Identity
My internet freedoms allow me 3 possible ways to interact with the internet:
- Anonymous identity
- Pseudonymous identity
- Validated identity
- When anonymous, i need no key at all. Whatever information I submit cannot be traced to an identity. This type of information is untrusted. It can be fake news.
- When pseudonymous, the information I submit can be traced to a valid key in a key provider
- The provider may store additional Claims regarding the identity
- Some of the Claims may be obtained / cached from other key providers
- The provider can also have links to other key providers that hold Claims about me
- With a validated identity there is not only a valid key in a key provider, but authoritative Claims that prove my real identity
- The Authority of the key provider needs to be established.
- E.g. only a government key provider may have the authority to issue the claim of my Nationality
Fighting fake news
What is needed to fight fake news is:
- A recognized key identity system as outlined above
- Government regulation and laws for dealing with breaches / violations
- Internet apps (e.g. social media platforms) and hardware basing the veracity of information on Keys + Claims
If I am a journalist, and I film a newsworthy event, then I want to have an USB stick with my Validated identity attached to my camera, so that everything I film is automatically signed, and cannot be altered in any way without becoming invalid.
If I am posting pseudonymous to a social network the Key and Claims could state that I am a real person, living in the UK, and working as professor at Oxford. The key providers at Oxford and of the UK government vouch for that fact.
Control of my profile
Back to the original post: I can use a pseudonymous identity key and have my profile fields as Claims attached to it, either for global use, or for a whitelisted number of platforms & services. If a platform infers some aggregated data from it (using AI or whatever) and does not post back that data to my key provider, then there are no Claims for it. The data is invalid and the platform is in breach of the law.
Before starting a project we need to do some research on what is already happening in this field. Maybe we need to bring existing initiatives closer together. A problem in the space of cryptography and decentralized web, is that it is very fragmented and many developments happen out of view of the mainstream.
A good resource for a Web of Trust is http://www.weboftrust.info/ and especially the research collected in a number of Github repositories:
Additionally there is the W3C Credentials Community Group:
The mission of the W3C Credentials Community Group is to explore the creation, storage, presentation, verification, and user control of credentials. We focus on a verifiable credential (a set of claims) created by an issuer about a subject—a person, group, or thing—and seek solutions inclusive of approaches such as: self-sovereign identity; presentation of proofs by the bearer; data minimization; and centralized, federated, and decentralized registry and identity systems. Our tasks include drafting and incubating Internet specifications for further standardization and prototyping and testing reference implementations.
The working group is evolving a number of standards such as Decentralized Identifiers (DIDs) and Verifiable Claims which elaborates on some indicative use cases:
(Note: Some of the work in this space is related to blockchain technology, which I am not very much a fan of… yet, at least)