[OpenID] Users have policies, too

SitG Admin sysadmin at shadowsinthegarden.com
Mon May 25 06:10:30 UTC 2009


The following are just three example use-cases:

1) A privacy-oriented individual has configured their OP to not send 
an E-mail address to any RP, but, differing from a mere "the OP does 
not know the user's E-mail address because the user does not wish the 
OP to be able to take advantage of this information", the user is 
actually unwilling to give *any* E-mail address to any RP.

2) A group of photography hobbyists are looking for a website to host 
their pictures at during the move to digital. They do plan to have 
their own website ready, in a few months, when the site's design is 
finished and most of their portfolios have been converted, they are 
just looking for some interim hosting so there's no delay. Since they 
are actively pursuing plans to distribute on their own, they are not 
reliant on 3rd-party sites to go digital at all, so they intend to 
fully retain their legal rights during the move.

3) A parent has created OpenID's for each child, but has restricted 
the OP to not give out personal information such as name, telephone 
number, or street address. The children know not to give out this 
data on their own, either.

In all these cases, there is a one-way relationship where RP's 
present policies (unobtrusive asterisks by the fields that MUST be 
filled out to continue, checkbox by "user has read, and agrees to, 
these linked-to terms") and the burden rests on *users* to figure out 
whether there is a mismatch between what each party demands versus 
what the other party is willing to provide, duly terminating that 
transaction if they cannot come to an agreement.

By the time they realize this, it may already be "too late" - the 
website accepts what personal info has been volunteered and then 
returns the form with "please fill out these fields you missed", the 
user's content has already been uploaded with a non-revocable license 
granted to the hosting site, the website's JavaScript detects missing 
data and blocks the Next button before any data can be sent.

With each case, the user has already invested time with the site - I 
read every contract I agree to, as well as quite a few that I end up 
*not* agreeing to (nor using the associated services/software), and 
I'm heartily sick of it. (I once studied contract law and found it 
quite enjoyable, but, seriously, we need to open-source this process 
and standardize some clauses. It's been done to a limited extent with 
Creative Commons, now time to make it modular.) The average user 
simply skips over Terms of Service entirely, agreeing to it so they 
can get to the part they *want*, and often with some (pleasant) 
illusions about how the RP wouldn't do anything *too* outrageous.

RP-side approaches to this dilemma have been mainly focused on 
reducing the inconvenience of starting to do business (and exposing 
your personal info/data) only to realize you have to terminate 
relationships, without being able to regain what you have already 
surrendered. Asterisks are made more obtrusive, necessary fields are 
given their own page with a note that optional data will be requested 
later, the ToS are shoved in the user's face so they have to scroll 
down (and, presumably, read it) before clicking on "I agree". I 
propose that this process be automated, instead.

In a user-centric environment, each user would be an equal party 
among RP's and OP's in transactions, able to "push" out to RP's what 
policies would be acceptable, leaving the RP to either say "These are 
the points we differ on." or "These are the clauses you have not yet 
whitelisted OR blacklisted, that may need to be examined first.", 
instead of leaving the user as sole inspector and passive "consumer" 
of the RP's policies. An inspection they are hardly qualified to 
adequately conduct effectively renders them powerless because they 
are not sufficiently informed to properly *wield* what little power 
they have (when to say yes, when to say no).

I imagine policy brokers, possibly integrated into OP's (possibly 
available via OAuth at 3rd-party SP's), empowering users to set their 
*own* policies, selected from a list prepared by the broker's 
lawyers, each clause explained in layman's terms so users can 
understand what their decisions entail. Since even different lawyers 
might interpret the same clauses differently, though, and because the 
RP would probably get tired of paying their *own* lawyer (if any!) to 
explain their intentions to any number of 3rd parties, pressure might 
be applied upon RP's to use standardized clauses - so they can avoid 
the constant suspicion of "Why did you word that clause in *exactly* 
that way? If it doesn't matter, there's no harm in using the 
standardized wording - but if it *does* matter, what are you trying 
to sneak past us?".

I envision an RP sending new users away to autofill fields with 
OpenID's AX, then receiving a reply that lacks ALL personal info and 
says "not only am I not able to automatically complete this field for 
Real Name, but I must pass on to you the User-Side Policy that their 
Real Name *will not* be given to you by the user manually"; deciding 
that this is unacceptable, the RP sends the user back to their OP 
with information on *which* fields were necessary.

Sharing this information with the OP (or policy broker) is extremely 
valuable for users! The benefit to RP's is obvious (you can go to 
Management and report that 10,000 users began the registration 
process, but then cancelled it, and the only difference in Policy was 
this *one* clause, which may be worth changing), but they don't need 
to share this data with anyone else - still, let's remember that the 
user is an equally important entity in UCI-land!

Now, let's say that their OP (or policy broker) has recorded 30,000 
users who *begin* registration at Flickr (just as an example) but 
never try again after learning of the draconian policies. Let's 
*also* say that they have recorded a handful of users with the same 
policies selected, using some *other* site - and they have classified 
this site as *another* photo-sharing service! Suddenly, all 30,000 
users can be notified of an RP that fulfills Flickr's function, but 
gives them the policy they want - connecting users to the sites they 
haven't found yet, but seem to be looking for.

Also, this may happen *before* Flickr's management is convinced that 
they are missing out on enough users to change their policies - it's 
likely, since, to smaller photo-sharing sites, a significant amount 
of users will be seen before Flickr (having a much larger userbase) 
would have thought it more than a statistical anomaly. Worse, 
potential entrepreneurs may decide that their projected ROI is 
sufficient to justify their up-front investment going into an area of 
business they have just been alerted to a market in! So, not only 
will users have already taken up with non-Flickr sites by the time 
Flickr adjusts, but if there weren't any around, someone might have 
entered the free market specifically to provide that service and fill 
the niche. The mere *possibility* of such competition would pressure 
RP's to decide on their most generous ToS, in advance, but *that* 
would require them to give up some opportunities for future revenue. 
Decisions, decisions!

If the dust settled, I expect we would see that the users had won.

-Shade
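
An added illustration of the matching step the message above proposes, not part of the original post: the user's policy is compared with the RP's required fields and clauses before any attribute value leaves the OP. The policy structure, clause ids and function names are hypothetical; only the axschema.org attribute URIs are existing AX identifiers.

```python
# Added illustration: the policy format and clause ids are hypothetical.
from dataclasses import dataclass

# Attribute type URIs from the axschema.org vocabulary used with OpenID AX.
AX_EMAIL = "http://axschema.org/contact/email"
AX_NAME = "http://axschema.org/namePerson"
AX_NICK = "http://axschema.org/namePerson/friendly"

@dataclass
class UserPolicy:
    never_disclose: frozenset  # attributes refused even for manual entry
    whitelist: frozenset       # clause ids the user already accepts
    blacklist: frozenset       # clause ids the user already refuses

@dataclass
class RPPolicy:
    required: frozenset        # attributes the RP insists on
    optional: frozenset        # attributes the RP would like
    clauses: frozenset         # clause ids in the RP's terms

def negotiate(user, rp):
    """Compare both policies before any attribute value leaves the OP."""
    refused = sorted(rp.required & user.never_disclose)
    rejected = sorted(rp.clauses & user.blacklist)
    unreviewed = sorted(rp.clauses - user.whitelist - user.blacklist)
    if refused or rejected:
        outcome = "mismatch"        # "these are the points we differ on"
    elif unreviewed:
        outcome = "needs_review"    # clauses not yet white- or blacklisted
    else:
        outcome = "compatible"
    # Release nothing until the policies agree; then only permitted fields.
    release = sorted((rp.required | rp.optional) - user.never_disclose) \
        if outcome == "compatible" else []
    return {"outcome": outcome, "refused_required": refused,
            "rejected_clauses": rejected, "unreviewed_clauses": unreviewed,
            "release": release}

# Constructed sample data modelled on use-cases 1 and 2 of the message.
PRIVATE_USER = UserPolicy(frozenset({AX_EMAIL}), frozenset(), frozenset())
HOBBYIST = UserPolicy(frozenset(), frozenset({"license:revocable"}),
                      frozenset({"license:non-revocable"}))
SIGNUP_RP = RPPolicy(frozenset({AX_EMAIL, AX_NICK}), frozenset({AX_NAME}),
                     frozenset())
HOST_A = RPPolicy(frozenset({AX_NICK}), frozenset(),
                  frozenset({"license:non-revocable", "tos:arbitration"}))
HOST_B = RPPolicy(frozenset({AX_NICK}), frozenset({AX_EMAIL}),
                  frozenset({"license:revocable"}))

if __name__ == "__main__":
    for u, r in [(PRIVATE_USER, SIGNUP_RP), (HOBBYIST, HOST_A), (HOBBYIST, HOST_B)]:
        print(negotiate(u, r))
```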


