Granting direct access to data

[hugoroy]

Nadia suggested to modify the "grant direct access" bit with:

Users should be explicitly given the opportunity to make an informed decision about who has direct access to their data […]

however, this is a problem because the user data manifesto does not cover cases beyong what a user has done.

For instance:

I use a service or a local program that lets me share a file with Bob. I decide to grant Bob direct access to that data, but once Bob has the data, how can the service/program control Bob's own decision to let Alice access the data?

In our current version: I can only control granting direct access to Bob, but I cannot control Bob's own control. If we were to choose Nadia's version, then that means I could also control Bob's actions to grant access to others.

In other words: we assume that the software or the service should treat all users equally and not treat one user better because this is the "original" user.

However, it does not mean that a user should not be able to express their intent, through a license for instance. But the system should not enforce the license (because that's DRM). Humans should enforce licences, not technological systems.

Thus I'm sticking to the current version:

Data explicitly and willingly uploaded by a user should be under the
ultimate control of the user. Users should be able to decide whom to grant
direct access to their data and with which permissions and licenses such
access should be granted.

[karlitschek]

makes sense 👍