Fair use in identity

I notice that Phil Becker was talking about the idea of Identity Fair Use back in 2002.

One of the most easily seen cases of identity "fair use" is in business. If a company honestly wishes to provide superior customer service, and provide the products its customers really want, it must learn about those customers as to their wants and needs. For example, if a product that a company sells has a problem (after many of them have been sold) and the company wishes to replace all of those products it sold with one that is "better" because it doesn't have the problem, they must have a database that indicates who bought the product and how they can be contacted to replace it. If they do, then the company can proactively contact those who bought the defective widget, and send them a replacement. This is clearly good for the customer, and by building their relationship with their customers as "a company that takes care of customers", it is also good for the company.

The problem is that this database is digital identity data -- data that may be deemed to be owned by the customer and not the company. Thus the keeping of such records in a database may be said in the strictest sense to be a violation of the customer's privacy rights. This might be able to be circumvented by having customers explicitly "opt-in" to such a database, but then what is the company's liability if the defective widget is so bad that it might kill a customer? If the company has been explicitly prohibited from ever finding that customer, will its liability be reduced? I suspect not.

I'm not sure about this liability aspect. For example I have an Apple Powerbook with a battery which is being replaced because it might catch fire. But I didn't get an email from Apple about this even though I registered my email address with them when I bought it (and many times subsequently).

But the issue about having my email address is that if we're in a relationship where I am a customer of yours I will allow you to have access to (appropriate) contact details. If our relationship changes such that I no longer wish you to be able to contact me for marketing purposes then I amend our license agreement such that you can only contact me to notify me of product recalls.

Shrinkwrap software licenses always contain clauses that allow the vendor to change the terms at their discretion. I see no reason why my personal-EULA shouldn't have a similar term. As a business that I no longer wish to deal with, you'll get a notification about a change in our license terms for my information which you can either accept or reject. If you reject it then I should have no redress with you about product recalls later on (and our audit trails will support that).

Identity fair use is an important concept to recognize. Using the analogy of fair use in copyright law may be a helpful way to view it, and illuminating as well. But however we do it, identity fair use is a concept that we must identify and discuss as digital identity rolls out. Because if we do not have a vigorous conversation about the concept of identity fair use, we will see many unintended consequences as we attempt to codify privacy rules into law.

We're beginning to roll out now and, as I have said before, our principle is about giving the user convenience with control. I see this ability to assert one's rights over one's information as a key part of having that control.

01/09/2006 13:00 by Matt Mower