Designing – ‘Right to forget’

How to do right-to-be-forgotten right (IMHO)

– Create an identity store (with at least known ids and proxies for ids)
– Create a key pair per identity
– Encrypt private data with the public key
– Decrypt private data with the private key (along with RBAC, audit, logging and a time-bound access token)
– Delete the private key when the user exercises his right-to-forget.
– Remember the user’s decision and continue to encrypt private data that comes in the future (however, this time there is no way to decrypt it).

Note: identity registration, the identity store and public key access for a given id can all be services, which may run in a centralized system. However, decentralize the encryption process and also the deduplication process for establishing an identity against all known proxies.
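
The steps above, sketched as an added Go example (not code from the original post): one key pair per identity, encryption with the public key only, and erasure of the private key on a right-to-forget request. It assumes RSA-OAEP as the public-key scheme and an in-memory map as the identity store; the names `Identity`, `NewIdentity` and `Forget` are hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Identity is one record of a hypothetical identity store: one key pair per identity.
type Identity struct {
	Pub       *rsa.PublicKey  // may be served centrally to every encrypting service
	priv      *rsa.PrivateKey // in production: kept in a KMS/HSM behind RBAC and audit
	Forgotten bool            // the remembered right-to-forget decision
}

// NewIdentity registers an identity by generating its key pair.
func NewIdentity() (*Identity, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Identity{Pub: &k.PublicKey, priv: k}, nil
}

// Encrypt needs only the public key, so it keeps working after Forget. RSA-OAEP fits
// a small field (at most 190 bytes here); larger records would wrap a symmetric data key.
func (i *Identity) Encrypt(data []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, i.Pub, data, nil)
}

// Decrypt fails once the private key has been erased.
func (i *Identity) Decrypt(ct []byte) ([]byte, error) {
	if i.priv == nil {
		return nil, fmt.Errorf("private key erased: data is unrecoverable")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, i.priv, ct, nil)
}

// Forget erases the private key and records the decision; the public key stays.
func (i *Identity) Forget() { i.priv, i.Forgotten = nil, true }

func main() {
	store := map[string]*Identity{} // identity store keyed by a constructed sample id
	store["user-42"], _ = NewIdentity()
	ct, _ := store["user-42"].Encrypt([]byte("alice@example.com"))
	store["user-42"].Forget()
	fmt.Println(store["user-42"].Decrypt(ct))
}
```

Setting the field to nil only drops the in-process reference; the erasure that matters is deleting the private key wherever it is actually stored, including backups.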

This post was later published on LinkedIn here.
