Instead of providing an entity, e.g., a company, with your personal information, provide a URL to a server providing your information. The data could be hosted on a personal server that you control. When you wish to remove permission for that company to have and use your personal information, simply remove the information from that URL. You should provide each different company a different URL for your information, in order to be able to selectively retract permission.
A promise not to download and cache your personal information is done by legal agreements and audits.
If you are lazy or don't care to protect your information, you can provide a data URI containing your information directly.
Probably also negotiate a cryptographic key so that only the designated company can decrypt the information posted at the URL, not anyone eavesdropping in between. Easiest would be to use a public key of the company, the same one used in the SSL HTTPS certificate to establish the identity of the company. That is a key the company will credibly protect.
No comments :
Post a Comment