Auth: Remind that some data _about_ users shouldn't be _theirs_.

mk-pmb · mk-pmb · commit ad5352e519ce · 2017-06-10T14:36:41.000+02:00
diff --git a/articles/authentication-and-authorization/index.md b/articles/authentication-and-authorization/index.md
@@ -1,4 +1,5 @@
 ---
+---
 layout: post
 title: Authentication and Authorization
 prev:
@@ -44,6 +45,20 @@ your development time up with unreasonable security constraints. If a user tries
 in the process destroys their own user account data, that's not a problem. It's only when actions
 might affect, compromise, or destroy the data of other users that you need to worry.
 
+That said, think twice about who should own which data.
+In lots of websites there's data **about** a user that affects how the
+site owners, their servers and their customer service agents will act:
+
+* Email addresses.
+* Payment history.
+* Premium subscription level and expiration date.
+* Confirmed orders' shipping addresses.
+* You can probably think of more.
+
+So even though this data is **about** a user, it shouldn't be considered
+**theirs** in authorization context.
+
+
 ### Temporary Revocable Access Credentials
 
 Unless you are building an offline-only application designed to store data only in the local browser,
