- From: Tim Holborn <timothy.holborn@gmail.com>
- Date: Sat, 30 Aug 2014 13:40:50 +1000
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: W3C Credentials Community Group <public-credentials@w3.org>, public-webid <public-webid@w3.org>
- Message-Id: <AF5F91B9-D561-4D81-B4AE-760BCB81D3C9@gmail.com>
Hi Manu,

I’ve edited the document slightly: https://docs.google.com/document/d/1FD6V_GcU2lWOr1fqLa0WtFgqjdNXVyOzZIQnqpfXiCw/edit#

A conversation that happened on the WebWeWant thread in February. I’ve somewhat anonymised the text relating to the concept of whether the Web We Want campaign can adopt the principle of “personal control over personal data”. Below is a copy/paste of the conversation (for the most part - I wrote a long thing, but don’t feel it’s necessary…)…

I’ve described one concept of how to apply the concept of ‘data rights’ to a credentials standard in this MindMup https://www.mindmup.com/#m:a1c130b1900d9a01320be50ecffad778f1 which I’ve also shared here: https://drive.google.com/file/d/0B_-AWWDVv3V2bGlkY2FtS2VDa3M/edit?usp=sharing

Another method might be to engage http://www.w3.org/community/odrl/ who are writing “the open digital rights language”, which may provide a means to describe these sorts of rights in connection to a credential.

Beyond the use-cases of how the credentials are used, how they’re discoverable, etc.: is the requirement to maintain the capacity for individuals to use the internet free of any identity documents - which in turn MEANS the right for persona. This is a very difficult area of policy decision making, which is highlighted in the sphere of the IGF and the recent NETmundial event (http://new.livestream.com/wef/events/3320009), where global internet governance is the topic, given some changes in that area.

What we are attempting to define in this community group, in providing a means for identity - lawful identification, fundamentally - as a citizen, is incredibly important. Yet we need to ensure it is not made useful for pervasive, and therefore at times nefarious, purposes. The sad fact in this territory of science is that often acts become criminal some time after such behaviours become so widespread that causation to act and describe such science grows to surpass a measure of critical mass.

Even then, lawmakers find it difficult to target appropriate scientific language so as to ensure the rule-book has no unreasonably prevalent, consequential, adverse and/or unforeseen consequences.

I note the topics that are “out of scope” and use the concepts described to suggest that, in this effort to maintain a level of ‘universality’, these concepts of pseudo-anonymity, persona and data rights all become even more important, as it does not appear these functions are currently supported through the various means available today; and that the development and application of Credentials, if successful, will impact this area of science significantly.

My final suggestion (beyond reading the below text) is that the vote on this charter be delayed until after the input of the IGF Session - WS69: The Payment-Privacy-Policing Paradox in Web Payments Systems (link: http://sched.co/1k5zj4K + link to remote participation info: http://www.intgovforum.org/cms/documents/igf-meeting/igf-2014-istanbul/remote-participation/210-igf-remote-participation-manual-2014/file ) so as to ensure our scoping and document definition process attends to the maximum possible community input available to us, within the scope of the agenda and timelines required for this very important milestone.

Timothy Holborn.
https://twitter.com/WebCivics

________________

(not sure what the correct procedure for raising this is but...)

I see UK opposition leader Ed Miliband makes a keynote policy speech tomorrow <http://www.theguardian.com/commentisfree/2014/feb/09/ed-miliband-power-unaccountable-public-private>, with the call: *"First, people should own information about themselves"*

The web we want has global and cross-party consensus on this theme I reckon. But I think "ownership" is a problematic way to express this. It's really about control.

Can "The Web We Want" vision explicitly include the notion of *personal control over personal data*? How do we get that in the core principles?

________________

This then continued:

"Ownership" or "property" is a problematic way to empower people's control over their data. That's the reason why the protection is articulated around the concept of "reference". If data refers to you, you have certain rights over it, even if you are not the owner of such data.

_____________________

I wonder if we're getting hung up on semantics here? If everyday digital citizens are going to take action for themselves they'll need to know that something is being taken away from them. The easiest way to communicate this is 'loss of ownership'.

We each create and 'own' our own data. We already 'trade' it as fair exchange for reward (e.g. access to services or cash) in communities that we inhabit (schools, towns, countries, workplaces etc). By extension, if a third party asks to access and store our data - for example a supermarket loyalty card - we 'lease' a version of that data in fair exchange (fair, as long as the terms are very clear to us) for our benefit. If we cancel the loyalty card, the 'lease' of the data should auto-expire and the data be deleted by the supermarket so that 'ownership reverts'.

By further extension, if a person or company takes personal data without permission, that's theft. If an entity harvests personal data by using ambiguous terms, that's fraud. If an employee steals customer data from their employer, it's embezzlement.

As a concept, a right to 'ownership of self' is easy for everyone to understand.

____________________________

so would a "wiki" model where one can freely access, amend, efface / add to ourselves be enough?

____________________________

Hi Prakash, some data needs to be validated by third parties. For example, your Doctor would likely have an issue if you asked to amend your own medical records. :)

____________________________

It is impossible to see this debate as right v. no-rights.

Even if I have the right to control my info, there are several cases in which data must be accessible to third parties. I cannot figure out how tax administration would work without accessing certain data in spite of taxpayers' desires. Precisely for that reason, regulation not only provides for a set of rights, but also certain exemptions that allow certain limited processing of data without the data subject's authorization. Unfortunately, very often governments (as well as private entities) take advantage of a poorly drafted regime of exceptions.

____________________________

And your bank would have a much bigger issue if you asked to edit your bank balance.

____________________________

But again, I want the ability to monitor what the bank is doing with my funds, to require errors to be repaired, to be protected from fraud, and to control who has access to my banking records. This isn't about necessary agents having access to the information - it's about my right to control who those agents are and what they can and can't do.

____________________________

Transparency is an essential first step toward control. If we establish a global 'right to self' this should extend to having real-time visibility of any data held in machine readable format (I had a chat with one of the EU data commission about this in October - a printed PDF in the post is NOT digital transparency! :) )

The second step is the ability to update and amend data - and change terms of use for that data where appropriate.

There will, of course, be legal exceptions. For example, I think most digital citizens would agree that an organised criminal shouldn't have access to ongoing investigation information about him/her. But again, appropriate laws need to be established and amended to frame these exceptions.

____________________________

But you'd also be pretty upset if you didn't have control over who gets to see your medical records.

I also think individuals should be able to see their own medical records, copy them, print them, and choose to share them. More and more patient health online portals are being developed in which patients can, in fact, enter information (blood pressure, blood glucose measurements, etc), track their conditions, ask questions, and communicate with their doctors. Patient-centered health is gaining a lot of traction in medicine today and patients should be involved in their own care. As a medical librarian, understanding patient information needs is of great importance and something I have studied. People want to understand what's happening to themselves and their loved ones and be involved in making those critical decisions.

There's recently been a developing scandal in the UK over the NHS potentially making patient information accessible to the government without patient consent. This is the kind of thing that needs to be stopped. Effective security for personal, particularly patient, information is absolutely vital. I do HIPAA training and an exam annually to be able to work in the hospital here; we take the protection of PHI seriously.

I strongly agree that personal control over personal data should be an explicit core principle in the web.

____________________________

Taking a more legal stance, there is an issue with defining what this data is and how we as citizens ask to control it. It seems an academic debate whether we should "own" or "control" information about ourselves.

One practical starting point is non-disclosure agreements (through which one party receives confidential information from the other and promises to keep it safe, limiting its distribution, its use etc). In an NDA there are two key challenges:

1) defining the data (usually it has to be marked as "confidential", so that non-public data cannot be considered confidential)
2) the mechanism for destroying the confidential data.

For our case, it's easy to see that both 1 and 2 are not going to be easy.

Should we not debate how to solve 1 and 2 rather than whether the matter in hand is about "ownership" or "control", or which field it's important in and why?

____________________________

A simple process is to create info banks where account holders (the people) can store data about themselves and their interactions. This is a critical democratic issue.

____________________________

I agree Tim, I think it’s the biggest civil rights issue of our time. It’s a critical democratic issue for people living in democracies - and for the millions who don’t, establishing a universal right to self might just help improve their situation too.

____________________________

I agree with Jennifer about a strong commitment on the right to control personal data. I don't think any government will reject such language. In fact there are several instruments already providing that support (OECD, European Union, APEC, UN, and so on).

In my opinion, the problem is getting into details. Who must be forced to comply with that regulation? What will be the enforcement mechanism? Should we assume everyone authorizes processing of his/her personal data in advance? Or should we assume the opposite? What is a reasonable exception for both government and businesses?

Again... a general principle won't be opposed by anybody, since there are already several instruments articulating that. Shouldn't we push for more than a mere general statement on the matter?

____________________________

In US healthcare, when you seek care, you are given information sheets to read about privacy and who has access to your data, then you have to sign permission. You receive a copy of the documents also (if they are doing their job properly). I'm sure some don't do it as well as others and there are significant 'informed consent' issues with people's ability to read and understand what they are signing. Basic reading literacy remains a serious issue and many of these documents are very poorly written. However, at least it is done.

Data privacy and accessibility policies should be made clearly and succinctly available by any institution that has access to personal data. Start there, at the very least. Of course, as a fervent advocate for literacy, both general and health, I'd like to see readability and alternative mediums (audio, video, etc.) brought into serious consideration too. Long, boring legalese that no one has time to read or ability to understand is a failure. That kind of thing is a major issue in clinical trial informed consent procedures, especially with the increase in use of electronic informed consent. I've done some work on these issues.

But putting aside my own concerns, surely it can't be that difficult to insist on such statements. Most banks and financial institutions provide them (pretty much unreadable fine print) but they do provide them.

____________________________

Yes, informed consent and understanding is a huge issue. People rarely, if ever, read the terms of service - which allows the unscrupulous (or desperate) to abuse. We're building on some of the excellent work already done by people like Tosdr.org and justdelete.me to provide traffic lighting of terms which will hopefully help. I guess the concept could also be used for offline contracts like medical forms or credit card small print too.

Our biggest concern is that local, country specific, legislators will take years to catch up with what's needed. Thinking about ourselves as global digital citizens first simplifies things a little :)

____________________________

True. I'm just as guilty as anyone else of not reading TOS because of the length and density of the 'small print.' It seems that we all agree about the importance of personal control of personal data - the 'devil is in the details.'

I'd add to Kristoffer's key issues to make the following five:

1) defining the data (usually it has to be marked as "confidential", so that non-public data cannot be considered confidential)
2) defining who beyond the individual needs to have access, whether for business or legal purposes, and how that access is provided (for example, the idea of "minimal necessary")
3) designing effective and readable statements/policies
4) redress for violations (this also includes the issue of oversight)
5) mechanisms for destroying the confidential data

#2 above might also include issues of portability, i.e. when you change providers (whether a bank, phone carrier, physician or whatever), or that might be a sixth issue as it affects number 5 also.

____________________________

If you want to control it, not own it, what happens when it's a telephone recording ("for training purposes only") with a gov organisation? What happens when the junior doctor misunderstands and writes the wrong thing in the file?

Having the right to identity and all those things related to it doesn't give you the right to simply change reality, other than through negotiation with others. Problem ATM is that you have no rights. It is based on the risk management agenda of the organisation creating the data about you.

____________________________

Data is a form of knowledge capital. Ownership is an ok term, I think, in defining the term to mean not required to license as a result of creating or communicating with others. Data.fm is one means being developed to support natural legal entities' rights to data at a comparable or preferred level to the rights of an incorporated entity, particularly concerning data that relates specifically to a natural legal entity.

____________________________

Thanks for responses. They beg a host of further questions and responses that make me want to meet up in a pub with beer.

But let's just get a feel for a) whether we want such a principle, and - if so - b) what the right articulation of that principle is. There may also be a time and place for more privacy vs ownership vs control discussions, but the quick point it would be great to establish is whether there is the appetite to see some such principle as a core part of "the Web we Want" and whether there is any objection to the basic principle of "personal control over personal data" or indeed "people own their own data".

____________________________

(LINK FOR THOSE WHO CAN ACCESS IT: http://mailman.gn.apc.org/mailman/private/campaign-webwewant/2014-February/ )

On 30 Aug 2014, at 7:17 am, Manu Sporny <msporny@digitalbazaar.com> wrote:

> This is an official vote on the Credentials CG Charter, which can be
> found here:
>
> http://www.w3.org/community/credentials/charter/
>
> The voting poll is here:
>
> http://doodle.com/cdcnge9qzwfhbamn
>
> When voting, please enter your name and your vote. Only one vote per
> organization, please. If you want to vote pseudo-anonymously, put in a
> random string like '8fh3ksfh' and then email msporny@digitalbazaar.com
> with who you are. Your name will not be released to anyone, but will
> rather be used to ensure no double-votes.
>
> -- manu
>
> --
> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
> Founder/CEO - Digital Bazaar, Inc.
> blog: High-Stakes Credentials and Web Login
> http://manu.sporny.org/2014/identity-credentials/
Received on Saturday, 30 August 2014 03:46:02 UTC