W3C home > Mailing lists > Public > public-dpvcg@w3.org > August 2021

Self-Soverign Rights Vs. Self Soverign Identity

From: Mark Lizar <mark@openconsent.com>
Date: Thu, 12 Aug 2021 16:16:35 +0000
To: "wg-ancr@kantarainitiative.org" <wg-ancr@kantarainitiative.org>
CC: ProjectVRM list <projectvrm@eon.law.harvard.edu>, Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>
Message-ID: <4C495084-7EE6-431D-B68D-00F1D6C2ABE3@openconsent.com>
ANCR'ing Data Sovereignty for Self-Soverign Rights    (SSR)

This is the start of the first ANCR WG blog post directed at the amazing (ground up)  identity management community  and commons, focused on understanding management of consent with digital identifier management systems.   Highlighting and contrasting the difference between  a digital identifier and access management systems (known as Self Soverign Identity) and  consent management referred to here as the use of Self-Soverign Rights system.

The aim of this draft blog is start a set of rules (the identity community rule book) for respecting consent in digital identity, from the perspective and use of a Consent Receipt, which is a record format for capturing the state of consent grant to an identity management system through its observed implementation.

For many it might be too long to read (apologies) the next version should be more concise.

Thanks for all the help getting this work this far..  (you all know who you are)

Best Regards,

Mark

PS- pls excuse the errors -

*******  What is SSR?

Technically its consent, which is the use of a privacy right, its a socially created legal artifact, when produced correctly it provide proof of notice to a service provider, and evidence of the use of privacy rights to govern ones own persona data to an Indivi.

A Consent Receipt represents a legal Consent Record structure for a fancy concept called decentralized data governance, meaning people consent to manage and control their own data, independently of digital identity management systems.   It is generated by, or on behalf of the Individual to demonstrate proof of notice, and proof of using privacy rights so they can scale in online environments.  It addresses a key global challenge of asserting privacy rights online and with the GDPR can be used to supersede contracted terms and definitions, linked to a privacy policy, written  by service providers, and managed with digital identity. (Or SSI)

A consent receipt and the individual right to manage their own consent for processing personally identifiable information MUST NOT be confused with digital identifier management systems, software and user agents.  In this regard, there are a number of rules for the use of consent receipts and the implementation of the consent record information structure, which I (we) in Kantara ANCR WG, champion in the identity management industry through the Kantara Initiative, through IIW, W3C DPV, at ISO/IEC, and with the privacy controller credential specification at Trust over IP.  Where multiple community driven efforts collaborate on developing the consent record information structure.

To this end, and in advanced of the ISO/IEC Consent record structure comments due (aug 16), we are working on set of rules for human consent in order to clarify the different between Self Soverign Rights, and concepts of  Self-Soverign Identity.

SSR - Rule #1 - People are not users.  In  identity management industry and systems, people are  most commonly referred to as users. This is a infrastructure centric term, not a human centric term.    Technically, people use software, or technical agents, to interact with services and systems.  Wether that system   Referred to in this work as User Agent.  The easiest way to see if a system provides self-soverign rights aka respects your consent is if you are referrer to as a User.

People are not users, they may use, User Agents, Software Clients or Servers, or be the user of service through a technical intermediary called software/user agent.

Rule # 2 Consent is Managed by the Individual, permissions are managed by digital identifier management systems,. (See above)

Rule # 3 - Consent is interoperability for humans

Consent is an intrinsic human action, it is specified in privacy law, constitutional law and human rights law.   It is the essence of human interoperability between people and  between a person and a technical system. Consent facilitates personalized consensus and operational efficiency gained through interoperability.

 (e.g.  Imagine going into a coffee shop without speaking or knowing how to read the language / numbers used in the shop, on sign.  From pulling to pushing the door to get in, to asking if you can order a coffee from someone, to negotiating payment and getting the coffee made the way you like. ) all of this would take a lot longer to get served, there would be significantly less assurance that your coffee would be to your taste and it would be a lot hard to build trust in ordering a coffee with the person/people serving it).

4. Notice for Consent is the security and integrity infrastructure of Decentralized Data Governance

If a person doesn’t have a digital notice of WHO controls their data - it is not consent, it is a personal permission or preference for an implied consent that already exists in the context of use.  For services administered online, the privacy notice of WHO controls your personal data is the first security consideration  to check to see if a purpose specification with produce a valid consent grant.

In the Kantara Initiative ANCR Work Group, a person is the sovereign controller of their own record of the relationship called an Anchor Record.  It contains the privacy controller credential, that is used to generate, verify validate, and notarize privacy rights claims online.   In Self Soverign Rights based systems it is the individual who controls the use and generation of consent receipts - not a digital identifier management system controlled and run by a corporation.

Before a purpose is valid, or privacy compliant a notice  containing the controller credential is required. This is true in all privacy legislation. If this is not present before, at the time of processing, or a soon as processing starts the consent is not valid, the online service./ system is not safe or secure for Chidren.

Rule # 5 - Consent is specified for a Purpose (only) Not for Permissions or preferences

Consent is a grant of permission for a specific and specified purpose.  (That is it)  A  purpose is a human centric way for people to agree to data processing activities, as it provides a consistent way for all humans to grant permission scopes to companies  in ways people understand and are meaningful.   The ANCR Consent Receipt Framework utilizes the W3C Data Privacy Vocabulary controls for specifying a purpose so that the semantics of a consent receipt are standardized, this is the key component of the consent receipt record structure that produces integrity and something people can understand as trustworthy.

(Note to reader: The Consent Receipt, and the Consent Record Structure, or what was ISO/IEC 27560 WD 1, is/was in a common international format for specifying a purpose with a standardized field format.  It can be extended and used at ISO/IEC with 29184 Online Privacy Notice and Consent, which provides content controls (for the filed data in the Consent Receipt) as well as additional consent record structure, for the identity management industry.


Rule # 6 Consent is a Human Centric Legal  Paradigm

The Consent Receipt v1.1 Specification, which was adopted into  ISO/IEC as  27560 WD 1,  was formulated  to differentiate itself from identifier management systems, comprised of a database of identifiers, access logs, and role based access controls.   Designed, and generated by enterprise, which is easily recognized with opt-in tick-boxes in a form, referring to contract terms that people have never read (known as the biggest lie on the internet) and cannot possibly enforce in context, especially with American style contacts that require a law suit to adjust.

Self Soverign Rights are implemented with Privacy Agreements  (referring to legal frameworks like GDPR and CoE 108+) not privacy policies meant for Terms and Conditions which are contracts.  In the ANCR Consent Record Information Structure all interactions begin with Consent and then are derogated with additional legal justifications for processing or by specified exemptions in law.

This means that the location of the person who reads the notice of control is used to specify what Privacy rights rule book applies for that context,  which supersedes  Terms and Conditions (code is not law and does not provide self-soverign rights)

A person uses privacy law to consent, a system uses contract law to implement that consent with other systems, repersented by Data Processors or 3rd Parties. Almost all of the time with digital identity systems a consent grant from a person, also requires a contract with a system.

Contract requires civil litigation to enforce, privacy rights required a complaint to a regulator to enforce.  People in mid flow of using a service, cannot expect to have to stop and start a law suit to enforce their privacy rights.   To punctuate this point, 1/3rd of internet service users are Children who cannot legally agree to terms, provide permissions or enforce their rights without their parents.

Tick boxes on websites for terms and conditions, and similar mechanisms are permission or prefernence setting devices that further specify a person’s preferences for the existing consent, which for example is implied when a person clicks a link to a website, or fills in a form with personal data.  Online, in a web-browser, consent is already inferred, and notice already provided when a person uses a website browser, connects to a network and starts a device.  It is not created in an identifier management system.

This is why a consent notice  receipt is used to add additional legal justification for processing to maintain a shared expectation of privacy.  Additional legal justifications are layered onto of consent.

#7 Self-Soverign Rights are used independently of service providers

The  focus of the CISWG, and now the ANCR-WG specification work  has been the CR framework for developing self-soverign rights infrastructure. It is specified with a legal use case needed in order to provide the requirements for the specification of the receipt fields.

This work is interoperable with all privacy laws, and principles.  It is intended to be used as a conformance tool for people and for systems to map a privacy law with mature set of standards.  ISO 29100 in particular, (open and free)  that define all the stakeholders and terms, and  built with the American vocabulary for use in Internet and identifier management Governance.

#8 Privacy should always be as Expected, Consent is King

The number one thing a system should do is start with what people expect - aka - the purpose for which the person wants to use a service.

Interoperable technical specification, vocabularies and standards facilitate the consent record information structure and refer to privacy law vocabulary or the ISO 29100 terms and definitions are interoperable, so consent grants can scale online.    As a result, over the last decade, different community efforts have undertaken important work to develop the consent record structure that is used in the ANCR Framework.

For example, W3C Data Privacy Vocabulary has included in the vocabulary the CR v1.1 / ISO 29100 terms and definitions.  Trust over IP: Notice & Consent Task Force, specifies how an Individual can generate a Privacy Controller Credential (ANCR Record) to  assert privacy rights with consent.

Combined these specifications can be used to implement Privacy Assurance Frameworks - for the ANCR WG - Privacy as Expected Protocol (a global privacy rights UI signalling specification) design for consented surveillance in  digital identity systems. Once implemented SSR can enable dynamic data control, for all legal justification for processing (like breaking glass emergency scenarios)  It is a protocol that produces a signal so people can immediately see if privacy is what they expect, or not with a quick glance, or sound.

— Thats it for this first draft on Self Soverign Rights vs Self Soverign Identity -

To find out more about this great work, and to see more Self-Soverign Rights - Rules for  Consent Receipts stay tuned, or get involved in one of groups working on global privacy infrastructure.

Kantara ANCR WG<https://kantarainitiative.org/confluence/display/WA>
ToiP -Notice & Consent Task Force<https://wiki.trustoverip.org/display/HOME/Notice+and+Consent+Task+Force>
W3C-  Data Privacy Vocabulary C<https://dpvcg.github.io/dpv/>G


Received on Thursday, 12 August 2021 16:16:54 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:28:00 UTC