W3C home > Mailing lists > Public > public-dpvcg@w3.org > August 2021

Re: [projectvrm] Re: Self-Soverign Rights Vs. Self Soverign Identity

From: Devon Loffreto <devon.loffreto@gmail.com>
Date: Sat, 14 Aug 2021 10:51:17 -0400
Message-ID: <CAHAPcL26pp-upTThp+mSUSqMBoAq-dMrX3sWC8ZbZi5dQ87kMQ@mail.gmail.com>
To: Mark Lizar <mark@openconsent.com>
Cc: "wg-ancr@kantarainitiative.org" <wg-ancr@kantarainitiative.org>, ProjectVRM list <projectvrm@eon.law.harvard.edu>, Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>
"Self-Sovereign" ___ "authority" comes from people as innate expressions of
free will, and an inherent accuracy for source of all human rights. This
contextual meaning pointed at by specific words indicates where all
authority is derived from in any civil system purporting to represent
people accurately. Accuracy is a critical component for the integrity of
operations in civil systems.

ID artifacts are applicable to a source being represented by those ID
artifacts. As it is stated that all people have a Right to Sovereignty, as
well as an Identity, the source of authority in establishing both Sovereign
Rights and ID artifacts is critical to the accurate functioning of civil
systems.

Thinking problems, embedded in the language and literature of modern "civil
society" return outcome dysfunctions, allowing "We The People" to be
translated and interpreted incorrectly, or not accurately enough for use by
people. To this end, Individuals never cede their Individual Rights to a
"We" construct not present in nature in any manner other than an
abstraction or derived aggregation of Individual people and their actions
which emit derived data. People, of blood, mud and local only living
authority are also not the same as "people", a literary output used to
justify incorrect structural interpretations of Rights that apply to people
in the real world.

As I scan the kantara docs, I see very limited use of "Self-Sovereign" in
any meaningful work. There is a big difference between the accurate use of
structural requirements for human authority to be processed by any/all
civil systems or technical systems, and the use of these words as marketing
artifacts, such as seems to be the case here, and generally in the SSI
community.

Hot words do not inherently yield hot takes.

I like the approach to consent you are taking, but wonder about the
socialized interpretation of "self-Sovereign", and derived authority
of-by-for people, yielding structural outcomes that need not care or be
concerned about social processes. Root authority, belonging to real people,
is a structural constraint on the accurate interpretation of law-based
literature, and clearly is not done well enough as of 2021. Law schools
socialize this problem of interpretation with their backwards thinking
dependencies.. ie the law is never smart enough for the time it exists to
serve.

Not sure what kantara can do about that, but I'd suggest sticking to your
focus of consent, rather than using meaningful structural words as
marketing fodder, as pointed at by people you spotlight and others.
Thinking disorders cause all kind of problems for people. People own root
authority, even if Individuals have to fight for them from time to time.

"Civil Society" remains elusive in the absence of accurate use of language
and literature to derive civil-technical systems "of, by, for" people,
Individuals all.

Devon
~ Self-Sovereign Root Authority
https://www.moxytongue.com/2021/08/self-sovereign-rights.html


On Fri, Aug 13, 2021 at 11:08 AM Mark Lizar <mark@openconsent.com> wrote:

>
> Thank you (to those that have provided quick feedback) - there  is a lot
> of context missing.
>
> To clarify
>
> 1.  this is a draft proposal to the ANCR WG, and to the communities of
> interest from which this work is originating,  (not a matured output)
>
> The aim of the proposal is to illustrate an overarching (universal for
> humans) consent based governance model, its purpose and approach has
> evolved from the day VRM was started by Doc, when the Identity Trust
> Charter (@IDCommons)  <http://wiki.idcommons.org/Identity_Trust_Charter>was established
> and is still a community interest effort.   The SSI community (esp,
> Drummond, Kaliya and Phil) have done an incredible/monument  job in
> creating a space for this discussion to even be had over the last 15+ yrs..
> Which is when and how I first stumbled across this community.  Ultimately
> around this topics of control, security and privacy in the industry of
> identity management.
>
> 2.  The rules for identity governance have been inspired by the
> contribution of the NGI-Trust Privacy as Expected Project
> <https://privacy-as-expected.org> to the ANCR WG.   for sovereign Consent
> Receipt Signalling protocol, as a candidate  global privacy rights protocol
> that can be used as a conformity assessment for ID and Surveillance
>  Schemes through Trust Framework providers.
>
> 3. The purpose is to
> A). invite collaboration and call for champions interested in global
> privacy infrastructure
> B) To lobby for ISO/IEC 27560 to keep the standard editing to a
> self-sovereign rights record format ( not turn it into (solely) an
> enterprise ‘consent management’ add on for an Identity and Access
> Management solution)
>
> If people want to get involved there is a meeting in the ANCR WG next Wed
> at 10:30 est  <https://kantarainitiative.org/confluence/display/WA>and
> every second (next) Thursday at 11: ToiP in the Notice and Consent Task
> Force
> <https://wiki.trustoverip.org/display/HOME/Notice+and+Consent+Task+Force>
>   if  you are interested and have something to add you are invited ! Come
> and say hi, or even send me a note about your use case and we can see how
> and where it might apply.
>
> Best Regards,
>
> Mark
>
> For Example - Open consent Group Use Cases in development this summer
> according to jurisdiction.
>
> 1. To create a universal privacy rights access button for children, youth
> and parents.  (For ID Schemes in the UK)
> 2. Program to stop the data breach and surveillance of children and their
> data by eLearning platforms   (For ID Scheme in US)
> 3.  A Pilot to enable students to use consent to autonomously generate
> micro-credentials with eIDAS and the PCTF,  (For ID Schemes in Canada)
>
>
> ANCR'ing Data Sovereignty for Self-Soverign Rights    (SSR)
>
> This is the start of the first ANCR WG blog post directed at the amazing
> (ground up)  identity management community  and commons, focused on
> understanding management of consent with digital identifier management
> systems.   Highlighting and contrasting the difference between  a digital
> identifier and access management systems (known as Self Soverign Identity)
> and  consent management referred to here as the use of Self-Soverign Rights
> system.
>
> The aim of this draft blog is start a set of rules (the identity community
> rule book) for respecting consent in digital identity, from the perspective
> and use of a Consent Receipt, which is a record format for capturing the
> state of consent grant to an identity management system through its
> observed implementation.
>
> For many it might be too long to read (apologies) the next version should
> be more concise.
>
> Thanks for all the help getting this work this far..  (you all know who
> you are)
>
> Best Regards,
>
> Mark
>
> PS- pls excuse the errors -
>
> *******  What is SSR?
>
> Technically its consent, which is the use of a privacy right, its a
> socially created legal artifact, when produced correctly it provides proof
> of notice to a service provider, and evidence of the use of privacy rights
> to govern ones own persona data.
>
>
> A Consent Receipt represents a legal Consent Record structure for a fancy
> concept called decentralized data governance, meaning people consent to
> manage and control their own data, independently of digital identity
> management systems.   It is generated by, or on behalf of the Individual to
> demonstrate proof of notice, and proof of using privacy rights so they can
> scale in online environments.  It addresses a key global challenge of
> asserting privacy rights online and with the GDPR can be used to supersede
> contracted terms and definitions, linked to a privacy policy, written  by
> service providers, and managed with digital identity. (Or SSI)
>
> A consent receipt and the individual's right to manage their own consent
> for processing personally identifiable information MUST NOT be confused
> with digital identifier management systems, software and user agents.  In
> this regard, there are a number of rules for the use of consent receipts
> and the implementation of the consent record information structure, which I
> (we) in Kantara ANCR WG, champion in the identity management industry
> through the Kantara Initiative, through IIW, W3C DPV, at ISO/IEC, and with
> the privacy controller credential specification at Trust over IP.  Where
> multiple community driven efforts collaborate on developing the consent
> record information structure.
>
> To this end, and in advanced of the ISO/IEC Consent record structure
> comments due (aug 16), we are working on set of rules for human consent in
> order to clarify the different between Self Soverign Rights, and concepts
> of  Self-Soverign Identity.
>
> SSR - Rule #1 - People are not users.  In  identity management industry
> and systems, people are  most commonly referred to as users. This is a
> infrastructure centric term, not a human centric term.    Technically,
> people use software, or technical agents, to interact with services and
> systems.  Wether that system   Referred to in this work as User Agent.  The
> easiest way to see if a system provides self-soverign rights aka respects
> your consent is if you are referrer to as a User.
>
> People are not users, they may use, User Agents, Software Clients or
> Servers, or be the user of service through a technical intermediary called
> software/user agent.
>
> Rule # 2 Consent is Managed by the Individual, permissions are managed by
> digital identifier management systems,. (See above)
>
> Rule # 3 - Consent is interoperability for humans
>
> Consent is an intrinsic human action, it is specified in privacy law,
> constitutional law and human rights law.   It is the essence of human
> interoperability between people and  between a person and a technical
> system. Consent facilitates personalized consensus and operational
> efficiency gained through interoperability.
>
>  (e.g.  Imagine going into a coffee shop without speaking or knowing how
> to read the language / numbers used in the shop, on sign.  From pulling to
> pushing the door to get in, to asking if you can order a coffee from
> someone, to negotiating payment and getting the coffee made the way you
> like. ) all of this would take a lot longer to get served, there would be
> significantly less assurance that your coffee would be to your taste and it
> would be a lot hard to build trust in ordering a coffee with the
> person/people serving it).
>
> 4. Notice for Consent is the security and integrity infrastructure of
> Decentralized Data Governance
>
> If a person doesn’t have a digital notice of WHO controls their data - it
> is not consent, it is a personal permission or preference for an implied
> consent that already exists in the context of use.  For
> services administered online, the privacy notice of WHO controls your
> personal data is the first security consideration  to check to see if a
> purpose specification with produce a valid consent grant.
>
> In the Kantara Initiative ANCR Work Group, a person is the sovereign
> controller of their own record of the relationship called an Anchor
> Record.  It contains the privacy controller credential, that is used to
> generate, verify validate, and notarize privacy rights claims online.   In
> Self Soverign Rights based systems it is the individual who controls the
> use and generation of consent receipts - not a digital identifier
> management system controlled and run by a corporation.
>
> Before a purpose is valid, or privacy compliant a notice  containing the
> controller credential is required. This is true in all privacy legislation.
> If this is not present before, at the time of processing, or a soon as
> processing starts the consent is not valid, the online service./ system is
> not safe or secure for Chidren.
>
> Rule # 5 - Consent is specified for a Purpose (only) Not for Permissions
> or preferences
>
> Consent is a grant of permission for a specific and specified purpose.
>  (That is it)  A  purpose is a human centric way for people to agree to
> data processing activities, as it provides a consistent way for all humans
> to grant permission scopes to companies  in ways people understand and are
> meaningful.   The ANCR Consent Receipt Framework utilizes the W3C Data
> Privacy Vocabulary controls for specifying a purpose so that the semantics
> of a consent receipt are standardized, this is the key component of the
> consent receipt record structure that produces integrity and something
> people can understand as trustworthy.
>
> (Note to reader: The Consent Receipt, and the Consent Record Structure, or
> what was ISO/IEC 27560 WD 1, is/was in a common international format for
> specifying a purpose with a standardized field format.  It can be extended
> and used at ISO/IEC with 29184 Online Privacy Notice and Consent, which
> provides content controls (for the filed data in the Consent Receipt) as
> well as additional consent record structure, for the identity management
> industry.
>
>
> Rule # 6 Consent is a Human Centric Legal  Paradigm
>
> The Consent Receipt v1.1 Specification, which was adopted into  ISO/IEC as
>  27560 WD 1,  was formulated  to differentiate itself from identifier
> management systems, comprised of a database of identifiers, access logs,
> and role based access controls.   Designed, and generated by enterprise,
> which is easily recognized with opt-in tick-boxes in a form, referring to
> contract terms that people have never read (known as the biggest lie on the
> internet) and cannot possibly enforce in context, especially with American
> style contacts that require a law suit to adjust.
>
> Self Soverign Rights are implemented with Privacy Agreements  (referring
> to legal frameworks like GDPR and CoE 108+) not privacy policies meant for
> Terms and Conditions which are contracts.  In the ANCR Consent Record
> Information Structure all interactions begin with Consent and then are
> derogated with additional legal justifications for processing or by
> specified exemptions in law.
>
> This means that the location of the person who reads the notice of control
> is used to specify what Privacy rights rule book applies for that context,
>  which supersedes  Terms and Conditions (code is not law and does not
> provide self-soverign rights)
>
> A person uses privacy law to consent, a system uses contract law to
> implement that consent with other systems, repersented by Data Processors
> or 3rd Parties. Almost all of the time with digital identity systems a
> consent grant from a person, also requires a contract with a system.
>
> Contract requires civil litigation to enforce, privacy rights required a
> complaint to a regulator to enforce.  People in mid flow of using a
> service, cannot expect to have to stop and start a law suit to enforce
> their privacy rights.   To punctuate this point, 1/3rd of internet service
> users are Children who cannot legally agree to terms, provide permissions
> or enforce their rights without their parents.
>
> Tick boxes on websites for terms and conditions, and similar mechanisms
> are permission or prefernence setting devices that further specify a
> person’s preferences for the existing consent, which for example is implied
> when a person clicks a link to a website, or fills in a form with personal
> data.  Online, in a web-browser, consent is already inferred, and notice
> already provided when a person uses a website browser, connects to a
> network and starts a device.  It is not created in an identifier management
> system.
>
> This is why a consent notice  receipt is used to add additional legal
> justification for processing to maintain a shared expectation of privacy.
> Additional legal justifications are layered onto of consent.
>
> #7 Self-Soverign Rights are used independently of service providers
>
> The  focus of the CISWG, and now the ANCR-WG specification work  has been
> the CR framework for developing self-soverign rights infrastructure. It is
> specified with a legal use case needed in order to provide the requirements
> for the specification of the receipt fields.
>
> This work is interoperable with all privacy laws, and principles.  It is
> intended to be used as a conformance tool for people and for systems to map
> a privacy law with mature set of standards.  ISO 29100 in particular, (open
> and free)  that define all the stakeholders and terms, and  built with the
> American vocabulary for use in Internet and identifier management
> Governance.
>
> #8 Privacy should always be as Expected, Consent is King
>
> The number one thing a system should do is start with what people expect -
> aka - the purpose for which the person wants to use a service.
>
> Interoperable technical specification, vocabularies and standards
> facilitate the consent record information structure and refer to privacy
> law vocabulary or the ISO 29100 terms and definitions are interoperable, so
> consent grants can scale online.    As a result, over the last decade,
> different community efforts have undertaken important work to develop the
> consent record structure that is used in the ANCR Framework.
>
> For example, W3C Data Privacy Vocabulary has included in the vocabulary
> the CR v1.1 / ISO 29100 terms and definitions.  Trust over IP: Notice &
> Consent Task Force, specifies how an Individual can generate a Privacy
> Controller Credential (ANCR Record) to  assert privacy rights with consent.
>
> Combined these specifications can be used to implement Privacy Assurance
> Frameworks - for the ANCR WG - Privacy as Expected Protocol (a global
> privacy rights UI signalling specification) design for consented
> surveillance in  digital identity systems. Once implemented SSR can enable
> dynamic data control, for all legal justification for processing (like
> breaking glass emergency scenarios)  It is a protocol that produces a
> signal so people can immediately see if privacy is what they expect, or not
> with a quick glance, or sound.
>
>
>
> — Thats it for this first draft on Self Soverign Rights vs Self Soverign
> Identity -
>
> To find out more about this great work, and to see more Self-Soverign
> Rights - Rules for  Consent Receipts stay tuned, or get involved in one of
> groups working on global privacy infrastructure.
>
> Kantara ANCR WG <https://kantarainitiative.org/confluence/display/WA>
> ToiP -Notice & Consent Task Force
> <https://wiki.trustoverip.org/display/HOME/Notice+and+Consent+Task+Force>
> W3C-  Data Privacy Vocabulary C <https://dpvcg.github.io/dpv/>G
>
>
>

-- 

*Devon Loffreto*

Founder/ Developer/ Mentor

kidOYO <http://www.kidoyo.com>/ OYOclass.com <https://www.oyoclass.com>



------------------------------
Important: This electronic mail message and any attached files contain
information intended for the exclusive use of the party or parties to whom
it is addressed and may contain information that is proprietary,
privileged, confidential and/or exempt from disclosure under applicable
law. If you are not an intended recipient, you are hereby notified that any
viewing, copying, disclosure or distribution of this information may be
subject to legal restriction or sanction. Please notify the sender, by
electronic mail or telephone, of any unintended recipients and delete the
original message without making any copies.
Received on Monday, 16 August 2021 08:42:38 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:28:00 UTC