Blog from June, 2024

(this is a draft blog post, pending WG approval)

Support Open ISO Standard to Scale Digital Privacy Transparency and make privacy and consent free

Working Group 5, with which Kantara has had a liaison agreement since … at its most recent in-person meeting in Manchester, is taking action with regards to publicly available standards.

The Anchored Notice and Consent Work Group (ANCR WG) unanimously approved a request to the Leadership Council (LC) to support efforts to restore ISO/IEC 29100 Information Technology - Security Techniques - Privacy Framework as an open standard.

It incorporates basic privacy principles stemming from the 1970’s and the Fair Information Practice Principles (FIPPs). At present the standard is no longer publicly available and has been updated to a 2024 version. Action is being taken to make this open again. As a workgroup we strongly support this recommendation and action.

In addition, there is an effort to make ISO/IEC 27560:2024 Consent record information structure and open standard. As a workgroup we also request support of the LC in this effort as well, and only if this is done in combination with ISO/IEC 29184:2020 Online privacy notices and consent. The notice and consent specification provides critical transparency requirements and security and privacy controls that can be used by people to manage their digital identities. These 3 standards together provide an operational transparency framework and architecture enabling security for infrastructure and services with privacy and consent by default.

Why open access matters
29184 was developed to supplement the freely accessible ISO/IEC 29100 security and privacy techniques framework. Our work at the Kantara Initiative has long focused on standardizing notice to enable managed consent and control over data access on a large scale. This effort began more than a decade ago at the W3C - Do Not Track and Beyond conference The need for notice and transparency standards in online security and privacy.

The business case for standardizing digital transparency
There is a compelling business case for ISO/IEC to lead in standardizing digital transparency for security, privacy, and digital identity management. A robust set of international transparency standards would compel industries to adopt ISO/IEC’s paid security standards, such as 27001, 27002, and 27701. These standards provide specific requirements and guidance for establishing a Privacy Information Management System (PIMS).  Acting now to facilitate data governance and security interoperability will enable ISO/IEC to lead this competitive practice internationally. 

International impact and interoperability
Our commitment to this project is driven by 29100’s influence in developing international privacy instruments that are interoperable with GDPR, and importantly for Canada, and elsewhere, is the CoE Convention 108+. Expected to be ratified by 2025 Convention 108+ will provide an international data governance instrument for security and privacy across the Commonwealth, encompassing 56 countries and 2.5 billion people. Convention 108+ mirrors the GDPR Chapter 1 Transparency Modalities section, and 29100. It has been used as a primary standard to create transnational transparency requirements that establish a legal basis for consent leading to and not determined by identity and access management systems.

Scaling Digital Privacy Transparency of Your Identity
The ANCR WG effort at Kantara Initiative specifies notice and consent receipts which focus on this combination of standards, laws, and current market dynamics to create a regulatory tool to provide PII Principles with digital transparency over processing personal data.

ANCR WG tools assess the transparency conformance and compliance of PII Controllers security, privacy and transparency. The notice record and receipts are digital identity credentials that benchmark compliance utilizing 29100, 29184, and 27560 natively. These standards when required to be open make it possible to scale standardized digital privacy transparency in the international Commonwealth.

For 'Digital Identity Surveillance and Trust' this means people can see and therefore have the opportunity to trust, when personal data is processed by digital identity technologies and agents. Solving security and trust issues involved in identifying ones self for service processing personal data.

The Call to Action

For ISO this enhances the adoption of paid for standards, and for Kantara the opportunity to enable a 100% completely inclusive trust technology to enable the ethical and secure use of digital identity management and its society surveillance. This means in ANCR WG we are able to assess the transparency, mis-information and compliance of any identity management framework, protocol, technology or notice, for how trustworthy it is for the individual.

The ANCR WG’s draft Transparency Performance Scheme for creating conformant PII Controller records are a legal record of processing that provides proof of knowledge, missing online today. Without knowledge and transparency over the choices we make online and who benefits from them, we act without truth or digital freedom.

To further this work and utilize 29184 we invite Kantara Initiative to support an international standard for digital privacy transparency and digital identity that complies with consent. Lets demand notice record and consent receipts together.

Support the vision of the ANCR WG, help people can see the impact their choices have on themselves, family, community and society, so that we can collectively address the challenges we face in digital identity management today.