Versions Compared

Old Version 30

changes.mady.by.user Mark Lizar

Saved on

compared with

New Version 31

changes.mady.by.user Mark Lizar

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The protocol requires that the ANCR Record be referenced each time a directed, or altruistic consent is generated, or when decentralized data governance is required. This is done in order to verify the PII Controller Identity and ensure sufficient (any) security for the privacy state that is, and can then be, expected by the PII Principal.

...

Security Assurance

The transparency performance indicators (TPIs) provide transparency and security assurance to the PII Controller before the Controller processes personal information.

...

  1. Blinded Identity Taxonomy (BiT)

    1. PII field security measure that is used to blind attributes that are identifiable, for example, the attributes presented in ISO/IEC 29100 section 4.4.2

    2. A BiT attribute is encrypted with the PII Principals private key- so as not be usable in any data set without the corresponding authority required to unencrypt the field for a specified purpose and treatment.

    3. In this specification BIT is used by the PII Principle to encrypt and blind the ANCR record ID field. Which is in the private notice record, the pseudonymized identifier generated/provided by the PII Principals (client security protocol)

  2. Pseudonymized Identifier

    1. The ANCR record id refers to the PII Controller legal identity captured with a notice record, and once a notice record is collected it can be signed to become added to digital wallet (or pod), it can be signed to become a micro-credential, and used to communicate to the PII Controller, to manage rights and control processing of digital identifiers and associated information.

    2. Conceptually, the ANCR Id is a reverse use cookie, in that it is used by the PII Principle to remember the privacy state and track the PII Controller through different service environments, domains and jurisdictions.

  3. Verifiable Private Notice Record signed to be a micro-credential

    1. The PII Principal as the holder of the notice record can use it to a verify the presentation a PII Controller Identity

    2. Holders of a signed notice record (proof of notice) can generate a verifiable presentation of this proof by;

      1. signing a copy of the notice-record

        1. (transforms record into a micro-credential)

      2. exchanging this with the other stakeholder (PII Principle or Controller) as a signed consent receipt in order to tokenize the exchange of attribute level private record data on a per processing session basis.

        1. (W3C Verified Credential Data Model, www.w3.org/TR/vc-data-model/#what-is-a-verifiable-credential)

  4. Differential Transparency – operational transparency signaling

    1. Operational transparency – notice record ‘trust’ protocol for active state technical object. Achieved by comparing the expected privacy state (purpose and credential) each technical session to authorize an instance of processing, whereby a notification signal is generated only if there has been a change in the expected, and known active state of privacy.

    2. Differential Transparency (DT) is a contextual transparency enhancing notification protocol that uses record serialization in order to sequence data control points. Used to maintain a shared understanding of privacy and conversely security expectations.

    3. Implemented by comparing than Anchored Notice Record with a newly minted anchored consent notice receipt. To detect if there has been a change in this expected state. Achieved through self-asserted changes, or through monitoring authoritative public data sources.

    4. Differential Transparency is used by the PII Principal to automate the verification of trust, monitoring the active state of the PII Controller Legal identity and technical security performance. Prior to authorizing data processing activities by signing a consent notice receipt.

      1. Utilizing the Transparency Performance Indicator’s in the introduction of this specification to transform a consent receipt into a consent token. (Individual authority and providence default controls to implement rights)

    5. Automating Operational Transparency

      1. Human centric notice protocol to keep a record of controllers and context of processing, for each session/interaction, so that these contextual records, controlled owned and secured by the PII Principal, can remember the active state of privacy and verify the PII Control and Privacy state without interrupting the service-user flow.

      2. Notice Signal Layer: For operational transparency at a glance using digital signaling to indicate with concentric labeling what is expected, and what is not.

Case Study: Differential Privacy as a mechanism for Data Control

For discussion with security and privacy community. Like digital identity management, how sovereign data control can be measured is by identifying which PII Stakeholder is in control of the personal data and personal data process; who benefits from processing personal data; and how dynamic are the personal data controls? The analysis results indicate which stakeholder can authorise the use of the tool, and for which purpose(s)

  1. Differential Privacy [ not to be confused with Differential Transparency]

    1. A method to produce noise in a personal data profile, and data sets so that the output cannot be used as conclusive evidence, or used to attack systems. A safeguard that is described as a way to provide a ‘buffer’ to protect the PII Principal from harms.

      1. A relevant topic defined in the ANCR Record used in a different context, not as a tool used by a PII Controller, but as a control for PII Principal to use when engaging with PII Controller Services,

    2. Synthetic personal data can be generated from the Anchored Private Notice record and linked eConsent receipts with the use of verified micro-credentialing

    3. These records and receipts can be used to provide safe environments to model future personal data, anonymize PII Principles own data before use, provide statistical data to services and trusts, safeguard Altruistic Consent (see concentric data types) can be employed to open certain data types for a specific purpose to help people and society.

    4. Differential privacy can be used to evaluate structural deficiencies in existing data models (online profiles), and invalidate data sets through access rights which are near universal.

    5. Differential privacy tools can generate synthetic personal data to increase the size of a personal data set, to employ machine learning systems on behalf of the PII Principal to diffuse data in order to address privacy harms which exists with use of big data, with out transparency or consent. Like any other tool it can be used in good and bad ways.

...

Non-national standards are used in this specification to mediate transborder data controls and policies and provide extra-territorial governance. National standards are limited in terms of governance policy.

  • This specification advocates for using international standards for measuring adequacy, mapping the rules, vocabulary and semantics presented in this specification to the national standards and regional privacy regulation.

  • eConsent is a security access control that is required to make a record that a PII Principal signs by engaging with a Two Factor Notice (2FN)

A code of conduct in this specification refers to regulation and/or Regulator approved set of rules, which are enforceable. As oppose to a transparency code of practice, which refers to a certifiable best practice used to implement a code of conduct, for example, requiring the use of two factor notice.

ISO/IEC Security and Privacy Techniques Framework

  • ISO/IEC 29100 - Security and Privacy schema, information structure

    • Mature, mutually exclusive, and collectively exhaustive framework used to identify security and privacy stakeholder roles in data governance

    • The ANCR record is specified to propose a standard method, to secure records that can be self-asserted by people to control, use, and trust online.

    • It is envisioned that the only data ever seen by the PII Principal and accessible only via verification are those specifically delegated as such by the PII Principal.

  • PII Controller uses privacy stakeholders as a mutually inclusive and collectively exhaustive technology governance framework for cross-border identifier exchanges

  • All data processing is required to be transparent by default and provide notice, notifications, and disclosures, all of which can be automated with this specification.

    • Transparency defaults are provided in relation to adequacy with international best practice in order to be interoperable with EU-GDPR and Convention 108 to operationalize transparency with enforcement.

  • Every non-person entity, or delegate, processing personal data is a PII Controller. An unidentified PII Controller, is a 3rd Party, and requires PII Controller Category with a scope of authority for the context of processing personal data.

    • The PII Controller can have many roles, according to context of processing (e.g., Joint Controller, PII Processor, and PII-Sub-processor. 3rd Party

  • 3rd Party Recipients,

    • All 3rd parties MUST be identified as a PII Controller

    • A stakeholder without a Controller ID, or role in direct purpose of processing is required to provide the legitimate legal justification and specified purpose.

    • Monitoring of non-identified controllers should include using a different legal justification, without authority could further be analyzed for mis-information and fraud detection.

    • Assurances that 3rd parties, can also be identified as a PII Controller.

    • Assurances that all PII Joint Controllers, Processors or Sub-Processors, are accountable and identifiable as a PII Controller.

    • PII Controller Identity credential (is required to produce a consent notice receipt for verification, validation and authorisation by the PII Principle.

    • There are interoperable with IAM system roles 0 Holder, Verifier, and Issuer in Self Sovereign Identifiers (SSIs) and Distributed Identifiers (DIDs) can be directly mapped to PII Controller roles.

  • ANCR notice records can be generated by the PII Principal and notarized by a 3rd Party authority, on behalf of the PII Principal, for use independently of a PII Controller.

  • Differential Privacy

    • An editorial use case – in which the questions is asked? who controls the choice to use differential privacy? Is it the PII Principal or the PII Controller, or both? Presented in the context that the PII Principal is in control of record and the choice to use the method. As opposed to the PII Controller being in control and deciding when to use this without proof in the form of electronic notice and consent.

    • To address a security gap – dis-empowering 3rd Party data processing without consent, the creation of an identifier for system access and management, any type of tracking, is referred to as profiling, which constitutes a high-risk privacy activity.

    • To mitigate the substantial risks of digital identifier management technologies, any secondary use of the data – including ‘Differential Privacy’ must a) be transparent (specified with the consent information structure) and b) consented with a proof of notice receipt for evidence of consent,

    • This means processing is specific to purpose of the consent (Note: unless derogated in law which is also provided in notice and a represented in a code of practice, for the service.

    • Best Practice - Consent for the service to re-use a PII Principal profile for a secondary purpose, is a specific explicit consent, not an opt-in, or out governance control.

Trustworthy ID

...

Trustworthy identity requires notice and transparency defaults, or else it is very difficult for people trust the use of digital identity technology. As oppose to every jurisdiction and organisation deciding what is transparent, with T&C’s services just change without notice.

  • The defaults for operational transparency are presented in this industry publication “Adequacy of Identity Governance Transparency” with 23 default transparency for notice, notification and disclosures, which are required for a ZPN code of conduct.4

...

eConsent is a critical and missing component in the generation of identifiers the use of PII for big-data, machine learning, including differential privacy is arguably a breach of PII and clearly un-ethical as it violates the privacy expectations of the Individual, creating records people don’t control, and can’t see when they are used.

...

In this regard, ethical use of differential privacy would require a record of consent to identify and profile and personal identity, then, an explicit consent for the purpose of use.

  • In this way PII Principals can be secure, safeguarded, and empower their choices through the control of who benefits from their personal and why.

...

For an anchored notice record, it is recommended that PII Principal identifying information never be included in a record without being secured at the attribute level in the record. When a eConsent receipt is provided, all PII Principal identifiers MUST be blinded except for the legitimate required stakeholders.

...

Anchor
_Toc114497468
_Toc114497468
Notice Record Extensions (for a Consent Record information structure)

...