Transparency Trust Metrics

Editors: Sharon Polsky, Mark Lizar


Suggested Citation: (upon WG approval)

ANCR Specification v0.9


This document has been prepared by participants of Kantara Initiative Inc. Permission is hereby granted to use the document solely for the purpose of implementing the Specification. No rights are granted to prepare derivative works of this Specification. Entities seeking permission to reproduce this document, in whole or in part, for other uses must contact the Kantara Initiative to determine whether an appropriate license for such use is available.

Implementation or use of certain elements of this document may require licenses under third party intellectual property rights, including without limitation, patent rights. The Participants and any other contributors to the Specification are not and shall not be held responsible in any manner for identifying or failing to identify any or all such third-party intellectual property rights. This Specification is provided "AS IS," and no Participant in Kantara Initiative makes any warranty of any kind, expressed or implied, including any implied warranties of merchantability, non-infringement of third-party intellectual property rights, or fitness for a particular purpose. Implementers of this Specification are advised to review Kantara Initiative’s website ( ) for information concerning any Necessary Claims Disclosure Notices that have been received by the Kantara Initiative Board of Directors.

Dear reader,

Thank you for downloading this publication prepared by the international community of experts that comprise the Kantara Initiative. Kantara is a global non-profit ‘commons’ dedicated to improving trustworthy use of digital identity and personal data through innovation, standardization and good practice.


Copyright: The content of this document is copyright of Kantara Initiative, Inc.
© 2022 Kantara Initiative, Inc.


Transparency Performance Indicators (TPIs) capture the performance of digital transparency on a scale that measures how dynamic the performance of transparency is for digital services.

These TPIs are designed to measure the operational performance, compliance and trustability of publicly required digital service information, in accordance with standard privacy law and the human capacity to ‘trust’.

TPIs are recorded with a Notice Record. Fully filled in, it is usable as a Consent Receipt or Controller Credential, a common record format used to generate a Consent Receipt.[1] It is a standardized record format for the capture of attributes that are required by law for the legal and trustworthy processing of personal identifiers.

The format is defined with the ISO/IEC 29100 security and privacy techniques framework. It is used to collect the digital identity identifier and session based attributes, the notice, notification and disclosure text, and the associated metadata (digital context information), mapped directly to the analogue (brick and mortar) legal requirements in a standardized TPI process.

The TPIs, once collected in this Notice Record format, can also be used to measure conformance with the ISO/IEC 29184 Online privacy notice and consent standard (2020), in which the Consent Notice Receipt is provided in Appendix B.

to capture a record of notice text and meta-data, digital required describes the creation and use of the ISO/IEC 29100 Privacy Framework for processing (personal) data and to illustrate the use of ISO/IEC 29184 controls to assess performance of this record. The associated notice controller credential and its associated record are regulated with international privacy laws, principles and standards. As a result of the record’s basis in the ISO privacy and security frameworks, the record and associated data fields provide a globally binding and standardized governance framework for creating records. Importantly, it provides the transparency legally required for trustworthy ‘consented data access’ and for adequate data transfers internationally, and can also provide an opportunity to implement a low-cost digital (twin) record and receipt mechanism. The use of the associated notices, receipts and records dramatically improves the security of personal data control, significantly increasing transparency, and as a result greatly improves the scale and effectiveness of cyber physical security and digital privacy.

Notice Records generated from TPIs are designed to enable operational ‘online’ transparency, guided by the controls in ISO/IEC 29184 Online Privacy Notices and Consent and evidenced with anchored notice and mirrored (digitally twinned) notice consent receipts [ISO/IEC 29184, Appendix B], which can be generated from a TPI record.

Why was this specification written?

TPIs aim to help standardize digital transparency and dramatically improve the safety, security and usability of digital transparency for people, by providing a set of metrics to quickly assess how operational digital privacy is.

Currently, there is no standard (digital) way for people to see who is monitoring and tracking them and surveilling personal data and digital identifiers. As a result, people are required to use external processes with regulation to access, control and monitor the processing of personal data. This second order, public system is not dynamic, not reciprocal, and not systematically usable or meaningful for people. Meanwhile, service providers can monitor, disclose and copy personal data in real time without individuals knowing, circumventing governance, people and society. This is referred to as surveillance capitalism. It is a significant issue humankind faces, as it enables people to be manipulated, provides for weak security, enables misinformation, and produces a prevailing lack of accountability for all stakeholders, even the PII Principal, for how digitally exposed people are in context. With data control, access and privacy rights requests requiring a 30 day response time, TPIs indicate whether the digital information provided upon contact with a digital service is capable of meeting this requirement and capable of dynamic data access and controls.

Without standardized digital transparency it is difficult if not impossible to see who is monitoring, tracking and surveilling personal data and digital identifiers.

As a result, people do not have the insight to exercise data rights and controls in a meaningful manner.

Why Transparency Performance Indicators?

TPIs provide a way to quickly see if digital privacy or security measures are in place, in line with the human, legal and analogue requirements the Individual can understand and expect.

They are designed from legal and social research gained through the implementation and capture of records for legal proof of notice (knowledge) and digital consent, with receipts used as data records that provide people with their own evidence of notice in digital surveillance and consent contexts.

TPIs capture the corresponding digital representations of physical / human requirements for digital transparency and, when required, digital consent.

What should you expect to find in this document?

Transparency Performance Indicators are a way for all stakeholders to measure the performance of digital transparency, digital privacy and digital consent.

TPIs provide a human and consent centric digital privacy transparency framework that people can use to see and understand who controls their personal information and identity, and how.
of online services measuring self-asserted identifiers, attributes and meta-data in terms of how dynamic their performance is, against well known requirements, for people, not service providers, to assess trustworthiness according to Sovereign reasoning. (ref) There are 4 TPIs specified here, focused on point of contact transparency for publicly accessible digital services. This is publicly required, self asserted information in surveillance signs, security notices and privacy notifications. Information that provides the same assurance as

TPI 1 - Measuring the Timing of Notice:

This TPI captures when the Controller’s legal entity, digital identifiers and accountable Privacy Officer are notified: before, just in time, at the time of, or after personal data is captured. It captures whether dynamic transparency is systematically provided before data is captured and processed, giving an individual a way to assess whether they can trust a service.

Note: This is the most common legislated privacy element in the world, required in all privacy legislation and instruments. (ISTPA 2007)

TPI 2 - Measures Data Elements

Every privacy instrument requires, for all data processing (except for explicit legal derogation), a Notice of who is processing your data, who is accountable, and the privacy contact information for access to personal information.

Notice of who is processing your data is required for all legal justifications for processing personal data in privacy law to identify the legal entity and the accountable person.

TPI 3 - Measure of Transparency Accessibility

Measure the performance of transparency accessibility by capturing how available the required information in TPI 2 is. For example, is the information presented in a pop-up notice, or is a click on a link required, e.g. to a standard transparency / privacy policy (where it is known only 3% of users go to secondary links)? Is it at the bottom of a multi-screen display, or at the top of the first screen?

TPI 4 - Measures security information




This TPI captures the SSL certificate or security key and compares its meta-data against the required information in TPI 2. For example, do the SSL certificate Organization Unit field and location Jurisdiction fields match the captured Controller legal entity information?

The capture is made with an ANCR Notice Record, which is captured using ISO/IEC 29100 Security and Privacy (international framework). The captured record can be compared against the ISO/IEC 29184 Online privacy notice and consent receipt standard format, controls and conditions to demonstrate conformance, and is mapped to CoE 108+ and the GDPR in the Notice Record Framework.

TPIs are generated through the capture of a notice, and its assessment for the time

TPI Capture

intro text

TPIs are generated in sequence: the timing of notice presentation (1) in relation to first data capture, the contents of the notification (2), the accessibility of the notice for use (3), and the digital trust/security of the notice (4). All of these are required for digital privacy interoperability utilizing a standard concentric notice transparency framework, whereby proof of notice and evidence of consent is required for permissions to process and disclose personal and identifying digital identifiers.

These 4 transparency performance indicators (TPIs) are used together to automate a digital privacy transparency performance baseline. The notice records created through interaction with standardized online notifications demonstrate next generation digital privacy.

The indicators and associated report utilize a standard information structure, notice and consent record format, and controls for digital privacy rules and regulations and their performance measurement.

Transparency Performance Indicators

There are 4 TPIs that are used to assess public service data at assurance level 0 (self asserted), of the 4 privacy assurance levels identified in the ANCR Framework. (ref)


Once the capacity for the active state of digital privacy is ascertained, the fourth performance indicator is used to verify the cybersecurity certificate (or token key) to see if the security matches digital privacy information.

TPI 1: Timing of Notice vs Data Collection Transparency

TPI 1 requires monitoring the technical end point to see when PII is captured in relation to when a notice is provided. This measures the notice regulatory performance against legal and human usability requirements.

TPI 2: PII Controller: Required PII Controller Data Transparency

Assess if the required information for transparency over who is in control of notice is ‘provided’.

The MUST fields identify elements that are required in legislation that MUST be present.

TPI 3: Transparency Accessibility

How accessible is the PII Controller and Privacy Contact information?

For example, in the context of a website or a mobile device, how difficult was it to access the ‘provided’ information. How many clicks, or screens, away is the required information?

TPI 3–Example — Accessibility Measurement Rating

This transparency accessibility rating score of [1, 0, -1 or -3] reflects the number of steps, screens, or clicks required to find the ‘provided’ information within a mobile application or webpage providing the client user interface.

Transparency Accessibility Rating description table 2

Rating 1
Controller identity is embedded as a credential linked to authoritative registries.
PII Controller credential is displayed, using a standard format with machine readable language and linked, for example, in an HTTP header in a browser.

Rating 0
PII Controller Identity prominently displayed on first view – prior to processing first page of viewing, the assessment question would be
PII Controller Identity or credential is provided in first notice.

Rating -1
Privacy signal is not first presented – but is linked and one click and screen away.
The Controller Identity, or screen with the Controller Identity, is one screen and click away. For example, the privacy policy link in the footer of a webpage.

Rating -3
Identity or credential is two or more screens of view away.
PII Controller Identity is not accessible enough to be considered ‘provided’.

TPI 4: Certificate (and/or Key) Security Transparency

This security performance indicator requires that the notice record session certificate is collected and used to check if the PII Controller Identity information is the same as, or linked to, the controlling entity in the associated security certificate. For example, does the SSL (Secure Sockets Layer) certificate identify the Controller, and is it secured for the DNS and localization expectation and corresponding jurisdictional information? (This is a ZPN required digital security for privacy measure, used to implement international governance interoperability with legal adequacy with eConsent.)

Certificate status and transparency performance are used to establish session security prior to the collection, use and processing of PII. The security TPI is used to measure the certificate and/or cryptographic keys for a specified organizational unit to corroborate and validate the PII Controller’s digital integrity.
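
The TPI 3 rating and the TPI 4 certificate comparison described above, shown as working code. This is an added example and not part of the ANCR specification: the function names, the controller record fields name and country, the acceptance of organizationName alongside the OU field, and the assignment of the ratings 1, 0 and -1 to the accessibility levels in the order the page lists them are assumptions, and the certificate dictionaries are constructed samples in the layout of Python's ssl.getpeercert().

```python
# Added example (not from the ANCR specification): TPI 3 and TPI 4 scoring.
import unicodedata

def tpi3_rating(credential_embedded, clicks_to_identity):
    """Rate accessibility on the page's scale 1, 0, -1, -3."""
    if credential_embedded:
        return 1      # machine-readable controller credential
    if clicks_to_identity == 0:
        return 0      # identity shown on first view / first notice
    if clicks_to_identity == 1:
        return -1     # one click and screen away
    return -3         # two or more screens away: not 'provided'

def _norm(value):
    # Comparison key that ignores case, spacing and Unicode form.
    return " ".join(unicodedata.normalize("NFKC", value or "").casefold().split())

def subject_fields(cert):
    # getpeercert() gives the subject as a tuple of RDNs, each a tuple of (name, value).
    fields = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields.setdefault(name, []).append(value)
    return fields

def tpi4_report(cert, controller):
    """Compare certificate subject metadata with the captured PII Controller."""
    if not cert:      # None, or {} when the peer certificate was not validated
        return {"certificate": "No Security Detected", "rate": -3,
                "ou_match": False, "jurisdiction_match": False}
    subj = subject_fields(cert)
    # Assumption: organizationName is accepted alongside the OU field.
    names = subj.get("organizationalUnitName", []) + subj.get("organizationName", [])
    countries = subj.get("countryName", [])
    return {"certificate": "Present", "rate": 1,
            "ou_match": _norm(controller["name"]) in {_norm(n) for n in names},
            "jurisdiction_match": _norm(controller["country"]) in {_norm(c) for c in countries}}

# Constructed sample data in the ssl.getpeercert() dictionary layout.
ORG_CERT = {"subject": ((("countryName", "CA"),),
                        (("organizationName", "Example Controller Ltd."),),
                        (("commonName", "www.example.test"),))}
DV_CERT = {"subject": ((("commonName", "www.example.test"),),)}
CONTROLLER = {"name": "example controller  ltd.", "country": "ca"}  # hypothetical record fields

if __name__ == "__main__":
    print(tpi3_rating(False, 1), tpi4_report(ORG_CERT, CONTROLLER))
    print(tpi4_report(DV_CERT, CONTROLLER), tpi4_report({}, CONTROLLER))
```

A domain-validated certificate carries no organization fields in its subject, so ou_match is False for it even when a certificate is present. ssl.getpeercert() returns an empty dictionary when the peer certificate was not validated, which the example reports as no security detected.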

Table 2 : Notice Record TPI Report

Field Name

Field Description

Requirement: Must



Not Available


Rate: +1, 0, -1, -3,

Certificate or Key

OU – Match
Jurisdiction – Match (optional)

Notice Location

Location the notice was read/observed





PII Controller Name

Name of presented organization





PII Controller Address

Physical organization Address




Not match

Privacy Contact Point

Location/address of Contact Point




Not match

Privacy Contact Method

Contact method for correspondence with PII Controller




No Match

Session key or Certificate

A certificate for monitored practice


Present (or Not-found)

1 (or –3 )

Present (or No Security Detected)
