Date

2018-09-2027

Status of Minutes

DRAFT

Approved at: <<Insert link to minutes showing approval>>

Attendees

Voting

  • Andrew Hughes
  • Oscar Santolalla
  • Iain Henderson
  • Richard Gomer
  • Jim Pasquale
  • Mark Lizar

Non-Voting

  • Derek Munneke (Meeco)
  • David Turner
  • Marvin van Wingerde
  • Colin Wallis
  • Brent
  • Tom Jones

Regrets

  •  

Quorum Status


Meeting was <<<>>> quorate

...

See the data flow sketch that Andrew circulated by email

This diagram shows ALL data flows, regardless of the legitimate basis for processing. The idea is: given this data flow diagram, what are the functions, nouns and verbs for each of the legitimate bases?

Q: How would enforcement work?

Q: What's the difference between 'observe' and 'surveil'? A: Depends on if the user is aware of it or not.

Also see from our archives:

https://kantarainitiative.org/iain-henderson-the-personal-data-eco-system/

The 'my data', 'our data', 'their data' view

Comment Brent: In a social network, what roles do the different actors take? E.g. if I share an image, what role does the website take, and what role do the users who can view my image take? Also, how do I represent those rules where I restrict access to my data based on roles or groups I assign to my connections? How do I represent that implicit consent using consent receipts without knowing explicitly who I am granting permission to?

Comment: This picture looks very corporate - must ensure that the individual's perspective is very clear

Comment: The 'interface' for the individual should not be the 'consent receipt' itself - but rather the interaction with the service.

JLINC perspective: Alice grants permission and organization seeks consent. Alice only sees permissions.

Comment: this discussion is oriented towards 'explicit' consent. But all interaction has some level of agreement.

Iain: the highest value work item is the lexicon work

Time

Item

Who

Notes

4 mins
  • Roll call
  • Agenda bashing
5 min
  • Organization updates
All

Please review these blogs offline for current status on Kantara and all the DG/WG:

There is a new wiki page that will hold all the known implementations of Consent Receipts - Please update the page or inform Andrew of your implementation.

Planning a Member Plenary meeting October 26-ish San Francisco (Friday after IIW)

  • Are there specific cross-group items you'd like to propose to work on?
30 15 min
Interoperable Consent Receipt roadmap ideas
All
0 min

Permissions v User Consent discussion

Notes from 2018-09-13 call

All

Proposal:

Permission = Authorization to act

Data Permissions = the functional actions that are allowed on information (database: Create, Read, Update, Delete; communications: Copy, Transmit, Store; data flow: Collect, Use, Disclose) or resources.

User Consent = Voluntary agreement by the person to take an action. GDPR includes 'unambiguous'

  • So, a system might be authorized to act on personal data with or without a user's agreement. A person may grant permission or authorize a system to act on personal data.

Questions:

  • Is an OAuth 'consent' / 'authorization' / 'permission' dialog box truly 'user consent'?
    • If it is not 'user consent' then why not?
    • So: the process of obtaining agreement from the user in the OAuth dialog box is "User Consent". What the user has agreed that you can do with their resources is "authorization" in the sense that they give you 'permission' to take actions.
  • How does this apply to Collection, Use and Disclosure of information? (these are the data flow words)
  • To tease out the usable definition of 'authorization': What is the difference between Authorization and Access Control? (data & systems-context)
    • Authorization is the granted right to proceed (a.k.a. 'permission')
    • Access control is the functional actions that are allowed

Alternative proposal:

  • Permission is a general authorization to act. Authorization may be granted by actors that are not the data subject.
  • Consent is a specific agreement to act in a limited case.

Note:

  • Permission / authorization as a verb can be granted through an act of user consent.

Another proposal:

  • Should the terms be Authorization and User Consent?
5
Demo status
All

Demo was well received at CIAM USA Seattle last week

  • Meeco and WSO2 are interested in getting added to the demo - maybe by Amsterdam, definitely by EIC 2019 in May
15 min
W3C workshop on User Consent and Permissions September 26, 2018
Andrew

https://www.w3.org/Privacy/permissions-ws-2018/schedule.html

Interesting - there is an intersection and a chance for common discussion


5 min
Adding feature requests to next version of spec family
All

AOB

Jim: suggests that we formally agree on the 'permissions v user consent' descriptions/explanations and circulate to other interested associations and working groups.

Iain: let's resurface our existing lexicon/terms that have been developed over time and publish


Next meeting

2018-0910-27 04 Same time same number (Andrew not available next 2 weeks)



...