May 24, 2024 ANCR (PrivMas) WG Report: For International Digital Security and Privacy Community

There is a critical lack of transparency in digital identity governance, due to both the technologies and the governance of personal data. There is a lack of systemic transparency over who is processing your data, under what authority, to what purpose, and to what benefit; all of this, and when, is hidden. Current security and privacy engineering is built for institutional and enterprise infrastructure; none of it has been built as infrastructure for the individual. In the ANCR WG (Anchored Notice and Consent Receipt) we have worked to standardize records and receipts so that they can be digitally anchored and notarized by the individual, and so that everyone can use the same digital transparency on any PII Controller and their services, autonomously. Consent by design, as defined in the ANCR WG, expresses operationally how transparency records and consent receipts are used so that people can self-identify and digitally consent.

Known as Records of Processing Activities (RoPAs), these records, owned and kept by the individual, anchor the state of security and privacy in the digital relationship. Standard records and receipts make it possible, for the first time, to overlay digital privacy over any notice, notification and sign, to enable consent-based rights and controls. An individual can use digital transparency to see the state of privacy and consent for all service providers, independently of them.

ANCR’s record framework is Consent by design, as it enables the PII Principal to self-identify by adding multiple verified receipt-based credentials to a single credential, providing the assurance required by a service while still being anonymous.

Introduction 

Digital Transparency refers to the Record and Receipt specifications for Records of Processing Activities (contributed as 27560 Consent Record Information Structure to JTC1 WG5 after 6 years as a community group at Identity Commons, called the Identity Trust WG).

...

Our focus in the Kantara Initiative and the Digital Transparency Lab has been records and receipts, and demonstrating how to govern misinformation in digital identity management standards using an ISO/IEC 29100 specified record framework.

Consent by Design is specified here in a number of ways:

  • Digital Privacy Transparency refers to presenting notices, notifications and disclosures in a way that mimics how people physically deal with notice, permission and consent. In particular, humans manage consent while systems manage permission (an instance of a consented surveillance context).

  • The PII Controller notice is used to generate a credential, enabling the Controller to be a relying party to verify the relationship.

  • Rather than identifying the individual up front and taking their metadata, the individual can define and present their own digital identity, identifiers and credentials according to context, using receipts as verified credentials, for security, safety and trust when interacting online. (AuthC)

  • A very Canadian approach, in that permission is first required to introduce a new purpose for consent, and the individual's consent is implied by engagement and captured in a notice record.

  • Notification and disclosure can be captured with a standardised record, receipt, semantics and data privacy legal vocabulary: a standard 29100-defined notice record and receipt.

  • Semantically standard with the W3C Data Privacy Legal Vocabulary, so as to be specified not only according to the standard but also in accordance with Convention 108+ machine-readable legal semantics. Specified to GDPR, which mirrors Chapter 1 of the GDPR Convention 108+ Transparency Modalities, as well as

  • For and services ANCR’s records and receipts can be used to demonstrate compliance with Article 30 Records of Processing Activities, and also provide extra-territorial logging (Article 80) and controller reporting obligations. The and in Convention 108+. Article 80 Logging.

  • For individuals, a receipt can be used to directly consent (and withdraw consent) to the PII Controller service according to context.

  • As in real life, in physical interactions, the individual is anonymous to begin with, and the first interaction with a PII Controller/service is when a PII Controller Notice Record is provided as a consent receipt to the individual.

  • The individual can define and present their own digital identity, identifiers and credentials according to context, and as an anonymous PII Principal, when interacting online.

  • , the sharing of data is through consensus and consent.

Standardised Digital Privacy Transparency (SDPT) is conceptualized much like bank accounts, in which every personal data processing activity is recorded, and where services provide a record to the bank and the receipt to the individual when interacting with currency.

...

SDPT, as specified in the ANCR WG, takes into account Data Control, Data Protection, and whether or not the data trust is co-regulated, in order to assess the levels of digital transparency technical risk assurance and liability mitigation that can be provided to the individual in context.

Links to Previous Privmas Events

...

May 23 - 2023

...

May 24 - 2020 - Privacy Jedi Day Workshop