Privacy as Expected (PaE) is a legal standard: technically, it is a legal standard for human expectation, used here to apply privacy rights in the online context. This use case demonstrates a general tool for identity and trust governance interoperability, for example the use of rights-based controls with decentralized identity and data governance semantic standards for notice and consent (human centric identity and trust). The ISO standardized notice and consent definitions and terms provide an international basis for legal notice and consent governance semantics and interoperability. These are used to standardize (or provide transparency over) system identity permissions and data controls, independent of the service, in order to provide a privacy as expected signal.

Simply put, this is standardized notice infrastructure for messaging (receipt) architectures. These semantic standards can be used to enhance privacy policies with semantics drawn from privacy law.

As humans we are decentralized: in the physical world the trust framework is local to a person. To extend this digitally, this set of interoperable semantic standards is used to provide a broadcast identity and trust UI that is human 'consent centric', together with a legal baseline for notice and consent receipts.

PaE signalling operates on a public set of rules and laws that people can use locally to see, share and communicate about data surveillance, security and privacy risks, independently of any digital identity management system or protocol. Another term for this is co-regulation.

Signalling Protocol for Active State for dynamic Risk Transparency

...

The privacy and consent should be what is expected. The first step is to display the PII Controller's credential for a specific service and data processing context. Privacy as Expected can also be seen as a legal expression of the active state of notice relative to the individual, so that the person can see whether this is the privacy they expect.

Online, these privacy risks extend to digital identity, surveillance and the security of that surveillance. Without transparency over these relationships, the technology is untrustworthy.

To achieve this, a first consent receipt is generated, which provides the baseline for the active state of the controller. The current state of privacy is then assessed by comparing the next notice receipt's state to that of this anchor receipt. This produces a standards-based active state security signal that can scale trust to consent. It is demonstrated in the PaE:Consent Gateway project, funded by the EU NGI Trust grant, as a notice signalling protocol for managing human expectations about personal data processing.

Signalling Protocol for the Active State of Transparency and Control

https://privacy-as-expected.org/

...

In the PaE:CG project we specify the Active State Transparency Privacy Risk signal for use with web browsers. The aim is to show whether the active state of surveillance capitalism is what people expect, to provide a way for people to use their rights (with a receipt) independent of the website, and to demonstrate transparency over the active state of the PII Controller in order to present a privacy as expected signal, including disclosures, that manages what people can expect. The PasE protocol is designed to implement operational transparency over access to privacy rights by default, and to be usable so that an individual can directly manage their own privacy expectations.

What is the Challenge?

The internet (full of RESTful APIs) is missing the active state, or context, of a verified organization and its accountable person, also known as the privacy controller credential (see ToIP). This is an online privacy security measure, especially in the context of people, yet most identity management efforts are about activating the identifier for the individual. This is the signalling gap: what is needed is a way to indicate a level of trustworthiness or transparency, independent of the service provider and specific to context. An online privacy policy or other static document does not provide active state information about the legal entity, the purpose and context of use, or its identity management system.

T&Cs and their associated online privacy policies do not implement privacy rights and are not written to standards. What is currently called an online privacy policy is a static document that facilitates contracts of adhesion and ignores data sovereignty and provenance. It cannot enable dynamic use of privacy rights, because it is missing the active privacy state information required to use those rights, all of which is required by privacy legislation globally and is, in one way or another, a core consideration in security standards.

For this challenge we have a simple but very powerful technology called a receipt: a notice of a record of an active state. For example, a record of a transaction can be captured with a receipt. This technology was developed for shipping goods, so that the receiver could see whether the stock received was the same as the stock shipped.

In essence, it is this technology that is advanced here to provide the active state for online services, which, like money on a credit card, is invisible to the person in context. The receipt fulfils the same purpose as a record, and it requires an international standard so that it can be used across technical, legal and social domains.

UI: Basic Active State - Visual Signal Specification for Human Identity and Trust

...

A person generates a notice receipt for a website-based interaction and then, when returning to this website, generates another receipt. The two receipts are compared for changes in the known active state. This provides the active state signal indicating whether privacy is as expected (or not).

  • if the signal is green - there is no need for a cookie notice or privacy ritual
  • if the signal is yellow - then legally a notice is required to be provided; the person can ignore, accept or refuse these notices
  • if the signal is red - then a notice is legally required to maintain system permissions and to manage a consent (which is technically no longer valid), for example after a data breach

...

Overview Privacy as Expected: Consent Gateway

This document contains the principal reference, and any new or proposed principles, for the use of receipts for Active State Transparency with semantically standardized governance language.

The aim of the PaeCG signalling protocol is to extend existing digital identity security and privacy governance schemes with an overarching privacy operator risk and liability scheme that meets legal, social, security, privacy and surveillance expectations.

This project is named to indicate a common and standardizable path for a consent gateway through which browsers and online services can display an active state of legal entity transparency, with the standards and law providing a common language for broadcasting it.

The mechanics are simple. The first time a notice of the Controller's identity is captured, it generates an ANCR receipt, to which any additional receipts for that relationship are then linked. The receipt is an identity management/organization relationship receipt. This ANCR receipt is used to provide proof of notice of legal identity, to address key consent, to provide permission, and to let a person manage their own consent. An identifier relationship is created and tracked, which removes the need to provide the same notice of who the controller is every time a person accesses a website.

Receipt Signal Protocol

The receipt signal is generated after the first notice is provided and a receipt is stored by the person (e.g. in a Master Identity Controller plugin); it is usable as a proof of notice. This first receipt becomes the ANCR receipt id for that relationship, for the person and for the software used for personal data management.

...


NGI-Trust - PasE:CG Project Contribution

In the NGI-Trust project we focused on developing a privacy rights signalling protocol that is human centric (which means notice based), leveraging multiple semantically interoperable standards and specifications (ISO/W3C/Kantara/ToIP), as a contribution to the Consent Receipt v1.2 Framework at the Kantara Initiative ANCR WG.

The rights protocol is called Privacy as Expected (PasE). It is a privacy notice signalling protocol that people can see and trust, in order to automate the use of privacy rights in online environments.

The PasE protocol implements international (ISO/IEC) standard semantics from ISO/IEC 29100 and the W3C Data Privacy Vocabulary legal ontology to generate a semantically standardized, linked record: a record the person owns and controls, used to produce Consent Notice Receipts (published in the appendix of ISO 29184, the online privacy notice and consent standard). The protocol is implemented as a demo for this project and is used the first time a browser add-on interacts with a website's data controller, creating an ANCR record of the website's controller to automate access to privacy rights.

Privacy as Expected Signalling

The PasE protocol is displayed as a signal the next time a Data Subject uses the same service online (or encounters the same data controller online). Using traffic light colours: green means there is no change in the active state of control; yellow means there was a non-material change (and a notification is waiting); red means there is a material change, and a notice must be reviewed and accepted to continue using the service.

It is simple for people: each new session interaction creates a linked consent notice receipt, which is compared against the previous receipt to show a signal indicating whether privacy is as expected or not. This provides a point at which to interact and to access the use of privacy rights.
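The anchor-receipt comparison and traffic light signal described above, as an added Python example that is not code from the PasE project or this page. The receipt fields, the constructed sample controller data, and the rule that only changes to contact and notice_url count as non-material are assumptions made for the example; every other changed field, including ones the code has never seen, is treated as material.

```python
import hashlib
import json
from typing import Optional

# Fields whose change is treated as non-material (yellow). Anything else that changes,
# including fields this example does not know about, is treated as material (red).
# This split is an assumption made for the example, not a rule stated by the project.
NON_MATERIAL_FIELDS = {"contact", "notice_url"}

def receipt_id(record: dict) -> str:
    """Content hash over canonical JSON; used as the receipt id so receipts can be linked."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

def make_receipt(controller: dict, anchor_id: Optional[str] = None) -> dict:
    """Build a notice receipt for a controller's active state.
    The first receipt has no anchor and becomes the ANCR receipt; later receipts
    for the same relationship carry the ANCR receipt id as their anchor_id."""
    receipt = {"controller": controller, "anchor_id": anchor_id}
    receipt["receipt_id"] = receipt_id(receipt)
    return receipt

def compare_state(anchor: dict, current: dict) -> tuple:
    """Compare the current receipt against the ANCR receipt.
    Returns (signal, changed_fields) with signal in {"green", "yellow", "red"}."""
    if current.get("anchor_id") != anchor["receipt_id"]:
        return "red", ["anchor_id"]  # not linked to the known relationship: fail closed
    old, new = anchor["controller"], current["controller"]
    changed = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
    if any(k not in NON_MATERIAL_FIELDS for k in changed):
        return "red", changed      # material change: notice must be reviewed and accepted
    if changed:
        return "yellow", changed   # non-material change: a notification is waiting
    return "green", changed        # privacy as expected: no notice ritual needed

def demo() -> list:
    """Three return visits against one anchor; constructed sample data."""
    base = {
        "controller_id": "urn:example:controller-1",   # constructed identifier
        "contact": "privacy@example.test",
        "purposes": [{"purpose": "order fulfilment", "legal_justification": "contract"}],
        "consent_status": "active",
        "controller_status": "verified",
    }
    anchor = make_receipt(base)  # first notice: this becomes the ANCR receipt
    extra = {"purpose": "ad profiling", "legal_justification": "consent"}
    visits = [{}, {"contact": "dpo@example.test"}, {"purposes": base["purposes"] + [extra]}]
    return [compare_state(anchor, make_receipt({**base, **v}, anchor["receipt_id"]))[0]
            for v in visits]  # -> ['green', 'yellow', 'red']
```

Calling demo() walks one unchanged visit, one contact change and one added purpose, yielding green, yellow and red in turn.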

How it works:

The PasE protocol is implemented with a notice and notification best practice called 2 Factor Notice for Online Meaningful Consent (2FC), demonstrated with a browser add-on in the NGI-PasE Consent Gateway project. It provides a first-layer notification signal that is visual and accessible in context.

If privacy is as expected, the receipt is used to signal a green light in order to streamline the service experience. The receipt works like a reverse cookie (it is an ANCR record owned by the individual), eliminating the need for services to provide repetitive notices and notifications, or to make people read privacy policies to find out what their rights are, since rights preferences are kept by the person and asserted in context for more dynamic control of data sharing.

First Factor 

The first factor notice is provided by the PasE add-on, implementing standardized notice semantics via the browser (independent of service providers). The first notice presented confirms, or registers, the identity of the data controller with a Consent Gateway.

  • The Consent Gateway API is called to validate the authenticity of the notice of the controller (Data Controller identity and contact) in order to validate the first factor notice receipt.

Second Factor

The second factor notice is a capture of the website's privacy notice upon Data Subject interaction (or personal data provision), e.g. an 'I agree' or submit button, a cookie notice, a privacy policy link, etc. This second factor interaction generates the consent notice receipt, which is sent to the Consent Gateway to be notarized before being sent to the Data Controller as a privacy rights notice.

Monitoring Conformity Assessment

The response performance of the Data Controller is measured and reported by the gateway back to the Data Subject when the next receipt for this Data Controller is sent to be verified, along with any notification of changes to the privacy status of the data controller (as monitored by the Consent Gateway) and of the service's data controller with whom the Data Subject is interacting. This provides a signal at the discovery point for privacy notice and rights knowledge, reporting, monitoring and access.

As a result, people are able to see whether access to privacy is at risk, and how and by whom their personal data is being controlled.

To complete the project, the PasE protocol is contributed back to the Kantara Initiative ANCR WG, where it will be published under a FRAND license. The protocol is then able to include controls from ISO/IEC 29184, "Online Privacy Notice & Consent", which are implemented in notices, notifications and disclosures with the W3C Data Privacy Control Vocabulary.

Finally, it is contributed as comments, via the Kantara Liaison agreement, to the ISO/IEC 27560 Consent Record Structure standard (for receipts) by Aug 16, for working draft 3.

In Context Notifications for Identity System Permissions

Identity management requires that a privacy state change notification should, at a minimum, be linked to a log detailing the change using standard semantics, so that it can be automatically understood by people.

This protocol is managed with receipts, which in the PasECG project are publicly registered with a Consent Gateway so that all stakeholders can see a proof of notice and whether the consent grant is active.

When combined with a receipt, this notice can be used to provide an active state signal that is decentralized, specific to the context, and reflects the person's (human centric) view of the expected state of the Controller of the online service. This transparency is a universal notice requirement for processing personal data: it is required in all privacy laws, unless there are specified legal exemptions and derogations, which should themselves be noticed to people as a surveillance risk.

...

  • Consent Receipt framework to implement the PasE communication protocol
    • Legal justification and what privacy rights apply for each
    • Purpose specified with the data privacy control vocabulary
    • Record format specified with ISO 29100
    • Notice controls and record specification format ISO 29184
  • Notice of Control for Online Services Implementing 2FC
    • 2FC
      • First Factor - generated standards
      • Second Factor (link) - existing factor - the sign, notice or notification from the provider
  • Semantic Standards Stack for Human Centric - user centric - control semantics
    • Usage of ISO 29100 - roles and definitions for transborder flow of personal data
      • stakeholders -
    • Usage of ISO 29184 - notice controls and record structure
    • ISO 27560 - to generate the consent record structure for the rights receipt
    • W3C DPV - legal semantic ontology for notice and notification
    • ** In review - 27710
      • requirements against privacy by design and default
      • 27550 - Privacy Engineering - C.4 and C.5
    • Linked Data - Semantics - Human, Legal and Machine Readable framework for expectation management
      • Core Record - or Credential Record for a legal entity
      • Receipt of notice of credential record
      • Core record id - linked reference id - PII Controller Credential
      • Consent Receipt generated for each purpose specification and linked to the anchor record
        • each purpose is specified by legal justification
        • each purpose specification uses the DPV
    • Security considerations
      • PII Principal controls the ANCR Record
      • 3rd Party N&C Processor - Network Facilitator
      • Consent Grant Validation
        • Status of the PII Controller
        • Status of the Consent
        • Scope of Consent Grant Permissions
        • Privacy Framework Governance
          • required notice, timing, formats, parties according to privacy law
    • Human Centric Privacy Risk Assessment
      • each identifier or attribute of the PII Principal shared by the PII Controller is a separate risk factor
      • impacted by the amount of PII (digital identifiers and attributes) disclosed by the Controller, and under what legal frameworks