Kantara Initiative : ANCR WG
Version/Status: Draft v0.5 (WiP)
Author: Mark Lizar
Editor: Sharon Polsky
Contributors: Sal D’Agostino
Abstract:
At the present time, when online services are involved, Individuals have no way of seeing or knowing who is in control of collecting, using, processing, or disclosing their personal information before the collection, use, processing, or disclosure takes place. Individuals are powerless to resist or object to the one-size-fits-all contracts presented on websites, called ‘terms and conditions’ or ‘user licenses’, with corresponding ‘privacy policies’ or ‘data sharing agreements’, that do not implement or provide the privacy rights or data control people expect. No mechanism is currently available for Individuals to assert authority in advance of disclosing their personal information, and their expectations of privacy do not scale online.
ANCR, the Anchored Notice and Consent Receipt, is a record and receipt protocol used to twin the state of security and digital privacy, in a format designed to be human understandable by default. A simple solution to trust, the receipt, advances assurances for personal data control and transparency while being inclusive of everyone.
It extends an existing public trust mechanism, the receipt, to high-risk and confidential contexts and to the assertion of authority in advance of disclosing personal information. Without a receipt (a record of one’s own) there is no way for Individuals to determine, control, or negotiate the conditions or sources under which data about them may be processed, used, managed, or associated with other data.
Lack of transparency and consent defaults prevent Individuals from tracking the state of their own consent, and so from knowing or seeing (and therefore trusting or controlling) when digital identifiers and related metadata and micro-metadata about themselves are created, used, or disclosed for additional purposes.
Services today systemically control the records of interaction, choosing when to make records and often making none at all. This restricts the user-side interaction, access and participation that Individuals require in order to see how information about themselves is used, when, by whom, and for what purposes, which in effect calls for a systematic approach to digital transparency that enables people online.
The consent receipt is used to twin the security and privacy state relative to the individual. Enabling individuals to see how information about themselves is used, when, by whom, and for what purposes, requires a standardized transparency mechanism as a way to provide data governance that scales when decentralized.
The Anchored Notice and Consent Receipt (ANCR) is normalized here as a notice and consent receipt flow, in which a notice receipt is received by the Individual and a consent receipt is a grant provided by the Individual. The receipt is a credential used to provide transparency, so that Individuals can see how data governance operates in online contexts: whether PII about them is being used or processed in ways that are private, and whether, when, where, and to whom it is disclosed, locally, domestically, or internationally.
A record of, and the ability to direct and control, the collection, use and disclosure of information about themselves is essential if Individuals are to have the technical capacity to trust the management of surveillance, personal identity, and advanced digital data analysis technologies.
The ANCR specification provides a mechanism to implement legal and technical standards for transparency that supersede ‘terms and conditions’, ‘user licenses’, ‘privacy policies’ and ‘data sharing agreements’. It specifies an active technical object for managing the rules of data and its consented exchange in accordance with international data governance conventions.
NOTES TO READER
This Kantara Initiative work effort began when Liberty Alliance became the Kantara Initiative, and the Consent and Information Sharing Working Group formally began in 2015. That Working Group’s activities carried on through the ANCR Working Group.
In this specification and proposed standard the term “PII Principal” is used interchangeably with Data Subject and “Individual”.
Introduction
This document specifies the core credential schema, using the ANCR Notice Record schema to generate a digital record that acts as a digital envelope for the digital privacy information, attributes, identifiers and notice text it is used with.
...
The Notice Credential’s scope of authority is restricted to the notice it is embedded in and the context in which it is provided.
Credential Purpose of Use
Operationally, the embedded Notice Credential is used to dynamically generate micro-notice credentials and to receive consent receipt tokens, as well as to render an active-state digital privacy signal.
Notice Credential Binding
To generate a credential, these core notice fields are bound to the accountable authority, which can be delegated (and by default is referred to in this specification as the PII Privacy Officer).
...
The credential type is also required. Fields added to the notice record to make it a credential must be cryptographically signed with a public/private key pair.
Notice Record Schema
Notice Record Credential fields are added to the notice record schema and used to bind and generate an Open Notice PII Controller Credential.
...
Notice Record ID
Key Pair
Controller Type
Delegated Authority Attributes for Controller & Principal - DPO
Serialization - the controller id is used to generate a record id, which in turn is used to generate a consent receipt id.
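The binding and serialization steps described in the Notice Credential Binding and Notice Record Schema sections above, worked through as an added example; this is not code from the specification or from any Kantara implementation. It assumes, as choices of this example and not as normative fields: a JSON serialization of the core notice fields in fixed order, SHA-256 for deriving the record id from the controller id and the bound fields and for deriving the consent receipt id from the record id plus a nonce supplied from the PII Principal’s side, and an Ed25519 key pair for the delegated Privacy Officer. All field, type and function names are this example’s own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// NoticeFields are the core notice fields bound into the credential.
// The JSON names are assumptions made for this example, not normative fields.
type NoticeFields struct {
	ControllerID   string `json:"controller_id"`
	ControllerType string `json:"controller_type"`
	PrivacyOfficer string `json:"privacy_officer"`    // delegated accountable authority (DPO)
	OfficerPubKey  string `json:"officer_public_key"` // hex Ed25519 key the record is bound to
	NoticeText     string `json:"notice_text"`
}

// NoticeCredential is the notice record plus the derived record id and the
// signature that binds the fields to the Privacy Officer's key pair.
type NoticeCredential struct {
	Fields         NoticeFields `json:"fields"`
	NoticeRecordID string       `json:"notice_record_id"`
	Signature      string       `json:"signature"`
}

// canonical serializes the bound fields in a fixed order; encoding/json emits
// struct fields in declaration order, so the same record always produces the same bytes.
func canonical(f NoticeFields) []byte {
	b, err := json.Marshal(f)
	if err != nil {
		panic(err) // cannot happen for a struct of plain strings
	}
	return b
}

// DeriveRecordID is the first link of the chain: controller id -> record id.
// A zero byte separates the id from the fields so the two cannot run together.
func DeriveRecordID(f NoticeFields) string {
	h := sha256.New()
	h.Write([]byte(f.ControllerID))
	h.Write([]byte{0})
	h.Write(canonical(f))
	return hex.EncodeToString(h.Sum(nil))
}

// DeriveConsentReceiptID is the second link: record id -> consent receipt id,
// using a per-consent nonce so each grant by the PII Principal gets its own id.
func DeriveConsentReceiptID(recordID string, nonce []byte) string {
	h := sha256.New()
	h.Write([]byte(recordID))
	h.Write([]byte{0})
	h.Write(nonce)
	return hex.EncodeToString(h.Sum(nil))
}

// signedPayload is what the Privacy Officer signs: the canonical fields followed by the record id.
func signedPayload(f NoticeFields, recordID string) []byte {
	return append(append(canonical(f), 0), []byte(recordID)...)
}

// IssueCredential binds the notice fields to the officer's key pair: it embeds the
// public key, derives the record id, and signs fields plus id with the private key.
func IssueCredential(f NoticeFields, priv ed25519.PrivateKey) NoticeCredential {
	f.OfficerPubKey = hex.EncodeToString(priv.Public().(ed25519.PublicKey))
	id := DeriveRecordID(f)
	sig := ed25519.Sign(priv, signedPayload(f, id))
	return NoticeCredential{Fields: f, NoticeRecordID: id, Signature: hex.EncodeToString(sig)}
}

// VerifyCredential, run on the PII Principal's side, checks that the record id still
// matches the fields and that the signature verifies under the embedded public key.
// Any change to a bound field after issuance makes both checks fail.
func VerifyCredential(c NoticeCredential) bool {
	if DeriveRecordID(c.Fields) != c.NoticeRecordID {
		return false
	}
	pub, err := hex.DecodeString(c.Fields.OfficerPubKey)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	sig, err := hex.DecodeString(c.Signature)
	if err != nil {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), signedPayload(c.Fields, c.NoticeRecordID), sig)
}

func main() {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample values; no real organization or officer is referenced.
	f := NoticeFields{
		ControllerID:   "example-controller-001",
		ControllerType: "PII Controller",
		PrivacyOfficer: "privacy-officer@example.invalid",
		NoticeText:     "Example notice: email address collected to send order confirmations.",
	}
	cred := IssueCredential(f, priv)
	fmt.Println("record id:", cred.NoticeRecordID)
	fmt.Println("verifies:", VerifyCredential(cred))
	fmt.Println("receipt id:", DeriveConsentReceiptID(cred.NoticeRecordID, []byte("principal-nonce-1")))
	cred.Fields.NoticeText = "altered after issuance"
	fmt.Println("verifies after tamper:", VerifyCredential(cred))
}
```

The record id is bound into the signed payload, so a verifier detects both a modified field (the re-derived id no longer matches) and a substituted id (the signature no longer verifies); the receipt id is derived from the record id rather than from raw PII, so a receipt can be correlated to its notice without carrying the notice contents.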
Normative References
For the international and cross-domain use of the records and receipts reflected in this specification, this document refers to the following:
ISO/IEC 29100:2011 Security and privacy techniques
ISO/IEC 29184: Online privacy notices and consent
ISO 31700-1:2023: Consumer protection — Privacy by design for consumer goods and services — Part 1: High-level requirements
Fair Information Practice Principles (FTC) foundational principles
Non-Normative References
1980/2013 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data [OECD]
Kantara Initiative Consent Receipt v1.11
Kantara Initiative: Blinding Identity Taxonomy (BIT)
For input to ISO/IEC 27561:2022 POMME (Privacy operationalization model and method for engineering)
Additive Reference
General Data Protection Regulation (GDPR)
Council of Europe Convention 108+ (Conv. 108+)
PIPEDA – Individual, Meaningful Consent
Terms and definitions
This section lists the definitions and reference terms used in this specification and indicates which are normative, non-normative, and additive.
If this specification is not compatible with a jurisdiction’s privacy laws, the internationally defined terms reflected in this specification can be mapped to that jurisdiction’s laws and context-specific terms. For example, PII Principal in this document maps to the term ‘Data Subject’ in European GDPR legislation and the term ‘individual’ in Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
NOTATIONS
In this document the keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", “NOT RECOMMENDED”, "MAY", and "OPTIONAL" are to be interpreted as described in [RFC 2119].
ABBREVIATIONS
The following abbreviations and set of stakeholders are used to frame a mutually exclusive and collectively exhaustive set of terms for providing transparency over which organization controls the processing of personal information, and who is accountable for enforcement.
ANCR Record — means the Anchored Notice Record and Consent Receipt Record
ANCR WG — means the Advanced Notice and Consent Receipt Work Group
Array — means an array of field objects
Conv. 108+ — means the Council of Europe Convention 108+
FIPP — means Fair Information Practice Principles
IRM — means Identifier Relationship Management
ISO/IEC — means International Organization for Standardization/International Electrotechnical Commission
Object — means a field object
PII — means Personally Identifiable Information
PbD — means Privacy by Design
TPI — means Transparency Performance Indicators
ZPN – Zero Public Network – a network in which each processor of personal information has a controller credential and the PII Principal has a private record of the credential
Terms & Definitions
Code of Conduct
A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities competent pursuant to Article 55 or 56.
...
[Source: Conv. 108+ Art 29.5]
Concentric Notice Label
This is a new field, normative in this specification.
...
The types of Concentric Notice Label are specified in Annex B, which spans the spectrum of legally defined consent types, defined from the individual’s context and perspective.
Concentric Notice Label Types
Not Concentric: Legal obligation or legitimate interest independent of PII Principal
...
[Source: Conv 108+ Rec.20]
Digital Privacy [Proposed]
The reference to digital privacy specifies not only the data category for a specific element, but also the field format, the record structure, the attributes that populate the field elements, and the ontology and vocabulary used to specify those attributes.
...
representation of individual physical privacy online
proportional and reciprocal access to privacy rights information, controls, mitigations and remedies
access to privacy services and controls without identification
use of privacy services and controls for security and commerce
transparency over the active state of digital privacy in context
dynamic transparency and data control capacity
Digital Privacy Transparency (DPT) [Proposed]
Transparency over the digital representation of the active state of privacy in a specific context:
digital identity of Organization
digital Identity of Privacy Officer
digital privacy access point for information and control
digital Privacy Transparency; Laws & Standards
references enforceable and standardized regulations
GDPR [General Data Protection Regulation]
Convention 108+/GDPR - Transparency Adequacy Legal Code of Conduct
Digital Privacy Transparency (DPT) Standards reference:
ISO/IEC 29100 security and privacy techniques for the ISO 27k framework
ISO/IEC 29184 Online privacy notices and consent, Consent Notice Receipt (record) in Annex B
W3C - Data Privacy Vocabulary V1
Kantara Consent Receipt v1.1
Accretive to the ISO/IEC 31700 Privacy by Design standard, contributing high-performance data privacy transparency metrics, referenced as K-DPIs (Key Digital Privacy Indicators), that indicate the active state of digital transparency.
Transparency Performance Indicators:
Transparency data capture and assessment criteria for assessing the performance of digital privacy elements.
Notice
Adhering to the openness, transparency and notice principles means providing PII Principals with clear and easily accessible information about the PII Controller’s policies, procedures and practices with respect to the processing of PII;
...
The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.
[GDPR Rec.58]
Notice Modalities
The organization may implement the control using different techniques: layered notices, dashboards, just-in-time notices, or icons, and may provide notices in a machine-readable format so that the software presenting the notice to the PII Principal can parse it to optimize the user interface and help PII Principals make decisions.
...
That information may be provided in combination with standardised icons in order to provide, in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.
[Conv 108+ Rec 35]
Notice Record
Organizations should seek consent for changes such as those outlined here, and should consider whether the PII Principal has access to a record (of some kind) of their original consent, as well as how much time has elapsed between the original consent and the present. If the PII Principal is able to access a record of their prior consent readily and if the elapsed time is not significant, organizations may provide notice of the changes and seek consent for same. Otherwise, the organization should seek reconfirmation of the original consent in addition to consent to the notified changes.
...
[Source: Conv 108+ Art 31]
Principles relating to processing of personal data
Personally identifiable information must be processed lawfully, fairly, and in a transparent manner in relation to the Data Subject (‘lawfulness, fairness and transparency’);
...
[ANCR Notice Record Annex B]
Privacy by Design [Proposed]
In reference to privacy design methodologies in which privacy is considered and integrated into the initial design stage and throughout the complete lifecycle of products, processes or services (3.3) that involve processing of personally identifiable information (3.2), including product retirement (3.15) and the eventual deletion (3.26) of any associated personally identifiable information (3.2)
...
[31700-1:2023 : Consumer protection — Privacy by design for consumer goods and services — Part 1: High-level requirements]
Privacy Principles
The privacy principles articulated in ISO/IEC 29100 are now embodied in international standards and laws.
...
[Source: ISO/IEC 29100 Table 3]
Proof of Notice
A Consent Notice Receipt, as proof of notice, used as evidence of consent and to ... demonstrate compliant records of processing activities.
...
[Source: ANCR Notice Record v1 – Specification]
Personally Identifiable Information (PII)
Any information that (a) can be used to identify the PII Principal to whom Personally Identifiable Information relates, or (b) is or might be directly or indirectly linked to a PII Principal.
...
[Source: Conv. 108+ Rec 16]
PII that is in a Sensitive (or Special) Category
What constitutes Sensitive PII is defined explicitly in legislation; however, the definition might vary across jurisdictions. Sensitive PII might include information revealing race, ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, sexual lifestyle or orientation, and the physical or mental health of the PII Principal. In other jurisdictions, sensitive PII might include information that could facilitate identity theft or otherwise result in significant emotional, psychological, or financial harm to the natural person (e.g., credit card numbers, bank account information, or government-issued identifiers such as passport numbers, social security numbers or drivers’ license numbers), and information that could be used to determine the PII Principal’s real time location.
...
[Source: Conv. 108+ Rec. 29]
PII Principal (also Data Subject or Individual)
The natural person to whom the personally identifiable information (PII) relates.
...
Individual: Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
[Additive: PIPEDA 4.9]
PII Controller
A PII controller determines why (purpose) and how (means) the processing of PII takes place. The PII controller should ensure adherence to the privacy principles in this framework during the processing of PII under its control (e.g., by implementing the necessary privacy controls). There might be more than one PII controller for the same PII set or set of operations performed upon PII (for the same or different legitimate purposes). In this case the different PII controllers shall work together and make the necessary arrangements to ensure the privacy principles are adhered to during the processing of PII. A PII controller can also decide to have all or part of the processing operations carried out by a different privacy stakeholder on its behalf. PII controllers should carefully assess whether or not they are processing sensitive PII and implement reasonable and appropriate privacy and security controls based on the requirements set forth in the relevant jurisdiction as well as any potential adverse effects for PII principals as identified during a privacy risk assessment.
...
[Source: Conv 108+ Art 3(8)]
PII Sub-Controller [Proposed]
In the IoT use case of a smart building in which the building controller leases a space to a bank, the building controller delegates a PII Controller Credential to the bank for that space and its defined geo-location, for data governance of security and privacy.
PII Joint Controller
Covers multiple joint controller relationships including co-controllers, hierarchical, fiducial, and code.
...
[Source: Conv 108+ Art 86.1]
PII Processor
A privacy stakeholder that processes personally identifiable information (PII) on behalf of and in accordance with the instructions of a PII Controller.
...
[Source: Conv. 108+ Art 3(12)]
PII Sub-Processor [Additive]
Refers to the PII Controller type in the ANCR record specification.
...
[Additive: W3C DPV 2.3.1.6 http://w3c.github.io/dpv/dpv/ ]
Processing of PII
An operation or set of operations performed on personally identifiable information (PII).
...
[Source: Convention 108+]
PII Regulator
Refers to a government authority responsible for the enforcement of privacy and data protection regulation. Referred to also as a Data Governance Authority, a Data Protection Authority (DPA) or simply Privacy Regulator.
Privacy Stakeholder
A natural or legal person, public authority, agency or any other body that can affect, be affected by, or perceive themselves to be affected by a decision or activity related to personally identifiable information (PII) processing.
...
[Source: Conv.108+ Art 51(c)]
ISO/IEC 29100 to 27000: Security Framework Mapping
Table A.1 — Mapping ISO/IEC 29100 concepts to ISO/IEC 27000 concepts
ISO/IEC 29100 concepts | Correspondence with ISO/IEC 27000 concepts |
Privacy stakeholder | Stakeholder |
PII | Information asset |
Privacy breach | Information security incident |
Privacy control | Control |
Privacy risk | Risk |
Privacy risk management | Risk management |
Privacy safeguarding requirements | Control objectives |
[Source: ISO/IEC 29100: Annex A]
Standard Concentric clauses
Standard Concentric Clauses implement ISO/IEC 29184 compliance controls and Privacy Service Agreements [ISO/IEC TS 27570: 3.22].
...
These clauses MUST be employed in a manner to scale the expectations of the PII Principal online, to facilitate data governance interoperability and transborder adequacy of electronic consent.
Third Party (or 3rd Party)
A privacy stakeholder other than the personally identifiable information (PII) principal, the PII Controller and the PII processor, and the natural persons who are authorized to process the data under the direct authority of the PII Principal, PII Controller or the PII processor. Referring to government, police, telecoms, relying parties. In all roles, the stakeholder is also considered to have a controller identity.
...
[Source: Convention 108 Art 3.14]
Open Notice PII Controller Credential Schema
TABLE1: NOTICE RECORD SCHEMA
adds the technical attributes
...