...

Suggested Citation: (upon WG approval)

ANCR Specification v0.8

NOTICE

This document has been prepared by participants of Kantara Initiative Inc. Permission is hereby granted to use the document solely for the purpose of implementing the Specification. No rights are granted to prepare derivative works of this Specification. Entities seeking permission to reproduce this document, in whole or in part, for other uses must contact the Kantara Initiative to determine whether an appropriate license for such use is available.

Implementation or use of certain elements of this document may require licenses under third party intellectual property rights, including without limitation, patent rights. The Participants and any other contributors to the Specification are not and shall not be held responsible in any manner for identifying or failing to identify any or all such third-party intellectual property rights. This Specification is provided "AS IS," and no Participant in Kantara Initiative makes any warranty of any kind, expressed or implied, including any implied warranties of merchantability, non-infringement of third-party intellectual property rights, or fitness for a particular purpose. Implementers of this Specification are advised to review Kantara Initiative’s website (http://www.kantarainitiative.org) for information concerning any Necessary Claims Disclosure Notices that have been received by the Kantara Initiative Board of Directors.

Dear reader,

Thank you for downloading this publication prepared by the international community of experts that comprise the Kantara Initiative. Kantara is a global non-profit ‘commons’ dedicated to improving trustworthy use of digital identity and personal data through innovation, standardization and good practice.

...

Copyright: The content of this document is copyright of Kantara Initiative, Inc.
© 2022 Kantara Initiative, Inc.

Introduction

Transparency Performance Indicators (TPIs) measure digital services and operators in a way that provides people with indicators of trustworthiness and risk, ideally before any surveillance, tracking or data/token exchange takes place.

...

The Notice Record, generated from TPIs, enables operational ‘online’ transparency through the controls in ISO/IEC 29184. This can be further evidenced with an anchored notice and mirrored (digitally twinned) notice consent receipts [again ISO/IEC 29184, Appendix B], also generated from a TPI Notice Record.

Why was this specification written?

TPIs aim to help standardize digital transparency and dramatically improve the safety, security, and usability of digital transparency for people. They do so by providing a set of metrics to quickly assess whether, and how, digital privacy is operating at the moment.

...

The TPIs are a step towards people having the insights to exercise access controls, and to use their rights to create and control their own records of digital identity relationships, in a meaningful or operational manner.

Why Transparency Performance Indicators?

TPIs provide a way to quickly see what digital privacy and/or security measures are in place, and whether they are in line with the human, legal and analogue requirements for the person in the context of operating a digital service.

...

{note: this is out of scope} provide a record that can then be used to “anchor” the digital identity relationship with the organization, creating a basis and foundation for higher levels of digital transparency assurance. [2]

What should you expect to find in this document?

The 4 TPIs specified here focus on the first / initial point of contact, and the transparency of publicly accessible digital services. This is publicly required information that must be provided without requiring identification, authentication or authorization.

...

The TPIs here are used to assess session-based data capture and self-asserted information by organizations.

TPI 1 - Measuring the Timing of Notice:

This TPI captures when the Controller's legal entity and accountable Privacy Officer (digital identifiers) provide notice: before, at the time of, or after personal data is captured. This captures whether dynamic transparency is available systematically, and when. It provides a way for an individual to assess whether they can trust a service or not, independently of the service provider.

Note: This is the most common legislated privacy element in the world, required in all privacy legislation and instruments. (ISTPA 2007)

TPI 2 - Measures Required Data Elements

This TPI captures the data elements required for all data processing (except where legally regulated otherwise [3], by derogation). In “all” cases a Notice of who is processing your data, who is accountable, and the privacy contact information for access to personal information must be provided.

Notice of who is processing your data is required for all legal justifications for processing personal data in privacy law, and is also a fundamental security requirement: identifying the legal entity, in some cases including all beneficial owners, and the accountable person(s).

TPI 3 - Measure of Transparency Accessibility

This TPI measures the performance of transparency accessibility by capturing how available the information required in TPI 2 is. For example, is the information presented in a pop-up notice, or is it necessary to click a link, e.g. to a standard transparency/privacy policy? Is it on the first screen, or at the bottom of a multi-screen display (with links not highlighted)?

TPI 4 - Measures security information integrity

This TPI captures the SSL/TLS (Secure Sockets Layer/Transport Layer Security, e.g. TLS 1.3) certificate or security keys (e.g. JOSE) and compares their metadata against the information required in TPI 2. This is very much along the lines of Certificate Transparency, but looks specifically at whether the policies cover the Notice: e.g. do the SSL certificate Organization Unit field and Jurisdiction fields match the captured legal entity information, and how do the policy and jurisdiction here relate to other beneficial entities? Importantly, does this align with the policy expectations of the person?

TPI Metrics

move for intro text

TPIs are captured in sequence:

...

Combined, these TPIs provide an overall indication of the operational state of digital privacy.

TPI Methodologies

Timing of Notice vs Data Collection Transparency

TPI 1 requires monitoring the technical endpoint to see whether PII is captured in relation to when a notice is provided. This measures the notice's regulatory performance against legal and human usability requirements.

PII Controller Digital Attribute Transparency

Assess whether the information required for transparency over who is in control of the notice is ‘provided’.

The MUST fields identify elements that are required by legislation and that therefore MUST be present.

Transparency Accessibility

How accessible is the PII Controller and Privacy Contact information?

For example, in the context of a website or a mobile device, how difficult was it to access the ‘provided’ information. How many clicks, or screens, away is the required information?

Example — Accessibility Measurement Rating

This transparency accessibility rating score of [1, 0, -1 or -3] reflects the number of steps, screens, or clicks required to find the ‘provided’ information within a mobile application or webpage providing the client user interface.

Security Validation Certificate (and/or Key) Security Transparency

This security performance indicator requires that the session security layer certificate or key information be collected and then compared against the information in the Notice Record, to validate the integrity of the security necessary for digital privacy.

...

Certificate status, and transparency performance, are used to establish session security prior to the collection, use and processing of PII. The security TPI also measures the certificate and/or cryptographic keys for a specified organizational unit, to corroborate and validate the PII Controller’s digital integrity.

Table 1: Transparency Performance Rating

The TPI Rating system is designed to measure the operational performance of the information provided to be transparent. This rating is unique in that it allows for assurance levels that account for pre-assured and dynamically assured notice and notification information. A technical requirement for secondary consent refers to consent as a second (or additional) legal justification for processing personal data.

...

Columns: Rating | TPI 1 - Timing (wrt processing) | TPI 2 | TPI 3 - Accessibility (transparency performance) | TPI 4 - Digital security

+1 (assured)
  TPI 1: Before [Transparency of control/governance - before, during or after processing]
  TPI 2: +1 - credential is registered and present
  TPI 3: Controller identity is presented prior to data collection
  TPI 4: Security is required prior to collection (digital wallet based)

0 (dynamic assurance)
  TPI 1: Just in time
  TPI 2: 0 - credential is presented just in time (automated check and first-time notice)
  TPI 3: Embedded as a credential linked to authoritative registries.
  TPI 4: Is assured - e.g. certificate is specific to and matches controller and context

-1 (analogue assurance - online)
  TPI 1: During
  TPI 2: Controller information is accessible during collection
  TPI 3: PII Controller Identity prominently displayed on first view – prior to processing first page of viewing, the assessment question would be
  TPI 4: Not specific to controller - does not match jurisdiction

-2 (not mandatory in flow)
  TPI 1: Available
  TPI 2: Controller information is linked
  TPI 3: Is linked, not presented
  TPI 4: Does not match OU

-3 (non operative)
  TPI 1: After
  TPI 2: Controller information not present
  TPI 3: Identity or credential is not accessible in context - e.g. two or more screens of view away, or the privacy contact is a mailing address and non-operative in the context of data collection.
  TPI 4: Is not a valid or secure provider

TPI Instruction and Guidance

The TPI Rating system is designed to measure the performance of the Controller's digital identity and security session information. For example, if only a mailing address is provided for a privacy contact on a website, this is considered non-operable in that context. This means that privacy access and specific information are not retrievable in the context of data collection, demonstrating access to non-data governance which is not proportionate or reciprocal in context.

Rating - Instruction

Columns: Rating | TPI 1 - Timing (wrt processing) | TPI 2 - Required Info Presentation | TPI 3 - Accessibility (transparency performance) | TPI 4 - Digital Security

+1 (assured)
  TPI 1: PII Controller credential is displayed, using a standard format with machine-readable language, and linked, for example, in an HTTP header in a browser
  TPI 2: Controller is discoverable automatically prior to the session (out of band) in a machine-readable format. Number of ways: 1. a Controller Identity Transparency registry; 2. a client-side record of processing (via a wallet or browser)
  TPI 3: Controller identity is presented prior to data collection
  TPI 4: Security is required prior to collection (digital wallet based)

0 (dynamic assurance)
  TPI 1: PII Controller Identity or credential is provided in the first notice
  TPI 2: 0 - credential is presented just in time (automated check and first-time notice)
  TPI 3: Embedded as a credential and dynamically available upon access (almost just in time)
  TPI 4: Is assured - e.g. certificate is specific to and matches controller and context

-1 (analogue assurance - online)
  TPI 1: The Controller Identity, or the screen with the Controller Identity, is one screen and click away. For example, the privacy policy link in the footer of a webpage
  TPI 2: Controller information is accessible (not presented) during collection
  TPI 3: PII Controller Identity prominently displayed on first view – prior to processing first page of viewing, the assessment question would be
  TPI 4: Not specific to controller - does not match jurisdiction

-2 (not mandatory in flow)
  TPI 2: Controller Credential information is linked during collection
  TPI 3: Is linked, not presented
  TPI 4: Does not match OU

-3 (non operative)
  TPI 1: PII Controller Identity is not accessible enough to be considered ‘provided’
  TPI 2: Controller information not present
  TPI 3: Identity or credential is not accessible in context - e.g. two or more screens of view away, or the privacy contact is a mailing address and non-operative in the context of data collection.
  TPI 4: Is not a valid, secure, or recognized provider. Not security operational (proving non-reciprocal security assurance)

Table 2: TPI Schema

TPI 1: Notification Timing; Timing of Data Collection

Table 3 : Transparency Performance Indicator Record Rating Example

Columns: Field Name | Field Description | Requirement (Must / Shall / May) | TPI 1 (before (out of band), just in time (before), at the start or time of collection, during collection, after collection) | TPI 2 (Available / Not Available) | TPI 3 (Rate: +1, 0, -1, -3) | TPI 4 Certificate or Key (CN matches; OU match; Jurisdiction match (optional))

Notice Location
  Description: Location the notice was read/observed
  Requirement: MUST
  TPI 1: before, during, after
  TPI 2: Present
  TPI 3: +1
  TPI 4: found

PII Controller Name
  Description: Name of presented organization
  Requirement: MUST
  TPI 2: Present
  TPI 3: 0
  TPI 4: Match

PII Controller Address
  Description: Physical organization address
  Requirement: MUST
  TPI 2: Present
  TPI 3: 0
  TPI 4: Not match

Privacy Contact Point
  Description: Location/address of Contact Point
  Requirement: MUST
  TPI 2: Present
  TPI 3: 1
  TPI 4: Not match

Privacy Contact Method
  Description: Contact method for correspondence with PII Controller
  Requirement: MUST
  TPI 2: Present
  TPI 3: -1
  TPI 4: No match

Session key or Certificate
  Description: A certificate for monitored practice
  Requirement: MUST
  TPI 2: Present (or Not found)
  TPI 3: 1 (or -3)
  TPI 4: Present (or No Security Detected)
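As an added illustration, not part of the specification, the following Python checks a Notice Record against the Table 3 columns for TPI 2 (are all MUST fields present?) and TPI 4 (do the certificate's CN, O/OU and jurisdiction fields match the record?), taking the certificate in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns. The record values, hostnames and certificate subject are constructed, and the mapping of CN, OU and jurisdiction mismatches onto the -3/-2/-1 ratings is an assumption drawn from the TPI 4 column of Table 1.

```python
import re
from urllib.parse import urlsplit

# MUST fields of the Notice Record (Table 3 / Appendix A); TPI 2 is "Available" only if all are present.
MUST_FIELDS = ("Notice Location", "PII Controller Name", "PII Controller Address",
               "Privacy Contact Point", "Privacy Contact Method")
LEGAL_SUFFIXES = {"inc", "ltd", "llc", "corp", "corporation", "limited"}

def _norm(value):
    """Case-fold, drop punctuation and legal suffixes so 'Example Ltd.' compares equal to 'Example'."""
    words = re.sub(r"[^a-z0-9 ]", " ", (value or "").lower()).split()
    return " ".join(w for w in words if w not in LEGAL_SUFFIXES)

def tpi2_missing_fields(record):
    """TPI 2: MUST fields absent from the Notice Record; an empty list means 'Available'."""
    return [f for f in MUST_FIELDS if not (record.get(f) or "").strip()]

def tpi4_security_integrity(record, cert):
    """TPI 4: compare the certificate subject (getpeercert() shape) with the Notice Record.
    Rating is assumed from Table 1's TPI 4 column: 0 = matches controller and context, -1 = jurisdiction
    mismatch, -2 = O/OU does not match the controller, -3 = no valid certificate for the notice location.
    A +1 needs out-of-band (wallet) assurance that this session-level check cannot observe."""
    result = {"cn_match": False, "ou_match": False, "jurisdiction_match": False}
    if not cert:
        return {**result, "rating": -3}
    subj = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}  # flatten the RDN tuples
    host = (urlsplit(record.get("Notice Location", "")).hostname or "").lower()
    cn = subj.get("commonName", "").lower()
    # CN must name the host the notice was read on (exact match, or a wildcard covering it).
    result["cn_match"] = bool(host) and (cn == host or (cn.startswith("*.") and host.endswith(cn[1:])))
    controller = _norm(record.get("PII Controller Name"))
    orgs = [_norm(subj.get(k)) for k in ("organizationName", "organizationalUnitName")]
    result["ou_match"] = bool(controller) and any(controller in o for o in orgs if o)
    address = _norm(record.get("PII Controller Address"))
    juris = [_norm(subj.get(k)) for k in ("stateOrProvinceName", "localityName")]
    result["jurisdiction_match"] = any(j and j in address for j in juris)
    result["rating"] = (-3 if not result["cn_match"] else -2 if not result["ou_match"]
                        else -1 if not result["jurisdiction_match"] else 0)
    return result

# Constructed sample data: a Notice Record in the Appendix A shape and a matching certificate subject.
SAMPLE_RECORD = {"Notice Location": "https://www.example-controller.test/",
                 "PII Controller Name": "Example Controller",
                 "PII Controller Address": "123 Sample Road, Mississauga, Ontario L5N 1P9",
                 "Privacy Contact Point": "https://www.example-controller.test/privacy",
                 "Privacy Contact Method": "email"}
SAMPLE_CERT = {"subject": ((("countryName", "CA"),), (("stateOrProvinceName", "Ontario"),),
                           (("localityName", "Mississauga"),), (("organizationName", "Example Controller Inc."),),
                           (("commonName", "www.example-controller.test"),))}
```

With the sample data both checks pass (no missing MUST fields, TPI 4 rating 0); swapping the organizationName or stateOrProvinceName in SAMPLE_CERT shows the -2 and -1 cases.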

Summary

In summary, Transparency Performance Indicators (TPIs) are specified here for people to use depending on context, location, security, and other out-of-session elements. TPIs are used to determine, with one's own sovereign reasoning, whether to trust a service, rather than relying on an external framing, opinion or forced default.

...

TPI 4 validates for the individual whether security “adds up” for them and, in doing so, addresses a critical security gap widely overlooked today.

Roadmap

References

Appendix A: Notice Record Schema

This appendix provides a notice record template to fill out when recording a rating, along with a rating template and an analysis results format.

Notice Record Schema, Notice Record and Report - Template and Example

1.2. Table 1: Notice Record Schema

Columns: Field Name | Field Description | Requirement (MUST, SHALL, MAY) | Field Data Example

Notice Location
  Description: Location the notice was read/observed
  Requirement: MUST
  Example: http://www.walmart.com

PII Controller Name
  Description: Name of presented business
  Requirement: MUST
  Example: Walmart

Controller Address
  Description: The physical address of the controller and/or accountable person
  Requirement: MUST
  Example: 1940 Argentina Road Mississauga, Ontario L5N 1P9

PII Controller Contact Type
  Description: Contact method for correspondence with PII Controller
  Requirement: MUST
  Example: Email, phone

PII Controller-Correspondence Contact
  Description: General contact point
  Requirement: SHALL
  Example: Privacy@org.com

Privacy Contact Type
  Description: The contact method provided for access to the privacy contact
  Requirement: MUST
  Example: email

Privacy Contact Point
  Description: Location/address of Contact Point
  Requirement: MUST
  Example: Org.com/privacy.html

Session Certificate
  Description: A certificate for monitored practice
  Requirement: Optional
  Example: SSL Certificate Security (TLS) and Transparency

Endnotes

1 Lizar, M., Pandit, H., Jesus, V., “Privacy as expected Consent Gateway”, Next Generation Internet (NGI) Grant [Accessed July 4] privacy-as-expected.org/