Transparency Trust Metrics
Editors: Sharon Polsky, Mark Lizar
Contributors: Sal D’Agostino
Abstract:
At the present time, when online services are involved, Individuals have no way of seeing or knowing who is in control of collecting, using, processing, or disclosing their personal information before the collection, use, processing, or disclosure takes place. Individuals are powerless to resist or object to the one-size-fits-all contracts presented on websites that are called ‘terms and conditions’, ‘user licenses’, ‘privacy policies’ or ‘data sharing agreements’, that do not implement privacy people expect.
No mechanism is currently available for Individuals to assert authority in advance of disclosing their personal information; and no way for them to determine, control, or negotiate the conditions or sources under which data about them may be processed, used, managed, or associated with other data consent.
Lack of transparency and consent defaults prevent Individuals from knowing or seeing (therefore trusting or controlling) when digital identifiers and related metadata about themselves are created, used, or disclosed, for additional purposes
Systemically prohibiting interaction, access and participation required for individuals to see how information about themselves is used, when, by whom, and for what purposes.
Enabling individuals to see how information about themselves is used, when, by whom, and for what purposes, requires a standardized transparency mechanism as a way to provide data governance that scales when decentralized.
The Anchored Notice and Consent Record implements a standard of transparency to enable Individuals to see if PII about them is being used in ways that are private and whether, when, where, and to whom it is disclosed — locally, domestically, or internationally.
The ability to direct and control the collection, use and disclosure of information about themselves is essential for Individuals to have technical capacity to trust the management of surveillance, personal identity, and advanced digital data analysis technologies.
The ANCR specification provides a mechanism to implement legal and technical standards for transparency that supersede ‘terms and conditions’, ‘user licenses’, ‘privacy policies’ and ‘data sharing agreements’. Specifying an active technical object for managing the rules of data and its consented exchange.
NOTES TO READER
This Kantara Initiative work effort began when Liberty Alliance became the Kantara Initiative, and the Consent and Information Sharing Working Group formally began in 2015. That Working Group’s activities carried on through the ANCR Working Group.
In this specification and proposed standard the term “PII Principal” is used interchangeably with Data Subject and “Individual”.
IPR Option:
This ANCR Record Specification is available for use for public benefit licensing @0PN C.I.C and the open schema available @Human Colossus, and is specified under a Reasonable and Non‑Discriminatory (RAND) agreement at the Kantara Initiative for submission to ISO/IEC SC 27 WG 5
Published for use as public infrastructure through code of conduct and practice in industry and trade certification bodies.
Patent & Copyright: Reciprocal Royalty Free with Opt-out to Reasonable and Nondiscriminatory (RAND)
Suggested Citation: (upon WG approval)
ANCR Specification v0.9
NOTICE
This document has been prepared by Participants of Kantara Initiative Inc. Permission is hereby granted to use the document solely for the purpose of implementing the Specification. No rights are granted to prepare derivative works of this Specification. Entities seeking permission to reproduce this document, in whole or in part, for other uses must contact the Kantara Initiative to determine whether an appropriate license for such use is available.
Implementation or use of certain elements of this document may require licenses under third party intellectual property rights, including without limitation, patent rights. The Participants and any other contributors to the Specification are not and shall not be held responsible in any manner for identifying or failing to identify any or all such third-party intellectual property rights. This Specification is provided "AS IS," and no Participant in Kantara Initiative makes any warranty of any kind, expressed or implied, including any implied warranties of merchantability, non-infringement of third-party intellectual property rights, or fitness for a particular purpose. Implementers of this Specification are advised to review Kantara Initiative’s website (http://www.kantarainitiative.org ) for information concerning any Necessary Claims Disclosure Notices that have been received by the Kantara Initiative Board of Directors.
Dear reader
Thank you for downloading this publication prepared by the international community of experts that comprise the Kantara Initiative. Kantara is a global non-profit ‘commons’ dedicated to improving trustworthy use of digital identity and personal data through innovation, standardization and good practice.
Kantara is known around the world for incubating innovative concepts, operating Trust Frameworks to assure digital identity and privacy service providers, and developing community-led best practices and specifications. Its efforts are acknowledged by OECD ITAC, UNCITRAL, ISO SC27, other consortia and governments around the world. 'Nurture, Develop, Operate' captures the rhythm of Kantara in consolidating an inclusive, equitable digital economy offering value and benefit to all.
Every publication, in every domain, is capable of improvement. Kantara welcomes and values your contribution through membership, sponsorship and active participation in the working group that produced this and participation in all our endeavors so that Kantara can reflect its value back to you and your organization.
Copyright: The content of this document is copyright of Kantara Initiative, Inc.
© 2022 Kantara Initiative, Inc.
Introduction
This section describes the creation and use of an ISO/IEC 29100 for processing (personal) data and to illustrate the use of ISO/IEC 29184 controls to assess performance of this record. The associated notice controller credential and its associated record is regulated with international privacy laws, principals and standards, As a result of the record’s basis on the ISO/IEC 29100 Security and Privacy Framework the record and associated data fields provide a globally binding and standardized governance framework for creating records. Importantly it provides the transparency legally required for trustworthy ‘consented data access’, for adequate data transfers internationally; and can also provide an opportunity to implement a low-cost digital (twin) record and receipt mechanism. The use of the associated notices, receipts and records dramatically improve the security of personal data control, significantly increasing transparency and as a result greatly improves the scale and effectiveness of cyber physical security and digital privacy.
This specification is a contribution for extending the work and interoperability of ISO/IEC SC27 WG5, 29100 privacy and security framework, that results in a standardized record processing format for generating notice records and consent receipts.
The Notice Record specified here provides, importantly, operational transparency with the use of the controls in ISO/IEC 29184 Online Privacy Notices and Consent and evidenced with anchored notice and consent receipts. [ISO/IEC 29184, Appendix B]
Why was this specification written?
An internationally standardized notice controller credential provides people with digital transparency over who controls personal data in context. It provides a public (open) format for a PII Principal to generate records independently of the PII Controller, and to hold, control and manage, separately from the PII Controller, and for the PII Principal to withdraw consent by context for multiple services efficiently (at the same time). The specification uses standards to capture, and measure the performance of PII Controllers’ transparency, digital security and active state of digital privacy throughout the life-cycle of the use of (digital) services.
Why Digital Transparency?
Standardized digital notice is a steppingstone to digital privacy and is required to scale human to system (electronic) consent online. A record that is provided by default using standard digital identifier governance defaults, designed for self-sovereign/human centric transparency and interoperability, between people and systems.
The notice record information structure is specified in this document with ISO/IEC 29100 Security and privacy techniques framework, which is a free and public standard. ISO/IEC 29100 is used in this specification to measure the performance of transparency using the controls, and consent notice receipt, specified in ISO/IEC 29184.
What should you expect to find in this document?
This ANCR WG Transparency Performance Indicator’s specifications assess the digital privacy transaprency of online services.
The capture is with an ANCR Notice Record, the record is captured using ISO/IEC 29100 Security and Privacy (international framework). It’s captured can be compared agains the ISO/IEC 29184 Online privacy notice and consent receipt standard format, controls and conditions, to demonstrate conformance, and is mapped to CoE 108 + and the GDPR in the Notice Record Framework.
Transparency Performance Indicator’s (TPI’s) provide a human and consent centric digital privacy transparency framework, that people can use tp see and understand who and how, their personal information and identity is controlled.
TPI’s are generated through the capture of a notice, and its assessment for the time of notice presentation(1) in relations to first data capture, the contents of the notification (2), the accessibility of the notice access for use (3), and the digital trust/security of the notice (4), all of which are required for digital privacy interiperability utilizing a standard consentric notice transparency franework, whereby proof of notice and evidence of consent is required for permissions to process and disclose personal and identifying digital identifier’s.
These (aforementioned 4) transparency performance indicators (TPIs) are used together to automate a digital privacy transparency performance baseline, The notice records created through interaction with standardized online notifications demonstrate next generation digital privacy.
Utilizing standard informations structure, notice and consent record format, controls, for digital privacy rules and regulations,
Notice Record Generation
** Old Narrative *
how a minimum notice record Information structure can be used to create a record that the PII Principal holds, controls, and manages to control their personal information, namely:
The PII Controller Identity and privacy contact point
The Accessibility of PII Controller Identity and Contact information,
The Security and Integrity of the PII Controller’s Transparency
The ANCR Notice Record is specified for PII Principals, using terms, semantics and laws that champion the legal utility of data control and its management. As such, representing a shift in the architecture of digital identity semantics to legal semantics specific to human centric transparency, usability, and control.
For this purpose, the ANCR record is first specified as a single use record, that the Individual controls with 3 transparency performance indicators. First defined as a single use record to generate a record the Individual can own, control and trust. The KPI’s provided here are specified to provide transparency over data control and it’s human/decentralized data governance. (Specified as Operational Transparency),
Notice Record
The Notice Record is first specified as a static, one-time use notice record that is created by the PII Principal and used to initiate a state of operational transparency in context measured by access to, and performance of, rights.
Diagram 1: Notice Record
Table1: Single Use Notice Record:
PII Controller Identity AND Contact Transparency Report
Field Name | Field Description | Requirement: Must, Shall, May | Field Data Example |
|---|---|---|---|
Notice Location | Location the notice was read/observed | MUST | www.walmart.com |
PII Controller Name | Name of presented business | MUST | Walmart |
Controller Address | The physical address of controller and/or accountable person | MUST | 1940 Argentina Road Mississauga, Ontario L5N 1P9 |
PII Controller Contact Type | Contact method for correspondence with PII Controller | MUST | Email, phone |
PII Controller-Correspondence Contact | General contact point | SHALL | Privacy@org.com |
Privacy Contact Type | The Contact method provided for access to privacy contact | MUST | |
Privacy Contact Point | Location/address of Contact Point | MUST | Org.com/privacy.html |
Session Certificate | A certificate for monitored practice | Optional | SSL Certificate Security (TLS) and Transparency |
Anchoring the Notice Record for Trust
The record identifier, when added to each record, provides an anchor for the notice record in the first instance. The Anchored Notice Record can be extended for use as a ‘trust anchor’ for the PII Principal by adding an ANCR Record ID that the PII Principal can use to track the PII Controller and the data processing and digital identity relationship over time. In this way an Anchored Notice Record is a gateway to scale consent online and internationally.1
Notice Record Transparency Performance Indicators
Diagram 2: Transparency Performance Indicators
The first two (2) performance indicators measure the transparency of the ‘provided’ PII Controller Identity information. Required to measure how accessible the provided PII Controller Identity information is, before or at the time of data processing, which is a condition of governance adequacy and privacy compliance for all digital identifier-based processing activities, used to develop data profiles. An ANCR Record of data processing activity in this way provides evidence to demonstrate security and privacy compliance.
Once the capacity for digital privacy is ascertained, the third performance indicator can be used to measure the security certificate (or key) for its contextual integrity for the specific session and processing context.
TPI 1: PII Controller Identity and Contact Transparency
Assess if the required information for transparency over who is in control of notice is ‘provided’
The MUST fields identify elements that are required in legislation that MUST be present.
TPI 2: Transparency Accessibility
How accessible is the PII Controller and Privacy Contact information?
For example, in the context of a website or a mobile device, how difficult was it to access the ‘provided’ information. How many clicks, or screens, away is the required information?
TPI 2–Example — Accessibility Measurement Rating
This transparency accessibility rating score of [1,0, -1 or –3] reflects the number of steps, screens, or clicks required to find the ‘provided’ information within a mobile application or webpage providing the client user interface.
Transparency Accessibility Rating description table 2
Rating | Description | Instruction |
|---|---|---|
+1 | Controller identity is embedded as a credential linked to authoritative registries. | PII Controller credential is displayed, using a standard format with machine readable language and linked, for example, in an http header in a browser |
0 | PII Controller Identity prominently displayed on first view – prior to processing first page of viewing, the assessment question would be | PII Controller Identity or credential is provided in first notice |
-1 | Privacy signal Is not first presented – but is linked and one click and screen away | The Controller Identity, or screen with the Controller Identity is one screen and click away. For example, the privacy policy link in the footer of a webpage |
- 3 | Identity or credential is two or more screens of view away | PII Controller Identity is not accessible enough to be considered ‘provided’ |
TPI 3: Certificate (and/or Key) Security Transparency
This security performance indicator requires that the notice record session certificate is collected and used to check if the PII Controller Identity information is the same or linked to the controlling entity in the associated security certificate. For example, does the SSL (secure software layer) certificate identify the Controller, and is it secured for the DNS and localization expectation and corresponding jurisdictional information (a ZPN required digital security for privacy measure to implement the international governance interoperability with legal adequacy with eConsent)
Certificate status, and transparency performance, are used to establish session security prior to the collection, use and processing of PII. The security TPI is used to measure the certificate and or cryptographic keys for a specified organizational unit to corroborate and validate the PII Controller’s digital integrity.
Table 2 : Notice Record TPI Report
Field Name | Field Description | Requirement: Must | TPI 1 Not Available | TPI 2 Rate: +1, 0, -1, -3, | TPI 3 |
|---|---|---|---|---|---|
Notice Location | Location the notice was read/observed | MUST | Present | +1 | found |
PII Controller Name | Name of presented organization | MUST | Present | 0 | Match |
PII Controller Address | Physical organization Address | MUST | Present | 0 | Not match |
Privacy Contact Point | Location/address of Contact Point | MUST | Present | 1 | Not match |
Privacy Contact Method | Contact method for correspondence with PII Controller | MUST | Present | -1 | No Match |
Session key or Certificate | A certificate for monitored practice | MUST | Present (or Not-found) | 1 (or –3 ) | Present (or No Security Detected) |
1 Lizar, M, Pandit, H, Jesus, V, “Privacy as expected Consent Gateway”, Next Generation Internet (NGI) Grant [Access July 4] privacy-as-expected.org/