
Transparency Trust Metrics

Editors: Sharon Polsky, Mark Lizar

Chair: Sal D’Agostino

Contributors:

IPR Option:

This ANCR Record Specification is available for use for public benefit licensing @0PN C.I.C and the open schema available @Human Colossus, and is specified under a Reasonable and Non‑Discriminatory (RAND) agreement at the Kantara Initiative for submission to ISO/IEC SC 27 WG 5

Published for use as public infrastructure through code of conduct and practice in industry and trade certification bodies.

Patent & Copyright: Reciprocal Royalty Free with Opt-out to Reasonable and Nondiscriminatory (RAND)

Suggested Citation: (upon WG approval)

ANCR Specification v0.9

NOTICE

This document has been prepared by participants of Kantara Initiative Inc. Permission is hereby granted to use the document solely for the purpose of implementing the Specification. No rights are granted to prepare derivative works of this Specification. Entities seeking permission to reproduce this document, in whole or in part, for other uses must contact the Kantara Initiative to determine whether an appropriate license for such use is available.

Implementation or use of certain elements of this document may require licenses under third party intellectual property rights, including without limitation, patent rights. The Participants and any other contributors to the Specification are not and shall not be held responsible in any manner for identifying or failing to identify any or all such third-party intellectual property rights. This Specification is provided "AS IS," and no Participant in Kantara Initiative makes any warranty of any kind, expressed or implied, including any implied warranties of merchantability, non-infringement of third-party intellectual property rights, or fitness for a particular purpose. Implementers of this Specification are advised to review Kantara Initiative’s website (http://www.kantarainitiative.org ) for information concerning any Necessary Claims Disclosure Notices that have been received by the Kantara Initiative Board of Directors.

Dear reader,

Thank you for downloading this publication prepared by the international community of experts that comprise the Kantara Initiative. Kantara is a global non-profit ‘commons’ dedicated to improving trustworthy use of digital identity and personal data through innovation, standardization and good practice.

Kantara is known around the world for incubating innovative concepts, operating Trust Frameworks to assure digital identity and privacy service providers, and developing community-led best practices and specifications. Its efforts are acknowledged by OECD ITAC, UNCITRAL, ISO SC27, other consortia and governments around the world. 'Nurture, Develop, Operate' captures the rhythm of Kantara in consolidating an inclusive, equitable digital economy offering value and benefit to all.

Every publication, in every domain, is capable of improvement. Kantara welcomes and values your contribution through membership, sponsorship and active participation in the working group that produced this and participation in all our endeavors so that Kantara can reflect its value back to you and your organization.

Copyright: The content of this document is copyright of Kantara Initiative, Inc.
© 2022 Kantara Initiative, Inc.

Introduction

Transparency Performance Indicators (TPIs) are used to identify the performance of digital transparency on a scale that includes, and allows for, dynamic transparency performance.

These TPIs are used to quickly ascertain trust performance in accordance with standard privacy law and with the human capacity-to-'trust' requirements.

TPIs are recorded with a Notice Record, also known as a Consent Receipt or Controller Credential, which is a common record format derived from the ISO/IEC 29100 security and privacy techniques framework. This format is used to collect the digital identity attributes, the notice, notification or disclosure text, and the associated metadata (digital context information), mapped directly to the analogue (brick and mortar) legal requirements, in a standardized TPI process.

Once collected in this record format, the TPIs are used to measure conformance with ISO/IEC 29184 Online privacy notices and consent (2020), in which the Consent Notice Receipt can be found in Appendix B.

to capture a record of notice text and meta-data, digital required describes the creation and use of the ISO/IEC 29100 Privacy Framework for processing (personal) data, and illustrates the use of ISO/IEC 29184 controls to assess the performance of this record. The associated notice controller credential and its associated record are regulated by international privacy laws, principles and standards. As a result of the record's basis in the ISO privacy and security frameworks, the record and its associated data fields provide a globally binding and standardized governance framework for creating records. Importantly, it provides the transparency legally required for trustworthy 'consented data access' and for adequate international data transfers; it can also provide an opportunity to implement a low-cost digital (twin) record and receipt mechanism. The use of the associated notices, receipts and records dramatically improves the security of personal data control, significantly increasing transparency and, as a result, greatly improving the scale and effectiveness of cyber-physical security and digital privacy.

This specification is a contribution to the ISO/IEC SC27 WG5 body of work, extending the ISO/IEC 29100 privacy and security framework for more advanced trust applications.

The Notice Records generated from TPIs are designed to enable operational 'online' transparency, guided by the use of the controls in ISO/IEC 29184 Online Privacy Notices and Consent and evidenced with anchored notices and mirrored (digitally twinned) notice consent receipts [ISO/IEC 29184, Appendix B], which can be generated from a TPI record.

Why was this specification written?

Currently, there is no standard (digital) way to see who is monitoring, tracking and surveilling personal data and digital identifiers. As a result, people are required to use external processes with regulation to access, control and monitor the processing of personal data. This second-order, public system is not dynamic, not reciprocal, and not systematically usable or meaningful for people. Meanwhile, service providers can monitor, disclose and copy personal data in real time, without individuals knowing, circumventing governance, people and society. This is referred to as surveillance capitalism.

This is a significant issue humankind faces, as it enables people to be manipulated, provides for weak security, enables mis-information, and produces a prevailing lack of accountability for all stakeholders, even the PII Principal.

Why Transparency Performance Indicators?

TPIs provide a way to quickly see if digital privacy or security measures are in place in line with the human, legal and analogue requirements the Individual can understand and expect.

They are designed from legal and social research gained through the implementation and capture of records for legal proof of notice, and of receipts used to provide evidence of notice in digital surveillance and consent contexts.

TPIs capture the corresponding digital representations of physical / human requirements for digital transparency and, when required, digital consent.

What should you expect to find in this document?

Transparency Performance Indicators are a way for all stakeholders to measure the performance of digital transparency, digital privacy and digital consent.

TPIs provide a human- and consent-centric digital privacy transparency framework that people can use to see and understand who controls their personal information and identity, and how.

of online services, measuring self-asserted identifiers, attributes and meta-data in terms of how dynamic their performance is against well-known requirements, for people, not service providers, to assess trustworthiness according to Sovereign reasoning. (ref)

TPI 1 - Measuring the Timing of Notice: This TPI captures when the Controller's legal entity digital identifiers and accountable Privacy Officer are notified: before, just in time, at the time of, or after personal data is captured. It records whether dynamic transparency is systematically provided before data is captured and processed, or not, providing a way for an individual to assess whether they can trust a service.

Note: This is the most common legislated privacy element in the world, required in all privacy legislation and instruments. (ISTPA 2007)

TPI 2 - Measures what required Notice Meta-Data is present

TPI 3 - Measures the accessibility of the required information/attributes captured in TPI 2 in a digital context. For example, is the information presented in a pop-up notice, or is it necessary to click a link, e.g. to a standard transparency / privacy policy (where it is known that only 3% of users go to secondary links)? Is it at the bottom of a multi-screen display, or at the top of the first screen?

TPI 4 - Measures the security information performance and integrity of a session. For example, does the SSL certificate's Organization field and location match the Controller legal entity information?

The capture is with an ANCR Notice Record; the record is captured using the ISO/IEC 29100 Security and Privacy (international) framework. What is captured can be compared against the ISO/IEC 29184 Online privacy notice and consent receipt standard format, controls and conditions to demonstrate conformance, and is mapped to CoE 108+ and the GDPR in the Notice Record Framework.

TPIs are generated through the capture of a notice and its assessment for: the time of notice presentation in relation to first data capture (1), the contents of the notification (2), the accessibility of the notice for use (3), and the digital trust/security of the notice (4). All of these are required for digital privacy interoperability utilizing a standard concentric notice transparency framework, whereby proof of notice and evidence of consent are required for permissions to process and disclose personal and identifying digital identifiers.

These (aforementioned four) transparency performance indicators (TPIs) are used together to automate a digital privacy transparency performance baseline. The notice records created through interaction with standardized online notifications demonstrate next-generation digital privacy.

The indicators and associated report utilize a standard information structure, notice and consent record format, and controls for digital privacy rules and regulations and their performance measurement.

Transparency Performance Indicators

There are 4 TPIs that are used to assess public service data at assurance level 0 (self-asserted) of the 4 privacy assurance levels identified in the ANCR Framework. (ref)

These 4 indicators are bundled together as an analogue assessment type, which people can do quickly to understand the transparency state, and which can then be used to measure how dynamic the performance of transparency is, for higher interoperability assurance levels.

  1. TPI for when Notice is Provided vs when data is collected

  2. TPI for transparency over required PII Controller digital identity and privacy access contact point

  3. TPI for how accessible the transparency is (transparency of digital transparency)

  4. TPI for digital privacy security verification

The first TPI captures whether a PII Principal is notified before data is collected; the 2nd and 3rd TPIs measure the transparency of the 'provided' PII Controller Identity information.

This is required to measure how accessible the PII Controller Identity and privacy information is, before or at the time of data processing, which is a condition of governance adequacy and privacy compliance for all digital identifier-based processing activities used to develop data profiles. An ANCR Record of data processing activity in this way provides evidence to demonstrate security and privacy compliance.

Once the capacity for the active state of digital privacy is ascertained, the fourth performance indicator is used to verify the cybersecurity certificate (or token key) to see if the security matches digital privacy information.

TPI 1: Timing of Notice vs Data Collection Transparency

TPI 1 requires monitoring the technical end point to see if PII is captured in relation to when a notice is provided. This measures the notice's regulatory performance against legal and human usability requirements.

TPI 2: PII Controller: Required PII Controller Data Transparency

Assess whether the required information for transparency over who is in control of the notice is 'provided'.

The MUST fields identify elements that are required in legislation and that MUST be present.

TPI 3: Transparency Accessibility

How accessible is the PII Controller and Privacy Contact information?

For example, in the context of a website or a mobile device, how difficult was it to access the 'provided' information? How many clicks, or screens, away is the required information?

TPI 3 Example - Accessibility Measurement Rating

This transparency accessibility rating score of [+1, 0, -1 or -3] reflects the number of steps, screens, or clicks required to find the 'provided' information within a mobile application or webpage providing the client user interface.

Transparency Accessibility Rating description table 2


Rating | Description | Instruction
+1 | Controller identity is embedded as a credential linked to authoritative registries. | PII Controller credential is displayed, using a standard format with machine-readable language and linked, for example, in an http header in a browser
0 | PII Controller Identity prominently displayed on first view – prior to processing first page of viewing, the assessment question would be | PII Controller Identity or credential is provided in first notice
-1 | Privacy signal is not first presented – but is linked and one click and screen away | The Controller Identity, or screen with the Controller Identity, is one screen and click away. For example, the privacy policy link in the footer of a webpage
-3 | Identity or credential is two or more screens of view away | PII Controller Identity is not accessible enough to be considered 'provided'
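The TPI 2 presence check and the TPI 3 accessibility rating above, as an added example that is not part of the ANCR specification; the record field names follow Table 2, while the record layout, the `steps_to_identity` / `credential_in_http_header` keys and the sample values are constructed assumptions.

```python
# Added example (not from the ANCR spec): score TPI 2 (required notice fields
# present) and TPI 3 (accessibility) for one captured notice. Field names follow
# Table 2 of the page; the record layout and sample values are constructed.

TPI2_MUST_FIELDS = ("notice_location", "pii_controller_name", "pii_controller_address",
                    "privacy_contact_point", "privacy_contact_method")

def tpi2_missing_fields(record):
    """TPI 2: the MUST fields that are absent or empty in the notice record."""
    return [field for field in TPI2_MUST_FIELDS if not record.get(field)]

def tpi3_accessibility_rating(steps_away, embedded_credential=False):
    """TPI 3 rating from the Accessibility Measurement table.

    +1  controller credential embedded in machine-readable form (e.g. HTTP header)
     0  controller identity shown on the first view, before processing
    -1  identity one click / screen away (e.g. footer privacy policy link)
    -3  identity two or more screens away: not 'provided'
    """
    if embedded_credential:
        return 1
    if steps_away <= 0:
        return 0
    if steps_away == 1:
        return -1
    return -3

def score_notice(record):
    """Combine TPI 2 and TPI 3 into one small report for a captured notice."""
    return {
        "tpi2_missing": tpi2_missing_fields(record),
        "tpi3_rating": tpi3_accessibility_rating(
            record.get("steps_to_identity", 99), record.get("credential_in_http_header", False)),
    }

# Constructed sample: a web notice whose controller identity sits behind one
# footer "Privacy" link and which lists no privacy contact method.
SAMPLE_NOTICE = {
    "notice_location": "https://example.test/",          # hypothetical site
    "pii_controller_name": "Example Controller Ltd",
    "pii_controller_address": "1 Sample Street, Sample City",
    "privacy_contact_point": "https://example.test/privacy",
    "privacy_contact_method": "",                         # MUST field left empty
    "steps_to_identity": 1,
    "credential_in_http_header": False,
}

if __name__ == "__main__":
    print(score_notice(SAMPLE_NOTICE))
```

For the sample record the report lists `privacy_contact_method` as the missing MUST field and rates accessibility -1, the footer-link case from the table.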

TPI 4: Certificate (and/or Key) Security Transparency

This security performance indicator requires that the notice record session certificate is collected and used to check whether the PII Controller Identity information is the same as, or linked to, the controlling entity in the associated security certificate. For example, does the SSL (Secure Sockets Layer) certificate identify the Controller, and is it secured for the DNS and localization expectation and corresponding jurisdictional information (a ZPN-required digital security for privacy measure to implement international governance interoperability with legal adequacy with eConsent)?

Certificate status and transparency performance are used to establish session security prior to the collection, use and processing of PII. The security TPI is used to measure the certificate and/or cryptographic keys for a specified organizational unit to corroborate and validate the PII Controller's digital integrity.
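The TPI 4 comparison of the session certificate with the captured PII Controller identity, as an added example that is not part of the ANCR specification; it assumes the certificate is available in the dictionary shape Python's `ssl` `getpeercert()` returns, and the certificate subject, controller record and `jurisdiction` key are constructed.

```python
# Added example (not from the ANCR spec): the TPI 4 check, comparing the session
# certificate's subject with the PII Controller identity captured in the notice.
# The certificate dict uses the shape returned by Python's ssl getpeercert();
# the certificate and controller values below are constructed, not real.
from urllib.parse import urlsplit

def _subject_fields(peercert):
    """Flatten getpeercert()'s 'subject' RDN tuples into {attribute: value}."""
    fields = {}
    for rdn in peercert.get("subject", ()):
        for name, value in rdn:
            fields[name] = value
    return fields

def _same(a, b):
    """Case- and whitespace-insensitive comparison of two identity strings."""
    return " ".join((a or "").lower().split()) == " ".join((b or "").lower().split())

def tpi4_certificate_transparency(peercert, controller):
    """TPI 4 columns from Table 2: CN match, OU/Organization match, jurisdiction match.
    Rating follows the table: 1 when a certificate is present, -3 when no security
    is detected; mismatches are reported as flags for the report."""
    if not peercert:
        return {"rating": -3, "status": "No Security Detected",
                "cn_match": False, "ou_match": False, "jurisdiction_match": False}
    subject = _subject_fields(peercert)
    host = urlsplit(controller["notice_location"]).hostname
    org = subject.get("organizationName") or subject.get("organizationalUnitName")
    return {
        "rating": 1,
        "status": "Present",
        # CN of a server certificate names the host the notice was read on
        "cn_match": _same(subject.get("commonName"), host),
        # Organization / OU should name the PII Controller legal entity
        "ou_match": _same(org, controller["pii_controller_name"]),
        # countryName should match the controller's stated jurisdiction (optional)
        "jurisdiction_match": _same(subject.get("countryName"), controller.get("jurisdiction")),
    }

# Constructed sample certificate subject and controller identity (hypothetical).
SAMPLE_CERT = {"subject": ((("countryName", "CA"),),
                           (("organizationName", "Example Controller Ltd"),),
                           (("commonName", "example.test"),))}
SAMPLE_CONTROLLER = {"notice_location": "https://example.test/privacy",
                     "pii_controller_name": "Example Controller Ltd",
                     "jurisdiction": "CA"}
```

A domain-validated certificate carries no organizationName, so `ou_match` is False for it even though the session is encrypted; that gap between session security and controller identity is what TPI 4 is meant to surface.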

Table 2 : Notice Record TPI Report

Field Name | Field Description | Requirement: Must / Shall / May | TPI 1: Available / Not Available | TPI 2: Rate +1, 0, -1, -3 | TPI 3 Certificate or Key: CN-Matches / OU – Match / Jurisdiction – Match (optional)
Notice Location | Location the notice was read/observed | MUST | Present | +1 | found
PII Controller Name | Name of presented organization | MUST | Present | 0 | Match
PII Controller Address | Physical organization Address | MUST | Present | 0 | Not match
Privacy Contact Point | Location/address of Contact Point | MUST | Present | 1 | Not match
Privacy Contact Method | Contact method for correspondence with PII Controller | MUST | Present | -1 | No Match
Session key or Certificate | A certificate for monitored practice | MUST | Present (or Not-found) | 1 (or -3) | Present (or No Security Detected)

1. Lizar, M., Pandit, H., Jesus, V., "Privacy as Expected: Consent Gateway", Next Generation Internet (NGI) Grant [accessed July 4], privacy-as-expected.org/
