Skip to end of metadata
  • Created by Former user (Deleted), last modified on Sept 20, 2018
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

Date

2018-09-20

Status of Minutes

DRAFT

Approved at: <<Insert link to minutes showing approval>>

Attendees

Voting

Non-Voting

  • Derek Munneke
  • David Turner
  • Marvin van Wingerde

Regrets

  •  

Quorum Status


Meeting was <<<>>> quorate


Voting participants


Participant Roster (2016) - Quorum is 5 of 9 as of 2018-07-12

Iain Henderson, Mary Hodder, Harri Honko, Mark Lizar, Jim Pasquale, John Wunderlich, Andrew Hughes, Oscar Santolalla, Richard Gomer

Discussion Items

Time

Item

Who

Notes

4 mins
  • Roll call
  • Agenda bashing
Former user (Deleted)
5 min
  • Organization updates
All

Please review these blogs offline for current status on Kantara and all the DG/WG:

There is a new wiki page that will hold all the known implementations of Consent Receipts - Please update the page or inform Andrew of your implementation.

Planning a Member Plenary meeting October 26-ish San Francisco (Friday after IIW)

  • Are there specific cross-group items you'd like to propose to work on?
30 minInteroperable Consent Receipt roadmap ideasAll

See the data flow sketch that Andrew circulated by email

0 min

Permissions v User Consent discussion

notes from From 2018-09-13 call

All

Proposal:

Permission = Authorization to act

Data Permissions = the functional actions that are allowed on information (database: Create, Read, Update, Delete; communications: Copy, Transmit, Store; data flow: Collect, Use, Disclose) or resources.

User Consent = Voluntary agreement by the person to take an action. GDPR includes 'unambiguous'

  • So, a system might be authorized to act on personal data with or without a user's agreement. A person may grant permission or authorize a system to act on personal data.

Questions:

  • Is an OAuth 'consent' / 'authorization' / 'permission' dialog box truly 'user consent'?
    • If it is not 'user consent' then why not?
    • So: the process of obtaining agreement from the user in the OAuth dialog box is "User Consent". What the user has agreed that you can do with their resources is "authorization" in the sense that they give you 'permission' to take actions.
  • How does this apply to Collection, Use and Disclosure of information? (these are the data flow words)
  • To tease out the usable definition of 'authorization': What is the difference between Authorization and Access Control? (data & systems-context)
    • Authorization is the granted right to proceed (a.k.a 'permission')
    • Access control is the functional actions that are allowed

Alternative proposal:

  • Permission is a general authorization to act. Authorization may be granted by actors that are not the data subject.
  • Consent is a specific agreement to act in a limited case.

Note:

  • Permission / authorization as a verb can be granted through an act of user consent.

Another proposal:

  • Should the terms should be Authorization and User consent
5 minW3C workshop on User Consent and Permissions September 26, 2018Andrewhttps://www.w3.org/Privacy/permissions-ws-2018/schedule.html
5 minAdding feature requests to next version of spec familyAll

AOB


Next meeting

2018-09-27 Same time same number (Andrew not available next 2 weeks)



 


  • No labels