Skip to end of metadata
Go to start of metadata

You are viewing an old version of this content. View the current version.

Compare with Current View Version History

« Previous Version 7 Next »

Transparency Performance Reporting (TPR) is a novel approach to digital transparency and data control reporting and has just been submitted as a Kantara Recommendation for public comment by the Anchored Notice and Consent Receipts (ANCR) Work Group. The TPR uses 4 transparency performance measures (TPIs) to measure the transparency of the PII Controller notice of risk to the personal data of the PII Principal. This represents a significant advancement for decentralizing digital identification and data surveillance governance within data flows.

The ANCR transparency and consent work has a 'bottom-up' history, originating as the Notice and Consent Receipt brought to Kantara in 2013 by the Open Notice Initiative. It stemmed from the Identity Commons in California just before that, an initiative aimed to create standards addressing “the Biggest Lie on the Internet”. In 2019 Kantara published the Consent Receipt v1.1 specification, which in 2020 was drafted into ISO/IEC 29184:2020 Online privacy notice and consent, under JTC 1, SC 27, WG 5 – the ISO work group focused on privacy and identity management. The notice and consent receipt schema itself has also now evolved into the ISO/IEC technical standard 27560 Consent record information structure, which has been made open (free).

Transparency performance reporting clarifies when a notice and consent receipt is required and its validity.

The initial Transparency Performance Report is focused on evaluating the validity, security, sovereignty, and accountability of digital consent. It is a tool to expose dark patterns and secret surveillance. It builds on the consent receipt specification by adding standardized transparency with regards to the sovereignty of data and consent and its validity in conjunction with digital identification systems.

The four TPIs used in reporting measure:

  1. Timing of notice

    1. Regarding the initiation of surveillance

  2. Content of notice

    1. PII Controller required disclosures (.. Controller Record)

    2. PII Controller Reverse Cookie (could be captured in a receipt and record for the PII Principal)

      1. Who, where, what, why, how, when

  3. Access and usefulness of notice

    1. Taste of the Cookie

      1. How good were the answers including their veracity to the above

  4. Sovereignty of authority and security

    1. Jurisdictions (Legal) of Principal and Controller

    2. Cryptographic (Technical)

    3. Linked by policy (objects)

This TPR was developed through volunteer work over three years in the ANCR workgroup represents a significant step towards addressing big-tech surveillance and tracking, and promotes the glass-box Commonwealth security and privacy legal standards.

The TPR document includes mapping to privacy frameworks including Convention 108+, that creates a global (2.5 billion people) rule set for security and privacy, that is rights, law, and commons based. This technical record foundation is suitable for a common set of rules allowing people to have their own authoritative records of digital identification relationships.

Records of processing activities (GDPR Article 30) that enable services to be accountable to international (internet) standards for data governance.

  • No labels