10 min. | Government-issued Digital Credentials and the Privacy Landscape - whitepaper | @Heather Flanagan (Unlicensed) | The Government-Issued Digital Credentials and the Privacy Landscape whitepaper starts its public comment period today. The comment period closes on April 24. |
45 min. | Draft Report | @John Wunderlich | Question of “implied consent” in the Draft report: Google doc This is a very difficult topic that is used in various ways in different jurisdiction. We need to be clear as to what definition we’re using in this paper. Is this defined in any international standards? Not so far as anyone on the call knows. It is, however, regularly used operationally. Are we talking about implied consent, or implied notice? Perhaps consent must be intentional; implied consent is logically an implied notice. Circle of care is an example where submitting/requesting health care is consent and implied notice exists. Maybe it would make more sense to talk about this re: PEMC as consent requires intentionality on the part of the person who is providing the consent; that intentionality can be drawn from an explicit action or the context drawn from an implied notice. There is sufficient understanding relative to the risk. GDPR-style: An entity that’s processing the info about a person has to have the authority to do that; one authority is consent. The authorities aren’t in priority order; none is more superior than another. It can also come from more than one place. If you have multiple sources, you have to decide what to do if one contradicts another. Does one supercede another? This implies the hierarchy we wanted to avoid. If the person says no and the processing happens anyway, then that makes consent irrelevant because it is not respected.
In the definition table, we recognize the phrase is used in places, but we are not going to use it and instead stick with the more formal notice and consent. Unclear how this might impact notaries. For government use cases, there is a lot of informing going on. For commercial wallets/credentials, there is some level of user consent that will be recorded (maybe one-time, or every time). Re: how the verifier does their job, it will come down to how we define implied consent. If we can have just one definition of consent (vs implied vs explicit) would make life easier and be less open to interpretation.
Purpose Legitimacy and Specification Updated with revised text Can we be more clear about definition of terms and exactly how verification will happen? What does it mean for something to be valid or validated? How is the space defined as “safe”? Definition, yes, but exactly how verification/validation will happen is a bit more tricky. The technical description of how verification/validation will happen needs to be specified in the the technical specifications themselves. We do want to do something to make sure that entities are following the right guidance and possibly signals what they’re doing or that they’ve been certified as doing it correctly (e.g., the “blue check”).
Will pick up at Purpose Limitation again next week to wrap up the language.
|