Disposition of Comments: PICPR20241010
Document or Set Title: Recommendations for Privacy Enhancing Mobile Credentials v.1
Document Status: Group Approved Draft Recommendation
Originating Work Group: Privacy Enhancing Mobile Credentials (PEMC)
Comment Review Period Closing Dates: October 10 - November 23, 2024
Submitted to Leadership Council: pending comment period
Leadership Council Comments: N/A
Comment form for multiple comments:
Ref # | Page# | Line # | Comment Type: Editorial or Technical | Comment / Request | Proposed Edit / Change | WG Accepted |
---|---|---|---|---|---|---|
1. | 12 | 222-223 | Editorial or Technical | Include your comment | Recommend a change | WG lists their finding here |
1. | Section 2.2.4 |
| Editorial | Suggested addition of “For example, in most use cases, marketing should not be the sole or primary purpose for the collection of mobile credential data.” | Remove addition and refrain from referencing marketing/any other use case | Sentence deleted. |
2 | 9 |
|
| The diagram is a bit of a mess with the line numbers interfering with the graphic. | Line numbers removed from release version |
|
3 | 10 | 195 |
| Line 195, the use of the word “her” in the paragraph. In this day and age “him and her” are a questionable way to describe the human condition. | @John Wunderlich Will attempt to update before release to “their” |
|
4 | 11 | 204 |
| socio-technical, in other places this is one word. | Replaced socio-technical with sociotechnical throughout |
|
5 | 19 | 410 |
| missing a period at the end. | Fixed |
|
6 | 20 | 455 |
| The word “Current’ got my attention. Is it not possible that ‘old’ information (however old is defined), still accurate information, could still be relevant to parties interested in the information on the mDL and presented by the Holder for a specific purpose? (I suspect many minds brighter than mine already had this discussion and decided that “Current” was OK in this explanation. Oh well.) Line 480 also mentions “currency.” Something could be “accurate” but not “current.” The accurate ‘old’ information could still be relevant. (?) | Added this note: NOTE: For these requirements, “current” is not a measure of how old the information is. For example, a home address may be current if it has not changed in 10 years and is still the ‘current’ address. |
|
7 | 23 | 537 |
| I’m not too keen on using the word “downstream.” I know what it means and what ‘you’ are trying to say, but I’m not sure that its use in a technical paper is appropriate. I think it is a shortcut for perhaps a longer phrase that might better define what you are trying to say here. “Downstream” is a corporate term, but not widely used by the average person. (?) | Original: NOTE: Where Verifiers use Holder data for downstream purposes identified, whether or not this is identified in their Notice, the Verifiers should implement a system or a process to allow the Holder to understand what data has been processed. Changed: NOTE: Where Verifiers use Holder data for other purposes, whether or not this is identified in their Notice, the Verifiers should implement a system or a process to allow the Holder to understand what data has been processed. |
|
8 | 26 | 643 |
| I would insert “(PIA)” right after “A Privacy Impact Assessment”. In my property world our style is that when there is the first use of a term, as we have in this case, and subsequent use of the acronym, that the acronym is defined right after the first use of the full term. | (PIA) added |
|
9 | 28 |
|
| Should the “Note” in “Biometric” end with something like this: “…retina scans, or other features, or a combination of features.” ?? Are there cases, or will there be cases, when more than a singular biometric feature will be used to establish identity of a natural person? Seem possible to me, although I do not have a current example for you. | Updated to read: Note: Biometrics are treated throughout this document as inherently sensitive data, and can include facial images, fingerprints, retina scans, or other features or combinations of features. |
|
10 | 30 |
|
| “Holder” then “Note”, I was taught by a bright lawyer I know that “and/or” is poor form and lazy use of language. On the other hand I am not offering a ‘correction.’ I’ll leave that up to the group. | Updated note reads: Note: Delegates are handled elsewhere in this document. In those cases, the delegate may ‘hold’ the device or use the app on behalf of the natural person. |
|
11 | 30 |
|
| “Identity proofing. Why the three dots … before “This is the process…” ? And to be consistent, the word “proofing” in the “Term” column should be in capitalized. | No change. The ellipsis indicates that the words following are a continuation of the text from the source. |
|
12 | 30 |
|
| “Identity Provider” Does the “AKA” here stand for the usual “also known as”? And I assume “SP” Stands for “Service Provider.” ? And, is it proper to keep the little footnote number at the end of the definition when there is no footnote shown on this page? | Removed the footnote number, but left the rest unchanged as a quote from the indicated source. |
|
13 | 31 |
|
| I think to be consistent with your style that “Mobile Driver’s License” should have a cap “D” and “L”. And I have a question about the AAMVA definition. I have concern, maybe a question, about the word “same.” Is it not possible, even likely, that there will be or could be a ton more data on an mDL than on a ‘plastic’ driver’s license? | Changed Mobile driver’s license to mobile Drivers’s License. The rest is unchanged and can be discussed by the group.
|
|
14 | 32 |
|
| Cap issue with the Term “Operational Circumstances”. Same for the “Personal Information” below. | Changed to Title Case |
|
15 | 33 |
|
| Relying Party.” Here you use “IDP” but on page 30 you use “IdP”. I think you need a lower case “d’” here. | Unchanged. This was from the source IDPro Body of Knowledge. Agree not completely user friendly. |
|
16 | 34 |
|
| OK, I know what “GDPR” is. But much of the world does not. As this is first use in this paper, you should spell it out. | Done |
|
17 | 34 |
|
| Under “Term” “Design should be a cap “D”. | Fixed |
|
18 | 35 |
|
| “and/or” shows up again. | Fixed |
|
19 | 36 |
|
| Line 679 Missing a period at the end?? | Fixed |
|
20 | 37 |
|
| Line 694. I would remove the word “written.” A sign is a sign, written or electronic. | Changed |
|
21 | 37 |
|
| Line 697 Missing a period at the end?? | Fixed |
|
22 | 6 | 109 |
| An individual's privacy is protected when compensating controls implemented by the recipient protects the individual's data, not when the controls may protect the individual's data. | No change - to discuss |
|
23 | 6 | 113 |
| This wording includes transactions that are not in person at all. Strike "primarily". | Deleted |
|
24 | 10 | 196 |
| There is only one triangle. | No change - the inner triangle is Issuer, App, and Reader components; and the outer triange are the Issuer, Verifier, and Holder organisations/individuals. “The distinction between the two triangles is between electronic connections between components and relationship connections between individuals and organisations.” added |
|
25 | 10 | 200 |
| There is only one triangle. | No change - the inner triangle is Issuer, App, and Reader components; and the outer triange are the Issuer, Verifier, and Holder organisations/individuals. “The distinction between the two triangles is between electronic connections between components and relationship connections between individuals and organisations.” added |
|
26 | 14 | 266 |
| "...at... the Holder presents..." does not read right. | In some operational contexts, the presentation of the credential is the consent action. |
|
27 | 14 | 282 |
| Hard to follow this sentence. Possible alternative: The Issuer shall ensure that the Mobile Credential app into which it provisions allows the Holder to share data elements selectively. |
|
|
28 | 14 | 289 |
| Consent to present/share is not the same as selective release. Consent to present/share does not imply selective release. It is not clear how the note relates to the requirement. |
|
|
29 | 15 | 30 |
| If a Verifier or Issuer is not a system developer, this requirement as worded does not apply to a Verifier or Issuer. What is the requirement on a Verifier or Issuer (to which an auditor can hold them)? | No change: It is the case that Systems Developers working on systems to be used by Providers and Developers can set the defaults for the systems which can be changed as part of the implementation. What this requirement means is that the Issuers or Verifiers who want to change the defaults as part of their implemention need to document the reasons. |
|
30 | 16 | 331 |
| Just "Providers"? Is a wallet provider something different from a provider? | “Wallet” deleted |
|
31 | 16 | 333 |
| The Provider shall communicate all the data use information received from the Verifier. Requirements for what a Verifier must communicate must be addressed separately (and elsewhere). |
|
|
32 | 17 | 343 |
| not engage? Refrain from could be interpreted as leaving some wiggle room. | It is ‘shall refrain’ No wiggle room in my view. |
|
33 | 17 | 346 |
| This is not regarded as...? | Cooperation for the purpose of reasonable business risk mitigation is not necessarily a collusive practice. |
|
34 | 17 | 352 |
| This appears to be at odds with the requirement. It implies that it would be possible to use legitimacy to normalize unacceptable business processes. |
|
|
35 | 17 | 357 |
| What reason would there be for verifiers to not follow regulators’ guidance (unless the guidance allows deviation, in which case that would still be guidance)? What will we lose if this sentence is deleted? |
|
|
36 | 17 | 359 |
| This means that there is no requirement on Issuers or Verifiers. Is this correct? |
|
|
37 | 17 | 362 |
| Does this mean that Providers and Vendors should not develop training by themselves? Who are the trusted governance authorities? |
|
|
38 | 18 | 388 |
| System developers, including Providers and Vendors |
|
|
39 | 18 | 389 |
| indirectly from other sources As worded now, a system that includes personal information of a Holder where the information was sourced exclusively from sources other than what was provided directly (via a Mobile Credential) by the Holder are subject to this requirement. This would make an airline reservation system that has nothing to do with a Mobile Credential subject to this requirement. I surmise that we do not want to do that. |
|
|
40 | 19 | 412 |
| System developers, including Providers and Vendors |
|
|
41 | 20 | 449 |
| System developers, including Providers and Vendors |
|
|
42 | 21 | 470 |
| It is not clear to me what this means. |
|
|
43 | 22 | 500 |
| Holder? | Changed |
|
44 | 22 | 500 |
| access and request |
|
|
45 | 22 | 507 |
| System developers, including Providers and Vendors |
|
|
46 | 22 | 509 |
| access their information in the system |
|
|
47 | 22 | 510 |
| means | Changed |
|
48 | 22 | 510 |
| aware of the system's operation Providers and Verifiers shall set defaults in their systems that ensure that the Holder is being informed of the system's operation. |
|
|
49 | 22 | 523 |
| correct, amend, or delete their data where it is inaccurate |
|
|
50 | 22 | 524 |
| data controllers and individuals |
|
|
51 | 23 | 530 |
| Credentials shall be made available to all Holders with rights granted by the Issuer |
|
|
52 | 23 | 535 |
| participate in decisions |
|
|
53 | 23 | 537 |
| purposes identified, whether or not this is identified in their Notice |
|
|
54 | 23 | 539 |
| understand |
|
|
55 | 23 | 541 |
| shall |
|
|
56 | 23 | 541 |
| granted |
|
|
57 | 23 | 544 |
| System developers, including Providers and Vendors |
|
|
58 | 24 | 579 |
| Where law requires |
|
|
59 | 24 | 582 |
| System developers, including Providers and Vendors |
|
|
60 | 26 | 626 |
| System developers, including Providers and Vendors |
|
|
61 | 26 | 635 |
| regulatory |
|
|
62 | 26 | 643 |
| A Privacy Impact Assessment shall be conducted for any system that processes Mobile Credential data. The first Note is not sufficient grounds for an auditor to require anyone to do a PIA. |
|
|
63 | 26 | 652 |
| privacy compliance for regulators where requested |
|
|
64 | 27 | 657 |
| No requirement on Verifiers? |
|
|
65 | 6 |
|
| has created a set of
|
|
|
66 | 6 |
|
| (also referred to as “Holders”) replace with: "These individuals who use mobile identity credentials such as mobile Driving Licenses (mDL) are also known as "Holders". " |
|
|
67 | 6 |
|
| — primarily Replace with; "The good practices apply primarily to in-person transactions and transactions with an in-person component." |
|
|
68 | 6 |
|
| principle’
| Replaced |
|
69 | 6 |
|
| The stakeholders and their Delete sentence - it is not relevant to the topic of the introduction (it is about the structure of the report) |
|
|
70 | 7 |
|
| will be helpful to
| Replaced |
|
71 | 7 |
|
| Kantara Mobile |
|
|
72 | 7 |
|
| etc |
|
|
73 | 8 |
|
| etc
|
|
|
74 | 8 |
|
| For this report, a mobile version of the credential is a machine-readable1 digital
|
|
|
75 | 8 |
|
| provision a
|
|
|
76 | 8 |
|
| Requirements on Issuers should be read to apply to Vendors to Issuers
|
|
|
77 | 8 |
|
| Holder: The Holder is the natural person2 whose attributes are contained in a Mobile Is it clear that this report only covers credentials on the person's device that pertain to the holder? Obviously there could be credentials for other subjects present - it's ok to constrain the scope... |
|
|
78 | 8 |
|
| Verifier: The Verifier of the Mobile Credential is the organization that receives the Mobile
|
|
|
79 | 8 |
|
| depend on their Providers
|
|
|
80 | 8 |
|
| Sometimes, the Provider and the Vendor in a transaction may be the same
|
|
|
81 | 9 |
|
| The primary relationship between the key actors is shown in the following diagram Not sure whether this figure is useful or not. If it is used, then the prior list should be separated into 'key' and 'not key' actors otherwise the reader wonders what makes these particular actors 'key'. |
|
|
82 | 9 |
|
| The Issuer ‘provisions’ the Holder with a Mobile This text is slightly different than the descriptions above - should be the same/aligned. |
|
|
83 | 10 |
|
| Respecting privacy in a Mobile Credential ecosystem is a sociotechnical problem3 that requires
|
|
|
84 | 10 |
|
| The figure above
|
|
|
85 | 12 |
|
| The following are derived from
|
|
|
86 | 12 |
|
| taken into consideration to respect the privacy of individuals. We recognize that each requirement
|
|
|
87 | 12 |
|
| NOTE: Most data protection or privacy regulations are designed to apply to processing personal Not sure I like this note... the sentences don't really hang together - first talks about regulations, power imbalance. Then says that individual autonomy has only one or two components. Then says that "considerations" compensate for a new thing: "digital autonomy" - and that these considerations have a profound effect on data processing (they do not - the orgs implementing them probably have more) |
|
|
88 | 12 |
|
| The convention in this report is that the requirement is a
|
|
|
89 | 12 |
|
| We plan to establish a certification process to enable stakeholders to make claims about their
|
|
|
90 | 12 |
|
| NOTE: Where implementing a particular requirement or part of a requirement violates local This statement should be deleted. Implementers must always be lawful - it does not matter what this document says to do or not do. |
|
|
91 | 13 |
|
| only processes
|
|
|
92 | 13 |
|
| unless otherwise required by law see prior comment about reference to legal applicability |
|
|
93 | 13 |
|
| two elements to consider here
|
|
|
94 | 13 |
|
| Providers
|
|
|
95 | 13 |
|
| Where processing Mobile Credential data is required by law, consent should not be sought as the
|
|
|
96 | 13 |
|
| NOTE: In some use cases, the cognitive overload on Holders (i.e., being incessantly asked for
|
|
|
97 | 13 |
|
| NOTE: What can be used as consent for processing will vary between jurisdictions. We use ‘valid
|
|
|
98 | 14 |
|
| consent may be inferred is this really true? |
|
|
99 | 14 |
|
| For Can you use a better example? this one is very incomplete... a good public notice would have more information than what is in this text. |
|
|
100 | 14 |
|
| NOTE: In some use cases, the possibility of a coerced presentation exists, and Implementers are
|
|
|
101 | 14 |
|
| NOTE: This is one of three requirements related to selective data release.
|
|
|
102 | 14 |
|
| NOTE: Selective data release capability does not warrant the Verifier limiting the data request.
|
|
|
103 | 14 |
|
| NOTE: Holders’ selective release is provided in person by the Holder choosing to present their
|
|
|
104 | 15 |
|
| NOTE: Providers and Vendors should provide documentation or training for their systems to
|
|
|
105 | 15 |
|
| NOTE: Where Issuers or Verifiers opt to install systems based on opt-out consent or where consent
|
|
|
106 | 16 |
|
| The purpose should be legitimate – i.e. it
|
|
|
107 | 16 |
|
| Such data must only be processed where there is a specific
|
|
|
108 | 16 |
|
| or confidential
|
|
|
109 | 16 |
|
| the purpose for which that Mobile Credential was This is confusing - is it a requirement? I'm not quite certain what is trying to be said... |
|
|
110 | 16 |
|
| kinds of data Pedantic: are we dealing with data or information - the text seems to use the terms interchangeably. |
|
|
111 | 16 |
|
| legal requirement
|
|
|
112 | 16 |
|
| reasonable business purpose duplicated paragraph |
|
|
113 | 16 |
|
| reasonable
Secondary information uses in this example are often for convenience - if evidence is requested then a convenient tamper-resistant piece of evidence is an ID Card. Or, the government-issued ID evidence must be produced on demand as stated in statues (which means it doesn't count as 'reasonable' in your description) |
|
|
114 | 16 |
|
| legally specified
|
|
|
115 | 16 |
|
| NOTE: To inform Holders of a Verifier's retention policy and the data requested, the Provider should Is this not simply the "privacy notice"? |
|
|
116 | 17 |
|
| regulatory capture
|
|
|
117 | 17 |
|
| NOTE: Stakeholders often cooperate or share data to prevent fraud or identity theft. We do not Again - this note pertains to authorization to process - if collusion can never be an authorized processing, then say that instead of this. |
|
|
118 | 17 |
|
| NOTE: ‘Legitimacy’ is determined in the context of the relevant regulations or the Holder's view. Not really - 'legitimacy' is related to authorization and permission - if the holder believes that even though the verifier is authorized to collect data for some purpose, the processing is unwanted/unwelcome, then the processing is still 'legitimate' but will be declined or whatever. |
|
|
119 | 17 |
|
| NOTE: Where regulators understand ‘legitimate purpose’ as a legal basis for processing, they will This seems to be a different sense of the term 'legitimate' than used previously. I don't think the concept of 'legal basis' has been described yet in this document. |
|
|
120 | 17 |
|
| trusted governance authorities
|
|
|
121 | 17 |
|
| Any such data should be obtained by lawful and fair means and, where possible, with This seems to be a better way to talk about consent. |
|
|
122 | 18 |
|
| NOTE: Verifiers only request the strictly necessary personal information to provide the services
|
|
|
123 | 18 |
|
| NOTE: To avoid excessive data collection, the Verifiers' requested data fields should be mapped to Is this implementation detail necessary? Are there other ways to avoid excessive data collection that are equally valid? |
|
|
124 | 18 |
|
| necessary for
|
|
|
125 | 18 |
|
| stated
|
|
|
126 | 18 |
|
| Regular reviews should be conducted to ensure that the data held is
|
|
|
127 | 18 |
|
| unnecessary
|
|
|
128 | 19 |
|
| NOTE: Verifiers should only combine presented data to identify the user or establish patterns if the Why not say 'unless re-identification is a stated purpose' instead of hanging it all on 'consent'. dark patterns etc. |
|
|
129 | 19 |
|
| NOTE: The minimum personal information necessary may include metadata or other elements
|
|
|
130 | 19 |
|
| NOTE: Verifiers should not store personal information unless the Holder has consented to a
|
|
|
131 | 20 |
|
| NOTE: Many systems generate audit trails, which may contain personal information. Those audit why not require that PII is segregated from operational data/logs to avoid unwanted exposure? PII is PII - doesn't matter what form or location. So this is interresting information but should have no additional protective effect on well designed systems. |
|
|
132 | 20 |
|
| NOTE: Verifiers may include the retention period as part of their consent request. this note is simply a restatement of the requirement. delete |
|
|
133 | 20 |
|
| NOTE: Verifiers should communicate to the Holder the retention period for personal information or this note is simply a restatement of the requirement. delete |
|
|
134 | 20 |
|
| Accuracy is the foundation of a quality management system are you implying that mobile credential systems should implement quality management systems as well? |
|
|
135 | 21 |
|
| what they know about Holders perhaps state this as "what information they have about Holders" |
|
|
136 | 22 |
|
| guarantee
|
|
|
137 | 22 |
|
| NOTE: Open in this context should mean that the Holder is aware of the system's operation.
|
|
|
138 | 23 |
|
| NOTE: Processes and systems should be designed to accept and process individuals' requests for
|
|
|
139 | 23 |
|
| and participate in decisions about
|
|
|
140 | 23 |
|
| NOTE: Where Verifiers use Holder data for downstream purposes identified, whether or not this is
|
|
|
141 | 23 |
|
| NOTE: Where a person requests access to records held by the Verifier, access to Mobile Credential
|
|
|
142 | 23 |
|
| data protection principles
|
|
|
143 | 23 |
|
| Organizations shall
|
|
|
144 | 24 |
|
| Verifiers shall identify themselves with the Holder with enough details about the transaction to help
|
|
|
145 | 24 |
|
| Where law requires, Verifiers shall maintain appropriate registries with the minimum required data
|
|
|
146 | 25 |
|
| All identifying data shall be transacted through encrypted channels. To protect the confidentiality
|
|
|
147 | 28 |
|
| Terminology
|
|
|
148 |
|
|
|
|
|
|
149 |
|
|
|
|
|
|
150 |
|
|
|
|
|
|
151 |
|
|
|
|
|
|
152 |
|
|
|
|
|
|
153 |
|
|
|
|
|
|
154 |
|
|
|
|
|
|
155 |
|
|
|
|
|
|
156 |
|
|
|
|
|
|
157 |
|
|
|
|
|
|
158 |
|
|
|
|
|
|
159 |
|
|
|
|
|
|
160 |
|
|
|
|
|
|
161 |
|
|
|
|
|
|
162 |
|
|
|
|
|
|
163 |
|
|
|
|
|
|
164 |
|
|
|
|
|
|
165 |
|
|
|
|
|
|
166 |
|
|
|
|
|
|
167 |
|
|
|
|
|
|
168 |
|
|
|
|
|
|
169 |
|
|
|
|
|
|
170 |
|
|
|
|
|
|
171 |
|
|
|
|
|
|
172 |
|
|
|
|
|
|
172 |
|
|
|
|
|
|
173 |
|
|
|
|
|
|
174 |
|
|
|
|
|
|
175 |
|
|
|
|
|
|
176 |
|
|
|
|
|
|
177 |
|
|
|
|
|
|
178 |
|
|
|
|
|
|
179 |
|
|
|
|
|
|
180 |
|
|
|
|
|
|
181 |
|
|
|
|
|
|
182 |
|
|
|
|
|
|
183 |
|
|
|
|
|
|
184 |
|
|
|
|
|
|
185 |
|
|
|
|
|
|
186 |
|
|
|
|
|
|
187 |
|
|
|
|
|
|
188 |
|
|
|
|
|
|
189 |
|
|
|
|
|
|
190 |
|
|
|
|
|
|
191 |
|
|
|
|
|
|
192 |
|
|
|
|
|
|
193 |
|
|
|
|
|
|
194 |
|
|
|
|
|
|
195 |
|
|
|
|
|
|
196 |
|
|
|
|
|
|
197 |
|
|
|
|
|
|
198 |
|
|
|
|
|
|
199 |
|
|
|
|
|
|
200 |
|
|
|
|
|
|
201 |
|
|
|
|
|
|