ANCR Framework: Differential Privacy - Ethics & Security for Privacy

Owned by Mark Lizar
Jan 28, 2023
6 min read

 

For discussion with security and privacy community. Like digital identity management, how sovereign data control can be measured is by identifying which PII Stakeholder is in control of the personal data and personal data process; who benefits from processing personal data; and how dynamic are the personal data controls? The analysis results indicate which stakeholder can authorise the use of the tool, and for which purpose(s)

  1. Differential Privacy [ not to be confused with Differential Transparency]

    1. A method to produce noise in a personal data profile, and data sets so that the output cannot be used as conclusive evidence, or used to attack systems. A safeguard that is described as a way to provide a ‘buffer’ to protect the PII Principal from harms.

      1. A relevant topic defined in the ANCR Record used in a different context, not as a tool used by a PII Controller, but as a control for PII Principal to use when engaging with PII Controller Services,

    2. Synthetic personal data can be generated from the Anchored Private Notice record and linked eConsent receipts with the use of verified micro-credentialing

    3. These records and receipts can be used to provide safe environments to model future personal data, anonymize PII Principles own data before use, provide statistical data to services and trusts, safeguard Altruistic Consent (see concentric data types) can be employed to open certain data types for a specific purpose to help people and society.

    4. Differential privacy can be used to evaluate structural deficiencies in existing data models (online profiles), and invalidate data sets through access rights which are near universal.

    5. Differential privacy tools can generate synthetic personal data to increase the size of a personal data set, to employ machine learning systems on behalf of the PII Principal to diffuse data in order to address privacy harms which exists with use of big data, with out transparency or consent. Like any other tool it can be used in good and bad ways.

 

  1. Automating Operational Transparency

    1. Human centric notice protocol to keep a record of controllers and context of processing, for each session/interaction, so that these contextual records, controlled owned and secured by the PII Principal, can remember the active state of privacy and verify the PII Control and Privacy state without interrupting the service-user flow.

    2. Notice Signal Layer: For operational transparency at a glance using digital signaling to indicate with concentric labeling what is expected, and what is not.

Security Code of Conduct

Non-national standards are used in the ANCR Framework specification to mediate transborder data controls and policies and provide extra-territorial governance. National standards are limited in terms of governance policy.

  • This specification advocates for using international standards for measuring adequacy, mapping the rules, vocabulary and semantics presented in this specification to the national standards and regional privacy regulation.

  • eConsent is a security access control that is required to make a record that a PII Principal signs by engaging with a Two Factor Notice (2FN)

A code of conduct in this specification refers to regulation and/or Regulator approved set of rules, which are enforceable. As oppose to a transparency code of practice, which refers to a certifiable best practice used to implement a code of conduct, for example, requiring the use of two factor notice.

ISO/IEC Security and Privacy Techniques Framework

  • ISO/IEC 29100 - Security and Privacy schema, information structure

    • Mature, mutually exclusive, and collectively exhaustive framework used to identify security and privacy stakeholder roles in data governance

    • The ANCR record is specified to propose a standard method, to secure records that can be self-asserted by people to control, use, and trust online.

    • It is envisioned that the only data ever seen by the PII Principal and accessible only via verification are those specifically delegated as such by the PII Principal.

  • PII Controller uses privacy stakeholders as a mutually inclusive and collectively exhaustive technology governance framework for cross-border identifier exchanges

  • All data processing is required to be transparent by default and provide notice, notifications, and disclosures, all of which can be automated with this specification.

    • Transparency defaults are provided in relation to adequacy with international best practice in order to be interoperable with EU-GDPR and Convention 108 to operationalize transparency with enforcement.

  • Every non-person entity, or delegate, processing personal data is a PII Controller. An unidentified PII Controller, is a 3rd Party, and requires PII Controller Category with a scope of authority for the context of processing personal data.

    • The PII Controller can have many roles, according to context of processing (e.g., Joint Controller, PII Processor, and PII-Sub-processor. 3rd Party

  • 3rd Party Recipients,

    • All 3rd parties MUST be identified as a PII Controller

    • A stakeholder without a Controller ID, or role in direct purpose of processing is required to provide the legitimate legal justification and specified purpose.

    • Monitoring of non-identified controllers should include using a different legal justification, without authority could further be analyzed for mis-information and fraud detection.

    • Assurances that 3rd parties, can also be identified as a PII Controller.

    • Assurances that all PII Joint Controllers, Processors or Sub-Processors, are accountable and identifiable as a PII Controller.

    • PII Controller Identity credential (is required to produce a consent notice receipt for verification, validation and authorisation by the PII Principle.

    • There are interoperable with IAM system roles 0 Holder, Verifier, and Issuer in Self Sovereign Identifiers (SSIs) and Distributed Identifiers (DIDs) can be directly mapped to PII Controller roles.

  • ANCR notice records can be generated by the PII Principal and notarized by a 3rd Party authority, on behalf of the PII Principal, for use independently of a PII Controller.

  • Differential Privacy

    • An editorial use case – in which the questions is asked? who controls the choice to use differential privacy? Is it the PII Principal or the PII Controller, or both? Presented in the context that the PII Principal is in control of record and the choice to use the method. As opposed to the PII Controller being in control and deciding when to use this without proof in the form of electronic notice and consent.

    • To address a security gap – dis-empowering 3rd Party data processing without consent, the creation of an identifier for system access and management, any type of tracking, is referred to as profiling, which constitutes a high-risk privacy activity.

    • To mitigate the substantial risks of digital identifier management technologies, any secondary use of the data – including ‘Differential Privacy’ must a) be transparent (specified with the consent information structure) and b) consented with a proof of notice receipt for evidence of consent,

    • This means processing is specific to purpose of the consent (Note: unless derogated in law which is also provided in notice and a represented in a code of practice, for the service.

    • Best Practice - Consent for the service to re-use a PII Principal profile for a secondary purpose, is a specific explicit consent, not an opt-in, or out governance control.

Trustworthy ID

  • Trustworthy identity requires notice and transparency defaults, or else it is very difficult for people trust the use of digital identity technology. As oppose to every jurisdiction and organisation deciding what is transparent, with T&C’s services just change without notice.

    • The defaults for operational transparency are presented in this industry publication “Adequacy of Identity Governance Transparency” with 23 default transparency for notice, notification and disclosures, which are required for a ZPN code of conduct.4

  • eConsent is a critical and missing component in the generation of identifiers the use of PII for big-data, machine learning, including differential privacy is arguably a breach of PII and clearly un-ethical as it violates the privacy expectations of the Individual, creating records people don’t control, and can’t see when they are used.

  • In this regard, ethical use of differential privacy would require a record of consent to identify and profile and personal identity, then, an explicit consent for the purpose of use.

    • In this way PII Principals can be secure, safeguarded, and empower their choices through the control of who benefits from their personal and why.

  • For an anchored notice record, it is recommended that PII Principal identifying information never be included in a record without being secured at the attribute level in the record. When a eConsent receipt is provided, all PII Principal identifiers MUST be blinded except for the legitimate required stakeholders.

  • Any PII Controller consent record that combine raw personal identifiers, is not secure enough to be a consent record, which in this specification is self-sovereign anchor record. Trust is understood to be relative to each stakeholder but represented in this specification with a PII Controller consent.