ANCR WG 20260408

Roll Call

Voting

@Mark Lizar (Unlicensed)

@Salvatore D'Agostino

Non-voting

@Tim L

IPR Statement

Proposed Agenda

Time | Topic | Description | Actions


Summary of Discussion

Action Items

  • [ ] Sal to review specifications in anchor GitHub repo

  • [ ] Sal to send over PDF of consolidated specifications

  • [ ] Team to conduct work group sessions over next four weeks to reach consensus on TPI scoring system

  • [ ] Sal to build and maintain list of references showing TPI report recognition in licenses

TPI Report Process & Scoring System

  • Sal shared TPI report results with Scott Lindley (GM/CEO at Dorma Cava) who confirmed timing is right and highlighted references in the report

  • Core process: Run TPI reports, share with stakeholders who understand context, get feedback, use feedback to craft notice and improve compliance ("get all lights to go green")

  • Discussion about refining scoring system - Mark wants to distinguish between -1, 0, and 1 ratings rather than just binary green/not-green

  • Sal suggests creating constrained work item: present four current TPIs, descriptions, draft scoring system, and gather consensus from work group

  • Proposed timeline: One month for work group to review and establish official positions on TPI reports through consensus process

  • Result would be version 1.1 update to scoring documentation

Anchor Work Group Wiki Compliance

  • Current Kantara Anchor Work Group wiki is not compliant with TPI B-1 because it lacks pop-up notice when users first visit

  • First notice requirement: Must happen "as soon as possible" before any identification occurs

  • Notice should inform users that wiki is US-based, data might be accessible by NSA, and non-Americans don't have same rights

  • Proposal: Move wiki from -1 to 0 rating by implementing pop-up notice that gives users choice and mitigates risk

Notice Engineering & Controller Identification

  • Sal is helping controllers do notice engineering as a service

  • Discussion of two-phase lifecycle: first phase is controller-led notice engineering, then moves to maintenance phase where both controller and principal can access and update

  • Controller identification record should be accessible at well-known location without requiring authentication

  • This enables individuals to generate receipts directly from controller information

  • Key principle: People need access to transparency records without being digitally identified first

Metadata Classification & Privacy

  • Discussion about macro vs. micro data distinction

  • Micro data = PII; macro data = identifiers potentially associated externally with device (fingerprinting)

  • First notice should cover permissions for macro data usage before any PII is collected

  • This creates new surface allowing people to choose according to their wishes and potentially connect via wallet without tracking

  • Term "metadata" doesn't work well in this context due to conflation - need clearer breakdown

Scope of Authority & Disclosure

  • Critical policy point: Need to transparently show scope of authority and scope of disclosure for digital identifiers

  • These two measurements together are "the secret power" needed for ISO gap analysis, Anchor, and TPI reports

  • Must be clear in notice from beginning - not sufficient to deduce from controller identity alone

  • Need to know not just where controller is located, but where data is located and where governing authority is located

ISO / ANCR 27560 Profile Digital Code of Transparency Practice - in Development

  • Working on anchor profile of ISO 27560:2023 (not 2020 version)

  • Renaming from "ISO 27560 extension" to "Anchor 27560:2023 profile"

  • Profile includes consent record information structure (from MD)

  • Working on Council of Europe Article 11 Code of Conduct technical implementation

  • ISO 27560:2026 characterized as essentially a ROPA (Record of Processing Activities) - like syslog/audit log

Registry & Repository Architecture

  • Sal building registry for people who create controller records with option to register JSON of reports

  • Distinction between two types of repositories: registry vs. reporting front end

  • Registry would be for Kantara prototyping/demonstration, not to be the permanent registry solution

  • Could be picked up by other organizations like Council of Europe to run their own

  • Registry would track implementations that have passed TPI assessment

Work Group Deliverables & Scope

  • Focus on creating official work group positions through consensus rather than individual opinions

  • Using anchor wiki as sandbox/demonstration for lab implementation

  • Goal: Show what lab sandbox can do through this engineering work with Kantara

  • Important framing: This is work group output supported by lab, not the other way around

  • Keeping scope narrow and tight on deliverables to ensure progress

Peer-to-Peer & Decentralization

  • Physical access control use case demonstrates complete functionality with no need to "phone home"

  • Distinction between decentralized functionality vs. functionality-as-a-service (like Microsoft Cloud for Word)

  • Well-known controller record + notice enables individuals to connect peer-to-peer without middleman tracking

  • Wallet should function as receipt generator to facilitate this

  • Concept frees users from the hold of big tech giants

AI & Future Applications

  • Creating "AI-facing surface for policy"

  • AI will likely copy everything, so need to license official standard notice/notification/disclosure requirements

  • Open notices for wallets should be licensed and available as open standard

  • AI-ready infrastructure through proper policy transparency

Zero Policy Work Group

  • New Tuesday 9-10am session focused on micro policy at gateway level

  • Participants include Chris Cooper, Judith Radcliffe, Tim, and Paul Knowles from UK

  • Focus on rules and risk assessment - making clear what increases risk and requires more notice

  • Considering this as membership to open lab

  • Goal: Create open dynamic policy and open code of conduct for adoption

Technical Standards & Use Cases

  • Working on required notice/notifications for digital wallets as current use case

  • Doing gap analysis for ISO with Farpoint and their Connect app as customer

  • Physical access control world: card readers, credentials, mobile apps for building access

  • Evolution from cloud to mobile wallets to decentralized identity

  • Need for key management, registries, transparency/notice, crypto agility, and orchestration

Target Market & Adoption

  • Regulators and manufacturers identified as target market for implementing TPI-related governance infrastructure

  • Also applicable to privacy officers and commercial buyers who need rules packaged with products

  • Need credibility which can come from Anchor Work Group consensus process

  • Customers with use cases are best way to develop and validate the work