Version: 0.8.9.3

Document Updated: Nov 22

Status:

The ANCR record objective is to provide operational transparency for people so they are able to have a choice to control personal data and it’s processing to co-regulate digital surveillance technologies.

The Anchored Notice and Consent Receipt (ANCR) as a digitally twinned record provides active state transparency features with the use of a technique called Differential Transparency. A processing model driven with the authority of the individual. The specification is intended to be used for with or in addition to any legal data processing activity. AuthC employs a 3-layer notice record schema to indicate knowledge of processing, and in this context indicate consent and or permissions as appropriate.

Required for a specific data exchange. PII Principals can enhance the single use record schema with a layer 2 schema that incorporates a digital identifier to serve a ‘proof of notice’ record for repeated use in concentric data exchanges.

The 3^rd notice record schema is the private, anchored notice record which contains sensitive information to validate the digital identity relationship. This schema is' a self-sovereign security' schema, which considers security transparency requirements as a mandatory pre-condition for digital consent receipt tokens validation.

Finally, an active technical record of processing activities provides for the PII Principal in context transparency over who is accountable for — and is a pre-condition of — processing Personally Identifiable Information (PII) for human interoperable governance and security.

AuthC contribution are from the Digital Transparency Lab Canada.

This Kantara Initiative work effort began when Liberty Alliance became the Kantara Initiative, and the Consent and Information Sharing Working Group formally began in 2015. That Working Group’s activities carried on through the ANCR Working Group.

In this specification and proposed standard the term “PII Principal” is used interchangeably with Data Subject and “Individual”.

IPR Option:

This ANCR Record Specification is available for use for public benefit licensing @0PN C.I.C and the open schema available @Human Colossus, and is specified under a Reasonable and Non‑Discriminatory (RAND) agreement at the Kantara Initiative for submission to ISO/IEC SC 27 WG 5

Published for use as public infrastructure through code of conduct and practice in industry and trade certification bodies.

Patent & Copyright: Reciprocal Royalty Free with Opt-out to Reasonable and Nondiscriminatory (RAND)

Suggested Citation: (upon WG approval)

ANCR Specification v0.9

This document has been prepared by Participants of Kantara Initiative Inc. Permission is hereby granted to use the document solely for the purpose of implementing the Specification. No rights are granted to prepare derivative works of this Specification. Entities seeking permission to reproduce this document, in whole or in part, for other uses must contact the Kantara Initiative to determine whether an appropriate license for such use is available.

Implementation or use of certain elements of this document may require licenses under third party intellectual property rights, including without limitation, patent rights. The Participants and any other contributors to the Specification are not and shall not be held responsible in any manner for identifying or failing to identify any or all such third-party intellectual property rights. This Specification is provided "AS IS," and no Participant in Kantara Initiative makes any warranty of any kind, expressed or implied, including any implied warranties of merchantability, non-infringement of third-party intellectual property rights, or fitness for a particular purpose. Implementers of this Specification are advised to review Kantara Initiative’s website (http://www.kantarainitiative.org ) for information concerning any Necessary Claims Disclosure Notices that have been received by the Kantara Initiative Board of Directors.

Thank you for downloading this publication prepared by the international community of experts that comprise the Kantara Initiative. Kantara is a global non-profit ‘commons’ dedicated to improving trustworthy use of digital identity and personal data through innovation, standardization and good practice.

Kantara is known around the world for incubating innovative concepts, operating Trust Frameworks to assure digital identity and privacy service providers, and developing community-led best practices and specifications. Its efforts are acknowledged by OECD ITAC, UNCITRAL, ISO SC27, other consortia and governments around the world. 'Nurture, Develop, Operate' captures the rhythm of Kantara in consolidating an inclusive, equitable digital economy offering value and benefit to all.

Every publication, in every domain, is capable of improvement. Kantara welcomes and values your contribution through membership, sponsorship and active participation in the working group that produced this and participation in all our endeavors so that Kantara can reflect its value back to you and your organization.

Open

Copyright: The content of this document is copyright of Kantara Initiative, Inc.
© 2022 Kantara Initiative, Inc.

The ANCR notice record is fundamentally a layered record schema, the first record layer is the minimum viable notice record (MVNR) a PII Principal can make to capture the organisation/institution that controls their personal data as well as the accountable person liable for that legal entity. This record collects no additional data, except what the PII Principal is required to see and understand in order to be legally informed of the risks of generating a digital identifier.

The notice record is an electronic notice document and is used to initiate electronic consent dialogue using a common, default engagement point that the PII Principal can expect, and trust, per data processing session.

Trust is predicated on operational transparency and security assurances that are inherent to creation and use of records and receipts.

This schema is cumulative, where each schema layer can be added upon the previous layer.

The PII Principal's private record of a notice without digital identifiers, also called a ‘minimum viable record notice’. This record is un-anchored and used for contextual purposes when it does not contain an ANCR Record ID, in the ancr record id field.

1. The meta data that can, and must be collected with the notice record to make a digital record of the notice record

2. Is kept private and not directly accessible, exposed or made public.

3. The PII Principal private record collects personal data specific to the use of the notice

1. A secured Anchored Notice Record generated upon engagement with a notice to demonstrate that the PII Principal is informed. Not an opt-in or opt-out check box – which is linked to a notice. But check-box to confirm a notice clause is read, with a button on the notice dialogue that generates a record and receipt when used by the PII Principal

2. A proof of notice record can then be used by processing stakeholders to generate subsequent (serialized) linked notice, notification and disclosure records pertinent to the context of notice.

   1. Personal identifiers and attributes are encrypted, secured, verified and validated by linking to the private notice record.

These are the schema elements that are used to generate a static Notice Record and does not contain any PII, or digital identifiers.

These fields can be asserted by the PII Principle to extend the functionality beyond the transparency TPI’s specified, on the PII Principal’s behalf.

These private record fields are separated from the Proof of Notice schema, as these are kept and controlled by the PII Principal and are used to provide defaults.

This is the data source for consented records of processing that is directed (and securely) verified by the PII Principal, with secure localized data source and device.

For consented digital identity management, a proof of Notice Record is used as an alternative to terms and conditions, to mitigate high privacy risks associated with digital identifier surveillance and profiling. Terms of use refer to a contract-based policies for the governance of identifiers and credentials.

Much like a two-factor authentication (2FA) used for digital identity security, a two‑factor notice (2FN), presented here, adopts the ISO/IEC 27560 consent record information structure, as summarized in Appendix: ANCR Record Extension 1.

Each 2FN implements a standardized consent notice dialogue for the use of digital identity management technology, which is the technology used to profile and then automate personal data processing in systems.

Each 2FN requires the presentation of information about data processing using the same content controls, format, ontology, vocabulary, and order of presentation:

1. Legal justification,

2. Purpose of profiling

3. Localization/Scope of disclosures & identification of 3^rd Party Controllers

4. Privacy/Security and Surveillance Risks

The 2FN can provides standardized options to engage with the notice, notification, or disclosure. 2FN is typically implemented with a software interface in which, at a minimum, these three options are used by default (and easily extended with a code of practice):³

1. By default, the notice can be ignored.

2. PII Principal provides an informed consent

3. Privacy rights and control options are presented and, depending on the Individual’s age, an accessibility context can be further simplified to the right to be heard and make a complaint, in specific context of processing personal data notified.

An ANCR Notice Record and a Consent Receipt, referred to as a mirrored (or twinned) record of a processing activity, is generated when the PII Principal engages with a notice dialogue and completes a notification sequence by selecting one of the 2FN options; and, by default, when a notice or notification is ignored. When an ‘I consent’ option is selected an electronic notice record and evidence of consent receipt is generated, for the corresponding eConsent.

Note: The ANCR Notice Record ID is used to create and link new receipts, thereby ensuring the providence of the PII Principal’s control of the ANCR Record.

The Proof of Notice Record builds upon the PII Controller Identity fields and contact fields, with PII Controller Identifiers used to digitally track the state of privacy .

The 2FN produces a network event, presenting information that is needed to produce an evidential record, which a PII Principal can then use independently. A micro-credential used to aggregate operational transparency information, access privacy state and rights information, or to implement personal data controls (that are required for a grant of consent grants to a system to implement controls and permissions in systems for collection, capture, portability and access to private data profiles)

• A notice that is used to generate granular consent receipts using standards that specify purpose in the same way. Those generated with the same schema based can be compared to automate notice for operational transparency over changes to privacy state.

• A 2FN is used to produce a dual record and receipt upon engaging with a standardized notice with access to administrator-level privacy rights from the notice, prior to processing with consent.

• The consent receipts produced from a 2FN can be compared independently to measure the difference in the active state and status of privacy, to automatically produce a notification based on the difference in state.

• Differential Transparency, produced with a tactile signal, or layer1 notice indicator, standardized with machine readable data privacy vocabulary (i.e., concentric and synchronic transparency).

Open

The ANCR Record represents the online privacy notice control record that is used to assess conformance with privacy expectations using controls and structure for consent from ISO/IEC 29184 Online Privacy Notice and Consent, which sets out the rules used to secure, protect and safeguard personal data:

• The only identifier is the identifier the PII Principal chooses to provide to extend the functionality of the anchored record for receipts.

• Only the PII Principal owns, controls, and delegates technical access to this identifier

• Whenever an identifier is exchanged, it must use the blinding identifier taxonomy, cryptographically hashed with PII Principal public/private key pair in which the private key is in the notice record and the public key is applied according to it’s purpose

• Only attributes from the corresponding records can be verified for a credential

• The record MUST not be generated or managed by any other stakeholder or delegate, apart from the PII Principal in order to be a trustworthy id.

Three (3) layers of the notice record schema is presented in this specification, with each layer building on the first as described in the Introduction.

The ANCR record identifier has specific security requirements and considerations since it can be used by the PII Principal as an identifier for and by a PII Controller. The ANCR Notice Record can be extended to additional stakeholders with a public key. Consent records and receipts created by the PII Principal are sensitive, confidential, and secured for PII Principal ownership and control. Evidence of consent is required to access these attributes for producing or using verifiable (micro) credentials the PII Principal can validate.

The protocol requires that the ANCR Record be referenced each time a directed, or altruistic consent is generated, or when decentralized data governance is required. This is done in order to verify the PII Controller Identity and ensure sufficient (any) security for the privacy state that is, and can then be, expected by the PII Principal.

The transparency performance indicators (TPIs) provide transparency and security assurance to the PII Controller before the Controller processes personal information.

Numerous methods available to provide security and to safeguard personal data, and for securing the control and transparency of data processing using the personal and private notice record, held by the PII Principal.

1. Blinding identifier taxonomy (BiT)

1. Pseudonymous identifier

1. Verified Credential Identifier

1. Differential Transparency

1. Differential Privacy (additive as editorial)

In this table, suggestions for what method can be applied on a per attribute level are provided as an example.