2022-01-18 Meeting notes

Date

Attendees

Goals

  • Proposed Merger of FIRE and HIA WGs

Discussion items

Proposed Merger of FIRE and HIA WGs

FIRE-HIA WG-merger theme document for discussion:
https://kantarainitiative.org/pipermail/wg-fire/attachments/20220117/a8fddaf1/attachment.docx

Discussion:

Any trust principle should say that if someone is a victim of a breach of trust, they should have a right of redress. You can't sue in federal court for breach of trust, but you can in state court. There should be some recourse.

Result today: you lose the credential and get sanctioned for complaining.

Bev asked for clarification of business/consumer. Where is the human user?

  • TomS: violations of trust by large tech companies (Google, Facebook). How do you get redress? We can't hold a robot accountable. Need to know who was the creator of the intelligence that guides the robot and apply a "corrective action plan".
  • Catherine: doesn't it fall on the CISO? (These roles were created to protect the company or CEO.)


Rank principles in priority in FIRE and HIAWG

Merge or new WG?

  • HIAWG only has 3-4 participants. Would like to sunset it and join FIRE.
  • Jim wants to create a new chartered group and sunset FIRE.
  • TomS to share 11-12 Guidelines.
    • Also look at Kim Cameron's seven laws of identity (from when he was at Microsoft)
  • Focus on redress


Review FIRE-HIAWG document:

Tom: 

  • Need to reword the opening statement: too rambling, and it seems like it's just about smartphones. It's a broader issue.
  • Not sure what the deliverable is. Zero Trust is not exactly what we are talking about.


Bev: Zero Trust is closely related to DevSecOps.

Jim: how can a consumer get their own zero trust tools?

  • Government
  • Corporate
  • Consumer


Catherine: consumer needs decision support guidance. “Nutrition label”, standard. We don’t even have this in person to person relationships. Trust mark, some specific information notification, right of redress

Bev: "Consumer" is a confusing word. Not only a commercial context. Could be a robot or AI agent. A human engaging in a transaction that involves some revealing of PII. Not anonymous. Humans that help other humans: power of attorney, guardians, caregivers.

Jeff: GDPR definitions of "natural person". One-offs like robots will fall out of that.

Jim: why not start at the level of definitions.

Bev: look at existing and potential conflicts.

Noreen: definitions come from what people already associate with them in their contexts. “Zero Trust” capitalized is not what we mean for humans trusting entities. Need definition that disambiguates who/what is to be trusted, and doesn’t introduce bias. We trust other people based on what others say about them, which is helpful but can introduce bias. Some people can only participate in digital platform through assistive technologies or AIs and these can be riddled with bias.

Bev: Evolving Human Zero Trust “HZT”

TomS: robots, algorithms, etc. are "humanoid". Person : Non-Person. Personality.

Bev: biometric, facial recognition.

Noreen: described historically how the IDESG/NSTIC web page evolved after 2018 to focus more on trusted identity as trusting individual users rather than the user trusting the systems. New administration aside, there was a lot happening with cybersecurity breaches, Cambridge Analytica, election fraud, money laundering, etc. that moved the focus away from the individual's point of view.

Jim’s synthesis:

  • Focus on individual




Action items