P3 PF SubGroup Kickoff Meeting Notes - 2010-11-11

What follows are draft meeting notes from the Privacy Framework SubGroup kickoff telecon.

Attendees:

Mark Lizar
Jeff Stollman
Gershon Janssen
Myisha Frazier McElveen
Trent Adams
Christine Runnegar
Anna Slomovic
Bill Braithewaite
Colin Wallis

Peter Capek

Staff:
Joni Brennan
Anna Ticktin

Meeting Notes:

1. Description of the mission

  • Create a Privacy Framework consisting of Service Assessment Criteria that allow auditors to assess the level of privacy protection afforded by various IdPs and RPs – as well as Attribute Providers.
  • Create an overarching Framework, supported by profiles that support tailoring of the PF to address the unique requirements of particular jurisdictions or industry sectors to allow for widespread adoption of the Privacy Framework.
  • Structure the development of the Privacy Framework to allow its components to be developed in small pieces.
  • Leverage the wide array of existing work in this subject area by governments, NGOs, and businesses to keep from reinventing the wheel and to encourage buy-in.

Why Kantara?

  • As we talk about the fact that other organizations have already been doing work in the area of privacy, it raises the question, “What’s so special about Kantara that I should put my energy into this effort?”
  • Previous work falls under two rubricks:  research and policy, including some initial attempts at government regulation. This effort is different.  Even though research has been done on the topic of Privacy Frameworks, what we are creating is a working system where the rubber meets the road.
  • Kantara has already pioneered a trust framework for which it has existing clients and which continues to attract additional clients. – including the US government.  Kantara has already implemented the first leg of its Trust Framework Platform:  a working Identity Assurance Framework that affords Relying Parties the ability to understand and trust the processes used by audited and certified Identity Providers  at multiple clearly defined Levels of Assurance.
  • The task before us now is to implement the second leg of this platform to provide certification procedures that will evince trust from Subjects that both IdPs and RPs are treating their personal information with the due care appropriate to the Level of Protection to which the IdPs and RPs are certified.
  • Our output is not another policy paper to be glossed over by regulatory authorities.  It is not pie-in-the-sky wish list of how we believe all personal information should be treated.  It is an implemented system that allows independent auditors to reliably assess the personal information handling practices of IdPs and RPs that affords all parties the ability to select among multiple Levels of Protection.
  • We don’t have to wait for regulations to happen. – though we must be cognizant of both current and forthcoming regulatory requirements.  This is not just another policy paper that gets submitted to a third-party for their consideration. There are no gatekeepers standing in our way.  We are creating a commercial implementation of standardized privacy practices. We are creating a living, working Privacy Framework. And it will be implemented. We already have customer demand from Subjects, IdPs, and RPs. Our work will become a highly visible part of the fabric of the internet.  And you can be a part of this pioneering effort. If nothing else, it will enhance your resume. It may even enhance how your children look at you.

QUESTION:

  • Will the Privacy Framework be part of  Kantara Initiative Certification? YES.

2. Execution Plan

a. Communities of Interest

b. Leverage parallel efforts

  • Identify existing Privacy Framework and Service Assessment Criteria documents
  • Review existing Privacy Framework and Service Assessment Criteria documents
  • Document existing Privacy Framework and Service Assessment Criteria documents

c. Document requirements

d. Develop outline

e. Develop PF

  • For IdPs
  • For RPs
  • For Attribute Providers

f. Develop ICAM profile

g. Develop other profiles as clients evince interest

3. Schedule

a. Discovery for January

  • Identify and obtain support from Communities of Interest
  • Collect, review and report on parallel efforts

b. Phase 2: Framework Development

  • Document requirements
    1. Determine if the requirements will be different for IdPs, RPs, and APs
  • Outline document
  • Develop detailed schedule
  • Compose document
  • Review and Edit document
  • Obtain approval

c. Phase 3: ICAM Profile Development

  • Outline document
  • Develop detailed schedule
  • Compose document
  • Review and Edit document
  • Obtain approval

4. Next Steps

a. Non-P3 members need to join group to maintain appropriate IP protection

b. Next telecon – P3 will cancel it's regular bi-weekly telecon and instead host this subgroup call on Thursday, 18 November 2010.

c. Once we have our new mailist, Jeff will send out a note to direct volunteers to begin collection and review of

  • Privacy Frameworks
  • Assessment Criteria
  • Issues submitted by subgroup members

ACTION ITEM 20101111-01 Jeff — will determine which IPR this subteam should operate under.

ACTION ITEM 20101111-02 Anna Ticktin — will create a P3 Privacy Framework landing page and mail list

QUESTION:

  • What loose milestones does this subteam have before them? Targeting Q2 2011.

Adjourned.