
Transparency Trust Metrics

Editors: Sharon Polsky, Mark Lizar

Chair: Sal D’Agostino

Contributors:

IPR Option:

This ANCR Record Specification is available for use for public benefit licensing @0PN C.I.C and the open schema available @Human Colossus, and is specified under a Reasonable and Non‑Discriminatory (RAND) agreement at the Kantara Initiative for submission to ISO/IEC SC 27 WG 5

Published for use as public infrastructure through code of conduct and practice in industry and trade certification bodies.

Patent & Copyright: Reciprocal Royalty Free with Opt-out to Reasonable and Nondiscriminatory (RAND)

Suggested Citation: (upon WG approval)

ANCR Specification v0.9

NOTICE

This document has been prepared by participants of Kantara Initiative Inc. Permission is hereby granted to use the document solely for the purpose of implementing the Specification. No rights are granted to prepare derivative works of this Specification. Entities seeking permission to reproduce this document, in whole or in part, for other uses must contact the Kantara Initiative to determine whether an appropriate license for such use is available.

Implementation or use of certain elements of this document may require licenses under third party intellectual property rights, including without limitation, patent rights. The Participants and any other contributors to the Specification are not and shall not be held responsible in any manner for identifying or failing to identify any or all such third-party intellectual property rights. This Specification is provided "AS IS," and no Participant in Kantara Initiative makes any warranty of any kind, expressed or implied, including any implied warranties of merchantability, non-infringement of third-party intellectual property rights, or fitness for a particular purpose. Implementers of this Specification are advised to review Kantara Initiative’s website (http://www.kantarainitiative.org) for information concerning any Necessary Claims Disclosure Notices that have been received by the Kantara Initiative Board of Directors.

Dear reader,

Thank you for downloading this publication prepared by the international community of experts that comprise the Kantara Initiative. Kantara is a global non-profit ‘commons’ dedicated to improving trustworthy use of digital identity and personal data through innovation, standardization and good practice.

Kantara is known around the world for incubating innovative concepts, operating Trust Frameworks to assure digital identity and privacy service providers, and developing community-led best practices and specifications. Its efforts are acknowledged by OECD ITAC, UNCITRAL, ISO SC27, other consortia and governments around the world. 'Nurture, Develop, Operate' captures the rhythm of Kantara in consolidating an inclusive, equitable digital economy offering value and benefit to all.

Every publication, in every domain, is capable of improvement. Kantara welcomes and values your contribution through membership, sponsorship and active participation in the working group that produced this and participation in all our endeavors so that Kantara can reflect its value back to you and your organization.

Copyright: The content of this document is copyright of Kantara Initiative, Inc.
© 2022 Kantara Initiative, Inc.

Introduction

Transparency Performance Indicators (TPIs) capture the performance of digital transparency by measuring how dynamic transparency is for digital services.

These TPIs are designed to quickly measure the operational performance, compliance and trustworthiness of publicly required digital service information.

TPIs are recorded in a Notice Record. A fully completed Notice Record is usable as a Controller Credential, which in turn is used to generate a Consent Receipt.[1] The Notice Record is a standardized record format for capturing the attributes that are required by law for the legal and trustworthy processing of personal identifiers.

The format is defined using the ISO/IEC 29100 privacy framework (security and privacy techniques). It is used to collect identifier- and session-based attributes together with notice, notification and disclosure text, mapped directly to the analogue (brick-and-mortar) legal requirements, in a standardized TPI process.

The Notice Record format can also be used to measure conformance with ISO/IEC 29184 Online privacy notices and consent (2020), in which the Consent Notice Receipt is provided in Appendix B.

The use of the associated notices, receipts and records dramatically improves the security of personal data control, significantly increasing transparency and, as a result, greatly improving the scale and effectiveness of cyber-physical security and digital privacy.

This specification is a contribution to the ISO/IEC SC27 WG5 body of work, extending the ISO/IEC 29100 privacy and security framework for more advanced trust applications.

The Notice Records generated from TPIs are designed to enable operational ‘online’ transparency, guided by the controls in ISO/IEC 29184 Online Privacy Notices and Consent and evidenced with anchored notices and mirrored (digitally twinned) notice consent receipts [ISO/IEC 29184, Appendix B], which can be generated from a TPI record.

Why was this specification written?

TPIs aim to help standardize digital transparency and dramatically improve the safety, security and usability of digital transparency for people, by providing a set of metrics to quickly assess how operational digital privacy is.

Currently, there is no way for people to see who is tracking them and how digitally exposed they are in a given context. Data control, access and privacy rights requests require a 30-day response time; TPIs indicate whether the digital information provided upon contact with a digital service is capable of meeting this requirement and of supporting dynamic data access and controls.

Without standardized digital transparency it is difficult if not impossible to see who is monitoring, tracking and surveilling personal data and digital identifiers.

As a result, people lack the insight needed to exercise access controls, use their rights to controls, and own records of digital identity relationships in a meaningful or operational manner.

Why Transparency Performance Indicators?

TPIs provide a way to quickly see whether digital privacy or security measures are in place, in line with the human, legal and analogue requirements the Individual can understand and expect.

They are designed from legal and social research gained through implementing and capturing records for legal proof of notice (knowledge) and digital consent, with receipts used to provide people with their own evidence of notice and data records.

TPIs capture the corresponding digital representations of the physical/human requirements for digital transparency and, when required, digital consent.

The 4 indicators specified provide a record that can then be used to ANCR the digital identity relationship with the organization, a basis for higher levels of digital transparency assurance. [2]

What should you expect to find in this document?

There are 4 TPIs specified here, focused on point-of-contact transparency for publicly accessible digital services. This is publicly required, self-asserted information found in surveillance signs, security notices and privacy notifications. Information that provides the same assurance as

TPI 1 - Measuring the Timing of Notice:

This TPI captures when the Controller's legal-entity digital identifiers and accountable Privacy Officer are notified: before, just in time, at the time of, or after personal data is captured. It records whether dynamic transparency is systematically provided before data is captured and processed, or not, giving the individual a way to assess whether they can trust a service.

Note: This is the most common legislated privacy element in the world, required in all privacy legislation and instruments (ISTPA 2007).

TPI 2 - Measures Required Data Elements

Required for all data processing (except where legally regulated otherwise [3], derogation) in every privacy instrument: a Notice of who is processing your data, who is accountable, and the privacy contact information for access to personal information.

Notice of who is processing your data is required under all legal justifications for processing personal data in privacy law, to identify the legal entity and the accountable person.

TPI 3 - Measure of Transparency Accessibility

Measures the performance of transparency accessibility by capturing how available the information required in TPI 2 is. For example, is the information presented in a pop-up notice, or is a click on a link required, e.g. to a standard transparency/privacy policy (where it is known that only 3% of users follow secondary links)? Is it at the bottom of a multi-screen display, or at the top of the first screen?

TPI 4 - Measures security information integrity

Captures the SSL certificate or security key and compares its metadata against the information required in TPI 2. For example, do the SSL certificate's Organization Unit and Jurisdiction fields match the captured legal entity information?

TPI Metrics


TPIs are captured in sequence:

1. TPI measuring the point at which the individual is notified versus when personal information/digital identifiers are collected and processed, capturing the timing of notice presentation in relation to first data capture.

2. TPI measuring the contents of the notification for the required PII Controller digital attributes that correspond to the physical brick-and-mortar attributes specified in privacy, security, safety and surveillance legislation: Controller identity and entity information and access point.

3. TPI measuring how accessible the transparency is (transparency of digital transparency): accessibility of the notice for use.

4. TPI validating the cybersecurity information against the digital transparency information, capturing the SSL certificate or keys and their associated metadata.

Combined, these TPIs provide an overall indication of the operational state of digital privacy.

TPI Methodologies

Timing of Notice vs Data Collection Transparency

TPI 1 requires monitoring the technical endpoint to see whether PII is captured in relation to when a notice is provided. This measures notice regulatory performance against legal and human usability requirements.

PII Controller Digital Attribute Transparency

Assess whether the information required for transparency over who is in control of the notice is ‘provided’.

The MUST fields identify elements that are required in legislation and MUST be present.

Transparency Accessibility

How accessible is the PII Controller and Privacy Contact information?

For example, in the context of a website or a mobile device, how difficult was it to access the ‘provided’ information? How many clicks, or screens, away is the required information?

Example — Accessibility Measurement Rating

This transparency accessibility rating score of [1, 0, -1 or -3] reflects the number of steps, screens or clicks required to find the ‘provided’ information within a mobile application or webpage providing the client user interface.

Security Validation Certificate (and/or Key) Security Transparency

This security performance indicator requires that the session security layer certificate or key information be collected and then compared against the information in the notice record, to validate the integrity of the security for digital privacy.

The check is whether the PII Controller identity information is the same as, or linked to, the controlling entity in the associated security certificate. For example, does the SSL (Secure Sockets Layer) certificate identify the Controller, and is it secured for the DNS and localization expectation and the corresponding jurisdictional information (a ZPN required digital security for privacy measure to implement international governance interoperability with legal adequacy with eConsent)?

Certificate status and transparency performance are used to establish session security prior to the collection, use and processing of PII. The security TPI measures the certificate and/or cryptographic keys for a specified organizational unit to corroborate and validate the PII Controller’s digital integrity.
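The certificate-to-record comparison described for TPI 4, as an added example in Python (this is not code from the ANCR specification or from Kantara). It assumes a field mapping the specification does not state: the certificate CN is checked against the host of the Notice Location URL, O or OU against the PII Controller Name, and C/ST/L against the PII Controller Address. The subject strings and record values are constructed, and the certificate is taken as an already-extracted subject string rather than fetched from a live session.

```python
"""TPI 4 (security information integrity): compare the subject of the session
certificate against the PII Controller fields captured in a Notice Record.

Added example; not code from the ANCR specification. Assumed mapping (the
specification does not state one):
  CN        -> host of the Notice Location URL (the DNS expectation)
  O or OU   -> PII Controller Name
  C, ST, L  -> jurisdiction, checked against the PII Controller Address text
"""
import re
from typing import Optional
from urllib.parse import urlparse


def split_dn(dn: str) -> list:
    """Split an RFC 4514-style subject string on commas, honouring backslash escapes."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_dn(dn: str) -> dict:
    """Turn 'CN=a, OU=b, O=c' into {'CN': 'a', 'OU': 'b', 'O': 'c'} (first value of a type wins)."""
    fields = {}
    for part in split_dn(dn):
        key, _, value = part.partition("=")
        fields.setdefault(key.strip().upper(), value.strip())
    return fields


def norm(text: str) -> str:
    """Case-fold and collapse whitespace so display and certificate spellings compare."""
    return " ".join(text.lower().split())


def cn_matches_host(cn: str, host: str) -> bool:
    """Exact match, or a single-label wildcard such as *.example.com."""
    cn, host = cn.lower(), host.lower()
    if cn.startswith("*."):
        return host.endswith(cn[1:]) and host.count(".") == cn.count(".")
    return bool(cn) and cn == host


def tpi4_security_integrity(record: dict, subject_dn: Optional[str]) -> dict:
    """Return the TPI 4 outcome for one Notice Record.

    Rating follows Table 3: +1 when a certificate is present, -3 when no
    security is detected. Field-level match results are reported alongside.
    """
    if not subject_dn:
        return {"rating": -3, "outcome": "No Security Detected", "matches": {}}

    subject = parse_dn(subject_dn)
    host = urlparse(record["Notice Location"]).hostname or ""
    controller = norm(record["PII Controller Name"])
    address = norm(record["PII Controller Address"])

    matches = {
        "CN": cn_matches_host(subject.get("CN", ""), host),
        # The legal entity name may be carried in O or OU depending on issuer practice.
        "OU": bool(controller) and controller in {norm(subject.get("O", "")), norm(subject.get("OU", ""))},
        # Jurisdiction is optional in Table 3: evaluated only when the subject carries C/ST/L.
        "Jurisdiction": None,
    }
    jurisdiction = [subject[k] for k in ("C", "ST", "L") if k in subject]
    if jurisdiction:
        matches["Jurisdiction"] = all(
            re.search(r"\b" + re.escape(norm(j)) + r"\b", address) is not None for j in jurisdiction
        )

    ok = matches["CN"] and matches["OU"] and matches["Jurisdiction"] is not False
    return {"rating": 1, "outcome": "Match" if ok else "Not match", "matches": matches}


# Constructed sample data for illustration (not from the specification).
SAMPLE_RECORD = {
    "Notice Location": "https://www.example.com/signup",
    "PII Controller Name": "Example Retail Ltd",
    "PII Controller Address": "12 Example Street, Toronto, Ontario, CA",
    "Privacy Contact Point": "privacy@example.com",
    "Privacy Contact Method": "email",
}
GOOD_SUBJECT = "CN=*.example.com, O=Example Retail Ltd, OU=Privacy Office, L=Toronto, ST=Ontario, C=CA"
# A certificate issued to an unrelated hosting company; note the escaped comma in O.
MISMATCHED_SUBJECT = "CN=cdn.hosting-example.net, O=Other Hosting\\, Inc., C=US"

if __name__ == "__main__":
    for label, dn in (("good", GOOD_SUBJECT), ("mismatched", MISMATCHED_SUBJECT), ("none", None)):
        print(label, tpi4_security_integrity(SAMPLE_RECORD, dn))
```

Whole-word matching is used for the jurisdiction fields so that a country code such as CA is not found inside an unrelated word in the address; a real deployment would take the subject from the negotiated TLS session rather than from a string, and would also verify the chain, which this comparison deliberately leaves to the TLS stack.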

Table 1: Transparency Performance Rating

Rating | Description | Instruction
+1 | Controller identity is embedded as a credential linked to authoritative registries. | PII Controller credential is displayed, using a standard format with machine-readable language and linked, for example, in an HTTP header in a browser
0 | PII Controller Identity prominently displayed on first view, prior to processing the first page of viewing; the assessment question would be | PII Controller Identity or credential is provided in the first notice
-1 | Privacy signal is not first presented, but is linked and one click and screen away | The Controller Identity, or the screen with the Controller Identity, is one screen and click away. For example, the privacy policy link in the footer of a webpage
-3 | Identity or credential is two or more screens of view away | PII Controller Identity is not accessible enough to be considered ‘provided’

Table 2: TPI Schema

TPI 1 | Notification Timing | Timing of Data Collection

Table 3: Transparency Performance Indicator Record Rating Example

Field Name | Field Description | Requirement (Must / Shall / May) | TPI 1 | TPI 2 (Available / Not Available) | TPI 3 (Rate: +1, 0, -1, -3) | TPI 4 Certificate or Key (CN Match, OU Match, Jurisdiction Match (optional))
Notice Location | Location the notice was read/observed | MUST | | Present | +1 | found
PII Controller Name | Name of presented organization | MUST | | Present | 0 | Match
PII Controller Address | Physical organization address | MUST | | Present | 0 | Not match
Privacy Contact Point | Location/address of Contact Point | MUST | | Present | 1 | Not match
Privacy Contact Method | Contact method for correspondence with PII Controller | MUST | | Present | -1 | No Match
Session key or Certificate | A certificate for monitored practice | MUST | | Present (or Not-found) | 1 (or -3) | Present (or No Security Detected)
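The rating schema of Tables 1 and 3 together with the TPI 1 timing classification, as an added example in Python (not code from the ANCR specification). Field names follow Table 3 and the ratings follow Table 1; the JUST_IN_TIME_WINDOW threshold, the ISO-8601 timestamp inputs, the per-field step counts and the TPI 4 outcomes are constructed assumptions, since the specification does not define them.

```python
"""TPI 1-3 evaluation of a Notice Record, producing one row per field in the
shape of Table 3. Added example; not code from the ANCR specification.

Assumptions: timestamps are ISO-8601 strings; JUST_IN_TIME_WINDOW is a
constructed threshold the specification does not define; TPI 4 outcomes are
supplied already computed (for example from a certificate comparison).
"""
from datetime import datetime, timedelta

# Table 3, Requirement column: every field of this example record is a MUST.
MUST_FIELDS = (
    "Notice Location",
    "PII Controller Name",
    "PII Controller Address",
    "Privacy Contact Point",
    "Privacy Contact Method",
    "Session key or Certificate",
)

# Constructed threshold: a notice given less than this far ahead of capture is
# classed as "just in time" rather than "before".
JUST_IN_TIME_WINDOW = timedelta(seconds=5)


def tpi1_notice_timing(notice_at: str, collection_at: str,
                       window: timedelta = JUST_IN_TIME_WINDOW) -> str:
    """TPI 1: when was the individual notified relative to first data capture?"""
    lead = datetime.fromisoformat(collection_at) - datetime.fromisoformat(notice_at)
    if lead > window:
        return "before"
    if lead > timedelta(0):
        return "just in time"
    if lead == timedelta(0):
        return "at the time of"
    return "after"


def tpi2_required_elements(record: dict) -> tuple:
    """TPI 2: per-field 'Present'/'Not-found' for each MUST field, plus the overall verdict."""
    status = {f: ("Present" if record.get(f) else "Not-found") for f in MUST_FIELDS}
    overall = "Available" if all(s == "Present" for s in status.values()) else "Not Available"
    return status, overall


def tpi3_accessibility_rating(steps_away, as_credential: bool = False) -> int:
    """TPI 3: Table 1 rating from the clicks/screens needed to reach the information.

    steps_away is None when the information could not be found at all.
    """
    if as_credential:       # +1: machine-readable credential linked to a registry
        return 1
    if steps_away == 0:     # 0: prominently displayed on first view
        return 0
    if steps_away == 1:     # -1: one click and screen away (e.g. a footer link)
        return -1
    return -3               # -3: two or more screens away, or not found


def evaluate_record(record: dict, notice_at: str, collection_at: str,
                    steps: dict, credential_fields=(), tpi4=None) -> dict:
    """Combine TPI 1-3 (and supplied TPI 4 outcomes) into Table 3 style rows."""
    tpi4 = tpi4 or {}
    status, overall = tpi2_required_elements(record)
    rows = [
        {
            "field": field,
            "requirement": "MUST",
            "tpi2": status[field],
            "tpi3": tpi3_accessibility_rating(steps.get(field), field in credential_fields),
            "tpi4": tpi4.get(field, "n/a"),
        }
        for field in MUST_FIELDS
    ]
    return {"tpi1": tpi1_notice_timing(notice_at, collection_at), "tpi2": overall, "rows": rows}


# Constructed sample: a sign-up page that shows its notice two seconds before the
# first form field is captured; the contact method sits two screens away.
SAMPLE_RECORD = {
    "Notice Location": "https://www.example.com/signup",
    "PII Controller Name": "Example Retail Ltd",
    "PII Controller Address": "12 Example Street, Toronto, Ontario, CA",
    "Privacy Contact Point": "privacy@example.com",
    "Privacy Contact Method": "email",
    "Session key or Certificate": "CN=*.example.com, O=Example Retail Ltd, C=CA",
}
SAMPLE_STEPS = {
    "Notice Location": 0,
    "PII Controller Name": 0,
    "PII Controller Address": 1,
    "Privacy Contact Point": 1,
    "Privacy Contact Method": 2,
    "Session key or Certificate": 0,
}
SAMPLE_TPI4 = {"PII Controller Name": "Match", "PII Controller Address": "Not match",
               "Session key or Certificate": "Present"}

if __name__ == "__main__":
    result = evaluate_record(SAMPLE_RECORD, "2024-05-01T10:00:00", "2024-05-01T10:00:02",
                             SAMPLE_STEPS, credential_fields=("Notice Location",), tpi4=SAMPLE_TPI4)
    print("TPI 1:", result["tpi1"], "| TPI 2:", result["tpi2"])
    for row in result["rows"]:
        print(f'{row["field"]:<28} {row["requirement"]:<5} {row["tpi2"]:<9} {row["tpi3"]:>3}  {row["tpi4"]}')
```

The per-field step count is what makes TPI 3 a rating rather than a yes/no: the same record can score +1 on the notice location and -3 on the contact method, which is exactly the spread Table 3 illustrates. An empty or missing MUST field flips the overall TPI 2 verdict to "Not Available" regardless of how accessible the other fields are.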

Summary

In summary, transparency performance indicators are specified here for people to use depending on context, location, security and other out-of-session elements. TPIs are an indicator for determining, with one's own sovereign reasoning, how trustable a service session is.

These TPIs use open standards with an open license but, unlike the consent record, are specified for people to be able to use and create records they can own and keep.

The first TPI is a measure of trust: when asked, “Do you trust a service if you know who is processing your data before, during or after?”, people overwhelmingly indicated that trust would be higher if notified prior to data capture.

TPI 2 indicates whether the legally required information is present, providing a metric for compliance.

TPI 3 is an indicator of how accessible and inclusive digital transparency is.

TPI 4 validates for the individual whether the security adds up, addressing a critical security gap that exists today.

Roadmap

References

Appendix A

Notice Record Schema

Endnotes

1. Lizar, M., Pandit, H., Jesus, V., “Privacy as Expected: Consent Gateway”, Next Generation Internet (NGI) Grant [accessed July 4], privacy-as-expected.org/
