
Consent & Information Sharing Work Group (CISWG)

This Work Group operates under the Kantara IPR Policy - Option Patent & Copyright: Reciprocal Royalty Free with Opt-Out to Reasonable And Non discriminatory (RAND)


This working group has been evolving since 2009, starting out as the Information Sharing WG focused on catalysing a rich flow of consent-based personal information. From a CRM perspective, actual demand data (as opposed to predicted demand) can be engineered with better personal data control than could be found in any traditional CRM products and departments. The first work stream was led by Joe Andrieu and Iain Henderson and produced the Information Sharing Label Notice for people.

In 2012, the Open Notice Initiative (now the Kantara Liaison Partner Open Consent Group) presented a paper, "Opening up the Online Notice Infrastructure An ‘Open Notice’ Call For Collaboration", at the W3C Do Not Track & Beyond Conference.

The result of this effort was the proposal to Kantara, ISWG to focus on a consent work stream, which resulted in this WG name change to the Consent & Information Sharing WG (CISWG). This work stream has focused on making an identity management usable consent record called the "Consent Receipt", driven largely by major contributions from Mary Hodder, John Wunderlich, Iain Henderson and Mark Lizar, who brought the spec to a v.1, with a special thanks to David Turner and the extra special effort of Andrew Hughes to bring together the release of V1.1, which is the more mature specification based on multiple implementations and public review cycles. This specification is now growing in adoption in EU and US healthcare, consent management, policy frameworks and smart contracts.

Special mention to UMAWG and Eve Maler for providing the shining example of how to develop a specification by consensus, and Justin Richer for building the first consent receipt generator.

This Workgroup is open to interested participants; the work product that is produced is under a Royalty Free (openly usable) RAND license. The work produced is provided for review by industry, public sector, regulators, other standards organisations like the ISO's ISO/IEC JTC 1/SC 27/WG 5, and community partners like Project VRM, who have supported the long-term development of tools for individual autonomy over personal information.

The Project VRM community also drives a work stream in CISWG for User Submitted Terms, which is focused on a common set of icons that customers can use to signal their intent.

The WG members often meet at conferences and workshops in the US and EU, which happen annually for those who want to meet in person.

  • May & Oct - IIW Internet Identity Workshop - Mountain View, California
  • May - EIC European Identity Conference - Berlin, Germany
  • June - Identiverse (Boston 2018)
  • August 29-31 MyData Helsinki


Active Projects:

Publications & Submissions

Presentations


All WG Projects:



This blog post on the Personal Data Eco-system is useful background and context for this working group.

Download the Consent Receipt Overview

 


Leadership

Teleconferences:

CALENDAR:  https://kantarainitiative.org/calendars

Call times:

User Submitted Terms: Mondays - 3:00pm UK (UTC+1); 8 AM PST; 10 ET

Consent Receipt: Thursdays - 3:30pm UK time, 7:30am PT, 10:30am ET


GoToMeeting (GTM1)
Please join my meeting from your computer, tablet or smartphone.

https://global.gotomeeting.com/join/323930725 

You can also dial in using your phone. 
United States: +1 (669) 224-3318 

Access Code: 323-930-725 

More phone numbers 
Australia: +61 2 9091 7603 
Austria: +43 1 2530 22500 
Belgium: +32 28 93 7002 
Canada: +1 (647) 497-9376 
Denmark: +45 32 72 03 69 
Finland: +358 923 17 0556 
France: +33 170 950 590 
Germany: +49 692 5736 7300 
Ireland: +353 15 360 756 
Italy: +39 0 230 57 81 80 
Netherlands: +31 207 941 375 
New Zealand: +64 9 282 9510 
Norway: +47 21 93 37 37 
Spain: +34 932 75 1230 
Sweden: +46 853 527 818 
Switzerland: +41 225 4599 60 
United Kingdom: +44 330 221 0097 


Recent updates

(this is a draft blog post, pending WG approval)

Support Open ISO Standard to Scale Digital Privacy Transparency and make privacy and consent free

Working Group 5, with which Kantara has had a liaison agreement since … at its most recent in-person meeting in Manchester, is taking action with regards to publicly available standards.

The Anchored Notice and Consent Work Group (ANCR WG) unanimously approved a request to the Leadership Council (LC) to support efforts to restore ISO/IEC 29100 Information Technology - Security Techniques - Privacy Framework as an open standard.

It incorporates basic privacy principles stemming from the 1970’s and the Fair Information Practice Principles (FIPPs). At present the standard is no longer publicly available and has been updated to a 2024 version. Action is being taken to make this open again. As a workgroup we strongly support this recommendation and action.

In addition, there is an effort to make ISO/IEC 27560:2024 Consent record information structure an open standard. As a workgroup we also request the support of the LC in this effort, and only if this is done in combination with ISO/IEC 29184:2020 Online privacy notices and consent. The notice and consent specification provides critical transparency requirements and security and privacy controls that can be used by people to manage their digital identities. These 3 standards together provide an operational transparency framework and architecture enabling security for infrastructure and services with privacy and consent by default.

Why open access matters
29184 was developed to supplement the freely accessible ISO/IEC 29100 security and privacy techniques framework. Our work at the Kantara Initiative has long focused on standardizing notice to enable managed consent and control over data access on a large scale. This effort began more than a decade ago at the W3C - Do Not Track and Beyond conference (The need for notice and transparency standards in online security and privacy).

The business case for standardizing digital transparency
There is a compelling business case for ISO/IEC to lead in standardizing digital transparency for security, privacy, and digital identity management. A robust set of international transparency standards would compel industries to adopt ISO/IEC’s paid security standards, such as 27001, 27002, and 27701. These standards provide specific requirements and guidance for establishing a Privacy Information Management System (PIMS).  Acting now to facilitate data governance and security interoperability will enable ISO/IEC to lead this competitive practice internationally. 

International impact and interoperability
Our commitment to this project is driven by 29100’s influence in developing international privacy instruments that are interoperable with GDPR and, importantly for Canada and elsewhere, the CoE Convention 108+. Expected to be ratified by 2025, Convention 108+ will provide an international data governance instrument for security and privacy across the Commonwealth, encompassing 56 countries and 2.5 billion people. Convention 108+ mirrors the GDPR Chapter 1 Transparency Modalities section, and 29100. It has been used as a primary standard to create transnational transparency requirements that establish a legal basis for consent leading to and not determined by identity and access management systems.

Scaling Digital Privacy Transparency of Your Identity
The ANCR WG effort at Kantara Initiative specifies notice and consent receipts which focus on this combination of standards, laws, and current market dynamics to create a regulatory tool to provide PII Principals with digital transparency over processing personal data.

ANCR WG tools assess the transparency conformance and compliance of PII Controllers' security, privacy and transparency. The notice record and receipts are digital identity credentials that benchmark compliance utilizing 29100, 29184, and 27560 natively. These standards, when required to be open, make it possible to scale standardized digital privacy transparency in the international Commonwealth.

For 'Digital Identity Surveillance and Trust' this means people can see, and therefore have the opportunity to trust, when personal data is processed by digital identity technologies and agents, solving security and trust issues involved in identifying oneself for service processing personal data.

The Call to Action

For ISO this enhances the adoption of paid-for standards, and for Kantara it is the opportunity to enable a 100% completely inclusive trust technology to enable the ethical and secure use of digital identity management and its society surveillance. This means in ANCR WG we are able to assess the transparency, mis-information and compliance of any identity management framework, protocol, technology or notice, for how trustworthy it is for the individual.

The ANCR WG’s draft Transparency Performance Scheme creates conformant PII Controller records that are a legal record of processing and provide proof of knowledge, missing online today. Without knowledge and transparency over the choices we make online and who benefits from them, we act without truth or digital freedom.

To further this work and utilize 29184 we invite Kantara Initiative to support an international standard for digital privacy transparency and digital identity that complies with consent. Let's demand notice records and consent receipts together.

Support the vision of the ANCR WG and help people see the impact their choices have on themselves, family, community and society, so that we can collectively address the challenges we face in digital identity management today.

This year ANCR WG and 0PN Digital Transparency Lab teamed up to present a report on Canada’s Bill C 27, extending the ANCR Transparency Performance Scheme, with a Canadian Bill C27 WHiSSPR Report, referring to a White Hat iDentity, Surveillance, Security, Privacy Risk Report, with a special Jan 28 podcast with Joni Brennan, Sharon Polsky, Gigi Agassani and myself (Mark Lizar).

Incredibly, the report is quite short as Bill C27 failed basic digital privacy requirements: a) it fails to require the identity of the PII Controller Credential for surveillance and b) it doesn’t require any records of processing activities.

The report highlights some of the implications of this to the Digital Identity Industry and the security of Canadian data. It delves deeper assessing the integrity of the law in contrast to the international data privacy law framework and standards that are coming into force in 2024 or 2025.

To find out more about what is going on, check out the Digital Transparency Lab WHiSSPR Report Newsletter.

May 24, 2024 ANCR (Jedi Privacy Day) WG Report : For International Digital Security and Privacy Community

There is a critical lack of transparency in the use of digital identity technologies and the governance of personal data. Systemic transparency is lacking: who is processing your data, under what authority, to what purpose, to what benefit, and when is hidden. Current security and privacy engineering is for institutional and enterprise infrastructure, not for the individual. In the ANCR WG (Anchored Notice and Consent Receipt) we have worked to standardize transparency records and consent receipts.

Known as Records of Processing Activities (RoPAs), these records, which are owned and kept by the individual, anchor the state of security and privacy in the digital relationship. Standard records and receipts make it possible for the first time to overlay digital privacy over any notice, notification and sign, to enable consent-based rights and controls. An individual can use digital transparency to see the state of privacy and consent for all service providers, independently of them.

ANCR’s record framework is Consent by Design as it enables the PII Principal to self-identify, by adding multiple verified receipt-based credentials to a single credential, to provide the assurance required by a service, while still being anonymous.

Introduction 

Digital Transparency refers to Record and Receipt specifications for Record of Processing Activities (contributed as 27560 Consent Record Information Structure to JTC1/SC27/WG5 after 6 years of community group development at Identity Commons, called Identity Trust WG).

The study and specification of Consent by Design has been evolving at Kantara since the 2012 call for standards collaboration at the W3C - Do Not Track and Beyond conference. The transparency record and receipt model mimics secure currency exchanges by prioritizing the privacy principle of transparency and accountability over choice and consent, placing this as the first privacy principle (as opposed to the 4th in 29100) for PII Principal centric data trust and governance.

The work is contributed to the commons governance framework, which in its latest Commonwealth iteration is the Council of Europe’s Convention 108+ as the international legal adequacy baseline for transparency modalities required for security and privacy regulation. This is the foundation for internet-based data governance technologies to interoperate, using the PII Controller Notice Record and Credential to specifically govern identity management technology.

Our focus in the Kantara Initiative and the Digital Transparency Lab has been records and receipts, and to demonstrate how to govern mis-information in digital identity management standards using an ISO/IEC 29100 specified record framework.

Consent by Design is specified in a number of ways:

  • Digital Privacy Transparency, in which notice, notifications and disclosures are presented in a way that mimics how people handle notice, permission and consent in the physical world. In particular, humans manage consent while systems manage permission (an instance of a consented surveillance context).

  • The PII Controller notice record is standardized and used to generate a receipt, which is a verifiable credential. In this context the PII Controller automatically becomes the gatekeeper to PII (aka the relying party) to verify the digital relationship presented in the receipt.

  • Rather than identifying the individual up front and taking their metadata, the individual can define and present their own digital identity, identifiers and credentials according to context, using receipts as verified credentials, for security, safety and trust when interacting online. (AuthC)

  • A very Canadian approach, in that permission is first required to introduce a new purpose for consent, and the individual's consent is implied by engagement and captured in a notice record.

  • Notification and disclosure can be captured with a standard 29100-defined notice record and receipt.

  • Semantically standard with the W3C Data Privacy Legal Vocabulary, so as to be entirely machine-readable legal semantics. Specified to GDPR, which mirrors Chapter 1 of the Convention 108+ Transparency Modalities.

  • For and services ANCR’s Records and receipts can be used to demonstrate compliance with Article 30 Records of Processing activities, and in Convention 108+. Article 80 Logging.

  • For individuals a receipt can be used to directly consent (and withdraw consent) to the PII Controller service according to context.

  • Like in real life, in physical interactions, the individual is anonymous to begin with, and in the first interaction with a PII Controller/service the sharing of data is through consensus and consent.

Standardised Digital Privacy Transparency (SDPT) is conceptualized much like bank accounts, in which every personal data processing activity is recorded, and where services provide a record to the bank and the receipt to the individual when interacting with currency.

SDPT requires that all surveillance, data processing, capture, and inference be identified and notified, with the risks of secondary and extra-territorial disclosure provided through notification just in time, prior to processing, dynamically in context, to provide high assurance.

Notice, notification and disclosure requirements for technologies performing internet-based governance functions are specified in Commonwealth International Privacy Convention 108+ and mirrored in the GDPR. These are legally specified to inform the individual about the identity of the PII Controller, if there is a DPO Delegate, for 1 of the 6 legal justifications for processing personal information, from the legal context of existing consent in common spaces (known as consensus).

SDPT as specified in the ANCR WG, takes into account Data Control, Data Protection, and whether or not the data trust is co-regulated, in order to measure how operational digital transparency is, assess technical risk and capacity for liability mitigation in a specific context.

Dear Members of JTC 1/SC27/WG 5 - WG Mirror Committee: Introducing the Transparency Performance Scheme

ANCR (Anchored, Notice and Consent Receipts) Standard Digital Privacy Transparency Record Framework for Consent by Design.

The ANCR WG contributed to the last JTC 1/SC27/WG5 meeting a number of items:

Attached here is the report presented in the 27568 sessions, and this can be found here. The 27568 PWI Report can be found at the link below (if you have credentials) with the TPS scheme posted on pg 69.

Project No. | Title | Due date
27568 (1.27.163) | PWI report Security and privacy of digital twins | 2024-04-29

The presentation of this work articulated how security and privacy can be digitally twinned for Age Assurance and Generative AI applications in order to enable governance through the use of digital identifier management technologies.

ANCR Transparency Performance Scheme (TPS)

This scheme (in draft on the ANCR wiki) is used to capture the presentation of required PII Controller Transparency information. This scheme is operated to capture information that is recorded into a conformant ISO/IEC 29100, 29184, 27560 record called the PII Controller Notice Record. This is then used to measure compliance with privacy laws and provide a standardised digital privacy transparency report.

For the most part we found that most transparency requirements are not operational in context; they are analogue privacy processes that need to be back-channelled, externalizing from the context of service delivery, making it impossible for an individual to access and use their rights in a digital context.

The TPS uses a scale that assesses the notice for how dynamically usable it is in context, to provide a contextual integrity measure of how reciprocal and proportionate digital privacy access is, as an indicator of risk. This is addressed with the use of standard digital privacy transparency (SDPT).

PII Controller Credential

Consent by design is enabled by using a PII Controller Notice Credential to decentralise the records, with a receipt, in that the individual is provided with a receipt in order to mitigate the liability and risk in data processing. In the common context a digital transparency receipt is provided when engaging with any type of sign or notice. This specifies a notice/sign enhancement for an inclusive record and receipt provisioning practice that is called a two factor notice (2FN). A 2FN uses an overlay capture architecture when interacting with a notice, notification and disclosure, to create a consent receipt, which can be used with consent to interact with the service autonomously.

In Summary

We submit the ANCR WG specifications as Consent by Design for Privacy by Default systems, which can be used to secure individual privacy, dramatically reduce risks, and enable the dynamic transfer of liability with authentication from consent.

The record and receipt framework is driven by identifying the provenance of personal data, and enabling PII Controller data processing transparency. Individuals who receive receipts for data processing are able to secure and manage the privacy of their own data themselves.

The ANCR framework for Consent Receipt tokenisation addresses mis-information, and uses ISO/IEC 29100 to define digital identity technologies using law and socially expected definitions. This enables the individual to interact with the privacy by default system, regardless of what legal justification is used to collect, process or access personal information.

The standard PII Controller record and its use as a consent receipt is specified using the ISO/IEC 29100 security and privacy framework, further specified in 27560, consent record information structure, and also published in the appendix of ISO/IEC 29184 Online privacy notice and consent framework.

To address Generative AI risks of deep fake, as well as assurance against mis-information, the consent receipt is produced with a registered controller record (a digital trust registry) and is registered in order to secure the accountability, provenance and transparency of personal identifiable information processing.

ANCR Work Group Presentation

0PN-DTL - ANCR Transparency Record Framework - Global Age Assurance April 13 2024 Manchester, UK

This presentation on the use of this framework was provided in Manchester at the Global Age Assurance Conference held in conjunction with the WG5 Plenary.  You can find this presentation here.

Presents on the risks of displacing human governance mechanism, the cause of those risks, and how standardized digital privacy transparency (SDPT) can address these risks for any privacy and surveillance context.

Introduces Standard Digital Privacy Transparency (SDPT), which is a standard PII Controller notice record and consent receipt practice for data governance. In the 0PN digital identity model security and privacy is digitally twinned (like in banking), and the model introduces a digital privacy framework where all data processing is recorded, logged and linked to a receipt which the individual keeps in their digital wallet.

Global Age Assurance Conference Presentation April 11

or here

https://youtu.be/QrJnFJFuv3g

Establishing the Commons Rule Book For Digital Identity: 

ANCR will be presenting the Digital Transparency at Think Digital @ Westminster in London, UK, June 11, covering the inclusive ANCR Record and Receipt Framework for the Digital Commons, international secure governance of digital identity and digital identity policy.

Presenting the Data Trust Commons Architecture for the PII Controller Notice Credential along with the Consent Receipt v2, Consent Tokens for Trustworthy Identity, and the ANCR Transparency Performance Scheme for scaling the data governance and regulation online, for regulators and policy makers. 

Presenting a New Digital Privacy & Trust Paradigm for Consent

Covering Digital Transparency Stack: For legislators and regulators 

  • PII Controller Credential, Addressing the inherent risks of un-regulated digital identity technology, wh 

  • ANCR Transparency Performance Scheme A record and receipt specifications apart of the 

  • The Use in Age Assurance, the Canadian Consent standards approach 

    • Kantara ANCR Comments Submitted to 27568-2 Age Assurance Benchmarking, to add a transparency record, and provide ‘when appropriate’ a consent receipt. 

  • ISO/IEC - 27091 - Security and Privacy in Gen AI with the Commons Data Trust Governance Model 

    • The ANCR WG, submitted through the Kantara ISO/IEC liaison a use case for implementing ANCR to address security and privacy risks in generative AI. (link)

Consent as Distributed and Decentralised Data Governance 

A new category of governance, in which the law record of notice and receipts for consent are standardised, fixing the semantics of security and identity which are deeply flawed with mis-information.

Technical Transparency is required to scale Digital Privacy, but it must be an open and international framework to scale trust.

  • Open international law and open, free-to-access international standards are required for digital transparency to scale.

The ANCR WG has been working on developing the technical specifications for the PII Controller notice record and consent receipt, which uses the ISO/IEC 29100 security and privacy framework standard, to specify digital transparency record and consent receipts for. Requests to open the Consent Record Structure, 27560 Consent Record Information Structure, which is based on the Kantara Consent Receipt, and the ISO/IEC 29184 Online Privacy notice and consent standard are currently being submitted and reviewed. The three standards can then be openly used to scale the ANCR Record and Receipt framework as the Commonwealth standard.

CJEU invalidates IAB Transparency and Consent Framework (TCF)

March 7, 2024 was a watershed moment for the digital privacy landscape. The landmark CJEU Judgment in Case C‑604/22 on the commercial Transparency and Consent Framework (TCF) set a new precedent, not just for online platforms, but for every entity processing personal data across the European Union. This judgment isn't a mere legal jargon shuffle; it redefines the intersection of personal data, consent, and accountability.

Navigating the New Normal of Data Privacy Governance in the Wake of the CJEU Judgment: What It Means for Digital Identity Industry.

A Groundbreaking Judgment for the Modern Digital World

The Court pronounced a robust perspective, broadening the scope of data controllership and emphasizing that it's not merely about the hands-on data processing but also about orchestrating the very purposes and means of processing.

March 7, 2024 - CJEU Judgment in Case C‑604/22 (IAB TCF)

The Broader Ramifications of Data Controllership

This interpretation effectively expands the circle of entities labeled as data controllers. It's not just about the literal data handlers; software-as-a-service (SaaS) providers and application platforms, by design, dictate the processing of data and thus shoulder the responsibilities of a joint controller.

Any service using I Agree - data protection agreements do not have valid consent.

Invalidating 'Processor' Claims

Platforms that have been traditionally leaning on Data Processing Agreements (DPAs) as a shield for their 'processor' status are now facing a crossroads—those agreements may need revision to accommodate their newly-established joint controllership. Digital Privacy is not a contract-based agreement framework; instead it uses law which stipulates contract as only one legal justification for processing, and this is usually B2B.

Extending Privacy Protection to All Digital Pavements

The jurisdiction of the judgment is not confined to web services. Mobile applications, desktop tools, and operating systems all fall under its purview, signifying that no digital domain shall be exempt from the stringent privacy principles this judgment upholds.

The Anchored Notice and Consent Receipt (ANCR) WG has approved a WG Draft Kantara Recommendation Transparency Performance Scheme (TPS) and Indicators (TPIs) and shared this with the Leadership Council for comment. The work addresses critical gaps in security and privacy by establishing and measuring standardized digital transparency and notice requirements based on the legal requirements that exist in all security and privacy frameworks. The conformance and compliance scheme and indicators are mapped directly to CoE 108+, which provides legal authority and provenance across nearly 50 countries, including signatories outside of Europe. Other mappings are underway. These tools are directly designed for use by people to be able to control their personal data, exercise their rights, and create their own records of processing activity (ROPA) independently of service providers and to be able to co-govern their data. In doing so it advances new vectors of governance of personal data control, and co-governance (complementing regulatory authorities' activities), in addition to data protection. The WG is co-sponsoring a symposium and hackathon September 22 - 24 in Montreal in combination with Quebec Bill 64 “An Act to modernize legislative provisions as regards the protection of personal information” which comes into force on 22 September.

📣 Announcing the Digital Freedom Project 🚀

by: Mark Lizar & Salvatore D'Agostino

Introducing Two Operational Transparency Tools to Govern the Capacity to Trust Digital Identity with Standards

In today's digital world, the agency of the individual is a critical requirement that is often missing. We need to address the current harms and imbalances by focusing on technology's directionality and who benefits from the system. This concept, also known as proportionate transparency, ensuring reciprocal data control, is useful to govern relationships in digital spaces and ensure that humans remain in control of their data flows. To achieve this, operational transparency becomes the key to activating agency, enabling us to move safely and freely in the digital landscape and establish trusted digital relationships.

While many "trust assurance" programs rely on static processes such as periodic audits, trust itself is dynamic. These programs primarily focus on the individual, providing information about them and tracking their every move. However, none of this data is shared with the individual, limiting the capacity for people to trust these digital relationships. This limitation hampers our digital freedoms, limiting our individual ability to see and control the flow of our own personal data in context.

Over the past decade, organizations like the Kantara Initiative, OpenConsent, Digital Transparency Lab, and Surveillance Trust have dedicated their efforts to transform this landscape. The Consent Receipt, initially designed to serve as a record of digital relationships, has revealed that what currently passes as consent online is actually permissions actioned by an 'I Agree' opt-in, with no proof that the 'User' has the minimum knowledge to be able to consent legally.

To address these challenges, we are thrilled to introduce two groundbreaking tools that prioritize human-centric record control that is proportionate and reciprocal. We clarify the functionality of the Consent Receipt by introducing the Notice Receipt as an authorization credential, which captures information about the Notice Controller.

This capture utilizes a Two Factor Notice (2FN) to generate a proof of knowledge record with two key components: (1) notice of who is accountable and (2) what their authority is to process PII. In addition, we offer tools to measure the timing, operational information, usability, and security of the notice. This empowers individuals to independently document their relationships, with the information required to evaluate them and use these records as evidence to access data rights.

With these tools in place, individuals can then create a Controller Notice Credential, allowing them to establish agency and transparency by asserting digital authority. They can use this credential to authenticate themselves. Importantly, the use of a Controller Credential for authentication control does not require the use of identifiers related to the individual. Instead, it focuses surveillance on the controller's identity, using a profile to check the legal status of the service in the context of data collection and processing to enable data privacy controls.

To delve deeper into these exciting developments, we (the ANCR WG + Digital Transparency Lab) are hosting a Summer Project with 3 Open ANCR WG meetings throughout the summer, with the next one scheduled for June 21.

We invite you to join us on this transformative journey towards building the human capacity to trust in digital identity standards. Together, we can shape a digital world that empowers individuals with operational transparency that provides you with agency, freedom, and trust. (For more information, click here)

The ANCR Report Jan 2023

The ANCR WG announces an Open Notice Controller Credential to champion the standardization of Digital Privacy Transparency. To mark the occasion, and our activities, we use the name Digital Privacy Day.

3 New Workstreams and Projects

  1. An Open Notice Controller: TPI Record & Credential. An Open Notice Controller Credential (ONCC) contains all the required information and guidance to embed required information for self-asserted digital privacy notice records.

    1. The ONCC is specified to CoE Convention 108+ and GDPR, and produces records which can be used for ISO/IEC 29184 (Online privacy notice and consent) conformity assessments. This furthers the work done in standards development to date with a specification for standard open digital privacy access with a digital privacy framework for PII Controllers.

  2. Transparency Performance Indicators, used to make a notice record and measure transparency performance

    1. The TPIs are used to create a digital privacy transparency record with the ISO/IEC 29100 privacy framework for definitions and terms.

  3. 2 Factor Concentric Notice (2FCN), used to generate a proof of notice record and an evidence of consent receipt, with a Notice Record or ONCC, depending on the stakeholder generating the record.

    1. A 2FCN is used to implement or enhance existing privacy service practices and is designed to replace terms and conditions with a consent receipt. It uses the core interoperable schema specification of the Consent Receipt V1.1.

Last Quarter Activity

The workgroup submitted comments to the Federal Trade Commission on its Advanced Notice of Proposed Rulemaking on Commercial Surveillance and Data Security, advocating for:

  • Introduction of the 2FCN.

  • Legislating rules for digital privacy that scale on the internet.

  • Educating about digital transparency technology for ‘co-regulation innovation’ through standardized digital transparency that provides decentralized data governance with notice and consent.

Community News

  • DataFund.io - Demos: Consent Receipt Suite

  • Mark Lizar takes on a role as an IEEE Sub-Committee Vice Chair for Data Flow and Control in the Human Context.

  • Jan 27, Digital Privacy Day Event: Hosted event inviting the IEEE Digital Privacy Community to participate in Sc1, and introducing the Kantara ANCR Specifications.


The ANCR WG specifications measure digital transparency performance and record it in a notice credential for a personal record of digital privacy. These are used to implement law is code transparency that supersede ‘terms and conditions’, ‘user licenses’, ‘privacy policies’ and ‘data sharing agreements’.

The ANCR WG is pleased to announce the WG effort to specify a PII Controller credential for enabling a standard for Digital Privacy Transparency that supports the operationalization of privacy by design service infrastructure. The effort here recognizes the gap in public benefit infrastructure on which this Notice Controller Credential is focused, specifying the publicly required privacy information elements in law and referenced standards to be an operationally co-regulated privacy credential. This refers specifically to standardized digital privacy transparency requirements that are directly regulated through international and national privacy laws.

The Open Notice Controller Record is specified to capture and record Transparency Performance Indicators (TPIs) that are specified separately from the Notice Controller Credential. The record is the minimum viable version of a credential, a digital transparency notice, or record. It is used for the individual to see at a glance the basic privacy performance of digital services.

The Open Notice Controller Credential builds upon the record, utilizing the international standard security and privacy framework of standards to provide space for architectures with broad data governance scope and interoperability. It is accretive to ISO 31700-1:2023(en) Consumer protection — Privacy by design for consumer goods and services — Part 1: High-level requirements. ISO/IEC 31700 updates the international privacy standard landscape, consolidating many references into a privacy by design framework to support next generation digital security and privacy engineering and data governance interoperability.

The controller credential contributes to this landscape by enhancing the digital privacy transparency requirements and their utility for conformance for use in digital privacy notice, notifications and disclosures.

It adds the next layer to the notice record and consent receipt framework for generating records of processing activities for people. It provides the capability for new network architectures, where micro-notice credentials can provide proof of digital notice and where consent receipt tokens are used for evidence of consent.

Its specified scope of authority is for the notice and its linked context. We are publishing a specification in the WG that can be self-asserted (our Level 0 Digital Privacy and Transparency) and for public use, including the ability to “broadcast” digital transparency enhancing dynamic digital notifications.

The Open Notice Controller Credential is specified to be a regulated controller credential by design using ISO/IEC 29100 security and privacy techniques and ISO/IEC 29184 privacy and security controls, cross-referenced and mapped to Convention 108+ and GDPR. These requirements have been nicely rolled up and further updated by ISO 31700-1:2023(en) Consumer protection — Privacy by design for consumer goods and services — Part 1: High-level requirements, encompassing the broader systems and process components that comprise self-evaluation for data protection.

By open, the Notice Controller Credential is designed to be Open +++

  1. Open for people, as a record for digital privacy transparency, Data Control Privacy, and Data Co-Regulation Privacy Risk Vectors,

  2. Open, in that it is specified to international standards and laws that are openly accessible, binding and interoperable with security and privacy best practices.

  3. Open for business - usable by people to access business service data directly (without intermediaries and for public benefit), increasing trust and value in a dynamic (personal) data economy. Data Governance (concentric) driven business, legal and technical frameworks.

[Updated: Feb 8, 2023]

I just created and uploaded a slide for the Kantara AGM coming up. Please take a look at PEMC_Update_Update_22-11-29 and be prepared to discuss on Wednesday’s call.

Shared Files and Links

The work group submitted the following response to the FTC, offering that the past, current and future work on notice and consent receipts and records can address many of the challenges presented in the Advanced Notice of Proposed Rulemaking on Commercial Surveillance and Data Security.

A wallet-less future?

1 big thing: The wallet-less future draws closer

Axios Login, Oct. 7 2022

The original article is here: https://www.axios.com/newsletters/axios-login-ffb597d1-6c80-44b7-9a05-cc24af374527.html?utm_source=newsletter&utm_medium=email&utm_campaign=newsletter_axioslogin&stream=top

On a recent trip to Seattle, I learned how tantalizingly close we are to being able to ditch our wallets.

Over two days, I managed to take two flights, check into a hotel room and pay for meals — all from my phone. Everything worked, but there were some asterisks involved.

Why it matters: We all forget our wallets sometimes, and many of us would like to leave them behind permanently, if possible.

How it happened: I thought I left my wallet at home. I realized this only after passing through airport security — otherwise I probably would have rushed home to get it.

  • I pay for Clear, the privately operated "speed your way through the security line" service, which meant I only needed my irises (or fingerprints) and my boarding pass.

  • I did some quick calculations and realized that I might be able to get through this short trip without a wallet. I wasn't renting a car, and Clear also operates in Seattle's airport for my return trip.

The big question mark was my hotel. But I was staying at a Hilton, which offers the ability to use your phone as a key — and, just as important in this context, to skip the usual check-in process requiring a driver's license and credit card.

  • Full disclosure: I did figure out I had my wallet with me during the San Francisco-to-Seattle flight. But I decided to shove it back in my backpack to see if I could avoid using it for the whole trip.

The big picture: While my experience relied on my Clear account and being a frequent hotel-goer, there are developments on the way that will make this document-free experience possible for far more people.

  • Most notably, Apple is beginning to allow people to store digital versions of their driver's license. (This is only available in Arizona and Maryland right now, and only certain airports are set up to accept such IDs.) More states are coming, and Google is working to support a similar capability in Android.

  • Government agencies are also moving toward more modern forms of identity, including U.S. Customs and Border Patrol, which is increasingly using biometrics rather than paper forms or kiosks to identify international travelers at airports.

  • A growing number of infrastructure providers are tapping the NFC chip on phones to allow access to buildings that previously would have required a physical key card.

Yes, but: Many of these conveniences come at the expense of sharing even more data — including highly personal biometrics — with third parties.

  • If the last few years have taught us anything, it's that companies aren't always good at safeguarding our data.

  • On top of all that, high-tech replacements for wallets and keys raise both privacy and equity concerns, especially if they are not thoughtfully designed.

Be smart: If you want to go walletless, or even just be better prepared for the day you forget yours, some prep work can help.

  • I already have my ATM and credit cards stored in Apple Pay, and I store photographs of my family's vaccine cards and health insurance cards in my phone. (Just putting them in a separate album in Photos makes them easy to find.)

  • A picture of your passport and driver's license, while not valid as an official substitute, can also help in many situations.

Please take a look at this post, originally published at Technometria - Issue #62

Using OpenID4VC for Credential Exchange; Technometria - Issue #62 by @windley http://news.windley.com/issues/using-openid4vc-for-credential-exchange-technometria-issue-62-1374264

Ma B, Zheng X, Zhao C, Wang Y, Wang D, Meng B (2022) A secure and decentralized SSI authentication protocol with privacy protection and fine-grained access control based on federated blockchain. PLoS ONE 17(9): e0274748. https://doi.org/10.1371/journal.pone.0274748

Abstract

Self-sovereign identity authentication protocol is an active research topic in the field of identity authentication and management. However, the current SSI authentication protocols pay little attention to privacy protection and fine-grained access control. Therefore, a secure and decentralized SSI authentication protocol with privacy protection and fine-grained access control is proposed. Firstly, the formal model of SSI including the SDPP-SSI identity model and management model is presented. And then, based on the federated blockchain, the distributed identifier is used as a global identifier for users in the decentralized domain. Finally, the verifiable statement is encapsulated using a policy control signature supporting privacy protection to develop the user’s access control for identity registration in the centralized domain. Compared with the related work (Lin 2018, Zhu 2018, Stokkink 2018, Hammudoglu 2017, Othman 2017, Abraham 2018, Guan 2019, Lin 2019) from controllability, security, flexibility, privacy protection, authentication and fine-grained access control, the proposed SSI authentication protocol not only meets controllability, authentication, and flexibility, but also supports privacy protection and fine-grained access control.


