Kantara Initiative ANCR WG Report to JTC 1/SC27/WG 5 Mirror Committee

Dear Members of JTC 1/SC27/WG 5 - WG Mirror Committee: Introducing the Transparency Performance Scheme

ANCR (Anchored, Notice and Consent Receipts) Standard Digital Privacy Transparency Record Framework for Consent by Design.

The ANCR WG contributed to the last JTC 1/SC27/WG5 meeting a number of items:

Attached here is the report presented in the 27568 sessions, and this be found here,. The 27568 PWI Report can be found at the link below (if you have credentials) with the TPS scheme posted on pg 69.

 

Project No.

Title

Due date

27568 (1.27.163)

PWI report Security and privacy of digital twins

2024-04-29

The presentation of this work articulated how security and privacy can be digitally twinned for Age Assurance and Generative AI applications in order to enable governance through the use of digital identifier management technologies.

ANCR Transparency Performance Scheme (TPS)

This scheme (in draft on the ANCR wiki) is used to capture the presentation of required PII Controller Transparency information.  This scheme is operated to capture information that is recorded into a conformant ISO/IEC 29100, 29184, 27560 record called the PII Controller Notice Record    This is then used to measure compliance with privacy laws and provide a standardised digital privacy transparency report.

For the most part we found that most transparency requirements are not operational in context, they are analogue privay process that need to be back channelled externalizing form the context of service delivery, making it impossible for an individual to access and use their rights in a digital context.

 The TPS uses a scale that assesses the notice for how dynamically usable in context, to provide a contextual integrity measure of reciprocal and proportionate digital privacy access is as indicator of risk.   Addressed with the use of standard digital transparency privacy transparency (SDPT). 

PII Controller Credential

Consent by design is enabled by using a PII Controller Notice Credential to decentralised the records, with a receipt.  In that individual is provided with a receipt in order to mitigate the liability and risk in data processing.  In the common context a digital transparency receipt is provided when engaging with any type of  sign or notice,  This specifies for  a notice/sign enhancement for an inclusive record and receipt provisioning practice, that is a called a two factor notice (2FN). A 2FN uses an overlay capture architecture  when interacting with a notice, notification and disclosure, to create a consent receipt, which can be used with consent to interact with the service autonomously.

In Summary

We submit the ANCR WG specifications as Consent by Design for Privacy by Default systems, which can be used to secure individual privacy, dramatically reduce risks, enable the dynamic transfer of liability with authentication from consent.

The record and receipt framework is driven by identifying the providence of personal data, and enabling PII Controller data processing transparency. Individuals who receive receipts for data processing are able to secure and manage the priavcy of their own data themselves.

The ANCR framework for Consent Receipt tokenisation address mis information, and uses ISO/IEC 29100 to define digital identity technologies using law and socially expected definitions. This enables the individual to interact with the privacy by default system, regardless of what legal justification is used to collect, process or access personal information.

The standard PII Controller record and its use as a consent receipt, is specified using ISO/IEC 29100 security and privacy framework, and  further specified in 27560, consent record information structure, is also published in the appendix of ISO/IEC 29184 Online privacy notice and consent framework.

To address Generative AI risks of deep fake, as well as assurance against mis-information the consent receipt is produced  with a registered controller record, (a digital trust registry) and is registered  in order to secure the accountability, providence and  transparency of personal identifiable information processing

ANCR Work Group Presentation

0PN-DTL - ANCR Transparency Record Framework - Global Age Assurance April 13 2024 Manchester, UK

This presentation on the use of this framework was provided in Manchester at the Global Age Assurance Conference held in conjunction with the WG5 Plenary.  You can find this presentation here.

Presents on the risks of displacing human governance mechanism, the cause of those risks, and how standardized digital privacy transparency (SDPT) can address these risks for any privacy and surveillance context.

Introduces Standard Digital Privacy Transparency (SDPT) which is a standard PII Controller notice record and consent receipt practice for data governance. In the 0PN digital identity model security and privacy is digitally twinned (like in banking) and introudess a digital privacy framework where all data processing is recorded, logged and linked to a receipt which the individual keeps in their digital wallet. 

Global Age Assurance Conference Presentation April 11

or here

https://youtu.be/QrJnFJFuv3g