[WG-P3] Final Call: Input to OECD panel on Fostering Innovation in Privacy Protection
Iain Henderson
iain.henderson at mydex.org
Thu Oct 14 16:10:58 EDT 2010
Hi Trent,
Here are my thoughts.
1. What technical innovations offer promise for giving individuals easier access to and control over information about them?
Various bits and pieces like u-Prove and information cards will help, but only if they are deployed at scale, and that implies enough resource put into designing and explaining the user experience. I personally believe that the most promising innovation will be the personal data store, obviously this is technical innovation, but also new processes, new business models and ultimately a new class of data. All of this is explained in more detail in the attached paper. That said, it is not so much the personal data store that makes the real difference, it will be the applications that build on top of the PDS that make the difference. These apps may well be powered by the likes of u-Prove and Information Cards, although the tech won't get lead billing; if apps exist that allow people to get things done in an efficient, inexpensive, privacy-protecting way then they will come to be strong in the market.
2. What are the incentives and barriers for innovating privacy tools and what are challenges to successful deployment?
The biggest incentive is the release in value that comes from enabling volunteered personal information to flow (i.e. the stuff that the current tick box and 55 page privacy policies prevent); again more detail on that big picture in the paper.
The biggest barriers are likely to be inertia amongst individuals, and feet dragging and resistance amongst some organisations (public and private sector) which have a vested interest in maintaining the status quo.
3. What is the role of technological innovation within a broader framework for privacy protection?
That's a difficult one, PETs won't win the arms race against the data grabbers, so better to look at approaches that are not head on.
General talking points on Fostering Innovation in Privacy Protection as well as specific points regarding these questions would be very useful.
I think there is a useful discussion to be had around 'where should an individual keep their data', in terms of what country? If we can engineer a race to the top to establish a strong privacy protecting and data enabling regime because countries think they will do well economically out of it then that must be a good thing. There are certainly some countries already starting to look at this issue.
Hope that helps.
Cheers
Iain
On 14 Oct 2010, at 17:31, J. Trent Adams wrote:
>
> All -
>
> So far, I have seen only the responses from Jeff and Mark (copied below)
> to Christine's request for input she can use as talking points at the
> upcoming OECD meeting on "The Evolving Role of the Individual in Privacy
> Protection: 30 Years After The OECD Privacy Guidelines". Specifically,
> she will be on the "Fostering Innovation in Privacy Protection" panel.
>
> Are there any more comments that should be considered? They will be
> submitted early next week to the Internet Technical Advisory Council
> (ITAC). That group will then finalize the set of "official" input from
> all member groups that Christine will represent on our collective behalf.
>
> Please let me (or Christine) know if you have any questions.
>
> Thanks,
> Trent
>
>
> ----------
>
> j stollman wrote:
>> In my view the most promising technical innovation in the area of
>> privacy is the set of Credentica patents that Microsoft purchased and
>> made available to the world as their U-Prove technology. These hold
>> the potential of allowing an individual to selectively share claims
>> substantiated by a credible third party (IdP) with Relying Parties
>> (RP). The Credentica technology allows the RP to verify both that the
>> claims were sent by the Subject and validated by the IdP.
> ----------
>
> Mark Lizar wrote:
>
>> *The Need for Digital Notice*
>>
>> As you may or may not be aware there is an OECD Privacy conference
>> this month in which the W3C (I believe) has the opportunity to
>> contribute input. Regardless, I would like to raise the issue of
>> digital Notice and its role in the development of public privacy to
>> this list and if possible through this list to the OECD.
>>
>> For this reason I wanted to highlight further the idea of a subject
>> access API and the role of Notice to regulators
>> globally. Fundamentally, digital notice is needed for people to
>> understand privacy impacts or to engage in controlling their
>> information sharing and privacy. Perhaps this is something this
>> list might be interested in discussing? My hope is that this can be
>> done in view of providing a request, asking the OECD to provide
>> regulator guidance, which enforces and evolves digital data protection
>> regulation to a minimum /digital/ standard for legal notice. As you
>> may or may not be aware at this time the legal infrastructures do not
>> support digital notice and as a result there is no core legal
>> infrastructure for the social web. This is a big problem and I
>> believe this is the source of many issues we face in public privacy
>> today.
>>
>> The specific OECD topic:
>>
>>> /The Evolving Role of the Individual in Privacy Protection: /
>>>
>>
>> Critically in both privacy protection and public identity management
>> the quality of /notice/ (a.k.a. transparency), greatly impacts on the
>> quality of consent and control people need to have to effectively
>> manage their own identity and privacy.
>>
>> In this respect, I am looking for a Public Privacy recommendation to
>> the OECD asking them to provide regulatory guidance and evolve
>> existing data protection regulation in a way that supports a digital
>> standard of notice.
>>
>> From a rights perspective, without a minimal digital standard of
>> notice, data subject access to information is disproportionate to the
>> technical methods which are being used to harvest personal data. This
>> makes it difficult for an individual (and the W3C) to develop control
>> and trust in the use of digital identity. (violating rights and
>> crippling the social internet) In this regard I am looking for ITAC to
>> ask the OECD to include these two points in their guideline review:
>>
>> Evolve the existing data protection to include:
>> 1. digital (proportional) ability for data subjects to access
>> institutionally held information. (e.g. no mandatory written requests
>> if possible)
>> 2. ability for a subject to give a digital notice to control the
>> collection, use, and revocation of information shared digitally with a
>> service provider.
>>
>> *Talking Points*
>> To champion and advocate this issue I would go so far as to assert
>> that a high standard quality in notice would go a long way to solving
>> many internet privacy and trust framework issues in identity
>> management. In addition, I assert that a higher quality of notice
>> would have a tremendous impact on the social and creative expression
>> across the internet, positively impacting the Internet economy and
>> facilitating global interoperability of personal data control
>> architecture. (e.g. Open social use of the web, live identity, real
>> time integration of actual data, standard observability over time,
>> internet of things, etc.)
>>
>> The bottom line, the use of information age identity management with
>> industrial aged notice is a rights concern. A concern that promotes
>> inequality of access to information as the existing quality of notice
>> is not sufficient enough for the average data subject to understand
>> privacy on the network layer.
>>
>>
>>> 1. What technical innovations offer promise for giving individuals
>>> easier access to and control over information about them?
>>
>> Digital notice for subject access and digital subject notice to and
>> from organisations
>>>
>>> 2. What are the incentives and barriers for innovating privacy tools
>>> and what are challenges to successful deployment?
>> The incentives are accessibility, education, access and control of
>> information independent of service providers,
>> - Notices are inherently legal and are also an explicit component of
>> consent. With no legal quality of notice enforced the law and
>> consent lack trust and integrity needed for the social web.
>>
>>>
>>> 3. What is the role of technological innovation within a broader
>>> framework for privacy protection?
>>
>> Digital notice would provide road signs for an internet of services at
>> a regulatory level this is a needed mechanism for technological
>> interoperability. The subsequent transparency enables the development
>> of tools so people can not only see privacy impacts but also evolve
>> control over their information.
>>
>> - With a standard in digital notice issues lack un-usable terms of
>> service, and lack of internet policy infrastructure can be
>> comprehensively addressed.
>> - Notice is an implicit component of informed consent
>> - Notices are inherently legal as they are "one sided legally binding
>> demarcations."
>>
>> Best Regards,
>>
>> Mark Lizar
> ----------
>
>
> --
> J. Trent Adams
> =jtrentadams
>
> Profile: http://www.mediaslate.org/jtrentadams/
> LinkedIN: http://www.linkedin.com/in/jtrentadams
> Twitter: http://twitter.com/jtrentadams
>
> _______________________________________________
> WG-P3 mailing list
> WG-P3 at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-p3
Iain Henderson
iain.henderson at mydex.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: The Case for Personal Information Empowerment - The rise of the personal data store - A Mydex White paper September 2010 Final.pdf
Type: application/pdf
Size: 1724988 bytes
Desc: not available
Url : http://kantarainitiative.org/pipermail/wg-p3/attachments/20101014/2bc45501/attachment-0001.pdf