Blog from December, 2021


The objective of AuthC (authorization from consent) is to create and maintain an active state of trust in surveillance with a special class of surveillance called digital identity for dynamic data control (diddc) to automate human governance.  The result must be the freedom to control your personal information, to choose who benefits from it, including ourselves, to be empowered with our own record of relationships.  

AuthC specifies a two factor notice (2FN) and two factor Notice for Consent (2FC) flow for presenting digital privacy transparency, accountability and rights access.  

2FN ->2FC  produces legal proofs (computational privacy) that can be used to enhanced access and mobility services so they can be better used directly by people.  regardless of physical or digtial technology or data governance providence (digi-space).  The specification for 2FN is designed to produce 'Privacy Assurance', (versus the existing framework of IAL, AAL, FAL), a new category of eConsent and identity management. 

The work builds on a decade of effort, much of it in Kantara workgroups. The Consent Receipt has been widely recognized and adopted, with iteration and implementations since the publication of the Consent Receipt and then its inclusion in the ISO/IEC 29184 annex. 

2FN -> 2FC  specifies how consent receipts be generated from a Notice Record to provide evidence of consent and can be used for any legal justification for processing personal data. Most importantly, AuthC presents how ANCR Records and Consent Receipts can be generated by either party (the PII Controller and the PII Principal) or by both stakeholders, for active state privacy and security. 

To learn more, check out initial document for 2FN for Data Governance 2FC for Data Controls

For a sneak preview, take a look at ANCR: Consent Receipt Section 1 - which is the work to specify the ANCR Notice Record Format for generating Notice and Consent Receipts - for PII Controller and Principal processing records

The first week of December, the Kantara Initiative ANCR WG was represented by Mark Lizar, the 2FC and Consent Receipt Specification author, who attended a Childrens AI Conference with MyData for Children hosted by Unicef Helsinki / Finland.  The focus was centred on the use, application and ethically / operational problems with AI and AI interaction for children with some deep dives into privacy and security challenges and benefits. 

Auspiciously, the same week the Data Governance Act was ratified in the EU, a good omen that these topics are finally starting to appear in more mainstream discourse.   A deep dive into both of the topics of children and AI highlighted that governance is needed for the processing of children' data, which provides the infrastructure for children's data to be entrusted for them. For this we advocated for co-regulatory type of governance, for children, parents and schools, overseen by Privacy Regulators.   

Core AI and ethical issues have been conflated, so it  difficult to know how control and consent over children's surveillance requires regulation of digital identity technology which provides which embed the rules that govern my child's data use.   

The AI topics produce questions around the role of a technical or legal intermediary and the control of personal data access and processing. The Data Governance Act looks to address these roles in practice.  Practices in which a consent receipt is required but missing personal record system, and which is used as a vehicle for safeguarding rights and data controls in processing supply chains.   Micro-credentials which can be managed in software systems with digital identity and access management technology.  The Data Governance  a credential wrapper for digital identifier management. 

In this WG's effort to address these core technical and governance issues 2FN and 2FC will work to separate technical permissions in the context of access management and human permission referred in this workgroup (and draft charter update) as 'purpose of use' management.  Distinguishing from identity management or online service provider implementation of consent with system centric permissions.  Made more difficult through a consolidated industry effort to conflate these two types of permission (as digital trust) for commercializing digital identity (session based micro- security services) as digital trust services, which insinuate a micro-technical operational impact on trust or privacy.

The 2FN proof of authorization before processing policy, is a policy control for the use of AI, and through discussion was conceived as tool for safeguarding children's privacy in AI.  The mirrored notice record standard : aka a Consent Receipt provides high quality, labelled data for people to manage their own micro-data and control its use and who benefits from this data when used as - meta-data.       Promoting an alternative to services t&Cs for children, youth, indigenous data sovereignty and education environments.   2FN before 2FC for processing sovereign data to address the data governance requirements and safeguard the use of meta-data for  data trusts - like school records with access management utilizing Consent Receipts.

Support the Children's Privacy Assurance Lab (Future Christmas Present) Policy . Micro-Data is Soverign Data, and requires data (and identity) trust, to be trustworthy by parents for a child's future.  

Resources and Links 

Unicef Released an Ethics/Policy Guide

Based on Guidance Research

Calls to Action:

Policies & Case Studies:

Scientific papers/related resources on the topic (AI & children / children’s rights / children’s participation / ...):

Research projects:

Technical Standards / Regulations


E-learning courses

Here is the workshop methodology UNICEF used to consult children on AI