Blog

In our work to support international flow of personal data, and to celebrate the OECD Guidelines,  which provides the International framing for instruments, like the Council of Europe 108 +, which is the reason for  International Privacy Day in the first place.     

This day not only provides a great opportunity to kick off the new year for ANCR WG with an updated Charter, set of goals, milestones and deliverables. 

Jan 28th 2022 Agenda

10:00 - 11:00

  • Intro to ANCR Record & Receipt
  • call for collaboration, the ANCR\ mission
  • AuthC for review by Data Protection Authorities,
  • Technical practice for governance codes of conduct to govern automated processing with digital identifier management systems and protocols.
  • Possible Panel (TBC)

11:00 - 12:00,

  • Inviting demo's,
  • presentations and use cases for any receipts. 

Audience 

  • Kantara Community, Regulators, Policy and Standards People
  • Related Community WG's


To Join, use this Zoom Link - https://zoom.us/j/91703794933?pwd=VTZRZng3SXh3UUt5YmJ2eVBXK0pWQT09

AuthC

The objective of AuthC (authorization from consent) is to create and maintain an active state of trust in surveillance with a special class of surveillance called digital identity for dynamic data control (diddc) to automate human governance.  The result must be the freedom to control your personal information, to choose who benefits from it, including ourselves, to be empowered with our own record of relationships.  

AuthC specifies a two factor notice (2FN) and two factor Notice for Consent (2FC) flow for presenting digital privacy transparency, accountability and rights access.  

2FN ->2FC  produces legal proofs (computational privacy) that can be used to enhanced access and mobility services so they can be better used directly by people.  regardless of physical or digtial technology or data governance providence (digi-space).  The specification for 2FN is designed to produce 'Privacy Assurance', (versus the existing framework of IAL, AAL, FAL), a new category of eConsent and identity management. 

The work builds on a decade of effort, much of it in Kantara workgroups. The Consent Receipt has been widely recognized and adopted, with iteration and implementations since the publication of the Consent Receipt and then its inclusion in the ISO/IEC 29184 annex. 

2FN -> 2FC  specifies how consent receipts be generated from a Notice Record to provide evidence of consent and can be used for any legal justification for processing personal data. Most importantly, AuthC presents how ANCR Records and Consent Receipts can be generated by either party (the PII Controller and the PII Principal) or by both stakeholders, for active state privacy and security. 

To learn more, check out initial document for 2FN for Data Governance 2FC for Data Controls

For a sneak preview, take a look at ANCR: Consent Receipt Section 1 - which is the work to specify the ANCR Notice Record Format for generating Notice and Consent Receipts - for PII Controller and Principal processing records




The first week of December, the Kantara Initiative ANCR WG was represented by Mark Lizar, the 2FC and Consent Receipt Specification author, who attended a Childrens AI Conference with MyData for Children hosted by Unicef Helsinki / Finland.  The focus was centred on the use, application and ethically / operational problems with AI and AI interaction for children with some deep dives into privacy and security challenges and benefits. 

Auspiciously, the same week the Data Governance Act was ratified in the EU, a good omen that these topics are finally starting to appear in more mainstream discourse.   A deep dive into both of the topics of children and AI highlighted that governance is needed for the processing of children' data, which provides the infrastructure for children's data to be entrusted for them. For this we advocated for co-regulatory type of governance, for children, parents and schools, overseen by Privacy Regulators.   

Core AI and ethical issues have been conflated, so it  difficult to know how control and consent over children's surveillance requires regulation of digital identity technology which provides which embed the rules that govern my child's data use.   

The AI topics produce questions around the role of a technical or legal intermediary and the control of personal data access and processing. The Data Governance Act looks to address these roles in practice.  Practices in which a consent receipt is required but missing personal record system, and which is used as a vehicle for safeguarding rights and data controls in processing supply chains.   Micro-credentials which can be managed in software systems with digital identity and access management technology.  The Data Governance  a credential wrapper for digital identifier management. 

In this WG's effort to address these core technical and governance issues 2FN and 2FC will work to separate technical permissions in the context of access management and human permission referred in this workgroup (and draft charter update) as 'purpose of use' management.  Distinguishing from identity management or online service provider implementation of consent with system centric permissions.  Made more difficult through a consolidated industry effort to conflate these two types of permission (as digital trust) for commercializing digital identity (session based micro- security services) as digital trust services, which insinuate a micro-technical operational impact on trust or privacy.

The 2FN proof of authorization before processing policy, is a policy control for the use of AI, and through discussion was conceived as tool for safeguarding children's privacy in AI.  The mirrored notice record standard : aka a Consent Receipt provides high quality, labelled data for people to manage their own micro-data and control its use and who benefits from this data when used as - meta-data.       Promoting an alternative to services t&Cs for children, youth, indigenous data sovereignty and education environments.   2FN before 2FC for processing sovereign data to address the data governance requirements and safeguard the use of meta-data for  data trusts - like school records with access management utilizing Consent Receipts.

Support the Children's Privacy Assurance Lab (Future Christmas Present) Policy . Micro-Data is Soverign Data, and requires data (and identity) trust, to be trustworthy by parents for a child's future.  

Resources and Links 

Unicef Released an Ethics/Policy Guide

https://www.unicef.org/globalinsight/reports/policy-guidance-ai-children

Based on Guidance Research

https://www.unicef.org/globalinsight/reports/childrens-rights-design-new-standard-data-use-tech-companies

Calls to Action:

Policies & Case Studies:

Scientific papers/related resources on the topic (AI & children / children’s rights / children’s participation / ...):


Research projects:


Technical Standards / Regulations

Initiatives

E-learning courses



Here is the workshop methodology UNICEF used to consult children on AI https://drive.google.com/drive/folders/1IVh4DTNnFpNeLTLY1c3dX0LmAuO3y6Tu

ANCR Aweigh!


The ANCR WG has kicked off its work to update the Kantara Consent Receipt Specification v1.1. The current specification is included in ISO/IEC 29184 Online Privacy Noticies and Consent as Appendia B. The workgroup brings together the same community of experts armed with increased global requirements to address critical issues we face with consent across physical and digital space and the opportunity to leverage the notice  and consent receipts for decentralized controls and interoperability in the delivery identity and surveillance governance. The ANCR WG is working with and leveraging the important and sympathetic work across the consent community. In our kick off  before the formal start of the work group we brought together leaders of the global consent community. We look forward to facilitating collaboration and input into the WG.  We have created a file repository where we have our drafts for the WG effort framework and the receipt fields as well as videos of presentations.