[WG-InfoSharing] Reminder: tomorrow's call

Info@SS info at smartspecies.com
Fri Jun 28 17:54:26 UTC 2019


What a provoking response.

+1 — > fantastic synthesis - agree that consent is about this type of external/societal (root) power struggle. It’s fundamentally about control over personal data (autonomy) that is the tussle at the moment, I think it’s the same v. old power struggle in a different form. A receipt is a governance innovation and this type of self-sovereign innovation is a persistent activity in human history and why this WG is great.

Society (not just individuals) very much needs independent autonomous digital transparency for digital identity to be trustworthy, which is something I think most (if not all) people here might agree with.

- Mark 


> On 28 Jun 2019, at 17:21, Lisa LeVasseur <lalevasseur at ieee.org> wrote:
> 
> Thanks for all great feedback, gang!  I’m still reading and synthesizing.  One quick comment I want to make—and I’m reaching out to a legal expert for further clarification.  So I'll start off caveating this with  "I'm no lawyer but...."
>  
> Yes, we can describe signing a contract as “consenting” to the contract—though I think the more formal term would be “signing” or “executing” the contract.   I’m referring to Consent as a legal instrument, not an informal verb.  And I suggest that there are relevant differences between the legal instruments of Consent vs. Contract vs. License.   (again, not a lawyer....but seeking confirmation/clarification.)
>  
> Consent necessarily has to do with a proposal to a change in legal/ethical boundaries between two parties. (here’s the litmus test for that, btw:  you don’t need or ask for consent when you act in compliance with legal and ethical boundaries.)   You may say that in our current digital world, Consent is something else—a “formality” due to GDPR or something innocuous.  I respectfully disagree.  I suggest that Consent in our digital world actually is reflective of and acknowledging of breaching an ethical boundary vis a vis tracking and usage of personal information.   
>  
> Moreover, the Consent instrument favors the creator of the proposal—the recipient can only be reactive, and only has the choices offered by the proposer.  Online, only the Service Provider is equipped to make the proposal, and that’s where the asymmetry and power imbalance arise.  This is what I meant by saying that Consent is controlled by Service providers.
>  
> [As an aside, in the US, when the War on Drugs began under Reagan, police began the widescale practice/abuse of search and seizure through the use of Consent.  Instead of the previous practice of requiring a warrant [probable cause, etc.], now, stopping a person for a minor traffic violation afforded the police the ability to ask for consent to search the person and the car.  Well, who’s going to say no to an aggressive police officer?  There was even a case before the Supreme Court that tried to mandate that the police clearly state to people in that situation that they have the right to say no to the request for consent during the traffic stop or other situation.  It was struck down.  I share this because it amplifies the clear power imbalance between the proposer of consent over the recipient.  (and because I learned of it recently and it's really disturbing.)]
> 
> Lisa
> 
> On Fri, Jun 28, 2019 at 7:42 AM James Aschberger <james at onethingless.com> wrote:
> Thank you Lisa for preparing a great draft document as basis for an engaging discussion, and thank you Doc for outlining so comprehensively your thoughts. Like you, I truly believe in the concept of personal privacy agents (if that's the working title).
> 
>  
> 
> Three perspectives from me, maybe a bit provocative, but I hope to contribute to an engaging discussion 😊
> 
>  
> 
> I find "beyond consent" (page 1) a bit confusing, because even with personal privacy agents negotiating services / processes, the individual has to directly or indirectly provide her/his/their consent to the final proposed terms. A contract cannot be valid or legally binding unless consent from all contracting parties is given. In my understanding, "beyond consent" should be understood as how to better manage consent from individuals to business terms.
>  
> 
> I don't think that consent is solely controlled by enterprises (page 4). Individuals almost always have a choice not to consent and not to use a specific service. I have a choice to delete my Google account and use DuckDuckGo instead of Google Search. It's not as convenient to do so, but I do have a choice. Hence I disagree that consent reflects power asymmetry. To make my point: imagine that someone orchestrates a movement that gets all active Facebook users with residence in the EU to restrict data processing (no profiling, no automated decision-making). This would significantly disrupt and potentially cripple Facebook if users in other regions demanded the same right as granted under GDPR. So from my point of view, the issue is that people seek convenience and do not want to think too much about what they consent to because it is an opaque and complex topic that causes cognitive overload, so they push it into the background.
>  
> 
> I believe we should not underestimate the complexity of the evolutionary journey ahead of us, so Lisa is absolutely right to look until 2025 and beyond. People often do not make rational decisions, e.g. they are bad at assessing long-term risks and have brand preferences, which might interfere with a very rational privacy agent approach. To make a hypothetical example: I might be willing to tolerate less user-friendly privacy terms from BMW if I like the brand, but would not agree to the same terms in the automotive category if Ford proposed them to me. For an AI-based privacy agent solution to learn my preferences, that solution would essentially learn a lot about me, which makes it a nice target for hackers. And if I were to adjust all the settings in the relevant granularity, then I would be overwhelmed and not use the privacy agent. So we need to find the adequate user experience approach that gets individuals engaged on a sustainable basis in the first place.
>  
> 
> James
> 
>  
> 
> From: WG-InfoSharing <wg-infosharing-bounces at kantarainitiative.org> on behalf of Doc Searls <doc at searls.com>
> Date: Friday, 28 June 2019 at 01:07
> To: Lisa LeVasseur <lalevasseur at ieee.org>
> Cc: Information Sharing Work Group <wg-infosharing at kantarainitiative.org>
> Subject: Re: [WG-InfoSharing] Reminder: tomorrow's call
> 
>  
> 
> Here are some responses to text in the deck, starting with Slide 2, from which I'll quote here...
> 
> 
> 
> 
> European Policy /GDPR Consent
> In practice, Consent is an automatic click-thru with little user understanding.
> 
>  
> 
> I've been in Europe for two weeks (Spain, UK), occasionally comparing the experience of using the commercial Web here to the same in the U.S., using a VPN for the latter. Here are some ways the GDPR actually works. Or, more accurately, fails more awfully than what we had prior to the GDPR.
> 
>  
> 
> Example 1:
> 
>  
> 
> <image001.png>
> 
> This is Slate's total violation of the GDPR. There is no choice but to agree to be tracked for all the reasons they give—or to go away. That's the first violation. The second is forced agreement. There is no "consent" worthy of the noun.
> 
>  
> 
> When I look at Slate in the U.S. I see no notice at all. Also no trackers. (Privacy Badger spotted 46 when I took that screen shot in Spain.)
> 
>  
> 
>  
> 
> Example 2:
> 
> <image002.png>
> 
>  
> 
> Note the large OK and the tiny "x" for making it go away. The  GDPR requires that a notice like this should not be a gateway to the website (that's the Slate violation), and I suppose some ComputerWeekly readers know enough to click the little x. But clearly the site wants people to click the large "OK," so they can continue "personalizing content and advertising." Which means they get to continue tracking people, only now with "consent."
> 
>  
> 
> In other words, the site gets to kid itself (and regulators, they hope) into thinking they are complying with the letter of the GDPR while in fact they are utterly violating its spirit. But at least one can opt out of the whole thing with the little x—or maybe not. At that site, as we see, 17 trackers are loaded anyway. 
> 
>  
> 
> Yes, you can "manage your preferences," but they're not yours. And they're not managed by you, or meant to be managed by you. They are meant to coerce you into saying "the hell with it" and clicking "OK."
> 
>  
> 
>  
> 
> Example 3:
> 
>  
> 
> <image003.png>
> 
>  
> 
> McKinsey provides no choice at all, with this banner that persists on the page. What they obtain by this is not consent, but acquiescence to being tracked, which the GDPR was made to forbid.
> 
>  
> 
>  
> 
> Example 4:
> 
>  
> 
> <image004.png>
> 
>  
> 
> This one forces a simple choice, and to its credit makes the rejection button as big (but not as attractive to clicks) as the acceptance button. At least here, if you click on the former, it goes away.
> 
>  
> 
>  
> 
> Example 5:
> 
>  
> 
> <image005.png>
> 
> I've seen lots of these, "powered by Quantcast."
> 
>  
> 
> "Deny All" is nice but clearly "Accept and move on" is what the site prefers, and that means continuing to track people exactly as the GDPR would rather they not.
> 
>  
> 
> Now, let's dive into "Manage My Consents." It looks like this (on a popover page with no going-back option):
> 
>  
> 
> <image006.png>
> 
>  
> 
> Notice the scroll bar on the right. Here's what's actually there:
> 
>  
> 
> Information storage and access
> 
> The storage of information, or access to information that is already stored, on your device such as advertising identifiers, device identifiers, cookies, and similar technologies.
> 
> Off
> 
> Personalisation
> 
> The collection and processing of information about your use of this service to subsequently personalise advertising and/or content for you in other contexts, such as on other websites or apps, over time. Typically, the content of the site or app is used to make inferences about your interests, which inform future selection of advertising and/or content.
> 
> Off
> 
> Ad selection, delivery, reporting
> 
> The collection of information, and combination with previously collected information, to select and deliver advertisements for you, and to measure the delivery and effectiveness of such advertisements. This includes using previously collected information about your interests to select ads, processing data about what advertisements were shown, how often they were shown, when and where they were shown, and whether you took any action related to the advertisement, including for example clicking an ad or making a purchase. This does not include personalisation, which is the collection and processing of information about your use of this service to subsequently personalise advertising and/or content for you in other contexts, such as websites or apps, over time.
> 
> Off
> 
> Content selection, delivery, reporting
> 
> The collection of information, and combination with previously collected information, to select and deliver content for you, and to measure the delivery and effectiveness of such content. This includes using previously collected information about your interests to select content, processing data about what content was shown, how often or how long it was shown, when and where it was shown, and whether the you took any action related to the content, including for example clicking on content. This does not include personalisation, which is the collection and processing of information about your use of this service to subsequently personalise content and/or advertising for you in other contexts, such as websites or apps, over time.
> 
> Off
> 
> Measurement
> 
> The collection of information about your use of the content, and combination with previously collected information, used to measure, understand, and report on your usage of the service. This does not include personalisation, the collection of information about your use of this service to subsequently personalise content and/or advertising for you in other contexts, i.e. on other service, such as websites or apps, over time.
> 
> Off
> 
> THIRD PARTY VENDORS
> 
> Information storage and access
> 
> The storage of information, or access to information that is already stored, on your device such as advertising identifiers, device identifiers, cookies, and similar technologies.
> 
> View Companies
> 
> Off
> 
> Personalisation
> 
> The collection and processing of information about your use of this service to subsequently personalise advertising and/or content for you in other contexts, such as on other websites or apps, over time. Typically, the content of the site or app is used to make inferences about your interests, which inform future selection of advertising and/or content.
> 
> View Companies
> 
> Off
> 
> Ad selection, delivery, reporting
> 
> The collection of information, and combination with previously collected information, to select and deliver advertisements for you, and to measure the delivery and effectiveness of such advertisements. This includes using previously collected information about your interests to select ads, processing data about what advertisements were shown, how often they were shown, when and where they were shown, and whether you took any action related to the advertisement, including for example clicking an ad or making a purchase. This does not include personalisation, which is the collection and processing of information about your use of this service to subsequently personalise advertising and/or content for you in other contexts, such as websites or apps, over time.
> 
> View Companies
> 
> Off
> 
> Content selection, delivery, reporting
> 
> The collection of information, and combination with previously collected information, to select and deliver content for you, and to measure the delivery and effectiveness of such content. This includes using previously collected information about your interests to select content, processing data about what content was shown, how often or how long it was shown, when and where it was shown, and whether the you took any action related to the content, including for example clicking on content. This does not include personalisation, which is the collection and processing of information about your use of this service to subsequently personalise content and/or advertising for you in other contexts, such as websites or apps, over time.
> 
> View Companies
> 
> Off
> 
> Measurement
> 
> The collection of information about your use of the content, and combination with previously collected information, used to measure, understand, and report on your usage of the service. This does not include personalisation, the collection of information about your use of this service to subsequently personalise content and/or advertising for you in other contexts, i.e. on other service, such as websites or apps, over time.
> 
> View Companies
> 
> Off
> 
> OTHER
> 
> Google
> 
> Allow Google and their technology partners to collect data and use cookies for ad personalisation and measurement.
> 
> View Companies
> 
> Off
> 
>  
> 
> All defaulted to On.
> 
>  
> 
> Below that, in tiny blue type, is "See full vendor list," which is 510 companies long. Here are just the ones that start with the letter R:
> 
>  
> 
> R-Advertising
> R-TARGET
> Rakuten Marketing LLC
> Readpeak Oy
> Realeyes OÜ
> ReigNN Platform Ltd.
> Relay42 Netherlands B.V.
> remerge GmbH
> Research Now Group, Inc
> Revcontent, LLC
> Reveal Mobile, Inc
> RevLifter Ltd
> RevX Inc.
> Rezonence Limited
> RhythmOne, LLC
> Rich Audience
> RMSi Radio Marketing Service interactive GmbH
> Rockabox Media Ltd
> Rockerbox, Inc
> RockYou, Inc.
> Roq.ad GmbH
> RTB House S.A.
> RTK.IO <http://rtk.io/>, Inc
> RUN, Inc.
> 
>  
> 
> Now, let's say you "reject all." Or that you go through that list and decide who you don't and do want to be tracked by. Do you have any record of those settings? Nope, at least beyond whatever cookies might be recorded (likely in an unreadable form) in your browser. 
> 
>  
> 
> Clearly this is meant to preserve Business As Usual, which is all about tracking people.
> 
>  
> 
> Consent and Consent Management is solely controlled by Enterprises.
> 
> 
> To say the least, this is meaningful only in the sense that makes "consent" meaningless.
> 
>  
> 
>  
> 
> Continuing on Slide 2...
> 
>  
> 
> 2021
> 
>  
> 
> Meaningful Consent
> 
> Care is taken to ensure that users truly understand the ramifications of their consent.
> 
> Consent Management is still solely controlled by Enterprises.
> 
> 
> When there is only one controlling party and consent is in label only, it is not consensual.
> 
>  
> 
> To truly understand that you're being screwed isn't a big step beyond ignorance on the matter. It's also not especially meaningful.
> 
>  
> 
>  
> 
> Next...
> 
>  
> 
> 2023
> 
>  
> 
> User Supplied Terms
> 
> Tables are turned and users provide sharing terms to which Enterprises must indicate consent?
> 
>  
> 
> That date might be realistic, but I'd rather make it closer, if only for aspirational purposes.
> 
>  
> 
> I'm also not sure we need to turn tables. The status quo is worse than broken. What's proposed here is a better system: People signal their own terms, the simplest of which is "Don't track me off your site, for any purpose. Sign here and we'll both keep a copy."
> 
> 
> 
> 
> Consent Management provided by User Agents.
> 
>  
> 
> The agent needn't be a third party, or an intermediary, though those should be on the table as an option. Ideally, there would be a simple tool, such as a browser feature or add-on, or something new that works as simply as one of those.
> 
>  
> 
> And finally (on Slide 2)...
> 
>  
> 
> 2025
> 
> 
> Mutual Agreement / Service Negotiation
> 
> Consent is replaced with a Sharing (or Service) Negotiation process.
> 
> Consent Management provided by Intermediaries.
> 
>  
> 
> I think this can be part of the prior stage, and again not require intermediaries, at least for the simple stuff.
> 
>  
> 
> Okay, it's past midnight here in the UK, and we finally received the third of our three bags missing since Tuesday. The rest of the family is in bed and my noisy keyboard is keeping them awake. I think I may have covered enough anyway. 
> 
>  
> 
> Some closing thoughts...
> 
>  
> 
> First, starting with the current status quo, which is deeply corrupt and broken, is like starting with slavery as the infant stage of freedom. There is no "user respect" in this status quo. In fact there is long-standing contempt.
> 
>  
> 
> Second, though this is the InfoSharing WG, I think it will help to consider that, if one wishes not to be tracked, and an agreement is made about that, very little information needs to be shared. A choice is recorded and respected. If it's not respected, there are ways to resolve disputes in existence already (contract law, ODR <https://en.wikipedia.org/wiki/Online_dispute_resolution>). It doesn't need to be complicated, or framed as data exchange.
> 
>  
> 
> Third, (to me at least) Me2B is anchored with Me, not B. The vector of "to" goes from Me to B. It may end up as a mutual thing, but it's fundamentally about the individual having full agency, and the ability to make the first move. This is another reason why I don't see a path from the existing B-screws-Me system to Me2B. We need to start anew with Me2B and show how that's better for the Bs of the world than B-screws-Me has proven to be.
> 
>  
> 
> Doc
> 
> 
> 
> 
> On Jun 27, 2019, at 4:27 PM, Lisa LeVasseur <lalevasseur at ieee.org> wrote:
> 
>  
> 
> This is the drafty view of the evolution of consent to mutual agency, from a Me2B perspective.  Comments welcome.
> 
>  
> 
> On Wed, Jun 26, 2019 at 8:11 AM Jim Pasquale <jim at digi.me> wrote:
> 
> With many of the workgroup participants at Identiverse this week, tomorrow’s call will focus on drafting an update to the new charter for CIS.
> 
>  
> 
> Here are the call-in details:
> 
>  
> 
> GoToMeeting (GTM1)
> Please join my meeting from your computer, tablet or smartphone. 
> 
> https://global.gotomeeting.com/join/323930725
> 
> You can also dial in using your phone. 
> United States: +1 (669) 224-3318 
> 
> Access Code: 323-930-725 
> 
> More phone numbers 
> Australia: +61 2 9091 7603 
> Austria: +43 1 2530 22500 
> Belgium: +32 28 93 7002 
> Canada: +1 (647) 497-9376 
> Denmark: +45 32 72 03 69 
> Finland: +358 923 17 0556 
> France: +33 170 950 590 
> Germany: +49 692 5736 7300 
> Ireland: +353 15 360 756 
> Italy: +39 0 230 57 81 80 
> Netherlands: +31 207 941 375 
> New Zealand: +64 9 282 9510 
> Norway: +47 21 93 37 37 
> Spain: +34 932 75 1230 
> Sweden: +46 853 527 818 
> Switzerland: +41 225 4599 60 
> United Kingdom: +44 330 221 0097 
> 
>  
> 
> See you on the call.
> 
>  
> 
> 
> _______________________________________________
> WG-InfoSharing mailing list
> WG-InfoSharing at kantarainitiative.org
> https://kantarainitiative.org/mailman/listinfo/wg-infosharing
> <Beyond Consent_ Evolving to Mutual Agency in Me2B Relationship.pdf>
