[WG-InfoSharing] Reminder: tomorrow's call

Andrew Hughes andrewhughes3000 at gmail.com
Sat Jun 29 12:43:41 UTC 2019


Doc writes:
*Assent is one example; but the most appropriate one is acquiescence. When
we click "agree" to continued tracking, as the examples I give below urge
us to do, we are not consenting, but rather acquiescing.*

The specification family is being slightly rejigged to accommodate a more
neutral usage... I am hopeful that by establishing a “Personal Data
Receipt” specification (from which the Consent Receipt Specification is a
profile) implementers can find many ways to use the concept.

Although, “Tracking Cookie Acquiescence Receipt” might be a bit
provocative.  ;-)


On Sat, Jun 29, 2019 at 8:28 AM Doc Searls <doc at searls.com> wrote:

>
> On Jun 28, 2019, at 6:54 PM, Info at SS <info at smartspecies.com> wrote:
>
> What a provoking response.
>
>
> I agree.
>
> +1 — > fantastic synthesis - agree that consent is about this type of
> external/societal (root) power struggle. It’s fundamentally about control
> over personal data (autonomy) that is the tussle at the moment, I think
> it’s the same v. old power struggle in a different form. A receipt is a
> governance innovation and this type of self-sovereign innovation is a
> persistent activity in human history and why this WG is great.
>
>
> Not sure I follow, but instinctively I take your points.
>
> An additional thought: If we are talking *only* about consent, we remain
> stuck inside the walls of the early default winner in that power struggle.
> This is why I think Lisa's points below are very well made. More about
> those below.
>
> Society (not just individuals) very much needs independent autonomous
> digital transparency for digital identity to be trustworthy, which is
> something I think most (if not all) people here might agree with.
>
> - Mark
>
> On 28 Jun 2019, at 17:21, Lisa LeVasseur <lalevasseur at ieee.org> wrote:
>
> Thanks for all great feedback, gang!  I’m still reading and synthesizing.
> One quick comment I want to make—and I’m reaching out to a legal expert for
> further clarification.  So I'll start off caveating this with  "I'm no
> lawyer but...."
>
>
> Yes, we can describe signing a contract as “consenting” to the
> contract—though I think the more formal term would be “signing” or
> “executing” the contract.
>
>
> Indeed. Great point.
>
> I’m referring to Consent as a legal instrument, not an informal verb.  And
> I suggest that there are relevant differences between the legal instruments
> of Consent vs. Contract vs. License.   (again, not a lawyer....but seeking
> confirmation/clarification.)
>
>
> Another.
>
> Consent necessarily has to do with a proposal to a change in legal/ethical
> boundaries between two parties. (here’s the litmus test for that, btw:  you
> don’t need or ask for consent when you act in compliance with legal and
> ethical boundaries.)
>
>
> You may say that in our current digital world, Consent is something else—a
> “formality” due to GDPR or something innocuous.  I respectfully disagree.
> I suggest that Consent in our digital world actually is reflective of and
> acknowledging of breaching an ethical boundary vis a vis tracking and usage
> of personal information.
>
>
> Moreover, the Consent instrument favors the creator of the proposal—the
> recipient can only be reactive, and only has the choices offered by the
> proposer.  Online, only the Service Provider is equipped to make the
> proposal, and that’s where the asymmetry and power imbalance arise.  This
> is what I meant by saying that Consent is controlled by Service providers.
>
>
> Good analysis!
>
> Worth noting is that there are other verbs that apply to the current ways
> the GDPR is at most only partially obeyed.
>
> *Assent* is one example; but the most appropriate one is *acquiescence*.
> When we click "agree" to continued tracking, as the examples I give below
> urge us to do, we are not consenting, but rather acquiescing.
>
> This is one reason I worry about getting a receipt called "consent" for
> what amounts to acquiescence. This risks rationalizing misdirection, and
> therefore only makes the status quo worse. And, BTW, in making this point I
> am not criticizing the consent receipt work done by the good people here,
> but rather pointing toward a risk in one possible application of it. We
> do need to bear in mind that all new, well... anything... risks
> misapplication, as Lisa points out well in this paragraph here:
>
> [As an aside, in the US, when the War on Drugs began under Reagan, police
> began the widescale practice/abuse of search and seizure through the use of
> Consent.  Instead of the previous practice of requiring a warrant [probable
> cause, etc.], now, stopping a person for a minor traffic violation afforded
> the police the ability to *ask for consent* to search the person and the
> car.  Well, who’s going to say no to an aggressive police officer?  There
> was even a case before the supreme court that tried to mandate that the
> police clearly state to people in that situation that they have the right
> to say no to the request for consent during the traffic stop or other
> situation.  It was struck down.  I share this because it amplifies the
> clear power imbalance between the proposer of consent over the recipient.
> (and because I learned of it recently and it's really disturbing.)]
>
> Lisa
>
>
> Thanks, all.
>
> I'll be fresh off a plane from the UK before the call on Monday, but I'll
> try my best to make it.
>
> Doc
> (Writing over a tethered phone in an ancient stone barn on this hill here
> <https://www.google.com/search?q=round+hill+kelston>.)
>
>
> On Fri, Jun 28, 2019 at 7:42 AM James Aschberger <james at onethingless.com>
> wrote:
>
>> Thank you Lisa for preparing a great draft document as basis for an
>> engaging discussion, and thank you Doc for outlining so comprehensively
>> your thoughts. Like you, I truly believe in the concept of personal privacy
>> agents (if that's the working title).
>>
>>
>>
>> Three perspectives from me, maybe a bit provocative, but I hope to
>> contribute to an engaging discussion 😊
>>
>>
>>
>>    1. I find "beyond consent" (page 1) a bit confusing, because even
>>    with personal privacy agents negotiating services / processes, the
>>    individual has to directly or indirectly provide her/his/their consent to
>>    the final proposed terms. A contract cannot be valid or legally binding
>>    unless consent from all contracting parties is given. In my understanding,
>>    "beyond consent" should be understood as *how to better manage
>>    consent from individuals to business terms*.
>>
>>
>>
>>    2. I don't think that consent is solely controlled by enterprises
>>    (page 4). Individuals almost always have a choice *not to consent*
>>    and not to use a specific service. I have a choice to delete my Google
>>    account and use DuckDuckGo instead of Google Search. It's not as convenient
>>    to do so, but I do have a choice. Hence I disagree that consent reflects
>>    power asymmetry. To make my point: imagine that someone orchestrates a
>>    movement that gets all active Facebook users with residence in the EU to
>>    restrict data processing (no profiling, no automated decision-making). This
>>    would significantly disrupt and potentially cripple Facebook if users in
>>    other regions demanded the same right as granted under GDPR. So from my
>>    point of view, the issue is that people seek convenience and do not want to
>>    think too much about what they consent to because it is an opaque and
>>    complex topic that causes cognitive overload, so they push it into the
>>    background.
>>
>>
>>
>>    3. I believe we should not underestimate the complexity of the
>>    evolutionary journey ahead of us, so Lisa is absolutely right to look until
>>    2025 and beyond. People often do not make rational decisions, e.g. they are
>>    bad at assessing long-term risks and have brand preferences, which might
>>    interfere with a very rational privacy agent approach. To make a
>>    hypothetical example: I might be willing to tolerate less user-friendly
>>    privacy terms from BMW if I like the brand, but would not agree to the same
>>    terms in the automotive category if Ford proposed them to me. For an
>>    AI-based privacy agent solution to learn my preferences, that solution
>>    would essentially learn a lot about me, which makes it a nice target for
>>    hackers. And if I were to adjust all the settings in the relevant
>>    granularity, then I would be overwhelmed and not use the privacy agent. So
>>    we need to find the adequate user experience approach that gets individuals
>>    engaged on a sustainable basis in the first place.
>>
>>
>>
>> James
>>
>>
>>
>> *From:* WG-InfoSharing <wg-infosharing-bounces at kantarainitiative.org> on
>> behalf of Doc Searls <doc at searls.com>
>> *Date:* Friday, 28 June 2019 at 01:07
>> *To:* Lisa LeVasseur <lalevasseur at ieee.org>
>> *Cc:* Information Sharing Work Group <
>> wg-infosharing at kantarainitiative.org>
>> *Subject:* Re: [WG-InfoSharing] Reminder: tomorrow's call
>>
>>
>>
>> Here are some responses to text in the deck, starting with Slide 2, from
>> which I'll quote here...
>>
>>
>>
>> European Policy /GDPR Consent
>> In practice, Consent is an automatic click-thru with little user
>> understanding.
>>
>>
>>
>> I've been in Europe for two weeks (Spain, UK), occasionally comparing the
>> experience of using the commercial Web here to the same in the U.S., using
>> a VPN for the latter. Here are some ways the GDPR actually works. Or, more
>> accurately, fails more awfully than what we had prior to the GDPR.
>>
>>
>>
>> Example 1:
>>
>>
>>
>> <image001.png>
>>
>> This is Slate's total violation of the GDPR. There is no choice but to
>> agree to be tracked for all the reasons they give—or to go away. That's the
>> first violation. The second is forced agreement. There is no "consent"
>> worthy of the noun.
>>
>>
>>
>> When I look at Slate in the U.S. I see no notice at all. Also no
>> trackers. (Privacy Badger spotted 46 when I took that screen shot in Spain.)
>>
>>
>>
>>
>>
>> Example 2:
>>
>> <image002.png>
>>
>>
>>
>> Note the large OK and the tiny "x" for making it go away. The  GDPR
>> requires that a notice like this should not be a gateway to the website
>> (that's the Slate violation), and I suppose some ComputerWeekly readers
>> know enough to click the little x. But clearly the site wants people to
>> click the large "OK," so they can continue "personalizing content and
>> advertising." Which means they get to continue tracking people, only now
>> with "consent."
>>
>>
>>
>> In other words, the site gets to kid itself (and regulators, they hope)
>> into thinking they are complying with the letter of the GDPR while in fact
>> they are utterly violating its spirit. But at least one can opt out of the
>> whole thing with the little x—or maybe not. At that site, as we see, 17
>> trackers are loaded anyway.
>>
>>
>>
>> Yes, you can "manage your preferences," but they're not yours. And
>> they're not managed by you, or meant to be managed by you. They are meant
>> to coerce you into saying "the hell with it" and clicking "OK."
>>
>>
>>
>>
>>
>> Example 3:
>>
>>
>>
>> <image003.png>
>>
>>
>>
>> McKinsey provides no choice at all, with this banner that persists on the
>> page. What they obtain by this is not consent, but acquiescence to being
>> tracked, which the GDPR was made to forbid.
>>
>>
>>
>>
>>
>> Example 4:
>>
>>
>>
>> <image004.png>
>>
>>
>>
>> This one forces a simple choice, and to its credit makes the rejection
>> button as big (but not as attractive to clicks) as the acceptance button.
>> At least here, if you click on the former, it goes away.
>>
>>
>>
>>
>>
>> Example 5:
>>
>>
>>
>> <image005.png>
>>
>> I've seen lots of these, "powered by Quantcast."
>>
>>
>>
>> "Deny All" is nice but clearly "Accept and move on" is what the site
>> prefers, and that means continuing to track people exactly as the GDPR
>> would rather they not.
>>
>>
>>
>> Now, let's dive into "Manage My Consents." It looks like this (on a
>> popover page with no going-back option):
>>
>>
>>
>> <image006.png>
>>
>>
>>
>> Notice the scroll bar on the right. Here's what's actually there:
>>
>>
>> Information storage and access
>>
>> The storage of information, or access to information that is already
>> stored, on your device such as advertising identifiers, device identifiers,
>> cookies, and similar technologies.
>>
>> *Off*
>> Personalisation
>>
>> The collection and processing of information about your use of this
>> service to subsequently personalise advertising and/or content for you in
>> other contexts, such as on other websites or apps, over time. Typically,
>> the content of the site or app is used to make inferences about your
>> interests, which inform future selection of advertising and/or content.
>>
>> *Off*
>> Ad selection, delivery, reporting
>>
>> The collection of information, and combination with previously collected
>> information, to select and deliver advertisements for you, and to measure
>> the delivery and effectiveness of such advertisements. This includes using
>> previously collected information about your interests to select ads,
>> processing data about what advertisements were shown, how often they were
>> shown, when and where they were shown, and whether you took any action
>> related to the advertisement, including for example clicking an ad or
>> making a purchase. This does not include personalisation, which is the
>> collection and processing of information about your use of this service to
>> subsequently personalise advertising and/or content for you in other
>> contexts, such as websites or apps, over time.
>>
>> *Off*
>> Content selection, delivery, reporting
>>
>> The collection of information, and combination with previously collected
>> information, to select and deliver content for you, and to measure the
>> delivery and effectiveness of such content. This includes using previously
>> collected information about your interests to select content, processing
>> data about what content was shown, how often or how long it was shown, when
>> and where it was shown, and whether the you took any action related to the
>> content, including for example clicking on content. This does not include
>> personalisation, which is the collection and processing of information
>> about your use of this service to subsequently personalise content and/or
>> advertising for you in other contexts, such as websites or apps, over time.
>>
>> *Off*
>> Measurement
>>
>> The collection of information about your use of the content, and
>> combination with previously collected information, used to measure,
>> understand, and report on your usage of the service. This does not include
>> personalisation, the collection of information about your use of this
>> service to subsequently personalise content and/or advertising for you in
>> other contexts, i.e. on other service, such as websites or apps, over time.
>>
>> *Off*
>>
>>
>>
>> *THIRD PARTY VENDORS*
>> Information storage and access
>>
>> The storage of information, or access to information that is already
>> stored, on your device such as advertising identifiers, device identifiers,
>> cookies, and similar technologies.
>>
>> View Companies
>>
>> *Off*
>> Personalisation
>>
>> The collection and processing of information about your use of this
>> service to subsequently personalise advertising and/or content for you in
>> other contexts, such as on other websites or apps, over time. Typically,
>> the content of the site or app is used to make inferences about your
>> interests, which inform future selection of advertising and/or content.
>>
>> View Companies
>>
>> *Off*
>> Ad selection, delivery, reporting
>>
>> The collection of information, and combination with previously collected
>> information, to select and deliver advertisements for you, and to measure
>> the delivery and effectiveness of such advertisements. This includes using
>> previously collected information about your interests to select ads,
>> processing data about what advertisements were shown, how often they were
>> shown, when and where they were shown, and whether you took any action
>> related to the advertisement, including for example clicking an ad or
>> making a purchase. This does not include personalisation, which is the
>> collection and processing of information about your use of this service to
>> subsequently personalise advertising and/or content for you in other
>> contexts, such as websites or apps, over time.
>>
>> View Companies
>>
>> *Off*
>> Content selection, delivery, reporting
>>
>> The collection of information, and combination with previously collected
>> information, to select and deliver content for you, and to measure the
>> delivery and effectiveness of such content. This includes using previously
>> collected information about your interests to select content, processing
>> data about what content was shown, how often or how long it was shown, when
>> and where it was shown, and whether the you took any action related to the
>> content, including for example clicking on content. This does not include
>> personalisation, which is the collection and processing of information
>> about your use of this service to subsequently personalise content and/or
>> advertising for you in other contexts, such as websites or apps, over time.
>>
>> View Companies
>>
>> *Off*
>> Measurement
>>
>> The collection of information about your use of the content, and
>> combination with previously collected information, used to measure,
>> understand, and report on your usage of the service. This does not include
>> personalisation, the collection of information about your use of this
>> service to subsequently personalise content and/or advertising for you in
>> other contexts, i.e. on other service, such as websites or apps, over time.
>>
>> View Companies
>>
>> *Off*
>>
>>
>>
>> *OTHER*
>> Google
>>
>> Allow Google and their technology partners to collect data and use
>> cookies for ad personalisation and measurement.
>>
>> View Companies
>>
>> *Off*
>>
>>
>>
>> All defaulted to On.
>>
>>
>>
>> Below that, in tiny blue type, is "See full vendor list," which is *510
>> companies long*. Here are just the ones that start with the letter R:
>>
>>
>>
>> R-Advertising
>> R-TARGET
>> Rakuten Marketing LLC
>> Readpeak Oy
>> Realeyes OÜ
>> ReigNN Platform Ltd.
>> Relay42 Netherlands B.V.
>> remerge GmbH
>> Research Now Group, Inc
>> Revcontent, LLC
>> Reveal Mobile, Inc
>> RevLifter Ltd
>> RevX Inc.
>> Rezonence Limited
>> RhythmOne, LLC
>> Rich Audience
>> RMSi Radio Marketing Service interactive GmbH
>> Rockabox Media Ltd
>> Rockerbox, Inc
>> RockYou, Inc.
>> Roq.ad GmbH
>> RTB House S.A.
>> RTK.IO <http://rtk.io/>, Inc
>> RUN, Inc.
>>
>>
>>
>> Now, let's say you "reject all." Or that you go through that list and
>> decide who you don't and do want to be tracked by. Do you have any record
>> of those settings? Nope, at least beyond whatever cookies might be recorded
>> (likely in an unreadable form) in your browser.
>>
>>
>>
>> Clearly this is meant to preserve Business As Usual, which is all about
>> tracking people.
>>
>>
>>
>> Consent and Consent Management is solely controlled by Enterprises.
>>
>>
>> To say the least, this is meaningful only in the sense that makes
>> "consent" meaningless.
>>
>>
>>
>>
>>
>> Continuing on Slide 2...
>>
>>
>>
>> 2021
>>
>>
>>
>> Meaningful Consent
>>
>> Care is taken to ensure that users truly understand the ramifications of
>> their consent.
>>
>> Consent Management is still solely controlled by Enterprises.
>>
>>
>> When there is only one controlling party and consent is in label only, it
>> is not consensual.
>>
>>
>>
>> To truly understand that you're being screwed isn't a big step beyond
>> ignorance on the matter. It's also not especially meaningful.
>>
>>
>>
>>
>>
>> Next...
>>
>>
>>
>> 2023
>>
>>
>>
>> User Supplied Terms
>>
>> Tables are turned and users provide sharing terms to which Enterprises
>> must indicate consent?
>>
>>
>>
>> That date might be realistic, but I'd rather make it closer, if only for
>> aspirational purposes.
>>
>>
>>
>> I'm also not sure we need to turn tables. The status quo is worse than
>> broken. What's proposed here is a better system: People signal their own
>> terms, the simplest of which is "Don't track me off your site, for any
>> purpose. Sign here and we'll both keep a copy."
>>
>>
>>
>> Consent Management provided by User Agents.
>>
>>
>>
>> The agent needn't be a third party, or an intermediary, though those
>> should be on the table as an option. Ideally, there would be a simple tool,
>> such as a browser feature or add-on, or something new that works as simply
>> as one of those.
>>
>>
>>
>> And finally (on Slide 2)...
>>
>>
>>
>> 2025
>>
>>
>> Mutual Agreement / Service Negotiation
>>
>> Consent is replaced with a Sharing (or Service) Negotiation process.
>>
>> Consent Management provided by Intermediaries.
>>
>>
>>
>> I think this can be part of the prior stage, and again not require
>> intermediaries, at least for the simple stuff.
>>
>>
>>
>> Okay, it's past midnight here in the UK, and we finally received the
>> third of our three bags missing since Tuesday. The rest of the family is in
>> bed and my noisy keyboard is keeping them awake. I think I may have covered
>> enough anyway.
>>
>>
>>
>> Some closing thoughts...
>>
>>
>>
>> First, starting with the current status quo, which is deeply corrupt and
>> broken, is like starting with slavery as the infant stage of freedom. There
>> is no "user respect" in this status quo. In fact there is long-standing
>> contempt.
>>
>>
>>
>> Second, though this is the InfoSharing WG, I think it will help to
>> consider that, if one wishes not to be tracked, and an agreement is made
>> about that, very little information needs to be shared. A choice is
>> recorded and respected. If it's not respected, there are ways to resolve
>> disputes in existence already (contract law, ODR
>> <https://en.wikipedia.org/wiki/Online_dispute_resolution>). It doesn't
>> need to be complicated, or framed as data exchange.
>>
>>
>>
>> Third, (to me at least) Me2B is anchored with Me, not B. The vector of
>> "to" goes from Me to B. It may end up as a mutual thing, but it's
>> fundamentally about the individual having full agency, and the ability to
>> make the first move. This is another reason why I don't see a path from the
>> existing B-screws-Me system to Me2B. We need to start anew with Me2B and
>> show how that's better for the Bs of the world than B-screws-Me has proven
>> to be.
>>
>>
>>
>> Doc
>>
>>
>>
>> On Jun 27, 2019, at 4:27 PM, Lisa LeVasseur <lalevasseur at ieee.org> wrote:
>>
>>
>>
>> This is the drafty view of the evolution of consent to mutual agency,
>> from a Me2B perspective.  Comments welcome.
>>
>>
>>
>> On Wed, Jun 26, 2019 at 8:11 AM Jim Pasquale <jim at digi.me> wrote:
>>
>> With many of the workgroup participants at Identiverse this week,
>> tomorrow’s call will focus on drafting an update to the new charter for
>> CIS.
>>
>>
>>
>> Here are the call-in details:
>>
>>
>>
>> *GoToMeeting (GTM1)*
>> *Please join my meeting from your computer, tablet or smartphone.*
>>
>> https://global.gotomeeting.com/join/323930725
>>
>> You can also dial in using your phone.
>> United States: +1 (669) 224-3318
>>
>> Access Code: 323-930-725
>>
>> More phone numbers
>> Australia: +61 2 9091 7603
>> Austria: +43 1 2530 22500
>> Belgium: +32 28 93 7002
>> Canada: +1 (647) 497-9376
>> Denmark: +45 32 72 03 69
>> Finland: +358 923 17 0556
>> France: +33 170 950 590
>> Germany: +49 692 5736 7300
>> Ireland: +353 15 360 756
>> Italy: +39 0 230 57 81 80
>> Netherlands: +31 207 941 375
>> New Zealand: +64 9 282 9510
>> Norway: +47 21 93 37 37
>> Spain: +34 932 75 1230
>> Sweden: +46 853 527 818
>> Switzerland: +41 225 4599 60
>> United Kingdom: +44 330 221 0097
>>
>>
>>
>> See you on the call.
>>
>>
>>
>> _______________________________________________
>> WG-InfoSharing mailing list
>> WG-InfoSharing at kantarainitiative.org
>> https://kantarainitiative.org/mailman/listinfo/wg-infosharing
>>
>> <Beyond Consent_ Evolving to Mutual Agency in Me2B Relationship.pdf>
>>
-- 
Andrew Hughes CISM CISSP
In Turn Information Management Consulting
o  +1 650.209.7542 m +1 250.888.9474
1249 Palmer Road, Victoria, BC V8P 2H8
AndrewHughes3000 at gmail.com
https://www.linkedin.com/in/andrew-hughes-682058a
Digital Identity | International Standards | Information Security