[WG-InfoSharing] Reminder: tomorrow's call

James Aschberger james at onethingless.com
Sun Jun 30 07:49:40 UTC 2019


I would also have a preference for "permission", because colloquially it seems to be more intuitive. However, in the business context, I think we should stay closer to the legal language, as making wrong assumptions could turn into costly mistakes (as I experienced myself with company). Please let me elaborate on my thinking:

 
Giving "permission" means that someone gives someone else the authorization to do something. For example, I give Doc the permission to enter my house. This permission is rooted in my property rights, hence the law.
 
Giving "consent" means that someone agrees to someone else doing something, but it does not imply a valid authorization. I can consent to Doc entering Iain's house, but that does not mean that Doc has now a valid permission to enter Iain's house. The consent is rooted simply with me as a person, but not necessarily the law.
 
My assumption is that GDPR and the CCPA do not use "permission but "consent" for this very reason as these words are used in the legal context (and not as part of the software world regarding "permission management" from a user/admin perspective). The regulation/law would need to specify all use cases that an entity can/must give permission, so we would need clear laws and rights in place regarding the ownership of personal data as a basis for valid "permissions". In the "Me2B" relationship, we are looking at two separate entities (the individual and a company) which are freely agreeing to terms, often not negotiated but proposed by one party (the business). IMHO we have to be very careful that we do not undermine the right of two parties to consent to a contract in which they both have a choice of not agreeing to its terms. Nobody is forced to use Facebook or Instagram and accept their terms, but if you want to use Facebook, then you have to accept their terms (and make adequate privacy setting adjustments). Without a doubt, there is a big opportunity to improve the terms that Facebook puts forward for user to agree to.
 
For a similar reason I don't think that we are looking a true acquiescence. I am a non-native English speaker, but acquiescence occurs - according to Wikipedia-  "when a person knowingly stands by without raising any objection to the infringement of his or her rights, while someone else unknowingly and without malice aforethought acts in a manner inconsistent with their rights." By actively providing consent (e.g. clicking on "I accept" without reading the terms), there is no "infringement of his or her rights" anymore. Many companies use dark design principles to make it hard, but again the problem is that users don't make understanding the terms a priority for themselves. And under GDPR, a data subject has the right to revoke consent at any time.
Cheers,

James

 

 

From: WG-InfoSharing <wg-infosharing-bounces at kantarainitiative.org> on behalf of Doc Searls <doc at searls.com>
Date: Sunday, 30 June 2019 at 08:50
To: Iain Henderson <iainhenderson at mac.com>
Cc: "wg-infosharing at kantarainitiative.org" <wg-infosharing at kantarainitiative.org>
Subject: Re: [WG-InfoSharing] Reminder: tomorrow's call

 

Good point.

Sent from my phone


On Jun 29, 2019, at 7:11 PM, Iain Henderson <iainhenderson at mac.com> wrote:

I think the word ‘permission’ works an awful lot better than ‘consent’; at least when working from the individual perspective as is our orientation in this group. Permission/ to permit is more neutral and does not imply a power imbalance. It is much more an understood word from the individual perspective; not legalese.

 

A permission, or indeed many of them, is easy to map onto a dashboard/ control panel for individuals. And permission can be mapped to any of the 6 GDPR bases for processing personal data in GDPR, or indeed any other basis from other legislation.

 

Iain


On 29 Jun 2019, at 13:43, Andrew Hughes <andrewhughes3000 at gmail.com> wrote:

Doc writes:

Assent is one example; but the most appropriate one is acquiescence. When we click "agree" to continued tracking, as the examples I give below urge us to do, we are not consenting, but rather acquiescing. 

 

The specification family is being slightly rejigged to accommodate a more neutral usage... I am hopeful that by establishing a “Personal Data Receipt” specification (from which the Consent Receipt Specification is a profile) implementers can find many ways to use the concept. 

 

Although, “Tracking Cookie Acquiescence Receipt” might be a bit provocative.  ;-)

 

 

On Sat, Jun 29, 2019 at 8:28 AM Doc Searls <doc at searls.com> wrote:

 

On Jun 28, 2019, at 6:54 PM, Info at SS <info at smartspecies.com> wrote:

 

What a provoking response.

 

I agree.



+1 — > fantastic synthesis - agree that consent is about this type of external/societal (root) power struggle.  Its fundamentally about control over personal data (autonomy) that is the tussle at the moment, I think it’s the same v. old power struggle in a different form. A receipt is a governance innovation and this type of self-soveign innovation is a  persistent activity in human history and why this WG is  great.

 

Not sure I follow, but instinctively I take your points.

 

An additional thought: If we are talking only about consent, we remain stuck inside the walls of the early default winner in that power struggle. This is why I think Lisa's points below are very well made. More about those below.



Society (not just individuals) very much need independent autonomous digital transparency for digital identity to be trustworthy, which is something I think most (if not all) people here might  agree with. 

 

- Mark 

 

 - Mark



On 28 Jun 2019, at 17:21, Lisa LeVasseur <lalevasseur at ieee.org> wrote:

 

Thanks for all great feedback, gang!  I’m still reading and synthesizing.  One quick comment I want to make—and I’m reaching out to a legal expert for further clarification.  So I'll start off caveating this with  "I'm no lawyer but...."

 

Yes, we can describe signing a contract as “consenting” to the contract—though I think the more formal term would be “signing” or “executing” the contract. 

 

Indeed. Great point.



I’m referring to Consent as a legal instrument, not an informal verb.  And I suggest that there are relevant differences between the legal instruments of Consent vs. Contract vs. License.   (again, not a lawyer....but seeking confirmation/clarification.)

 

Another.



Consent necessarily has to do with a proposal to a change in legal/ethical boundaries between two parties. (here’s the litmus test for that, btw:  you don’t need or ask for consent when you act in compliance with legal and ethical boundaries.)

 

You may say that in our current digital world, Consent is something else—a “formality” due to GDPR or something innocuous.  I respectfully disagree.  I suggest that Consent in our digital world actually is reflective of and acknowledging of breaching an ethical boundary vis a vis tracking and usage of personal information.   

 

Moreover, the Consent instrument favors the creator of the proposal—the recipient can only be reactive, and only has the choices offered by the proposer.  Online, only the Service Provider is equipped to make the proposal, and that’s where the asymmetry and power imbalance arise.  This is what I meant by saying that Consent is controlled by Service providers.

 

Good analysis!

 

Worth noting is that there are other verbs that apply to the current ways the GDPR is at most only partially obeyed.

 

Assent is one example; but the most appropriate one is acquiescence. When we click "agree" to continued tracking, as the examples I give below urge us to do, we are not consenting, but rather acquiescing. 

 

This is one reason I worry that getting a receipt called "consent" for what amounts to acquiescence. This risks rationalizing misdirection, and therefore only makes the status quo worse. And, BTW, in making this point I am not criticizing the consent receipt work done by the good people here, but rather pointing toward to a risk in one possible application of it. We do need to bear in mind that all new, well... anything... risks misapplication, as Lisa points out well in this paragraph here::::



[As an aside, in the US, when the War on Drugs began under Reagan, police began the widescale practice/abuse of search and seizure through the use of Consent.  Instead of the previous practice of requiring a warrant [probable cause, etc.], now, stopping a person for a minor traffic violation afforded the police the ability to ask for consent to search the person and the car.  Well, who’s going to say no to an aggressive police officer?  There was even a case before the supreme court that tried to mandate that the police clearly state to people in that situation that they have the right to say no to the request for consent during the traffic stop or other situation.  It was struck down.  I share this because it amplifies the clear power imbalance between the proposer of consent over the recipient.  (and because I learned of it recently and it's really disturbing .)]

 

Lisa

 

Thanks, all.

 

I'll be fresh off a plane from the UK before the call on Monday, but I'll try my best to make it.

 

Doc

Writing over a tethered phone in an ancient stone barn on this hill here.)



 

On Fri, Jun 28, 2019 at 7:42 AM James Aschberger <james at onethingless.com> wrote:

Thank you Lisa for preparing a great draft document as basis for an engaging discussion, and thank you Doc for outlining so comprehensively your thoughts. Like you, I truly believe in the concept of personal privacy agents (if that's the working title).

 

Three perspectives from me, maybe a bit provocative, but I hope to contribute to an engaging discussion 😊 

 
I find "beyond consent" (page 1) a bit confusing, because even with personal privacy agents negotiating services / processes, the individual has to directly or indirectly provide her/his/their consent to the final proposed terms. A contract cannot be valid or legally binding unless consent from all contracting parties is given. In my understanding, "beyond consent" should be understood as how to better manage consent from individuals to business terms. 
 
I don't think that consent is solely controlled by enterprises (page 4). Individuals almost always have a choice not to consent and not to use a specific service. I have a choice to delete my Google account and use DuckDuckGo instead of Google Search. It's not as convenient to do so, but I do have a choice. Hence I disagree that consent reflects power asymmetry. To make my point: imagine that someone orchestrates a movement that gets all active Facebook users with residence in the EU to restrict data processing (no profiling, no automated decision-making). This would significantly disrupt and potentially cripple Facebook if users in other regions demanded the same right as granted under GDPR. So from my point of view, the issue is that people seek convenience and do not want to think too much about what they consent to because it is an opaque and complex topic that causes cognitive overload, so they push it into the background. 
 
I believe we should not underestimate the complexity of the evolutionary journey ahead of us, so Lisa is absolutely right to look until 2025 and beyond. People often do not make rational decisions, e.g. they are bad at assessing long-term risks and have brand preferences, which might interfere with a very rational privacy agent approach. To make a hypothetical example: I might be willing to tolerate less user-friendly privacy terms from BMW if I like the brand, but would not agree to the same terms in the automotive category if Ford proposed them to me. For an AI-based privacy agent solution to learn my preferences, that solution would essentially learn a lot about me, which makes it a nice target for hackers. And if I were to adjust all the settings in the relevant granularity, then I would be overwhelmed and not use the privacy agent. So we need to find the adequate user experience approach that gets individuals engaged on a sustainable basis in the first place. 
 

James

 

From: WG-InfoSharing <wg-infosharing-bounces at kantarainitiative.org> on behalf of Doc Searls <doc at searls.com>
Date: Friday, 28 June 2019 at 01:07
To: Lisa LeVasseur <lalevasseur at ieee.org>
Cc: Information Sharing Work Group <wg-infosharing at kantarainitiative.org>
Subject: Re: [WG-InfoSharing] Reminder: tomorrow's call

 

Here are some responses to text in the deck, starting with Slide 2, from which I'll quote here...

 

European Policy /GDPR Consent
In practice, Consent is an automatic click-thru with little user understanding.

 

I've been in Europe for two weeks (Spain, UK), occasionally comparing the experience of using the commercial Web here to the same in the U.S., using a VPN for the latter. Here are some ways the GDPR actually works. Or, more accurately, fails more awfully than what we had prior to the GDPR. 

 

Example 1:

 

<image001.png>

This is Slate's total violation of the GDPR. There is no choice but to agree to be tracked for all the reasons they give—or to go away. That's the first violation. The second is forced agreement. There is no "consent" worthy of the noun.

 

When I look at Slate in the U.S. I see no notice at all. Also no trackers. (Privacy Badger spotted 46 when I took that screen shot in Spain,)

 

 

Example 2:

<image002.png>

 

Note the large OK and the tiny "x" for making it go away. The  GDPR requires that a notice like this should not be a gateway to the website (that's the Slate violation), and I suppose some ComputerWeekly readers know enough to click the little x. But clearly the site wants people to click the large "OK," so they can continue "personalizing content and advertising." Which means they get to continue tracking people, only now with "consent."

 

In other words, the site gets to kid itself (and regulators, they hope) into thinking they are complying with the letter of the GDPR while in fact they are utterly violating its spirit. But at least one can opt out of the whole thing with the little x—or maybe not. At that site, as we see, 17 trackers are loaded anyway. 

 

Yes, you can "manage your preferences," but they're not yours. And they're not managed by you, or meant to be managed by you. They are meant to coerce you into saying "the hell with it" and clicking "OK."

 

 

Example 3:

 

<image003.png>

 

McKinsey provides no choice at all, with this banner that persists on the page. What they obtain by this is not consent, but acquiescence to being tracked, which the GDPR was made to forbid.

 

 

Example 4:

 

<image004.png>

 

This one forces a simple choice, and to its credit makes the rejection button as big (but not as attractive to clicks) as the acceptance button. At least here, if you click on the former, it goes away.

 

 

Example 5:

 

<image005.png>

I've seen lots of these, "powered by Quantcast."

 

"Deny All" is nice but clearly "Accept and move on" is what the site prefers, and that means continuing to track people exactly as the GDPR would rather they not.

 

Now, let's dive into "Manage My Consents." It looks like this (on a popover page with no going-back option):

 

<image006.png>

 

Notice the scroll bar on the right. Here's what's actually there:

 

Information storage and access
The storage of information, or access to information that is already stored, on your device such as advertising identifiers, device identifiers, cookies, and similar technologies.Off
Personalisation
The collection and processing of information about your use of this service to subsequently personalise advertising and/or content for you in other contexts, such as on other websites or apps, over time. Typically, the content of the site or app is used to make inferences about your interests, which inform future selection of advertising and/or content.Off
Ad selection, delivery, reporting
The collection of information, and combination with previously collected information, to select and deliver advertisements for you, and to measure the delivery and effectiveness of such advertisements. This includes using previously collected information about your interests to select ads, processing data about what advertisements were shown, how often they were shown, when and where they were shown, and whether you took any action related to the advertisement, including for example clicking an ad or making a purchase. This does not include personalisation, which is the collection and processing of information about your use of this service to subsequently personalise advertising and/or content for you in other contexts, such as websites or apps, over time.Off
Content selection, delivery, reporting
The collection of information, and combination with previously collected information, to select and deliver content for you, and to measure the delivery and effectiveness of such content. This includes using previously collected information about your interests to select content, processing data about what content was shown, how often or how long it was shown, when and where it was shown, and whether the you took any action related to the content, including for example clicking on content. This does not include personalisation, which is the collection and processing of information about your use of this service to subsequently personalise content and/or advertising for you in other contexts, such as websites or apps, over time.Off
Measurement
The collection of information about your use of the content, and combination with previously collected information, used to measure, understand, and report on your usage of the service. This does not include personalisation, the collection of information about your use of this service to subsequently personalise content and/or advertising for you in other contexts, i.e. on other service, such as websites or apps, over time.Off
 

THIRD PARTY VENDORS
Information storage and access
The storage of information, or access to information that is already stored, on your device such as advertising identifiers, device identifiers, cookies, and similar technologies.View Companies Off
Personalisation
The collection and processing of information about your use of this service to subsequently personalise advertising and/or content for you in other contexts, such as on other websites or apps, over time. Typically, the content of the site or app is used to make inferences about your interests, which inform future selection of advertising and/or content.View Companies Off
Ad selection, delivery, reporting
The collection of information, and combination with previously collected information, to select and deliver advertisements for you, and to measure the delivery and effectiveness of such advertisements. This includes using previously collected information about your interests to select ads, processing data about what advertisements were shown, how often they were shown, when and where they were shown, and whether you took any action related to the advertisement, including for example clicking an ad or making a purchase. This does not include personalisation, which is the collection and processing of information about your use of this service to subsequently personalise advertising and/or content for you in other contexts, such as websites or apps, over time.View Companies Off
Content selection, delivery, reporting
The collection of information, and combination with previously collected information, to select and deliver content for you, and to measure the delivery and effectiveness of such content. This includes using previously collected information about your interests to select content, processing data about what content was shown, how often or how long it was shown, when and where it was shown, and whether the you took any action related to the content, including for example clicking on content. This does not include personalisation, which is the collection and processing of information about your use of this service to subsequently personalise content and/or advertising for you in other contexts, such as websites or apps, over time.View Companies Off
Measurement
The collection of information about your use of the content, and combination with previously collected information, used to measure, understand, and report on your usage of the service. This does not include personalisation, the collection of information about your use of this service to subsequently personalise content and/or advertising for you in other contexts, i.e. on other service, such as websites or apps, over time.View Companies Off
 

OTHER
Google
Allow Google and their technology partners to collect data and use cookies for ad personalisation and measurement.View Companies Off
 

All defaulted to On.

 

Below that, in tiny blue type, is "See full vendor list," which is 510 companies long. Here is just the ones that start with the letter R:

 

R-Advertising
R-TARGET
Rakuten Marketing LLC
Readpeak Oy
Realeyes OÜ
ReigNN Platform Ltd.
Relay42 Netherlands B.V.
remerge GmbH
Research Now Group, Inc
Revcontent, LLC
Reveal Mobile, Inc
RevLifter Ltd
RevX Inc.
Rezonence Limited
RhythmOne, LLC
Rich Audience
RMSi Radio Marketing Service interactive GmbH
Rockabox Media Ltd
Rockerbox, Inc
RockYou, Inc.
Roq.ad GmbH
RTB House S.A.
RTK.IO, Inc
RUN, Inc.

 

Now, let's say you "reject all." Or that you go through that list and decide who you don't and do want to be tracked by. Do you have any record of those settings? Nope, at least beyond whatever cookies might be recorded (likely in an unreadable form) in your browser. 

 

Clearly this is meant to preserve Business As Usual, which is all about tracking people.

 

Consent and Consent Management is solely controlled by Enterprises.


To say the least, this is meaningful only in the sense that makes "consent" meaningless.

 

 

Continuing on Slide 2...

 

2021

 

Meaningful Consent

Care is taken to ensure that users truly understand the ramifications of their consent.

Consent Management is still solely controlled by Enterprises.


When there is only one controlling party and consent is in label only, it is not consensual.

 

To truly understand that you're being screwed isn't a big step beyond ignorance on the matter. It's also not especially meaningful.

 

 

Next...

 

2023

 

User Supplied Terms

Tables are turned and users provide sharing terms to which Enterprises must indicate consent?

 

That date might be realistic, but I'd rather make it closer, if only for aspirational purposes.

 

I'm also not sure we need to turn tables. The status quo is worse than broken. What's proposed here is a better system: People signal their own terms, the simplest of which is "Don't track me off your site, for any purpose. Sign here and we'll both keep a copy."

 

Consent Management provided by User Agents.

 

The agent needn't be a third party, or an intermediary, though those should be on the table as an option. Ideally, there would be a simple tool, such as a browser feature or add-on, or something new that works as simply as one of those.

 

And finally (on Slide 2)...

 

2025


Mutual Agreement / Service Negotiation

Consent is replaced with a Sharing (or Service) Negotiation process.

Consent Management provided by Intermediaries.

 

I think this can be part of the prior stage, and again not require intermediaries, at least for the simple stuff.

 

Okay, it's past midnight here in the UK, and we finally received the third of our three bags missing since Tuesday. The rest of the family is in bed and my noisy keyboard is keeping them awake. I think I may have covered enough anyway. 

 

Some closing thoughts...

 

First, starting with the current status quo, which is deeply corrupt and broken, is like starting with slavery as the infant stage of freedom. There is no "user respect" in this status quo. In fact there is long-standing contempt.

 

Second, though this is the InfoSharing WG, I think it will help to consider that, if one wishes not to be tracked, and an agreement is made about that, very little information needs to be shared. A choice is recorded and respected. If it's not respected, there are ways to resolve disputes in existence already (contact law, ODR). It doesn't need to be complicated, or framed as data exchange.

 

Third, (to me at least) Me2B is anchored with Me, not B. The vector of "to" goes from Me to B. It may end up as a mutual thing, but it's fundamentally about the individual having full agency, and the ability to make the first move. This is another reason why I don't see a path from the existing B-screws-Me system to Me2B. We need to start anew with Me2B and show how that's better for the Bs of the world than B-screws-Me has proven to be.

 

Doc

 

On Jun 27, 2019, at 4:27 PM, Lisa LeVasseur <lalevasseur at ieee.org> wrote:

 

This is the drafty view of the evolution of consent to mutual agency, from a Me2B perspective.  Comments welcome.

 

On Wed, Jun 26, 2019 at 8:11 AM Jim Pasquale <jim at digi.me> wrote:

With many of the workgroup participants at Identiverse this week. Tomorrow’s call will focus on drafting an update to the new charter for CIS.  

 

Here are the call in details:

 

GoToMeeting (GTM1)
Please join my meeting from your computer, tablet or smartphone. 

Please join my meeting from your computer, tablet or smartphone. 
https://global.gotomeeting.com/join/323930725 

You can also dial in using your phone. 
United States: +1 (669) 224-3318 

Access Code: 323-930-725 

More phone numbers 
Australia: +61 2 9091 7603 
Austria: +43 1 2530 22500 
Belgium: +32 28 93 7002 
Canada: +1 (647) 497-9376 
Denmark: +45 32 72 03 69 
Finland: +358 923 17 0556 
France: +33 170 950 590 
Germany: +49 692 5736 7300 
Ireland: +353 15 360 756 
Italy: +39 0 230 57 81 80 
Netherlands: +31 207 941 375 
New Zealand: +64 9 282 9510 
Norway: +47 21 93 37 37 
Spain: +34 932 75 1230 
Sweden: +46 853 527 818 
Switzerland: +41 225 4599 60 
United Kingdom: +44 330 221 0097 

 

See you on the call.

 

Disclaimer

The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorised to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful. If you have received this email in error, please delete it and advise the sender.

.

_______________________________________________
WG-InfoSharing mailing list
WG-InfoSharing at kantarainitiative.org
https://kantarainitiative.org/mailman/listinfo/wg-infosharing

<Beyond Consent_ Evolving to Mutual Agency in Me2B Relationship.pdf>_______________________________________________
WG-InfoSharing mailing list
WG-InfoSharing at kantarainitiative.org
https://kantarainitiative.org/mailman/listinfo/wg-infosharing

 

_______________________________________________
WG-InfoSharing mailing list
WG-InfoSharing at kantarainitiative.org
https://kantarainitiative.org/mailman/listinfo/wg-infosharing

 

_______________________________________________
WG-InfoSharing mailing list
WG-InfoSharing at kantarainitiative.org
https://kantarainitiative.org/mailman/listinfo/wg-infosharing

 

_______________________________________________
WG-InfoSharing mailing list
WG-InfoSharing at kantarainitiative.org
https://kantarainitiative.org/mailman/listinfo/wg-infosharing

-- 

Andrew Hughes CISM CISSP 
In Turn Information Management Consulting
o  +1 650.209.7542 m +1 250.888.9474
1249 Palmer Road, Victoria, BC V8P 2H8
AndrewHughes3000 at gmail.com 
https://www.linkedin.com/in/andrew-hughes-682058a
Digital Identity | International Standards | Information Security

_______________________________________________
WG-InfoSharing mailing list
WG-InfoSharing at kantarainitiative.org
https://kantarainitiative.org/mailman/listinfo/wg-infosharing

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kantarainitiative.org/pipermail/wg-infosharing/attachments/20190630/8d476fc5/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5328 bytes
Desc: not available
URL: <http://kantarainitiative.org/pipermail/wg-infosharing/attachments/20190630/8d476fc5/attachment-0001.p7s>


More information about the WG-InfoSharing mailing list