[WG-InfoSharing] Read This One - Privacy is not 'Agreement' & Consent is not 'Permission' - A Call for Identity Industry Privacy Best Practice

Info@SS info at smartspecies.com
Thu Mar 28 14:29:45 UTC 2019


> On 28 Mar 2019, at 12:46, Doc Searls <doc at searls.com> wrote:
> 
> Mark,
> 
> About Open Consent, why not create privacy profiles that persons can broadcast to companies?

 
P3P is a good example of this approach.  P3P was the pioneer project, back when the US led the world in privacy efforts. 

A big challenge has been that companies didn’t have an understanding or capability to deal with everyone's preferences.

A brief historical summary:

In 2012, the Open Notice Project created an industry group of a bunch of privacy projects that included the Biggest Lie, Know Privacy, Ghostery, etc. We presented a call for collaboration at a W3C Do Not Track and Beyond conference in a co-presentation with Ashkan Soltani. As a result of the call, it became clear that the problem was at a governance level and that laws would need to be enforced to change company practice, and real harm would need to be proven. In addition, there would need to be standards, and then there would need to be a way for companies to be able to operationally/economically accept the preferences of the masses.

So, we started the consent receipt specification in this WG, and we lobbied for consent enforcement and autonomy. Fast forward to today, and now Google has been fined 50 mil for bad consent and notice practices in the first big GDPR fine. (Result!)

The next step planned was to advocate for a harmonised concept of the default privacy state approach for companies to share control with people. But now that the time has come, we realise the proof is in the pudding. So the plan is to use the Consent Receipt (named ideologically at the time) as a base format for a basic privacy profile for a company. Something companies can use to enable personal data control services and clients. (AKA: VRM & MyData service enabling)

The thinking is sort of analogous to: how could we construct the equivalent of a standard USB port with what we have? Something that is used for sticking in user co-control services and clients. Taking care of the privacy part seems like the needed thing to enable people-controlled clients.

- Mark 
> 
> Doc
> 
>> On Mar 28, 2019, at 6:34 AM, Info at SS <info at smartspecies.com> wrote:
>> 
>> Hi CISWG, 
>> 
>> I am sending this again, with a fix to some auto-correct text fixing issues that have occurred with this email account. Also, I am sending this from a different email account as OpenConsent email addresses are blocked from sending to the CISWG list at this time.
>> 
>> ***
>> Dear CISWG, 
>> 
>> It’s been a bit quiet in this work group; I think in part this is because a tension has grown between efforts working on contact, and those working on consent. The topics around this tension are becoming popular as they are being discussed in the IEEE WG and VRM.
>> 
>> It's clear now that there is a big fat gap in identity management when it comes to privacy best practices. After almost a decade of consent advocacy in the Identity Management industry, it is also clear that the identerati have a hard time distinguishing consent from permission and privacy from agreement. Which is not a surprise, because from an IdM-centric perspective they look the same.
>> 
>> One effort which has done a great job at distinguishing the two is the FHIR project and the creation of consent directives <http://wiki.hl7.org/index.php?title=FHIR_Consent_Directive_Implementation_Guide>, which is a privacy-based contract approach.
>> 
>> Ultimately, Privacy is not Agreement and consent is not permission. Even though they look alike from an IdM perspective.
>> 
>> A key difference is that privacy is based on rights and these laws are related to (define) the state of governance or the relationship state. Agreements are contract-based items that are used to maintain a state.
>> 
>> This state has often been referred to as the 'social contract' and the 'community bargain' or new deal on data.
>> 
>> Privacy and agreement can be combined, but contract doesn’t replace privacy, and contracts that ignore privacy are what we call in VRM click bait online. E.g., click this to agree to privacy. This is fake privacy, and ultimately this is the work, called Open Notice and the Biggest Lie, that led me to the consent receipt work to this WG.
>> 
>> This is why, as of next week, we (OpenConsent) are starting to make privacy profiles for companies and institutions. If anyone is interested in trying out a privacy profile, please get in touch.
>> 
>> A part of this effort to create privacy profiles is to support/instigate an effort to generate an Identity Management Industry code of practice, to which privacy can have some default settings (like Blinding Identity). I would like to be a part of such an effort to address the benign evil in IdM.
>> 
>> Is this something people would be interested in creating in this WG? Is this something we should start here?
>> 
>> Kind Regards, 
>> 
>> Mark Lizar
>> CEO - OpenConsent.com <https://openconsent.com/>
>> 
>> 
>> _______________________________________________
>> WG-InfoSharing mailing list
>> WG-InfoSharing at kantarainitiative.org
>> https://kantarainitiative.org/mailman/listinfo/wg-infosharing
> 
