[WG-InfoSharing] Call for A Critical Assessment of the Capacity of CISWG to produce a V2 of the Consent Receipt

Colin Wallis Kantara colin at kantarainitiative.org
Fri May 31 10:23:40 UTC 2019

Thanks Mark

I wasn't on yesterday's call, so my comments and completely personal views
below are my personal interpretation of the current motivations and the
landscape as I holistically understand it, rather than specifically wrt
yesterday's call.

And I am a non voting participant really on calls to inform the group of
other context that might help. The group decides its work and direction.
Not me, not the Board, just the group.

First point to note, it will be wrong. There is no way I will be 100%
accurate in interpreting other people's and organisations positions. But
here goes..

Let's track the development in ISO. ISO, like many SDOs, approaches new
domains by developing framework standards. That's why it has 24760, a
Framework for Identity Management and 29100, Privacy Framework. It does
this, so that the concepts (one or a combination of several) in scope of
the framework, can be further developed to fulfill a particular need (I
visualize a tree or pyramid or..). A good example of that has been 29184
Online privacy notices and consent (an example of the CR is now to be in
Annex B). 29184 is strongly informed by 29100 and other ISO standards but
goes deeper into a particular concept or set of concepts. ISO then launches
a study period to consider a potential future standard for consent receipts
and records. It depends on how you interpret the motivation, but I think it
is also strongly informed by 29100 (and branch off that main trunk) and
partially by 29184, rather than an extension and refinement of 29184 itself.

Now let's track the development of Kantara. As an industry organisation it
is often filling in the blank canvas where ISO et al have not already
drawn, 'because industry needs something now', while all the while,
checking back with ISO et al to best know how to orchestrate its
contributions and informing its future work, after considering what
standards have been developed since the last check. In Kantara, the
forerunner to this group, then called the ISWG some 7 years ago, created an
info sharing specification. ISO had nothing like that, but some of the
principles were derived from the then very new 29100. Then around 2015 you
and a small band of folks in the group saw GDPR et al on the horizon, saw
that industry would have no standardized tools and determined to create the
Consent Receipt to fill gap.

So here we are in mid 2019 at something of a crossroads.

Mindful of what ISO is planning wrt a potential Consent Receipts and
Records standard, that even in its name suggests a potential standard that
is broader in scope than the Consent Receipt, my sense of the Chair's
proposal is to reflect that new ISO motivation by broadening the scope of
CISWG's next window of work - not forever - just this next phase of work.
Just as ISO seems to be 'calling home' to the 29100 trunk, the equivalent
in Kantara is to 'call home' to the Information Sharing Agreement (ISA)
trunk and build out a broader scoped branch that in turn would retrofit the
existing CR as one sub-branch and in a future piece of work at a future
time, continue to develop it. The CR was a ground breaking, world leading
great idea, no-one is arguing that, least of all the Chair. But my sense of
it is that he is concerned that it was a remedial fix to an industry
problem and at some stage Kantara has to circle back to rationalize its
development from the original concepts in the ISA and build those out

Looking at it that way, there would have been be this specification with a
broader scope (currently missing due to the priority quite understandably
devoted to CR ) sitting between the ISA and the CR, from which the CR would
have been developed if there had been time.

Fast forward to today. ISO is indicating a broader scoped standard is
needed, and with the Study Period on Consent Receipts and Records already
underway, the decision whether to proceed or not, will be based on the
findings of the Study Period. A well known technique to help that decision
is to provide a wireframe draft of the standard, to give the ISO national
bodies a glimpse of what it might look like, so as to gain their support to
proceed. The findings of the Study Period are in front of ISO in October,
the work having to be completed in August. That is 3 months from now.

We face some stark choices for this next 3 month window.

Option 1) We can continue with refining CR as a V2. I don't really know
what you propose that to be but it seems like adding requirements arising
out of regulations, so in a practical sense giving implementers more fields
to choose from. Nothing wrong in that but that means we cannot do the
wireframe to inform the ISO Study Period and the direction it goes, and we
still have our 'spec gap' between ISA and CR. Under Kantara's usual
approach it will take as long as it takes until there's consensus, vote and

Option 2) Pivot to focus on the ISO wireframe as a 'CR V2' appreciating
that it is wider in scope to satisfy ISO's motivations and filling in a gap
in the specs for Kantara. But we can't use Kantara's usual approach if we
are to deliver something by the end of August. There is simply not enough
time. So my sense of it was to have an expert draft the wireframe informed
by Kantara's published work that has found broad agreement in the past, and
to create something that won't have the time for the Kantara process in the
usual one step at a time order, but will be done later as a second pass
when the time is not so constrained. After the ISO decision in October
which we hope is to proceed with a standard and offering up the wireframe
as a 1st Working Draft, we have the time to contribute comments to correct
the wireframe, and in so doing actually helping develop our own missing
spec. It is both a short term opportunistic play, but with a longer term
strategic return, if you think of the broader range of profiles that might
arise from it, attracting new folks to this group.

Please note that most times I have seen V2 it is in 'speech marks' because
it could (maybe should) be called something more descriptive to what it
actually is. I take it that 'CR V2' is actually a working title until we
have a real one.

There's no perfect answer - just two main choices - both of which carry

Kind regards
PS: I can't get your references to the identity industry. I don't know if
that's misunderstanding the make-up of Kantara's members and non member
participants which are about 50/50 identity/personal data platforms but
heavily overlapping, or if it refers to your belief that only identity
organizations are likely to deploy our work, or a confusion with the other
ISO Study Period (IDPV) that has a Kantara DG focused on that which has
nothing to do with the discussion on Study Periods here..I dunno..

On Thu, May 30, 2019 at 8:29 PM Mark @ OC <mark at openconsent.com> wrote:

> HI Colin,
> Perahaps you are right.
>  This might originates with a few mis-communications, and these  are
> really important for a working effort to address  and the role of the chair
> to facilitate.
>  In this proposal there seems to be a key mis-understanding in the scope.
> From my understanding, the consent receipt specification customer  (or
> core audience)  are  regulators and standards organisations, and the
> identity industry/implementors are the consumers  or users of the work.
> This is because this standard made in this way is legally authoritative, if
> it is combined with other legally authoritative standards, laws  and
> artefacts. (Like perhaps a consent certificate)
> It has been used as input into the GDPR and other regulators changes, and
> these have been fundamental to the development of the iteration on
> requirements which produced this specification .  It is actually now a
> going concern, because this approach, this lobby, this combination of
> people and community, have won in it’s combined work.
> The market wants, and people need a standard that is capable of automating
> compliance and evidence requirements in the ‘market’.     As Iain and Tom
> are saying, consent should be in the background and not a burden on people.
> This is why,  Kantara is the ideal place for such works, due to its bottom
> up approach, its key roles in assurance in the identity industry, and all
> of the people who participate and genuinely care about this stuff.  Care
> enough to battle and lobby for consent and notice to actually be a piece of
> infrastructure that identity systems can add as tools to the systems they
> make possible.
> Hopefully, this helps with providing some insight into the very focused
> and hardened consent receipt works that we now have the opportunity to
> complete.  Expanding the scope to more types of processing besides consent
> is not actually required to fulfil the objective of this work.  But
> creating a specification capable of compliance automation that people can
> control and use  - is.
> The people with the expertise to evaluate how to expand the scope for
> legal compliance use, to something like a processing receipt for many legal
> justifications, are largely not in this work group.
> I would have no objecting to a separate piece of work called the personal
> data receipt or whatever the group chose.  And if there was an expansion of
> scope - my major sticking point, is that the  expansion of the scope would
> need to be crystal clear (ideally to the existing customer ) before
> expanding it.
> Mark
> On 30 May 2019, at 19:57, Colin Wallis Kantara <
> colin at kantarainitiative.org> wrote:
> OK, thanks.
> Yes, sounds like some crossed wires, but also, it is a different approach
> than is typical in Kantara, and there's always a level of discomfort when
> something new is tried, .
> How it is expressed of course is an individual thing..;-).
> On Thu, May 30, 2019 at 6:03 PM Andrew Hughes <andrewhughes3000 at gmail.com>
> wrote:
>> Mark. There are factual errors in your email. More to come.
>> *Andrew Hughes *CISM CISSP
>> *In Turn Information Management Consulting*
>> o  +1 650.209.7542
>> m +1 250.888.9474
>> 1249 Palmer Road, Victoria, BC V8P 2H8
>> AndrewHughes3000 at gmail.com
>> *https://www.linkedin.com/in/andrew-hughes-682058a
>> <https://www.linkedin.com/in/andrew-hughes-682058a>*
>> *Digital Identity | International Standards | Information Security *
>> On Thu, May 30, 2019 at 9:46 AM Mark @ OC <mark at openconsent.com> wrote:
>>> Dear CISWG,
>>> After the last call, I have some critical concerns about the ability of
>>> the  V.2 work to be progressed in the current proposal.  There definitely
>>> should not be this much friction in process and admin.
>>> The proposal for the V2, is not a transparent approach, agreed by
>>> consensus, and what is extremely alarming is the proposition of  a
>>> re-start to requirement gathering from the identity industry, to produce a
>>> specification in 3 months.
>>> The existing consent receipt specification was developed with 5 years of
>>> requirement gathering (over 10 versions of separate requirements for each
>>> version and use cases ) in consultation with standards bodies, industry
>>> trade associations and regulators.  This took a heck of a lot of work and
>>> has resulted in a legal tech specification for using consent with notice
>>> transparency that has been adopted by global standards efforts and entire
>>> industries. (US Health) To the point in which ISO has offered to initiate a
>>> study period which would be driven by this work group.
>>> For leadership, to not be aware or understand this scope, while also
>>> proposing to lead the work group product, is a massive red flag .
>>> A WG chair, to not know of the history of this extraordinary effort
>>> called the consent receipt, and to want to reframe this entire work from a
>>> identity implementation perspective is not only alarming but would not
>>> work. As this would be a different specification and not be CR V2
>>> In addition, I personally have a complaint that the behaviour
>>> continuously exhibited in calls by the convening chairs is not acceptable.
>>> In particularly, not letting other people speak, not being transparent, and
>>> effectively (or continuously man-splaining) is not acceptable from a WG
>>> chair in any organisations - especially for work of such  import.
>>> It is very clear that this proposal to V2 doesn’t consider the legal
>>> scope of work, which makes this a real legal framework (regulation usable)
>>> in consent standard for legal compliance.
>>> I would like to respectfully ask Kantara Leadership  Colin and Jim (of
>>> course) to review this behaviour, as well as all of you in this work group,
>>> and perhaps in the mean time, respectfully request that  Jim  (the Chair)
>>> take over the reigns of leadership in CISWG. .
>>> With respect to CISWG,  I invite everyone to provide an opinion on this
>>> matter, who has an investment in the V2 work.
>>> Kind Regards,
>>> Mark
>>> _______________________________________________
>>> WG-InfoSharing mailing list
>>> WG-InfoSharing at kantarainitiative.org
>>> https://kantarainitiative.org/mailman/listinfo/wg-infosharing
>> _______________________________________________
>> WG-InfoSharing mailing list
>> WG-InfoSharing at kantarainitiative.org
>> https://kantarainitiative.org/mailman/listinfo/wg-infosharing
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kantarainitiative.org/pipermail/wg-infosharing/attachments/20190531/53e41842/attachment-0001.html>

More information about the WG-InfoSharing mailing list