Re: [WG-InfoSharing] [WG-IDAssurance] Rough draft Intro section for the PAC (RE: P3 Agenda: Thursday, September 29th, 2011 - Delving into the Privacy Assessment Criteria)

Mark@Identity Trust

Oct 6, 2011, 9:13:18 AM
to David L. Wasley, Kantara P3 WG, j stollman, UMA WG WG, wg-idas...@kantarainitiative.org, wg-info...@kantarainitiative.org
Thanks David, this is clearly an important issue to raise. 

I support your statement; in fact, I think this statement is worth reflecting in the PAC introduction and socialising to other WGs that may have a stake in its impact (CC'd accordingly). As well, I think we would be well served in discussing the bi-lateral nature of consent (and its required notices), as consent provisioned under the Subject's control (e.g. ISWG, UMA approach) is different from that of consent provisioned under an RP's/CSP's control. Why and how is it different? A topic, it seems, that needs to be discussed, and I wonder if clearly reflected in the PAC would enable the PAC to be salient across jurisdictions?

To extrapolate a little, so far it seems that consent and notice are often only discussed as a monologue from the perspective of the RP/CSP etc., in which real-time consent is a privacy obstacle and challenge that is too onerous or technically not possible at this time. Something that I think needs to be dismissed as a truth only in some circumstances.

There seems to be no discussion about the administration of consent and its attachment to notice by the subject (e.g. a bilateral consent and/or notice infrastructure). Ultimately, this then can be looked upon as an administrative solution for both parties which is facilitated by updating the technically ancient understanding of consent and notice processes that exist today in the privacy industry. For instance, why not have an open notice standard (a central point to administratively link to notices) so that consent can be managed equally by both (all) parties in a transaction? If a Data Subject would like to administrate the usability of their consent or hold a service provider accountable to its provision of notices (revoke consent), this then becomes possible and provides an entry platform for IAM enablement technologies like UMA.

From looking at the EnCoRe project, which delves deep into consent and revocation, there seems the obvious need for an individual to be able to provide consent and to also revoke consent, especially if a consent and notice system is to have any integrity (or be meaningful). To date, this has not happened and the identity management industry is suffering from a lack of integrity, limiting its advancement across jurisdictions, while also having a dramatic impact on sustainable privacy (a critical topic).

Ideally, both parties in a transaction need the ability to administrate consent; for this to be simplified (I believe) there is a need for a single consent to be attached to a single notice and implied action. For multiple consents to be managed at any one time there can be a packaging of single consents and layered notices to the data subject and/or aggregated by the consent provider (including implied consents).

Importantly for consent providers, this indicates that a consent- and notice-centric administrative architecture is needed in order to increase the usability, privacy and, alternatively, the control of the Subject in the use of their own data. Of course there are consent and notice facilitating technical solutions like UMA and EnCoRe, and these will also move to address these issues, but the market point of entry is needed (something a well delivered PAC can facilitate) for these technologies. Although, I think, the technical ability to revoke consent provided by the RP/CSP is beyond what will ever be commonly available in the marketplace without a bilateral notice and consent infrastructure.

If opening notice is too much to discuss in the PAC context at this point in time, perhaps an administrative solution to consent can be developed alongside - expanding the "I agree" checkbox so that it can be tagged and administered post consent provisioning by the Subject of consent (e.g. an "I agree" checkbox with an "I want to tag this consent" box added). Although I am sure there are many more ways to discuss and develop bilateral notice and a consent discussion/solution (e.g. UMA and ISWG).

In terms of this thread, in the PAC for assessors a valuable discussion around assessing a single consent, matched to a single notice, provided by an RP/CSP, versus multiple consents packaged by the Subject would be meaningful. At a minimum, an assessment of who has control of consent and how accessible notices are is critical.

Bottom line, I think the message should be: the greater (and more sustainable) the Subject's control of consent and access to notice (post and pre consent), the less onerous the privacy assessment and requirements for IDPs/RPs/CSPs (but this is just my humble opinion).

So I agree with David, let's not get caught up in the weeds or set off in the wrong direction; let's move on with incrementally discussing assessment criteria with certain clarity that we are talking about the subject's control in relation to the privacy practices of a CSP/IDP/RP/Attribute Provider, etc.

In this regard, I have provided some summary comments to the PAC to illustrate where these points might more productively be raised, discussed, debated, etc. 

- Mark


RG-Kantara-1-4js-DSI-ML-notes-1.doc