Mark – great start.
In addition to ‘why trust is required’, more is needed on ‘how trust is attained’.
Bringing in the privacy advocates as you have suggested is a great start and should Kantara proceed with this project, their engagement is essential.
That said, though, there is another consideration. The whole ‘trust’ challenge is not just a logic problem. At least as significant is the Human Computer Interface challenge. Or even more deeply, as often pointed out by Susan Morrow, the whole social anthropology of these processes.
By way of example, have a look at the Oxford Handbook of Internet Psychology (http://ukcatalogue.oup.com/product/9780199561803.do) and in particular, the chapter titled “Trust in Mediated Interactions”, copy attached. I met with one of the authors, Angela Sasse, in London 10 days ago where we discussed these issues and the impact that HCI is having on the UK Hub arrangements currently being developed for a User Centred federated ID management system.
Ignoring the human face of all this will (again) lead to a less than acceptable outcome.
Regards
Malcolm Crompton
Managing Director
Information Integrity Solutions Pty Ltd
ABN 78 107 611 898
Gentlemen,
The question comes to mind: whose "trust" are we talking about? As long as IDPs and RPs "trust" each other's credentials, consumer privacy is not really relevant to their willingness to transact. Consumers apparently "trust" online and offline merchants enough to provide data and continue doing business, although in many (most?) cases they do not have a choice in the matter if they want to make purchases or participate in society in other ways.
I am not questioning the need for privacy--I've been doing privacy work for a dozen years, and in my personal life I take more precautions than most people. However, before we propose a pilot, we need to be very careful about defining the problem we are trying to address. As Mark pointed out, doing what Target is doing is perfectly legal in the US, and FICAM's requirements extend only to activities on government web sites. Privacy protections will cost companies money both in implementation costs and in foregone revenue. So what is the business case for these protections when it is legal to operate without them?
Anna
Anna Slomovic
Chief Privacy Officer
Equifax
1010 N. Glebe Road, Suite 500
Arlington, VA 22205
O: 703.888.4620
C: 703.254.9656
UK is proposing retention of very detailed data for security monitoring and investigation. There is fear that other uses would be made of this data. Same problem as purchasing transactional data only more so.
[snip]
Rather than the Government holding the information centrally, companies including BT, Sky, Virgin Media, Vodafone and O2 would have to keep the records themselves.
Under the scheme the security services would be granted “real time” access to phone and internet records of people they want to put under surveillance, as well as the ability to reconstruct their movements through the information stored in the databases.
The system would track “who, when and where” of each message, allowing extremely close surveillance.
Mobile phone records of calls and texts show within yards where a call was made or a message was sent, while emails and internet browsing histories can be matched to a computer’s “IP address”, which can be used to locate where it was sent.
[snip]
Anna Slomovic
Susan,
I agree that the topic is far from the agenda--except that the P3 NSTIC pilot is being couched in terms of trying to address issues around data retention and reuse by commercial entities.
I'm happy to end this thread.
Anna
Mark et al – I think there are a number of threads of argument here worthy of discussing.
Notice as a trust issue & Accountability as a privacy issue
I think this distinction is artificial. Both tools arguably apply to both.
We have good examples of where additional information leads to disinformation, worse decision making etc and in such circumstances, it is accountability that is the key to trust.
On the one hand, capital markets are discovering that longer more complete product disclosure notices do not lead to better informed markets. On the other, today’s motor car is incomprehensible to the ordinary driver compared to one made 50 years ago in terms of the technology inside (eg ABS systems compared with simple braking systems of years ago) yet is more trustworthy and trusted. It is not notice that achieves this, it is the accountability structures, ie the compliance plate on the car’s firewall.
HCI and privacy and trust
The point of this remark is simply to suggest that any process that Kantara develops shouldn’t just be seen through a technology or logic lens. I am not an expert in the area. But I have been concerned for some time that we are not bringing HCI and related fields into the development of online safety / security / privacy when we have seen the incredible impact of it in other aspects of human behaviour online (to wit, the touchscreen / smartphone / tablet revolution) yet haven’t applied it to safety. Again, the road experience and the way the world has standardised the road experience to improve safety shows it can have considerable safety impact.
Storage and use of data by either public or private sector
Many folk are aghast at the volumes of information created, retained and used in ways described in the NYT article by either the private sector or the policing / national security folk (themselves or by forcing agents such as ISP to do their work for them).
The extent to which this is developing covertly only adds to the unease. If the Targets of this world, the ad networks and ad servers, the smartphone Apps have nothing to hide, they have nothing to fear too. The obfuscation of these processes and the unconvincing hand wringing when caught (eg the controversy over the Path app, http://www.theregister.co.uk/2012/02/15/apple_rank_hypocrisy_as_privacy_protector/) at least supports conspiracy theory!
Anna’s point that “as long as IDPs and RPs "trust" each other's credentials, consumer privacy is not really relevant to their willingness to transact” needs considerable debate. Arguably, one of the reasons why Federated Identity systems are NOT trustworthy is that they only deal with trust between IDPs and RPs. Traditional Federated Identity schemes have provided insufficient assurance at either the technological level or the business process / compliance level to the individuals involved that what they are doing with the information so exchanged is appropriate. This is where the Kim Cameron Laws of Identity come in and more recently, the concept of Attribute Based Credentials (see the ABC4Trust project for exploration of these issues at https://abc4trust.eu/index.php/pub/talks, especially the first half dozen slides in the presentation by Marit Hansen). At the very least, this involves minimal disclosure of attribute information between parties and prevention of tracking that starts at the technology layer.
Which brings us back to notice and accountability. Trustworthiness and respect for privacy in such complex systems is probably not going to come from increased notice. It is going to come from third parties who are acting in the consumer / citizen interest (rather than the organisational interest, but with the ability to understand what is going on) certifying in some way that the right thing is being done – in other words, standards, testing against standards and accountability. Just as is the case for the process that puts compliance plates on the motor car firewall.
Mark – yes, it is a combination.
With regard to the role that notice has, it is less whether a notice is given (again, thinking of the motor car analogy or financial audit obligations), it is less about the notice given by the organisation processing the data so much as the (legal) obligations on the third party accountability agent to act in the interests of the individual not the organisation (as is the case in both the motor car circumstance and financial audit, where the obligation of the auditor is the interest of the shareholder not company management).
Malcolm