
Sal, Is this something that can be added to the wiki, like in a blog post? - Mark
On 22 Apr 2025, at 12:25, Salvatore D'Agostino <sal@idmachines.com> wrote:
From: Salvatore D'Agostino
Sent: Monday, April 14, 2025 4:56 PM
To: Tricia.Farley-Bouvier@mahouse.gov; Michael.Moore@masenate.gov
Cc: Daniel Schleifer <dan@idmachines.com>; gigi.agassini@gmail.com
Subject: Public Comment to the Joint Committee on Advancing Information Technology, the Internet and Cybersecurity
Joint Committee on Advanced Information Technology, the Internet and Cybersecurity Chairs,
Thank you for the opportunity to comment on the legislation under consideration.
The ability of security and privacy professionals to apply their skills for good is greatly enhanced by the power of law. Too often security measures and privacy compliance are put in place only as a reaction to something gone wrong. The comprehensive slate of legislation here empowers better design and operation of data processing systems, and associated products and services by organizations and citizens.
Massachusetts and the United States have, in the past, led the way in terms of privacy rights and frameworks. The Fair Information Practice Principles (FIPPs <https://www.fpc.gov/resources/fipps/>) that are adopted into the ISO/IEC 29100:2024 <https://www.iso.org/standard/85938.html> Privacy framework from 50 years ago still apply today. It is good to see Massachusetts come back into the fight with other states across the country in enacting substantial legislation.
The Kantara Initiative, where I chair a workgroup <https://kantarainitiative.org/work-groups/ancr/> on Anchored Notice and Consent Receipt, recently published for public comment a set of transparency performance indicators that can be used to measure whether there is a valid basis for consent. This legislation provides the ability to add further to legal requirements that help to define consent. S45 and H78, for example, have excellent language around the requirements for consent. What exists today in too many cases are the dark patterns referenced in the legislation, which provides a light to expose and change them. In the work we do, we reference laws and frameworks to create security and privacy technology for people; this legislation helps. At IDmachines, we believe that there is a great opportunity for innovation when it comes to privacy and security for people. We believe this can be done in a way that benefits all stakeholders and provides a better data economy, and that we can do that in Massachusetts.
In addition to the legislation, we need privacy and security infrastructure for people. While that may seem like a big dig, it in fact can be done with a fraction of the investment and provide tremendous benefits to the Commonwealth, its citizens, and beyond. We can create an alternative to surveillance valley that provides more useful, secure, and private digital and real-world identity, access, and mobility.
The establishment of a public registry for 3rd party collecting entities could be expanded to all PII Controllers, including all covered entities in the legislation. It could include all that operate in the state of MA. It would provide sufficient information so that people could understand who they are dealing with, as could a program operating on their behalf, as to whether their status as a covered entity was in good standing, in effect the availability of a certificate of good standing, and in the case of where they are not registered in the Commonwealth, the same from the jurisdiction of their registration. In the past, I had the honor to serve as the Chair and President of the Identity Ecosystem Steering Group, a public-private partnership in cooperation with the National Institute of Standards and Technology. We published and stood up an initial registry <https://idefregistry.edufoundation.kantarainitiative.org/>. There now exists a significant opportunity, even perhaps more than before. The attached recommendation gives an example of the information that could be aggregated into controller records in that registry. It would better enable direct digital interactions between people and organizations. It is possible to go beyond managing data brokers to enabling dynamic direct data, business, and personal exchanges and reduce the need and impact of things in the middle.
Respectfully,
Salvatore D’Agostino
IDmachines LLC
4 Lamson Place
Cambridge, MA 02139-2612
+1 617.201.4809
@idmachines
https://idmachines.com