Dear Mark,

The opportunity with DGSI, the upcoming ISO meeting, and the need to complete the publications on our roadmap require us to focus on these projects/publications to take advantage of this.

The direction below does not change the work or the direction of what we have underway. In all cases we need to finalize the scope and get out the TPI/TPS, and CRv2.

I suggest that we use the majority of the meeting to assess where we are at, and what we commit to accomplishing.

Sincerely,

Sal

From: Mark Lizar <mark@transparencylab.ca>
Sent: Thursday, September 5, 2024 11:45 PM
To: wg-ancr@kantarainitiative.org
Subject: [WG-ANCR] Re: Next Steps - Notice and Consent Receipt v2,

Dear WG, 

There has been some good forward movement on resolving long outstanding issues in advancing the work from the ANCR WG. Below I explain why I would like to propose that we take our v2 notice and consent receipt work to Data Governance Standards Institute (DGSI), a Canadian national standards body, as soon as possible. 

For those of you who don’t know, there are some known challenges to progress the notice and consent receipt work. In summary: 

  • Originally called the MVCR [Minimum Viable Consent Receipt], it was taken too soon to ISO and named 27560 Consent record information structure, without the CISWG’s knowledge 
  • At ISO, it was politicised and diluted by numerous national inputs until it was unable to address the core issues of notice and consent 
  • Consent requires open and standard transparency; its strength, integrity and viability depend on it. This is why the MVCR is a notice receipt that anyone can use to consent with. Consent is essentially based on a notice record information structure, which is what ISO/IEC 29184 is focused on, as well as some very specific laws, able to be used autonomously to demonstrate consent 
    • It was specified to the ISO/IEC 29100 security and privacy framework which was open, but its latest update is not 
    • It was specified for ISO/IEC 291284 Online Privacy notice and consent standard (see Appendix D 29184). This standard is not open (exclusive), so not operational as an international transparency and identity governance standard 
  • Finally, 27560, the consent record information structure, makes a fundamental error by confusing consent (managed by humans) with permission (managed by services) 
  • What's more, continuing this work via Kantara has a disadvantage, as Kantara is not a national standard body, making a Special Interest Group for Authc with members from national stakeholders a non-viable path.

For these reasons and more, the ANCR WG has always been viewed as a place to incubate standards for industry and regulatory use. This is why we have worked on a companion TP-Scheme that uses this specification to demonstrate conformance and compliance. The idea being that we, the ANCR WG, work on the scheme, and support its use and extension for a Kantara programme, or one that Kantara collaborates with. 

The ANCR WG demo, in collaboration with a specification at DGS, is what is ultimately being proposed here as the immediate path forward.

DGSI are now recognised, accredited to make national and international standards, and have a direct route to ISO/IEC. Even more importantly, DGSI have an arrangement with ISO because their standards are open; the standards put forward to ISO will also be free and open to access. This provides us with a clear path for our v2 Notice and Consent specification to ISO, with national regulatory input, at no cost. 

To this end, the next plenary for ISO is coming up at the end of this month and comment is needed next week (w/c 9 September).

I suggest we put forward to the 27560 that we have a proposed v2 to be developed in collaboration with DGSI, and that we have a TPS at Kantara, to assess validity of consent.

Suggesting we move the TP-Scheme forward in this context - and from this context work on the AuthC SiG. 

Please comment and respond before next week's meeting (Wed 12th of September).

- Mark