For example,

5.2 Notice
5.2.1 General
5.2.2 Providing notices obligation
5.2.3 Appropriate expression
5.2.4 Multi-lingual notice
5.2.5 Appropriate timing
5.2.6 Appropriate locations
5.2.7 Appropriate form
5.2.8 Ongoing reference
5.2.9 Accessibility
5.3 Contents of notice
5.3.1 General
5.3.2 Purpose description
5.3.3 Presentation of purpose description
5.3.4 Identification of the PII controller
5.3.5 PII collection
5.3.6 Collection method
5.3.7 Timing and location of the PII collection
5.3.8 Method of use
5.3.9 Geo-location of, and legal jurisdiction over, stored PII
5.3.10 Third party transfer
5.3.11 Retention period
5.3.12 Participation of PII principal
5.3.13 Inquiry and complaint
5.3.14 Information about accessing the choices made for consent
5.3.15 Basis for processing
5.3.16 Risks ...


On Jun 3, 2024, at 3:05 PM, Mark Lizar <mark@transparencylab.ca> wrote:

Hi Andrew, 

You make an excellent point. Ah, the ethical / business case is a nuanced topic, as you and I both know. I think fundamentally, open means that 29184 could be used to assess the mis-information in digital identity management and security policy; this would address many systemic governance challenges with digital identity management technologies. Currently, policy makers and legislators do not have the tools (aka access to 29184 notice controls for consent as a standard), therefore they are unable to compare the policies or procedures they are considering with an international standard for digital privacy practices.

There are multiple calls for a foreign transparency registry, in which they are not even aware that there are such standards, nor are we able to use those standards to demonstrate their compliance with international laws and privacy expectations. All of which are not really compelling corporate incentives.

Critical to our work is the timing of notice and whether or not consent is valid. In particular, our TPI Performance Scheme could natively be used to assess conformance with 29184. Most importantly, the consent receipt was written to be used with this standard 29184, and without it being open it's not usable to iterate forward with.

Do you have any ideas on how to fish out the business case there? What is the value of authentic data provenance in the market?

Mark



On Jun 3, 2024, at 2:23 PM, Andrew Hughes <andrewhughes3000@gmail.com> wrote:

All good Mark.

Suggestion: why not describe what is inside 29184, why it is valuable for corporations to use, and why that value cannot be realized by corporations and governments unless it is available at zero cost? 
The rationale you give is all fine and well, but doesn't really make the specific case that 29184 is the one that should be freely available - you are making a decent case for 29100 which would lead to 29184.
————————
Andrew Hughes CISM 
m +1 250.888.9474
AndrewHughes3000@gmail.com 



On Mon, Jun 3, 2024 at 8:08 PM Mark Lizar <mark@transparencylab.ca> wrote:
Thanks for the secret comments, and yes, this could be written to much better effect.  (Thanks for the edit!) 


What if we provide this as a letter to the Leadership Council, and see if we can inspire some consensus on this topic - and a little bit of Kantara PR? This is the sort of thing we would need to ask Andrew, and the Leadership Council, about. So perhaps a letter to the LC?

Mark 


Dear Leadership Council, 
Your support needed: Why we must advocate for open access to ISO/IEC 29184 

An important request was made during the recent plenary in Manchester, UK: to make the ISO/IEC 29184 Online privacy notice and consent standard open and free to access.  As a standard designed to enhance transparency, this is essential if it is to fulfil its purpose of addressing misinformation in security and digital identity and personal media management technology.  

On 28 May, I sought assistance from Canada’s National Mirror Committee for ISO/IEC in this effort. Below you can find a summary of my argument for doing so.

Now we ask if the LC and Kantara community will join us and support this through the ISO/IEC liaison, to make this standard open access. You would not only be furthering our shared goal of enhancing digital privacy and transparency but also moving towards ensuring transparency and trust in digital identity practices worldwide. A topic we could all support and collaborate on.

Thank you for your consideration.

 Mark / ANCR WG

Why open access matters
29184 was developed to supplement the freely accessible ISO/IEC 29100 security and privacy techniques framework. Our work at the Kantara Initiative has long focused on standardizing notice to enable managed consent and control over data access on a large scale. This effort began more than a decade ago at the W3C - Do Not Track and Beyond conference, where Ashkan Soltani, Reuben Binns, and I presented on the need for notice and transparency standards in online security and privacy.

The business case for standardizing digital transparency
There is a compelling business case for ISO/IEC to lead in standardizing digital transparency for security, privacy, and digital identity management. A robust set of international transparency standards would compel industries to adopt ISO/IEC’s paid security standards, such as 27001, 27002, and 27701. These standards provide specific requirements and guidance for establishing a Privacy Information Management System (PIMS).  Acting now to facilitate data governance and security interoperability will enable ISO/IEC to lead this competitive practice internationally. 

International impact and interoperability
Our commitment to this project is driven by 29100’s influence in developing international privacy instruments that are interoperable with GDPR and, importantly for Canada, the CoE Convention 108+. Expected to be ratified by 2025 latest, Convention 108+ will provide Canada with an international data governance instrument for security and privacy across the Commonwealth, encompassing 56 countries and 2.5 billion people. Convention 108+ mirrors the GDPR Chapter 1 Transparency Modalities section, and 29100 has been the only international standard we can use to create an international transparency standard that scales consent with identity management internationally.

The implications for Kantara
Last August, ISO/IEC 27560 Consent Record Information Structure was published, derived from the Kantara Consent Receipt V1.1 specification. This specification was designed to supplement both 29100 and 29184. When 29184 was published, the Consent Notice Receipt was included in Appendix B. Consequently, our work at Kantara on notice and consent receipts can contribute as a regulatory tool to assess the conformance and compliance of PII Controller notice records and credentials, benchmarking compliance with 29184 natively.

In our ANCR WG, we developed a Transparency Performance Scheme for creating conformant PII Controller records, as a legal record of processing to assess the performance of transparency and the legal validity of consent. To further this work and utilize 29184 for it to support an international standard for digital privacy transparency and consent (notice record and receipts), it, along with the ISO/IEC 27560 consent record information structure, must be open and freely available to use for public digital infrastructure.




On May 28, 2024, at 1:31 PM, Mark Lizar <mark@transparencylab.ca> wrote:

Hi ANCR’s,

I have just submitted this request to the ISO/IEC Mirror Committee; here is the request (without the form) for your review, and perhaps with ANCR consensus on this topic the ANCR WG can support this too? What do you think @Sal?

Kind Regards, 

Mark
****

Dear JTC1 / SC 27 / WG5 Mirror Committee, 

During the plenary in Manchester, UK, a request was made to make the ISO/IEC 29184 Online privacy notice and consent standard free to access. First and foremost, this is a transparency standard for online privacy notice, which if not open defeats the purpose of the standard, which can be used to address mis-information in security and digital identity management technology.

29184 was made to supplement the free to access ISO/IEC 29100 security and privacy techniques framework, and it has been a long term focus of the work at the Kantara Initiative, with the mission of standardizing notice to enable consent to managed control and access to data at scale online. This effort began in 2012 with a call to action for notice and transparency standards for security and privacy online at a W3C - Do Not Track and Beyond conference, where Ashkan Soltani, Reuben Binns and I presented on this topic.

There is a clear business case for ISO/IEC to standardize digital transparency for security, privacy and digital identity management, as a successful international set of transparency standards would more aggressively onboard industries into ISO/IEC paid security standards: 27001, 27002, and 27701, which provide specific requirements and implementation guidance for establishing a Privacy Information Management System (PIMS). Enabling data governance and security interoperability is a competitive practice which ISO/IEC obviously wants to lead in internationally.

The reason we chose this project and work was because ISO/IEC 29100 has driven the development of international privacy instruments, and is interoperable with GDPR and, more importantly for Canada, CoE Convention 108+, which is expected to be ratified in 2024 or 2025, providing Canada with an international data governance instrument for security and privacy across the Commonwealth, containing 56 countries and 2.5 billion people. Convention 108+ mirrors the GDPR Chapter 1 Transparency Modalities section, and ISO/IEC 29100, as a free to access standard, has been the only international standard which we can use to make an international transparency standard to scale consent with identity management internationally.

Background
The standard published last August, ISO/IEC 27560 consent record information structure, was developed from the Kantara Consent Receipt V1.1 specification, which was written to supplement both 29100 and the 29184 Online privacy notice and consent standard. When 29184 was published, the Consent notice receipt was published in Appendix B, and as a result our notice and consent receipt work at Kantara could be contributed as a regulatory tool to assess conformance and compliance of PII Controller notice records and credentials, which could then be used to benchmark compliance with 29184 natively. In the ANCR WG we have a Transparency performance scheme, for making conformant records of processing and for assessing if consent is valid or not. In order to further this work or to utilize 29184 to support an international standard for digital privacy transparency and consent (aka notice record and receipts) it must be open and freely available to be used and specified with.

To this end, I humbly ask for this committee's support of this request to make the ISO/IEC 29184 Online privacy notice and consent standard open and free to access.

Best Regards,

Mark Lizar


_______________________________________________
A Community Group mailing list of KantaraInitiative.org
Wg-ancr mailing list -- wg-ancr@kantarainitiative.org
To unsubscribe send an email to staff@kantarainitiative.org
List archives --  https://mailman.kantarainitiative.org/hyperkitty/list/wg-ancr@kantarainitiative.org/
______
Group wiki -- https://kantara.atlassian.net/wiki/spaces/Wg-ancr

