You've missed my point.

The analysis and ontology work that went/is going into TosBack2 is the piece you might want to explore. You are looking for a simplified representation of policy - but until you examine the structure and conceptual meanings of the policies that will be simplified, there's a risk of missing important pieces.

Just a suggestion, rather than re-inventing and creating new uses for words...

Andrew Hughes CISM CISSP 
Independent Consultant
In Turn Information Management Consulting

o  +1 650.209.7542
m +1 250.888.9474
1249 Palmer Road,
Victoria, BC V8P 2H8

AndrewHughes3000@gmail.com 
ca.linkedin.com/pub/andrew-hughes/a/58/682/
Identity Management | IT Governance | Information Security 


On Sat, Mar 12, 2016 at 9:12 AM, Adrian Gropper <agropper@healthurl.com> wrote:
Yes. TOS Back has the same goal but is the exact opposite of what I'm proposing. It presumes that there's some value to the consumer for having 20-page privacy policies and terms of use that are heavily customized for every service we visit. We might call this the passive-aggressive approach to authoring and managing privacy notices. Just because we can create 20 page custom legal documents for an apartment lease or a privacy notice doesn't mean there's actual value to the consumer in doing so. A privacy notice is not the same as a piece of source code and should not need a Diff function run by experts to be understood. Privacy notices can be standardized.

We standardize software licenses and apartment leases for a reason. We do it to help typical people understand any unusual exceptions, good or bad, from what might be expected in the particular domain. The problem is that standards organizations are funded by commercial interests and making privacy notices easier to understand and to enforce is not likely a priority yet. As ad-blockers and GDPR begin to add real costs and benefits to privacy practices, we can expect to see a shift toward standardization.

Adrian



On Sat, Mar 12, 2016 at 11:44 AM, Andrew Hughes <andrewhughes3000@gmail.com> wrote:
Not completely on topic, but Adrian: have you seen the ToSBack2 project from ISOC?


I have not plunged into the abyss of reading the documentation... but I suspect that they have created a functional ontology for privacy policies that enables the analysis engine to do cross-version comparison. That might save some thinking work about how to slice and dice then represent the policies...

just a thought.

andrew.


On Sat, Mar 12, 2016 at 4:42 AM, James Hazard <james.g.hazard@gmail.com> wrote:

On Fri, Mar 11, 2016 at 10:29 PM, Adrian Gropper <agropper@healthurl.com> wrote:
Thanks for sharing this. From my strictly consumer perspective, here's what I would do with this:
  1. Start a Standard Privacy Notice workgroup in Kantara with a narrow charter to classify and label privacy notices.
  2. Make the Automattic Policy the first label and post it the way we would a CC or OSI license.
  3. Publish a DRY Privacy Notice Best Practice that would incorporate a labeled privacy notice BY REFERENCE and list only the exceptions, if any, to the referenced policy.
  4. Add CommonAccord to this as an option for describing only the exceptions.
  5. Suggest standardized formatting for the exceptions right down to the fonts and colors.

My guess is that the world can get by with only 5 or so of these baseline privacy notice labels to serve, for example:

  • blogs, (Automattic)
  • merchants, (Vendor)
  • things, (Robot)
  • medical services, (HIPAA)
  • directories (Dating)

In addition, I would classify each privacy notice into one of three classes depending on the kind of API they provide:

Class 1: Service will not see your data. You are in sole control of the API.

Class 2: Service will see your data but the API you control has all of the data available in real-time.

Class 3: Service will see your data but there's limited or no API access.

I've described these three classes in http://thehealthcareblog.com/blog/2016/02/22/apple-and-the-3-kinds-of-privacy-policies/

The result would be that Kantara privacy notices would look like: Automattic_2 or HIPAA_3 and people would mostly pay attention only to the exceptions.

Adrian


On Fri, Mar 11, 2016 at 12:31 PM, Eve Maler <eve@xmlgrrl.com> wrote:
On today's call, I mentioned a cool privacy policy I ran across when I downloaded this app:


The app costs $4.99, and I carefully looked at the policy and decided I was very willing to pay money -- and they were making the tradeoff very worthwhile. They based the policy closely on this (both are CC-licensed -- hooray for DRY content!):


BTW, the app is awesome too.

Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl


_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma




--

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.

DONATE: http://patientprivacyrights.org/donate-2/


--
@commonaccord
