Apologies for missing what seems like a good call. We created a v0.1 of a JSON privacy policy template as a part of this past week's efforts that would operate a consent receipt generator, which conforms to the CR spec we are working on. (This is an interesting approach as well.) As for GDPR and regulatory capture for consent: this might be a bit of a red herring for the UMA contractual approach. The space is wide open now for interpretation because of emerging laws, but in practice there are a lot of gaps and operational holes that innovation like UMA PII Notices can innovate. A consent receipt, for example, is only required for sensitive data collection and is useful legally for consent options, but not really required for providing PII, which needs another variant of the notice structure we are working on. I think it's important to look at what is required for the use case that UMA is being applied to and stay operational in the approach to address it. - Mark
On 3 Sep 2016, at 17:52, Andrew Hughes <andrewhughes3000@gmail.com> wrote:
Nobody ever said that you were critical about CommonAccord.
The issue I see is that there's lots of non-productive text pointing out that this group is failing to address the challenges you identify.
I don't really understand the phrase "regulatory capture". Without regulations, organizations won't change en masse - those enlightened organizations may see some advantage in early action, but will be outliers until social norms (and eventually regulations) catch up to them. Kantara aims squarely at the needs of organizations within their markets - which includes regulators and customers/consumers/clients (and many other actors). I have not done an in-depth analysis of the state of regulation and the internet - but a cursory survey tells me that the unregulated spaces tend to spawn powerful walled-garden oligopolies or monopolies (Uber, Facebook, Google, etc.) which capture audiences in different ways.
Stating that "Kantara" has a view on prioritizing industry versus individual interests is a false argument. Kantara's view and place in the ecosystem is the result of its members input and work. It has no organizational position or viewpoint of its own. Kantara provides innovators the tools and space and freedom to meet and discuss ways to change the world - neutral and open is the mantra.
Will you lead a new Kantara Discussion Group to further explore the imbalances in the ecosystem that cause "industry interests" to trump "individual interests"? Because that's the mechanism to include topics like that in Kantara's scope. Trying to force other WGs to look at issues tangential to their mandates isn't going to work very well.
You will get strong participation in such a DG - there are many in the Consent and Information Sharing, UMA, myData, Personal Data Ecosystem, and other communities that would be enthusiastic contributors. The DG would be supported in writing a Kantara Report that assists the other DG/WG on understanding the issues and aligning correctly.
What do you say? Charter up and get going?
Andrew. Kantara Initiative Leadership Council Chair
Andrew Hughes CISM CISSP Independent Consultant In Turn Information Management Consulting
o +1 650.209.7542 m +1 250.888.9474 1249 Palmer Road, Victoria, BC V8P 2H8 AndrewHughes3000@gmail.com ca.linkedin.com/pub/andrew-hughes/a/58/682/ Identity Management | IT Governance | Information Security
On Sat, Sep 3, 2016 at 8:48 AM, Adrian Gropper <agropper@healthurl.com> wrote: My comment was in no way a criticism of CommonAccord. I have supported that project for years and it's still the only thing like it that I know of and it makes sense.
My comment is critical of regulatory capture and the way we translate innovations like CommonAccord and regulatory initiatives like GDPR into industry practice. Governance is at the heart of the issue. The standards mechanism, including Kantara, is not set up to put individual and civil society interests above industry interests. Regulatory mechanisms like GDPR and the US "Meaningful Use" debacle are not set up to create standards. Regulatory capture is the result.
The places I've experienced pushback on regulatory capture are UMA (where, under Eve's leadership, we have consistently sought to widen the ecosystem and consider individual rights equal to institutional) and the blockchain communities, where avoiding regulatory capture is a religion in itself.
My comment, which was obviously unclear, was a call for us to consider the governance mechanisms that might result in creating structured and standardized privacy policies based on CommonAccord and GDPR.
One place where we're trying to make a dent in this governance issue is W3C. The idea is to convene an outcome-driven community (not a standards-track process) designed to combine UMA and blockchain and other standards to create a "stack" of protocols that captures the fundamentals of privacy engineering and re-balances the power of individuals over institutions. W3C Verifiable Claims is another example of a standard that will be core to privacy engineering if it survives regulatory capture. You can read about this as paper #7 at http://www.hhs.gov/about/news/2016/08/29/onc-announces-blockchain-challenge-winners.html (Hint: read paper #13 first to get a very nice introduction to why #7.)
Adrian
On Sat, Sep 3, 2016 at 10:08 AM, James Hazard <james.g.hazard@gmail.com> wrote: Thanks. I agree fully with both comments, except for the part where Adrian claims to disagree.
Yes, the "end-user" (aka "human") gets a short list of diffs from some base (here a _very_ short list, on the CPBR policy: http://www.commonaccord.org/index.php?action=source&file=Wx/gov/whitehouse/OMB/Legislative/Letters/cpbr-act-of-2015/Policy/Acme_Privacy_Policy.01.md )
Yes, there are different policies for different settings. The range of "settings" is vast - not only industry, but also jurisdiction and language, characteristics of the human (child, disabled, married, employed, related), etc. So the system needs to be extensible - a person on "the edge" can autonomously extend any existing end point and enrich the taxonomy.
The GDPR provides an excellent base for this. I'll spin up a first-level repackaging and see how it goes.
On Fri, Sep 2, 2016 at 10:36 PM, Andrew Hughes <andrewhughes3000@gmail.com> wrote: Well, given that GDPR is pan-EU and takes effect soon and has real financial penalties, I'd say that it's not a bad place to start.
Rather than dismissing others' proposals, what do you propose instead?
I'd love to see what you've got in mind to take the 10 pages down to the short versions. Also preferably text that works for non-US regulations.
andrew.
On Fri, Sep 2, 2016 at 6:22 PM, Adrian Gropper <agropper@healthurl.com> wrote: The GDPR is useful but not enough. We need to see more companies compete on the basis of privacy the way they compete on cost or features. To enable that, we need privacy policies that are structured and standardized.
A standards-type of organization would need to categorize the various kinds of information business and then write a standard privacy policy for that category. Businesses would be asked to self-assert a category and only list the exceptions for their business relative to the standard. Categories could be for banks, telecom, merchants, social media, multi-player games, health services, media distribution, government services, productivity software, home appliances, and a handful more. It's pretty easy to tell which category any given product or service is in terms of personal information handling as defined in the GDPR.
Within the categories, we would pull out and structure obvious features such as: is a standard API available for 100% of the private information they hold (like a calendar or email service do); how does the business provide transaction notification to users; prior notification of policy changes; does the business ever export de-identified individual level data; which national jurisdiction is data processed under; is there a right to immediate export and deletion including backups, what technologies are used to track users; and a few more like that.
It would not take much to move from the 10-page privacy policies and terms of use we have today to a typical policy having 0 to 6 exceptions on a single mobile phone screen.
From my perspective as a privacy advocate, simply working toward model clauses or applying CommonAccord to GDPR would be helpful but it could also be a distraction at a time when we need to make very rapid progress to avoid a crisis. Do we really believe that GDPR and HIPAA are the future or are they just the camel's nose under a very shaky tent?
Adrian
On Fri, Sep 2, 2016 at 8:05 PM, James Hazard <james.g.hazard@gmail.com> wrote: Great work!
As we considered "consent" vs other words in the conversation today, the GDPR's vocabulary seemed important, because it is likely to have great influence on privacy, in Europe and outside. http://www.commonaccord.org/index.php?action=doc&file=/Wx/eu/europa/eur-lex/GDPR/Comment/Consent/0.md
A thought occurred to me - what if privacy policies and similar agreements relating to privacy mapped to the organization of provisions of the GDPR and reused, to the extent reasonable, the vocabulary of the GDPR. This would provide a base for a common taxonomy. The taxonomy would prove inadequate or undesirable, at least in detail, in many circumstances, but it is an influential starting place.
Some time ago, I played with this notion in connection with the CPBR - the proposed US Consumer Privacy Bill of Rights. Like the GDPR, the CPBR calls for organizations (like Kantara?) to create charters that can be used by companies. I played out the idea as a privacy policy that referenced a charter, which in turn mapped to (was mostly made from) the CPBR. The resulting privacy policy is goofy, but it demonstrates a chain-of-text that connects all the layers of the conversation.
http://www.commonaccord.org/index.php?action=list&file=Wx/gov/whitehouse/OMB/Legislative/Letters/cpbr-act-of-2015/
The GDPR has the additional advantage of being quite complete, actually enacted, available in many languages, etc. http://www.commonaccord.org/index.php?action=doc&file=/Wx/eu/europa/eur-lex/GDPR/Form/0.md#Article.Sec
On Fri, Sep 2, 2016 at 3:43 PM, Eve Maler <eve@xmlgrrl.com> wrote: http://kantarainitiative.org/confluence/display/uma/UMA+legal+subgroup+notes#UMAlegalsubgroupnotes-2016-09-02
2016-09-02 Working session on User-Managed Access (UMA) in Contractual and Regulatory Contexts <https://docs.google.com/a/wunderlich.ca/document/d/1HGM5-PoJFMnepyrTX91hqHKQ-qNgNxgQjkzqod7Otto/edit?usp=sharing>
Eve will try to press ahead with lots of editing AIs prior to the call. Adrian and Kathleen have sent various suggestions in list/private email in the last month that we should review.
Attending: Eve, Kathleen, Ann, John W, Mary, Jim
We did a ton of work in the document. If you haven't seen it, the latest version of the slides with the "legal use cases" is here <http://www.slideshare.net/ForgeRock/usermanaged-access-why-and-how-access-control-in-digital-contract-contexts>. Please feel free to share it. See also Jim's CommonAccord capture of the GDPR <http://www.commonaccord.org/index.php?action=doc&file=/Wx/eu/europa/eur-lex/GDPR/Form/0.md#Article.4.11.sec>.
Eve Maler Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
-- @commonaccord
--
Adrian Gropper MD
PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/