Page tree
Skip to end of metadata
Go to start of metadata

"towards human usable transparency and control as a public utility" 

Summary 

  • SSI - Controller Credential for Know Your Business (KYB) interactions and governance control flows.
    • the specification addresses inherent risks due to a vulnerability, with technical identifier based systems.
      • the more powerful the technology, , the higher the sensitivity, the  
    • this risk is mitigated with a controller credential for proof of transparency and by the performance of data control. 
    • Announcement June 9: This work group  calls for interest in ToiP community to support the development and extension of decentralized data governance for decentralized digital identity management.   
    • This specification, specifies how to generate a controller credential by creating an ANCR's eNotice Record, and then using this record to generate an electronic eConsent Receipt. 
    • This document aims to bridge the ISO/IEC 29100  (formalized international security and privacy framework standard that is free) with ISO/IEC  27002 (formalized information security controls)  to the trust over IP governance framework.
    • The method is
      • to specify the extension of  notice records and consent receipts into micro-credentials with  DiD's to generate electronic eNotice and eConsent receipts utilizing ToiP Governance Framework ecosystem. 
    • The controller credential is an extension of the Kantara Initiative, ANCR Notice Record specification, and apart of the  eNotice record and eConsent receipt information structure used for the AuthC (authorization default) Protocol.
  • to get access to the current draft - please join a work group call and request it. 


Implementing true SSI with electronic notice and consent - using international governance frameworks for hyperlocal transparency and data control

Process in progress:

  1. Updated March 24
  2. Notice Controller Credential Specification
  3. Papers (in progress)
    1. Decentralized Data Governance 
    2. identity interoperability

Notice & Consent Task Force 

Project owner:

Mark Lizar 

Editors

Surveillance Controller EditorSalvatore DAgostino

OCA Schema Editor: 


Status

ACTIVE 




Notice Controller Credential add's additional fields to an existing consent record formant for notice and consent 


Introduction

In privacy regulations globally transparency is a key requirement.   transparency is most often represented by the requirements for notice and specifying a legal justification and purpose for processing.

In this regard standards for the transparency and notice are required for transparency to scale. As a result there is a critical security issue in which people are not able to see who is in control of their personal data, what the legal justification and authority is used to processing personal - which makes it almost impossible to consent to transfer or exchange personal data across boarders.

This specification specifies the creation of a notice controller credential, which is used to generate micro-credential, signing a receipt to authorise  a specific purpose of use to implement international records of processing. 

Default - consent (representing shared understanding - as starting point)  - is provided in relationships record. 

  • the default presented to the controller - using the controller credential 
  • a notice request is the provided aka - a request to track - to  update the understanding 

Scenario of Use 

  • For decentralized digital identity, utilizing decentralized data governance to...

Governance Reference Architecture 

This controller credential utilizes a reference architecture that began with 1980 OECD Guidelines, and has been worked on for international /internet scalable data governance.  This work has driven regulatory reform and convergence internationally. GDPR refer framework for digital. 

This controller credential specification extends this international governance standard to the Trust over IP Governance Framework and is used to generate purpose specific micro-credentials for the governance of digital information with SSI's.   This enables the use of this reference architecture to scale analogue notice and consent to electronic eNotice and eConsent for digital exchanges and interoperability.  

  • ISO/IEC 29100
    • ISO/IEC 29100:2011 provides a privacy framework which. specifies a common privacy terminology; defines the actors and their roles in processing personally identifiable information (PII); describes privacy safeguarding considerations; and. provides references to known privacy principles for information technology.
    • ISO/IEC 29184 Online Privacy Notice & Consent 
    • ISO/IEC 29184 WD 5 Consent record information structure 
  • ISO 27002 Series : WG 5 SC27
    • ISO 27001 sets forth the compliance requirements needed to become certified. In contrast, ISO 27002 is a set of guidelines that are designed to help you introduce and implement ISMS best practices.
  • CoE 108+
    • International GDPR - 
      • data governance framework which provides the international enforcement policy baseline suitable for internet scale data control, identity transparency governance and consent
  • W3C Data Privacy Vocabulary 
    • V.5
  • Kantara
    • ANCR WG: eNotice and eConsent identity governance information structure  
    • ANCR Notice Record


Addressing The Challenge: Security Risk, Vulnerability  and Governance  Transparency Gap for SSI, as decentralized identifiers need a framework for transparency and control that can demonstrate international legal adequacy.  

The controller credential can be generated by any stakeholder, and is use to generate eNotice and eConsent records and receipts, that are defined here as micro-credentials.


 be verified and validated for legal proof and evidence. 

Terms & Definitions

The terms and definitions presented here and defined here are in addition to the references, this cover the field names specified for the controller. 

  • specific to this spec, (in the annex - mapping semantics between frameworks )
  •   


Auth-C: Notice Alert Protocol  


3 Vectors of Governance 

  1. Personal Data Control (Gov) - (lower risk) uses micro-credentials 
    1. the individual controls the source of data and verification 
    2. attribute by attribute control 
    3. Logging the access to the attribute for processing 
  2. Co-Regulation : multi-party governed - 
    1. Data trusts, where the individual + regulator and service co-regulate
    2. Logging the access to the processing 
  3. Data Protection : Self-Regulated -
    1. the service provider regulates the processing of personal data
    2. Signed, verified and open code, with shared logging

3 Tiers of  Controller Assurance


0 - Self Asserted Identifier 

  1. Public verifiable 
  2. Digitally verifiable & Legal (service delegation)
  3. Operator Controller - Certified and legal 


Specification Overview 

This specification builds upon the Kantara ANCR Record specification (and Consent Reciept)(ref) to build a notice controller credential for recording the controller and contract information in a notice. 

The ANCR Record provides Consent Types to anchor the record trust record and an individual's understanding of the relationship.  Specifically, root of trust record for the individual, which the individual owns and controls In a personal data store and profile. 


The Record and Receipt specification uses ISO/IEC 29100 Security and Privacy techniques ref (free ISO specification) terms and definitions to identify the legal stakeholders(ref) and their roles in the processing and control of personal information.    Using international standards for creation of  record and receipts publicly. 

ISO/IEC 29184 - Online Privacy Notice and Consent Controls  - 


The field data for the records and receipts are specified from numerous sources, in particular the W3C Data Privacy Vocabulary, for 



Fields Added to ANCR Record to Create Verifiable Credential

ANCR Record spec - is here (enter link)

This credential is for transparency and accountability for data (and identifier) governance,

The  eNotice (PII) Controller Cresdential, is used to generate eNotice record, for micro-credential PII Principal 

  1. PII Controller Identifier [DiD] 
    1. Credential ID 
    1. Accountable Person 
    2. Accountable Person role 
    1. Controller Notice Record Identifier 
    1. As a DiD: Verified Credential  
  1. Controller Type[Ctype]:  
  2. Notice Controller,  
  3. PII notice controller,  
  4. PII controller,    
  5. PII surveillance controller , (info not provided by PII Principle) 
  6. [Ctype] controller operator, 
  7. Accountable Person Type

Security Considerations

how to specify the 

To address the security gap, the controller credential is presented in a privacy or security notice, prior to surveillance.

The individual can use this controller credential to provide consent for a specific purpose, as well as specifying the source of data, by providing a consent receipt, signed to be a micro-credential. 

There are a series of steps which need to take place to establish two types of trust 

Type 1: Transparency Trustframework - 

Human security, discovers or generates a controller credential to create human trust anchor record and credential (dial tone)independent of the Controller/Service provider. 

Type 2: Technical Trust 


Mitigation Risk

Using standard framework for transparency of control with data control defaults 


Micro-Credential 

defined as a credential specified to a specific purpose. 


Use Case

Assessment of transparency and performance of a micro-credential to mitigate risks with SSI


 Examples

  1. Security, 
    1. evidence 
      1. fraud, traceabilty
      2. permission and access control transparency. 
    2. Security of Security 
      1. schema struture and use of object identifiers 
      2. NIST - Privacy and Security Control framework 
        1. NIST Language - 
  2. Auditing a ToiP implementation



Glossary

Controller Credential 

Micro Credential

Privacy Stakeholders - ISO 29100

Privacy Stakeholders

ISO Definition


Regulator / 
Privacy Regulator for individuals 
PII Principal

PII Controller

Joint PII Controller

PII Processor

3rd Party
another person, or police, 


Annex: Privacy Stakeholder Mapping to Functional ToiP Roles

Continuing of the ANCR Record Assessment to identify the controller credential,

Map the ToiP functional role to the legal authority, justification and role of the stakeholder. 

Questions: 

Is the controller the holder, verifier, or issuer? 


ISO Term

TOIP Terms 




Controller Holder, verifier, issuer

    
Principal



Processor


















controller contactextend consent termination for a control point



Delegated Authority Examples :




Delegated 

Regulator

Ombudsman
PII Principal

Guardian/Parent/School
PII Controller

Joint-Controller
PII Processor

Sub-Processor
3rd Party

turtles 

References for Controller Credential, Infrastructure and Legal Framework

Standard/Specifications

Title

Description 

Resource Status

ISO 29100

Information technology — Security techniques — Privacy framework

ISO/IEC 29100:2011 provides a privacy framework which

  • specifies a common privacy terminology;
  • defines the actors and their roles in processing personally identifiable information (PII);
  • describes privacy safeguarding considerations; and
  • provides references to known privacy principles for information technology.
Status - Is publicly available - https://www.freestandardsdownload.com/iso-iec-29100-2011.html
ISO/IEC 29184:2020Online privacy notice and consent
(just published - not available to public - we are working on publishing a report/appendix for use with this group )
W3C DPV  0.01Data Privacy Vocabulary
  • legal ontology for technically breaking down and mapping legal ontology to a data legal ontology - 
  • the Notice +  CR V1.2 and W3C DPV, also use a common set of purpose categories. and the Kantara CR v1.1 for purpose specification
  • (note shared by initial FIHR approach - now much more evolved) 

Reference: OPN: Open Notice  (+ Consent) Receipt Schema: Starters Guide to Unified Data Control Schema

Lizar, M. & Pandit, H.J., OPN: Open Notice Receipt Schema, 14th International Conference on Semantic Systems (SEMANTiCS 2019), Karlsruhe, Germany, 2019 [Published http://www.tara.tcd.ie/handle/2262/91576 [accessed July 1, 2020]


Field Name

Field Label

Format

Description 

Required/Optional

Schema Version

version

string

The version of specification used to which the receipt conforms. To refer to this version of the specification, the string "v1" or the IRI "https://w3id.org/OPN/v1" should be used.

Required

Notice Profile URI

profile

string

Link to the controller's profile in the OPN registry. 

Required

Type of Notice Receipt

Notice Receipt

string 

Label Notice Receipt 

Required

Receipt ID

id

string

A unique number for each Notice Receipt. SHOULD use UUID-4 [RFC 4122].

Required

Timestamp

timestamp

integer

Date and time of when the notice was generated and provided. The JSON value MUST be expressed as the number of seconds since 1970-01-01 00:00:00 GMT (Unix epoch).

Required

Signing Key

key

string

The Controller’s profile public key. Used to sign notice icons, receipts and policies for higher assurance.

Optional

Language

language

string

Language in which the consent was obtained. MUST use ISO 639-1:2002 [ISO 639] if this field is used. Default is 'EN'.

Optional

Controller Identity

controllerID

string

The identity (legal name) of the controller.

Required

Legal Jurisdiction

jurisdiction

string

The jurisdiction(s) applicable to this notice

Required

Controller Contact

controllerContact

string

Contact name of the Controller. Contact could be a telephone number or an email address or a twitter handle.

Required

Link to Notice

notice

string

Link to the notice the receipt is for 

Optional

Link to Policy

policy

string

Link to the policies relevant to this notice e.g. privacy policy active at the time notice was provided

Required

Context

context

string

Method of notice  presentation, sign, website pop-up etc

Optional

Receipt Type

The human understandable label for a record or receipt for data processing.  This is used to extend the schema with  profile for the type of legal processing - and is Used to identify data privacy rights and controls 

OCA schema specification: https://docs.google.com/spreadsheets/d/1KOdq8Yy3OXmuELyh7tpHMlhyMZPSZ3Ib/edit#gid=68769926

  • No labels