14D/ Privacy Broadcasting for Privacy Awareness & Assurance

From IIW

Privacy Broadcasting for Privacy Awareness and Assurance

Wednesday 14D

Convener: Mark Lizar & Salvatore D’Agostino

Notes-taker(s): Scott Mace

Tags for the session - technology discussed/ideas considered:

@rights @individualrights @privacyagreements @legalterms @privacycontracts @privacyasexpected

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps

Mark: The concept is a person sending a privacy controller credential to get witnessed or notarized to establish the person’s privacy rights. Privacy broadcasting uses standards, this is the button or link to use your rights, rather than accepting (clicking through) a privacy policy. It would have a link to your privacy rights. We’re exploring what that is by defining a privacy controller credential.

Sal: The browser could automate that process.

How can a person capture the privacy controller information and create their own cookie?

This can be made easy by the creation of a privacy controller credential which is publicly available and can be used as a basis to create receipts that can form a privacy agreement.

Making this information available (discoverable) and operational is the key to privacy broadcasting.

Consent by default is needed for privacy by design.

Clearly we need a new flow.

One that creates a record of your preferences.

Use ISO 29100 (a free standard) as a privacy framework

A Consent Gateway with a Notary service can provide proof of notice as evidence of consent

This is distinct from a contract agreement.

Receipts are compared over time to see if there are changes.

Notices of changes are broadcast

Centralized control of preferences and decentralized governance

What does it take to make this privacy state machine and how to make it available and public?

Trying the elevator pitch ….

Providing controller information and consent by default is consistent with the 1st and 4th amendment.

For example its imp

Prefix to the consent receipt is the anchor record which is your own cookie about the nature of surveillance and then move onto the creation of a receipt/proof of notice, these two factors (notice of risk and proof of notice) establish conditions for decentralized governance of online interactions.

Gaps are regional (interregional).

Scott David:

Don’t conflate consent and permissions.

Data vs. Information

Reference to Rothman…

We need to be able to negotiate.

4 torts


  • Consent is a sorry second to negotiation, battle of the forms..

  • Who controi the terrms - offer and acceptance

    • Privacy Agreement - to put forward privacy framework for contracts

      • Accept our terms

        • Binding terms

4 tortts on privacy

  1. Peeping tom - intrusion

  2. public ation of public facts - false light

  3. Defamation - reputational harm -

  4. mis-appropriation (publicity) - a right of publicity -

    1. 1906 NY - flour of the south

Convert a tort to a contract - or to a code of practice -- >>

  • Unconscionable Conrtact -- too bundled -

    • Cant be understoond - which means you go back to tort

First Amendment - Only to gov - not companies

  • Right to access info --

  • Freedom of association

Individual rights vs. privacy rights

Bob Gellman - Fair information practices a basic history


Self-regulatory entity of individuals needs to ride along on other rights questions to deliver

Control the record, you can use multiple tools to enact rights preferences

Contact for a bank account for information, and the responsibilities of anyone else in possession. Transferring the warehousing and duty to the data holder <- in front of the receipt.

Privacy is the human facing component of a contract

Interoperability is equality of duty in this case


From Mark Lizar2 to Everyone: 05:49 PM


From Mark Lizar2 to Everyone: 06:16 PM


From Scott David to Everyone: 06:40 PM

The Right of Publicity - Jennifer Rothman

From dsearls to Everyone: 06:42 PM




From dsearls to Everyone: 06:48 PM

Scott, given the problems with "privacy," how would you change the mission wording for IEEE P7012? It currently says, "The standard identifies/addresses the manner in which personal privacy terms are proffered and how they can be read and agreed to by machines."

From windley to Everyone: 06:49 PM

Very quaint thing: legislators saw a harm and addressed it!

Idea to map rights to contract - so that provider of rights can provide contract upstream on services - b2b

  • Rights