23F/ Have we forgotten to design for consent while we've been building for SSI (round 2)

From IIW

Have We Forgotten to Design for Consent, While We've Been Building for SSI (Round 2 - Participant Request)

Thursday 23F

Convener: John Phillips

Notes-taker(s): John Phillips

Tags for the session - technology discussed/ideas considered:

Consent Models, Mental Models, SSI, ToIP.

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps

Session not recorded and chat notes not captured. My bad. I pressed end meeting without thinking… blame it on 8 hours sleep over the last 72...

Deck used to frame discussion is here (this is a separate deck to the one used yesterday to incorporate some of yesterday’s comments).

https://docs.google.com/presentation/d/1JEKgLKNRXgZz-YxgWD74LJElIG0GTU4ZM17_nz_XrmI/edit?usp=sharing

Premise

[from the presentation deck]

In general terms, within the SSI world, we illustrate trust frameworks using diagrams like the trust diamond from ToIP. We spend a lot of time on the roles of the actors, the nature of the data that traverses these links, and how and when the data traverses them.

But what about the “why”?

For example, why is the Holder presenting a proof to the Verifier? Because they received a proof request? Why did they trigger the proof request? Why did the Verifier make the request?

My hypothesis on one of the Why’s: before any issuing, requesting, and proving interactions, some form of exploration and bargaining has occurred.

We might say that “consent”, in some form, has been agreed, a bargain has been struck, whether fair or Faustian.

(and yes I’m watching the emerging Schrems v Facebook news from Ireland with interest… some people are gaming the difference between contract and consent…, let’s ignore that for now)

Yes we ‘kinda’ have consent in SSI wallet interactions. We might consider this useful, necessary even, but not sufficient.

These SSI wallet interactions aren’t “consents” in the normally accepted sense. Here are just 3 examples of definitions of consent in a digital context (there are so, so many):

  1. Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

    GDPR

  2. The use of personal information by companies should be permitted only in those instances where consent was specific, express, and voluntary

    “Internet Giants as Quasi-Governmental Actors and the Limits of Contractual Consent”, Nancy S. Kim, D. A. Jeremy Telman, 2015, Missouri Law Review

  3. ...consent given by a consumer is voluntary, express, informed, specific as to purpose, time limited and easily withdrawn.
    Australian Consumer Data Right

In fact, while there are some elements that are common, there seems to be no generally accepted ‘pattern’ for consent, a.k.a. “Where’s my mental model of consent?” [To the tune of “Dear Science” (the Hoverboard song)]

Here are some brief notes on the papers I’ve reviewed so far:

| Title | Comments. Useful? | Priority (1 high, 10 low) |
|---|---|---|
| World Economic Forum. 2020. "Redesigning Data Privacy: Reimagining Notice & Consent for human-technology interaction", https://www.weforum.org/reports/redesigning-data-privacy-reimagining-notice-consent-for-humantechnology-interaction | Very useful. Very well written | 1 |
| Jenkins, Georgia. 2021. "An Extended Doctrine of Implied Consent – A Digital Mediator?", https://link.springer.com/article/10.1007/s40319-021-01024-2 | Not useful | 8 |
| "FAIR Digital Objects for Science: From Data Pieces to Actionable Knowledge Units", https://bora.uib.no/bora-xmlui/bitstream/handle/11250/2737212/publications-08-00021.pdf?sequence=2&isAllowed=y | Interesting, but not directly relevant to consent models | 8 |
| Teare, H.J.A. Prictor, Megan. Kaye, Jane. 2021: "Reflections on dynamic consent in biomedical research: the story so far", https://www.nature.com/articles/s41431-020-00771-z | Discussion on Dynamic Consent. Relatively useful. | 3 |
| Kim, Nancy S. Telman, D.A.J. 2015: "Internet Giants as Quasi-Governmental Actors and the Limits of Contractual Consent", https://scholarship.law.missouri.edu/mlr/vol80/iss3/7/ | Some useful content, includes a suggestion of "Specific, Express and Voluntary" as required attributes of consent. | 3 |
| Solove, Daniel J. 2015. "Introduction: Privacy Self-Management and the Consent Dilemma": https://harvardlawreview.org/wp-content/uploads/pdfs/vol126_solove.pdf | This one is not bad. Legally based but an interesting explanation of Privacy Self Management and Consent | 2 |
| Neil Richards and Woodrow Hartzog, "The Pathologies of Digital Consent", 96 WASH. U. L. REV. 1461 (2019). Available at: https://openscholarship.wustl.edu/law_lawreview/vol96/iss6/11 | Useful and well written. Four key contributions: vocabulary of pathologies of consent; ideal circumstances for consent; arguing against/explaining the privacy paradox; theory of consumer trust | 1 |
| Matilda A. Haas. Harriet Teare. Megan Prictor. Gabi Ceregra. Miranda E. Vidgen. David Bunker. Jane Kaye. Tiffany Boughtwood. 2020. "‘CTRL’: an online, Dynamic Consent and participant engagement platform working towards solving the complexities of consent in genomic research", https://www.nature.com/articles/s41431-020-00782-w | Yes in the context of NAGIM. Describes experience and lessons learnt in building of CTRL which uses online forms to generate DUO compliant statements about the constraints / use of the data about the patient for research. | 2 |
| W. Nicholson Price II, JD, PhD and I. Glenn Cohen, JD. 2019. "Privacy in the age of Medical Big Data", https://www.nature.com/articles/s41591-018-0272-7 | Not bad, but not very useful | 4 |
| "Contracting Around Privacy - The (Behavioral) Law and Economics of Consent and Big Data", https://www.jipitec.eu/issues/jipitec-8-1-2017/4529 | Slightly useful. Argues for the use of behavioural and "traditional" interventions in privacy law. | 3 |
| MEF Whitepaper: Understanding Digital Consent, 2017 (I think), https://mobileecosystemforum.com/programmes/personal-data/whitepaper-understanding-digital-consent/ | "Mobile Ecosystem Forum" - | 6 |
| DUO - the Data Use Ontology - the essentials, https://github.com/EBISPOT/DUO | The (GA4GH) Data Use Ontology (DUO) includes terms describing data use conditions, particularly for research data in the health/clinical/biomedical domain. | 5 |

#### PLEASE ADD MORE TO THIS LIST IF YOU HAVE THEM

I’m not researching this (just?) for fun; there is a real use case underpinning this exploration. We’re (Sezoo) looking at SSI as a potentially better way to provide consent management for genomic data research being performed in Australia under NAGIM. This is a pro-bono piece of research/pilot work that, along with the other pilots, will receive a review in December this year from the world’s most prestigious medical research centres - and then the follow-up work may get grant funding.

This could be important: an SSI approach might become an adopted model for medical research consent patterns. That could be good...

So… I want a “mental model”, a simple but meaningful representation that helps reason about consent. Any type of consent, for any purpose. I’m thinking of a mental model like this from the eSSIF-LAB and Sovrin Guardianship Working Group:

[Figure: Guardianship mental model from the eSSIF-LAB and Sovrin Guardianship Working Group]

[But this is a mental model for Guardianship, what would a mental model for consent look like?]

Summary:

Before: Mostly we’ve been thinking hard about the technology that underpins trust (which we must, it is evolving, enabling, constraining and essential)

Now: We’ve begun to think about how this must work with governance in human trust frameworks. Equally essential

Next: we should think more about consent, it’s human, important, and critical to sustainable trust.

Challenge:

So have we been forgetting Consent? Is consent a missing piece of our trust framework?

Discuss….

Premeditated notes organisation - only use if it helps

| Additional Research to consider | Existing Implementations / Standards | Legal frameworks | Attributes/Qualities of Consent |
|---|---|---|---|
| List of ideas. Add them here please… | List of sources. Add them here please… Yoma? | List of sources. Add them here please… | All ideas welcome, can be themed later… |

Discussion:

John | Nicky H | Mark L | Vanu

Scrappy real time notes by John

Nicky H: Separate intent and consent. Model of rituals and tights

Mark L: Consent as a valid legal state

ToIP: Notice and Consent task force privacy controller credential. Privacy Broadcasting (Privacy as expected)

Making standards to make a record of that state.

Permission and consent confusion

Started at the do not track working group.

Data Privacy Vocabulary Controls W3C

Council of Europe 108+ Trying to be bigger than the GDPR

https://www.coe.int/en/web/conventions/full-list?module=treaty-detail&treatynum=108

IAB

Consent Record Information Structure

Dynamic

Broken into 4 parts:

  1. Prefix (GDPR….)

  2. Purpose specification (legal justification, legitimate interest, covid etc.)

  3. Data treatment and rights (frequency, withdrawal process)

What rights you have

Purpose management rather than consent management

Consent “Grant” - Open Banking

Data Receipt is Contract

Consent scales in the EU, not in the US where contract scales (Terms and Conditions)

ISO SC27

Privacy Assurance: the ability to benchmark privacy according to context and then measure the performance of their response.

2014 Consent Receipt Team led to Me2B

Privacy Broadcasting.

Privacy Policy Log as a minimum

Intent Data - School Education Record

Four (five) terms to manage in the mental model

Purpose

Intent

Consent / Permission

Preference