.Nat Zone

Digital Identity et al.

Explicit Consent – Turning Internet Dog into Pavlov’s Dog

2014/03/02

People like me who work in the internet identity space are trying to solve the so-called “Internet Dog Problem.”

You surely must have seen this picture: “On the internet, nobody knows you’re a dog.”

Internet Dog. Peter Steiner’s cartoon, as published in The New Yorker.

This is a hard problem, and one we have been trying to solve for a long time.

At the same time, to promote identity federation and the API economy, privacy problems also had to be solved, so the identirati have long been working on them. Pseudonymous identifiers and partially unlinkable authentication are prime examples. But above all, the most important problem has been how to obtain meaningful consent, and we have been trying to solve that too. The consent screen you are so familiar with these days was actually created along the way.

A few years ago, however, I started to doubt whether that is a good model. Do people read the consent screen? Do they read the privacy policy and terms of service? Of course not. Then how can such a consent screen be meaningful? Are we not just training users to click “accept”?

And here comes the “explicit consent requirement” that the EU promotes. Oh, no. That’s a disaster.

We are now turning the Internet dog into Pavlov’s Dog.

Turning Internet Dog into Pavlov’s Dog – based on IIW dog.

We are applying Pavlovian conditioning to users so that they click “accept”. Then attackers can easily hide a privacy attack in the forest of seemingly benign privacy policy clauses and have the user click “accept”.

Actually, I would think that the current consent model is completely broken.

The direction of the consent is the reverse of what it should be.

It should be the service providers who agree to the individual’s privacy policy, because it is we who are letting them use our personal data.

One way of implementing it is to create a small set of consent licenses, like the Creative Commons licenses. A typical one would be something like:

Minimal – No Share – Single Transaction (min-no-1 license)

standing for

  • Minimal – minimal data (only the minimum amount of data needed to fulfill the transaction is requested);
  • No sharing – do not give the data to anyone else, except for outsourcing to a data processor, in which case the data controller retains full responsibility for it;
  • Single Transaction – the license to the personal data is valid only for this transaction, so once the transaction is complete and any required retention period has passed, the data will be deleted.

It can also be shown graphically, as a min-no-1 badge.

The user can set this preference at the identity provider. If the relying party / service provider agrees to it, the consent screen MUST NOT be shown. This removes the friction for the service provider, and prevents the user from being trained as Pavlov’s Dog.

This way, if something like a consent screen does appear, the user will know that something unusual is happening and that they should be very careful about it.

Now the problem becomes whether the service provider is telling the truth. For example, under the min-no-1 license, is the service provider really asking only for the minimum data?

Here comes the assessor. An accredited assessor of a Privacy Trust Framework examines the request and determines whether it complies with the min-no-1 license. If it does, s/he signs the request file. The service provider can then register the location of the file with the IdP. The IdP fetches the file, validates the signature, and decides whether it is acceptable for its user. If it determines so, it lets the request through.

Is there a protocol that achieves it?

Yes: OpenID Connect. OpenID Connect has a facility for registering something called request_uri. This is exactly what is described above. So the technology is there. What we do not have is the policy template and the trust framework that assesses service provider requests.
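As an added example that is not from the original post or from any OpenID Connect implementation, here is a sketch of both sides of the flow above in Python using only the standard library: the assessor signs the relying party's request object as a JWS, and the IdP verifies that signature and checks the request against the min-no-1 license before deciding to suppress the consent screen. The shared HS256 key, the `license` member of the request object, the "minimal" claim set and the sample request objects are all assumptions made for this example.

```python
import base64, hashlib, hmac, json

# Constructed HS256 key shared by assessor and IdP (simplification: a real
# assessor would sign with a private key and publish the public key).
ASSESSOR_KEY = b"constructed-assessor-key"
# Constructed policy: the claims the IdP treats as "minimal" for this purpose.
MIN_NO_1_ALLOWED = {"name", "address"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def assessor_sign(request: dict, key: bytes) -> str:
    """Assessor signs the RP's request object as a compact JWS (HS256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(request, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def idp_evaluate(jws: str, key: bytes, allowed: set) -> tuple:
    """IdP side: verify the assessor's signature, then check the request
    against the min-no-1 license before deciding to suppress the consent screen."""
    parts = jws.split(".")
    if len(parts) != 3:
        return False, "malformed request object"
    header, body, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return False, "unexpected alg"  # never accept an attacker-chosen alg
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return False, "assessor signature invalid"
    request = json.loads(b64url_decode(body))
    if request.get("license") != "min-no-1":
        return False, "not a min-no-1 request"
    excess = set(request.get("claims", {}).get("userinfo", {})) - allowed
    if excess:
        return False, "asks for more than minimal data: " + ", ".join(sorted(excess))
    return True, "compliant: consent screen suppressed"

# Constructed sample request objects (what the IdP would fetch from request_uri).
COMPLIANT = {"client_id": "https://shop.example", "response_type": "code",
             "scope": "openid", "license": "min-no-1",
             "claims": {"userinfo": {"name": None, "address": None}}}
OVERREACHING = dict(COMPLIANT, claims={"userinfo": {"name": None, "birthdate": None}})
COMPLIANT_JWS = assessor_sign(COMPLIANT, ASSESSOR_KEY)
OVERREACHING_JWS = assessor_sign(OVERREACHING, ASSESSOR_KEY)
```

The over-asking request is rejected even though the assessor signed it, and a request whose body was swapped after signing fails the signature check, so the IdP's decision depends on both the assessor's signature and its own policy check.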

 - identity, OAuth, OpenID Connect, OpenID Foundation, privacy