Explicit Consent – Turning Internet Dog into Pavlov’s Dog
People like me who work in the internet identity space are trying to solve the so-called “Internet Dog Problem.”
You surely must have seen this picture (InternetDog.jpg): “On the internet, nobody knows you’re a dog.”
This is a hard problem that we have long been trying to solve.
At the same time, to promote identity federation and the API economy, privacy problems also had to be solved, so the identirati have long been trying to solve them. Things like pseudonymous identifiers and partially unlinkable authentication are prime examples. But above all, the most important thing is how to get meaningful consent, and we have been trying to solve that. The consent screens you are so familiar with these days were actually created along the way.
And here comes the “explicit consent requirement” that the EU promotes. Oh, no. That’s a disaster.
We are now turning the Internet dog into Pavlov’s Dog.
Actually, I would think that the current consent model is completely broken.
The direction of the consent is the reverse of what it should be.
One way of implementing it is to create a small set of consent licenses, like the Creative Commons licenses. A typical one would be something like:
Minimal – No Share – Single Transaction (min-no-1 license)
- Minimal – minimal data (only the minimum amount of data needed to fulfill the transaction is requested);
- No sharing – do not give the data to anyone except when outsourcing to a data processor, in which case the data controller should have full responsibility for it;
- Single Transaction – the license to the personal data is valid only for this transaction, so once the transaction is complete and any required retention period has passed, the data will be deleted.
It can be graphical like
The user can set this preference at the identity provider. If the relying party / service provider agrees to it, the consent screen MUST NOT be shown. This removes the friction for the service provider and prevents the user from being trained as Pavlov’s Dog.
This way, if a consent-screen type of thing appears, the user will know that something unusual is happening and that they should be very careful about it.
The problem then becomes whether the service provider tells the truth. For example, under the min-no-1 license, is the service provider really asking only for the minimum data?
This is where the assessor comes in. An accredited assessor of a Privacy Trust Framework examines the request and determines whether it complies with the min-no-1 license. If it does, s/he signs the request file. The service provider can then register the location of the file with the IdP. The IdP fetches the file, validates the signature, and decides whether it is good for its user. If it determines so, it will let the request come through.
Is there a protocol that achieves it?
Yes. OpenID Connect. OpenID Connect has a facility for registering something called request_uri. This is exactly what is described above. So the technology is there. What we do not have is the policy template and the trust framework that assesses the service provider requests.
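The IdP-side decision described above, sketched as an added example that is not part of the original post: the file behind a registered request_uri is treated as a compact JWS, and the consent screen is skipped only when the assessor's signature validates and the request carries the license the user preset. Assumptions: HMAC-SHA256 (HS256) stands in for the assessor's signature so the sketch runs on the standard library alone (a real assessor would sign with an asymmetric key and the IdP would hold only the public half), and the `consent_license` claim, the function names and the sample values are hypothetical, since no policy template exists yet.

```python
import base64, hashlib, hmac, json
from typing import Optional

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_request(claims: dict, key: bytes) -> str:
    """Assessor side: compact JWS (HS256 stands in for an asymmetric signature)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(mac)}"

def verify_request(token: str, key: bytes) -> Optional[dict]:
    """IdP side: return the claims only if the assessor's signature is valid."""
    try:
        header, body, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse "none" or any algorithm the IdP did not expect
        mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, b64url_decode(sig)):
            return None  # file was altered after the assessor signed it
        claims = json.loads(b64url_decode(body))
        return claims if isinstance(claims, dict) else None
    except (ValueError, AttributeError):
        return None  # malformed file: treat as unassessed

def consent_screen_needed(token: str, key: bytes, client_id: str,
                          user_license: str) -> bool:
    """Skip the consent screen only when a validly signed request for this
    client carries the license the user preset; otherwise fall back to asking."""
    claims = verify_request(token, key)
    if claims is None:
        return True
    return not (claims.get("client_id") == client_id
                and claims.get("consent_license") == user_license)

# Constructed sample data: key, client and the file behind its request_uri.
ASSESSOR_KEY = b"constructed-demo-key"
REQUEST_FILE = sign_request(
    {"client_id": "shop.example", "response_type": "code", "scope": "openid",
     "consent_license": "min-no-1"},  # hypothetical claim name
    ASSESSOR_KEY)

if __name__ == "__main__":
    print(consent_screen_needed(REQUEST_FILE, ASSESSOR_KEY, "shop.example", "min-no-1"))
```

Every failure path returns True, so an unsigned, altered or mismatched request falls back to the consent screen, which is the unusual event the user is meant to notice.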