.Nat Zone

Digital Identity et al.

More on Personal Data working group report

      2014/03/02

So, during the Kantara Initiative’s Information Sharing working group call, which happend between 1:30am and 2:30am here in Munich, Joe Andreu kindly pointed out that an English version of the press release is available at: http://www.meti.go.jp/english/press/2013/0510_01.html

For the content of the report, you can go directly to the section 3 of the release. In it, it talks about three topics:

1) Methods and approaches to user-friendliness

2) Utilization of information-providing organizations

3) Selection of disclosable information by consumers

The topic 1) is about how to show the users the nature of the personal data offering that they are making. Showing them 30pages ToS would not help, nor repeated consent dialogue would. It would just be a “click training” turning the internet dog into the Pavlov’s dog. We should suppress the consent dialogue whenever appropriate. For example, if the case falls into one of the “conditions for processing”, then, as one of the working group member advocated (not me), “the consent dialogue MUST NOT be shown.” (Now, this was too radical and did not quite made into the report, but I think it is something we need to explore.)

The report discusses what would be effective ways to convey what is important to the consumers, and give Information Sharing Label as an example. Further, it discusses about “iconified” version of it, since that would be even easier for the users, and would be able to overcome the language barrier.

The translated title of topic 2) is a bit misleading. At the first sight, you may think that it is talking about the attribute providers. It is not. It is talking about the metadata providers: metadata about the recipient of the personal data.

Consumer in general faces great deal of information asymmetry that they are unable to assess if the data receiver is trustworthy. A metadata provider, which is typically an entity that inspects the receiving entity in one way or another would be able to help them. It could be completely private sector, or could be blessed by the respective authority such as privacy commissioner. In a way, it is a privacy trust framework.

Item 3) is about letting the user select what attribute to share. Sounds familiar? Well, may be not. The proposal is to provide the consumer the purpose of the use for each attribute. That’s not very conventional. I have not seen many of them.

I would further argue that it should tell the consumer what is the consequence of data sharing, but that is not in the report.

Some of the things that did not quite made into the report (perhaps because the report writer was not there during the discussion) but I think is very important is about the direction of consent. In the real life that we live, it is reversed. We daily agree to companies’ terms of service and privacy policy, but that actually does not make sense because the entity that licenses the personal data is us, the consumer, and not the recipient. It is the corporations that has to agree to your licensing terms. Doc Searls’ “The Intention Economy” was also quoted in the working group. 

By the way, I am at the European Identity Conference this week, and so is Doc Searls. It might be a good opportunity to connect if you are at the EIC2013.

 - identity, privacy