Kantara Workshop at the Consumer Identity World 2017 EU
KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Kantara Workshop at the Consumer Identity World 2017 EU
Kantara Workshop at the Consumer Identity World 2017 EU
So good morning again. So we're trying to figure out who's in the room a bit more, just a quick survey. How many people came because they're interested in consent.
Oh, wow. So I've been talking about consent really long time and no one's really ever been interested. So it's a bit of a surprise. I think this year it's become a popular topic cuz of the GDPR, even when the GDPR came in, I was like, Hey consent in. And people are just like, you know, I used to start conferences to say, so withdrawing consent, you know, and that would just scare all the businesses because they think that if people have the choice to withdraw consent, they'd lose all of their clientele overnight.
So it's still a bit of a scare for some organization, but I think it's cuz lack of understanding, but so I'll get on with my presentation. So really the consent receipt and the work I've been doing for a long time is about privacy, transparency, privacy records, which is what you make the consent receipt from the GDPR, which is something that I lobby for consent to be in for a real long time. And I know the authors as well, usable privacy was really the reason for this cuz there's really a lack of way for people to actually use their privacy.
And there's just been privacy policies that aren't usable by people and people don't care about what a company's privacy policy is. You know, and companies, they go up, users don't care about privacy because, and then the holy grail, or what, why, why are we doing this? What can happen in the future? And that's getting towards our leading privacy rights management. So bit of background consent specification was put into the canter initiative.
In 2014, it was contributing by open notice with the privacy transparency lobby and open notice continued on at MIT media labs. So we've been collaborating with them for quite a while. And the work was chartered when it was put into the canter initiative to be put into ISO. So this week we're now going into version 1.1 is just about finished to go into a 45 day public IPR review.
And at this point when it's done, we get to start putting it into ISO and ISO's been working on something called 0.9 180 4, which is a security and notice best practice for document and the consent receipt, privacy and consent, privacy notices and consent I think. Yeah.
Notice, notice and consent security notice and consent. It's got security in there somewhere. Look it up. But we've written this in conjunction with that.
So we've, you know, these, both of these documents and specs have been going on for the same time. And we looking to, you know, leverage the ISO 29 100 framework because a lot of work has gone into that framework. We're talking like decades, there's a lot of debates and all the fights over lexicon and all this stuff has already happened. So the topic and a of these concepts are definitely not new.
So yeah, ISO 29, 100 privacy framework is free for download as well. Don't have to pay for it like you do with most other ISOs. Typically the framework ones are free because they are the top of the umbrella for a whole series of, of standards that sit underneath that you do pay 160 Franks or whatever it's gonna be each time that's yeah.
IO 29, 100 free for download, Throw a teaser for ISL. Can we come in?
Well, I think it's cuz what's happened is they realized a lot earlier than anybody else is realizing, but you know, privacy, can't just be some corporate framework. It's gotta be open for people to be able to use it.
It's not, you know, and I think that the industry doesn't really understand that Google and Facebook's sort of pseudo privacy framework, which it had to be there because there hasn't been anything else. And without that, you know, people wouldn't have had any sort of privacy controls or best practices. So what do I mean by privacy transparency? And I'm specifically talking about, you know, privacy contact information, the purpose for sharing personal information or for any, any type of privacy, the identity of the data controller, who the processes are, what information shared.
So this stuff is really, you know, hard to get. It's been part of the laws for a really long time. It's not 1998. The data protection act in the UK, the directive in the EU says you have to have all this information for everything, right? And not just consent, but you try to go and get that. Information's very difficult. So we did a lot of research. This is some of the work that has contributed into ISO is weekly from the international security trust. And privacy is TPA and notice consent are the most common elements across all privacy instruments around the world.
So all OEC, FIPs organizations have noticing consent and they're the most consistent in all of those laws. They really look a lot like each other and they have those privacy transparency requirements. So what we ended up doing is we started creating a consent receipt, which is really like a core use case in privacy for explicit consent. And we brought together the core fields from all these frameworks and then we put it into a format to make it machine readable.
And when you start making privacy or consent records, machine readable, you can start doing stuff like making it usable for people and usable privacy. Transparency is, is what I call privacy metadata. Hopefully other people will call it that soon, but it's, you know, what, how many risks are there? How many purposes are there? How many people is this gonna be shared with? Not what exactly is the sharing?
You know, I think people just wanna know what it glance, what these things are. And they want to know it in a consistent way across platform, across countries, company. So that's the operational performance of, of rights. So I've done a lot of privacy transparency research in my career. I used to be an academic. I've done longitudinal studies on IOT, cuz IOT. We used to call CCTV surveillance.
I, I don't know. Now it's called sharing an IOT. Somehow it's been transformed by the marketing industry, but it's still something that's been around for a very long time. And research has shown that the compliance and privacy transparency's decreased over the last 10 years, it's actually going down and it averages around 88% are actually have the basic minimum transparency partners for privacy and research. From last month that my company's done. It's shown that this hasn't changed in the UK. There's a debt controller registry.
There's only 12% of organizations registered with that registry now, and of those 12%, like 3% have a privacy contact information listed. So the market hasn't changed and it's still 88% and it probably aren't gonna change until they get fined.
You know, and until there's a way, and there's a path cuz there's not a lot of operational guidance out there for organizations or companies on how to actually do this stuff. Well, there hasn't been anyways, the GDPR brings in a lot more requirements than the ones that already exist, which are the ones that I was just showing. And a lot of that has to do with, you know, being much more transparent with organ people about what you're doing with.
So here's a list of some of the extra things that are coming in organizations have to update their privacy policies for GDPR and they have to provide notices to people and they have to keep track of these. So before right now nobody keeps track of anything. They can change time.
They want, nobody has a clue of what the hell's going on with their data. And they, you know, this is sort of by design cuz companies don't know what they're doing with their data from day to day either. Right?
So there, you know, this is this mythical thing called consent is really just been a theory. And now we're gonna start seeing it in practice at a much deeper level. So new guidance for the GDPR. There's a lot of that coming in. So all of a sudden there's this new stuff and companies gotta start digesting it and people have to start working on it. And there's a lot of things here that need to be operational. And you know, there's a big difference between laws and operational practices.
Laws are sort of like a blunt force tool for the market and operational practices are coming outta competition and market innovation, which takes time. So this changest can happen over now. These laws have been moving from best practices to standards, to directive, to legislation for 30 years, a lot of privacy laws started with standards. And what I think the big difference really is is that we're moving from a self-regulatory market to a co-regulatory market.
And self-regulatory means privacy policy privacy policy is meant for companies to look at their internal practices, to tell the world, this is what we do inside our company. Not meant as a privacy notice and they were never intended for privacy notices, but that's how they've been used because it's sort of the minimum requirement for transparency. In order to say, we have some sort of thoughts about privacy, but the poor regulation means that people can start complaining against companies for fines.
And if people don't want to nonprofit organizations or organizations specifically designed for that can start complaining to companies, bell companies to regulators. So if a company isn't transparent, then they can have a complaint and they can be fine. So core regulation is really gonna open the market up for trust frameworks, trust marks and industry code of conduct and industry codes of conduct is really the opportunity to standardize a lot of practices.
So even if all these companies, we're all the same complaint and every company just spent all this money on lawyers and tell us policy work, it still wouldn't mean that privacy would be usable for people. I think that's a really key impact that, you know, it's really important to know that privacy is really meant for usability for, for people to be able to use it or else it's not meaningful to anyone.
So in a, in the new world, I think what your big sign of change is that people aren't gonna have to reprice policy because the laws, you know, it's gonna be standard for everyone. Public privacy should be a resource. And in identity user manage access is like a protocol that enables privacy from the user in enterprise. So that's a good way to look at how I sort of look at user manage access and sort the sister work group to the consent work group effort. So ultimately open, open standards, good gap shift liability. So we're gonna see a shift in liability.
Cause right now reason why organizations aren't really transparent is cause they don't wanna be liable for practices that they don't know they're gonna have yet. Cause they're innovating. And the GDPR really works on what exactly needs to be transparent, how much it needs to be transparent. And it opens organizations up to being more liable, but it also enables the use of standards, which organizations can push the liability onto a public resource, like a standard.
So that organizations can say, well, you know, everyone's using these open standards and these open standards are, are being used to reduce not only our liability, but also to be commonly used by people. And I think that's the, the big point.
Yeah, it needs to be open. So I've been a big advocate of being open. So I call this privacy 1.0, which is May 25th. I think that starts co-regulation that's when privacy really starts getting in the market. I say up until now it's be best practices and they haven't been operational. And you know, when, when people can start pressing one button communicating with all the companies in the world and saying, giving my data, then you start seeing some change in, in the power of, of who owns a controlled data, which brings us to the Conservancy.
So it's really Conservancy is a, is something that I couldn't go with and ask any company. So for any type of sensitive data now already any CDIP jurisdiction, I can say, please gimme this data.
You know, who's the, what's the purpose. Who's the identity of the data controller who are the processors and by law. And most jurisdictions have to tell you that already. So the consent receipt really has those requirements that companies have to be transparent about, but they do it in a consistent and common format so that organizations can use it. So a good benefit of the consent receipt is that comes up in a human readable format, which is sort of like a text file, which someone could look at and read, not necessarily human understandable.
So there's a lot of clients and things that are being built and being used like Miko, who's not here yet. And Fiji me, they're sort of absorbing these and providing an aggregate view. That's more useful to people. And so this leads to the future of the consent. So when you have this big data and when you can be able to see all your data at once, you can see how many companies have this purpose. How many companies have this attribute? If there's a data breach, I can go, how many, you know, how many organizations have that attribute that's reached?
Then I can start controlling my own identity and we're starting getting stuff like sovereign identity. So a consent receipt already is like 95%. It's like one field away from the subject to access request.
So you, when you give a receipt front, you're actually giving the information for access request to the user before they actually start using the service. And that subject access request has all the information, the user needs to start using their rights. So enables basically automated privacy rights management. So what's next. So it's a multi privacy is a multi stakeholder thing. It's not like Canterra can go around and, and make privacy happen for the world. And it's not something like a company can do themselves either.
So until the market starts moving and until things start moving forward, it's been very difficult to actually do a lot with privacy. But now what we're looking for is we're looking for a cross industry and across standards, multi standards organization to create a privacy receipt, 1.0, which be a privacy receipt, which would be useful for all privacy contacts and for all justification to processing. So that's what I'm starting to work on now.
So when the version 1.1 goes forward to ISO, we're gonna be calling for interest in the privacy receipt, in the consent information, steering, standing work group sharing work. Yeah. It's probably three months ago. Yeah. Yeah.
Well, I think it takes time. We're talking about extending a court. So the consumer, state's got a poor privacy format. That's good around the world and it's just really been focused on explicit consent. Now we're just gonna do it for easier use cases, which is, you know, for any other legitimate interest surveillance, IOT, all of these require privacy notices. So doesn't matter what context you have. You still need the same information, that's in a consent except it's gonna be instead of just for consent and list what processing it is.
And then there's also multiple justifications for processing personal data. So you can give your name and your name can be used for like six different purposes. And how's an organization gonna tell you that. And you know, so operationally, you know, there has been little thought that's gone into how privacy's actually gonna work, especially at scale and well market hasn't even started working on this. So a lot of people are like, oh no, one's ready for, yeah.
It's like, you know, gimme a bit of a break it's it's, you know, this stuff takes time and it takes collaboration and, and takes innovation. So yeah, looking forward to enabling receipt, to be format, to be extended, extended for all types of purposes. And I think Panera's prepping for that capability. That's what I'm looking forward to. And to kick it off, we're actually gonna have an international privacy summit for international privacy day. I'm organizing that this week it's gonna be focused on identity trusted standards. And we're gonna be able to start talking about this.
So if anybody's in London, let me know. I'm gonna be pushing the link out to join the conference. Welcome in London. Yeah. Thanks. Three minutes questions. All right. What can I get consent for?
So, so have you, have you had any question, have you had anybody expressed interest in actually implementing consent receipts Commercially? Yes. No. We've got one company's implemented over 4 million users in the UK. We have many, many companies implemented service receipts for years. Yeah. So there's a lot, lot of uptake.
I think, you know, it's sort its sort of a new technology in that the user site, even though it's meant for user transparency, the user side for how to visualize it, use it on aggregate hasn't been done and the UX around privacy hasn't been done. And that's because, you know, in my opinion, privacy metadata in order to make something simple and usable, I mean, people just want build the look and see oh 10 purposes share with 20 people. I don't really have privacy now or I do have privacy now. Like that's, you know, that's what people want to know.
They don't want to know who all these people are and how many times, you know, they want to be able to go and look in case something happens in the future. But really it's a lot of just being able to give simple, concise, consistent messages to people about how much privacy do I have now. So the consent receipt's gonna enable being able to see what my privacy is digitally and physically, you know, that's the format.
So I, you know, in this space, on my phone, I don't have any privacy, but I do have a lot of privacy in this room. So that's the sort of transparency needed to start making it usable for people. And I'm looking forward to that day. It's good. Yeah. So is there any other questions? Are We good questions actually? Do you want, do you wanna couple of things, do you want to briefly talk about the specification also? Maybe just a little bit on use terms of iconography? Sure. Yeah. So a big hole in privacy has always been that any company can go find the purpose any way they want.
So it could be the same purpose, but you won't know that you have to, a user would have to go and read each purpose and then assess themselves if it's the same purposes it's other company or is this other organization or there's other context. And so that's really difficult cause no one's ever gonna do that. The companies can pretty much just say whatever purpose they want. So this is still a big problem.
So all these laws really meant to that massive loophole that until there's some sort of standards around purpose, then you know, privacy still is the most bullshit for, for users because they won't get. So I think what we're doing now is we gotta pull through for a paper on purpose specification, which is how do you specify purpose in a global context. So that right now privacy is really defined for local context. It's defined about, you know, what, it's not meant for an internet. It's not meant for scale.
So being able to categorize what purpose means, just, you know, for example, it's finances for my credit information, I share my account details. So under purpose category, it be finance financed. That just makes it lot easier for people to know all of this finance data be hit. So the purpose category is, is how we are attacking that problem. So we're looking forward to that and that's really big deal for marketing cause marketing's gonna have a big problem with definitely with consent and with Richard. And when do we do what for what processes do we do?
Legitimate interest managing data and what process do we need consent for? And I think being able to just categorize, you know, if you're buying media, you need consent. If you're selling media, you know, you need legitimate interest. I think there's some tests there and a lot of industry confusion right now in the market. So that's good Together.
Oh, the other one was briefly uses submitted terms and how that plays into consent with the icon. So identity management is about access control. So you get permissions. So you might have a bunch of permissions add up to consent and for users to be able to understand privacy, what you need is sort of like one icon that wraps up a bunch of permissions, a bunch of access, a bunch of sharing into one thing, which is used all the time. So I send to authorize Uma for finances, right?
That's got a lot of very log consent receipt would be like this, no one will ever read it, but you could sum that all up into one icon and a user would them with that, with that framer be able to present preferences at it. So the user submitted terms is looking at compiling all those industry standard terms and being able to enable people to then assert their own preferences in contract. So that's.