5K/ Privacy Enhancing Credentials / @PrivacyCDN
Session 5L
Privacy Enhancing Mobile Credentials (authoring)
Session Convener: John Wunderlich
Notes-taker(s): Heather Flanagan
Tags / links to resources / technology discussed, related to this session:
https://kantara.atlassian.net/wiki/spaces/PEMCP/overview
PEMC Draft Early Implementors Report (WIP Commenter Access)
https://docs.google.com/document/d/18gNx9wcE6-8o9K9usv085KCPpWLuPOQjGTeKplI__cA/edit?usp=sharing
https://insights.som.yale.edu/insights/what-happens-when-billion-identities-are-digitized
Consent receipts: https://kantarainitiative.org/download/7902/
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
“Acceptable/appropriate friction” is perhaps not the right concept for a privacy paper. It is a design consideration, not a privacy consideration. The goal is meaningful consideration; friction is a side-effect. There can’t be an over-dependence on consent either, but consideration still might be better than friction. Friction makes you slow down and be thoughtful, but that might not be the only way to make you slow down and be thoughtful.
Reach out to marginalized communities to make sure that privacy-enhancing meets their needs as well.
Encouraging conscious decision making is another way to phrase what “friction” is doing.
Cognitive overload is another form of privacy abuse. That’s friction in the wrong direction.
The next order of how you solve the problem is the “reasonable friction” idea. But there are steps past that. In the longer term, how do you do that at the protocol level? All RPs are registered, and there is vetting for all RPs on all use cases (see the Aadhaar system). That may not be achievable in all markets and in a cross-border interoperable way, but it’s an interesting model to consider as a gold standard. There is a proto-example of this with SAML entity categories, which have the ability to structure attribute release based on the type of entity (e.g., research org) asking for the data.
What about data sharing receipts? If you get a receipt linked to the verifier, that could be evaluated by a court of law. Kantara published a consent receipt specification.
See image(s) for these notes in the IIWXXXIV Book of Proceedings here: