The Emerging Field of Consent Management – Next Gen UI Infrastructure Under the Hood

From IIW

The Emerging Field of Consent Management

Tuesday 2D

Convener: Ken K.

Notes-taker(s): Eric J.

Tags for the session - technology discussed/ideas considered:

PrivacyLens, Consent

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Links

https://work.iamtestbed.internet2.edu/drupal/

https://work.iamtestbed.internet2.edu/confluence/display/YCW/Yourtown+Community+Wiki+and+Service+Portal

https://spaces.internet2.edu/display/scalepriv/Scalable+Privacy


Notes

Consent is not understandable; you only find out what information is being shared, not why. Consent for Google does not say “yes” or “no”, it’s continue/cancel, which is a different thought process

It is because they want to get the user through the flow, not because they don’t want users to know about the privacy details

Has optional as well as required attributes that are releasable

Shows value that the user gets for each privacy element

Consent revocation as a major flow

Unfortunately, most apps are not granular based on privacy elements released


[Paul] I saw that there are two kinds of attributes; capabilities, and information – should there be a separation?

Determining the minimum required entitlements required.

It’s really hard to get more granular than type of attribute, but even the specific attributes that they access or need, but it’s a goal.


[Eve] It feels like consent dialogs are not the question I want [technical things], but I want a different question: “You want goal X right? How much are you willing to let pass?”


[Paul] The UI doesn’t tell me the consequences of not releasing General agreement that a better UI would not focus on attribute release, but more on what you get for it. But that’s also of an app design issue, and it’s common that apps get it wrong.


[Eve] Non-correlating IDs alone are not enough; some scenarios like sharing need a correlating ID.

Example – New Zealand ID

There are only 2-3 types of attributes that may need meta-attributes. One example is name. Since there often isn’t a name field stored by the IDP as opposed to first/last name, etc.

Applications don’t care what group a person is in – example – A may want to care whether you are a manager or not.

With revocation, consent suppression becomes really easy.