Difference between revisions of "Consent"

From MgmtWiki
(External References)
(Problems)
(28 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
==Full Title or Meme==
 
==Full Title or Meme==
 
[[Consent]] is a process that the [[User]] undertakes at a [[Web Site]] to agree to some conditions of use of that site. Only some [[Artifact]] of the process can be used as proof that consent was freely given.
 
[[Consent]] is a process that the [[User]] undertakes at a [[Web Site]] to agree to some conditions of use of that site. Only some [[Artifact]] of the process can be used as proof that consent was freely given.
 +
 +
==Principles==
 +
The opposite of willing consent is abuse.
 +
<blockquote>"I May Destroy You." created by he British-Ghanaian writer and actor Michaela Coel has been described as a drama about consent, but mostly it's a show about trauma - how mutable and contagious it is, how insidious and pervasive. The story doesn't build so much as it burrows, digging into crevices to reveal an infinite regress of damage. With each new trauma its characters endure, another is set off, or uncovered, or recalled, revealing a system of abuse so ubiquitous, so normalized as to be invisible, hiding in plain sight.<ref>Editorial ''At Risk'' NY Times Magazine 2020-08-02 p 7 ff</ref></blockquote>
 +
That show is about sexual and physical abuse, but the quote applies directly to the lack of consent that web users experience every day they pick up their smartphone.
 +
#The only sin is for one human to use another human without their informed and willing consent.
 +
#The only cowardice is for any human to allow one human to use another human without their informed and willing consent.
  
 
==Context==
 
==Context==
Consent of users to actions in cyberspace has been found in a [[Privacy Policy]] or [[Terms of Service]] which in many countries take on legal weight as a [[Contract of Adhesion]]. That legal basis is now being reimagined in many legal jurisdictions.
+
*Prior to 2019 consent of users to actions in cyberspace has been found in a [[Privacy Policy]] or [[Terms of Service]] which in many countries take on legal weight as a [[Contract of Adhesion]]. That legal basis is now being re-imagined in many legal jurisdictions.
 +
* Definitions: Compliance or approval, especially to what is done or proposed by another.<ref>Webseter's Third New International Dictionary</ref>
 +
*Components <ref>Nancy S. Kim, ''Consentability: Consent and its Limits.'' (2019-04-04) ISBN 978-1316616550</ref>
 +
# Act of consent by the person (By 2020 it must be explicit, rather than implicit or buried in some other document.)
 +
# Knowledge or Understanding of what is requested and what the impact might result (also called transparency in some documents)
 +
# Voluntary or Freedom to chose
  
 
==Problems==
 
==Problems==
It's easy to say that the user should have control of their own data, it's hard to capture the fact.
+
* An individual is nearly powerless against a large organization, beit a feudal barony or a large corporation. Since baronies and corporations where given the patina of legality, they have abused individual humans for all of recorded history.
 +
* Individuality as imagined by Hobbes and Luther has turned into a mind-alering drug that provide the illusion of freedeom with none of the benefits.
 +
*It's easy to say that the user should have control of their own data, it's hard to capture the fact. Facebook and Google refuse to provide their service if you don't given the consent to store your entire life online. That is not really a choice for most people that use the internet daily.
 +
*"Consent, in its purest form, could easily become a dystopian stick to control citizens with," Susan Morrow, doesn't pull her punches as she argues that GDPR hasn't resolved the conflict between choice and consent. <ref>Susan Morrow, ''50 shades of privacy: Consent and the fallacy that will prevent privacy for all.'' (2019-05) Information Age https://www.information-age.com/consent-privacy-gdpr-privacy-by-design-default-123482351/</ref>
  
 
==Solutions==
 
==Solutions==
 
===The Process===
 
===The Process===
 
In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
 
In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
 
  
 
The Office of the Privacy Commissioner of Canada has published Guidelines for obtaining meaningful consent<ref>Privacy Commissioner of Canada, ''Guidelines for obtaining meaningful consent.'' https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/</ref> which "sets out practical and actionable guidance regarding what organizations should do to ensure that they obtain meaningful consent."
 
The Office of the Privacy Commissioner of Canada has published Guidelines for obtaining meaningful consent<ref>Privacy Commissioner of Canada, ''Guidelines for obtaining meaningful consent.'' https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/</ref> which "sets out practical and actionable guidance regarding what organizations should do to ensure that they obtain meaningful consent."
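Review bot: the added Problems bullets carry several misspellings ("beit", "where given", "mind-alering", "freedeom", "don't given the consent") that should be corrected before this revision is kept. In the added Context list, "Components" is a `*` item followed by `#` items, so the three components render as a separate numbered list instead of nesting under it; `*#` would nest them, and "Freedom to chose" should read "choose". The added blockquote reads "created by he British-Ghanaian" and the new dictionary citation is spelled "Webseter's"; both should be checked against their sources.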
Line 18: Line 32:
  
 
* One source for a Consent artifact is the Indian Government<ref>Ministry of Electronics & Information Technology, ''Electronic Consent Framework Technology Specifications, Version 1.1'' Government of India (undated, retrieved on 2019-04-09) http://dla.gov.in/sites/default/files/pdf/MeitY-Consent-Tech-Framework%20v1.1.pdf</ref> this document has the XML format of a consent artifact. Note: crore = ten million; one hundred lakhs, especially of rupees, units of measurement, or people.
 
* One source for a Consent artifact is the Indian Government<ref>Ministry of Electronics & Information Technology, ''Electronic Consent Framework Technology Specifications, Version 1.1'' Government of India (undated, retrieved on 2019-04-09) http://dla.gov.in/sites/default/files/pdf/MeitY-Consent-Tech-Framework%20v1.1.pdf</ref> this document has the XML format of a consent artifact. Note: crore = ten million; one hundred lakhs, especially of rupees, units of measurement, or people.
 +
* The wiki page [[Consent Receipt]] describes an artifact that is created by the recipient of the [[User Information]]. The version 1.0 does not prove that consent was freely given.
 +
 +
===The Taxonomy===
 +
The question inevitably arises, "What is it that the User has agreed to Share?" This question implies that there is a taxonomy of shareable attributes that is equally understandable to (1) the user, (2) the data controller and (3) the regulatory agency that determines whether consent was actually given.
 +
* [https://www.w3.org/ns/dpv Data Privacy Vocabulary v0.1] seeks to provide such a taxonomy and even mentions consent, but the shear volume of taxa basically is too large to expect that users could possible understand the details even if they wanted to.
  
 
==References==
 
==References==
 
<references />
 
<references />
===External References===
+
===External Sources===
 +
*[http://hl7.org/fhir/R4/consent.html R4 of FHIR Resource consent]. 'A record of a healthcare consumer’s choices, which permits or denies identified recipient(s) or recipient role(s) to perform one or more actions within a given policy context, for specific purposes and periods of time.'
 
*[https://www.hl7.org/fhir/consent-examples.html FHIR Consent Fields] could be helpful in creating consents.
 
*[https://www.hl7.org/fhir/consent-examples.html FHIR Consent Fields] could be helpful in creating consents.
 +
* [[Web Authentication]] defines '''User Consent''' as when the user agrees with what they are being asked, i.e., it encompasses reading and understanding prompts. An authorization gesture is a [[Ceremony]] component often employed to indicate user consent.
  
 
[[Category:Glossary]]
 
[[Category:Glossary]]
 
[[Category:Privacy]]
 
[[Category:Privacy]]
 
[[Category:Consent]]
 
[[Category:Consent]]
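Review bot: the added Taxonomy bullet has "shear volume" (should be "sheer") and "could possible understand" (should be "possibly"). In the added Consent Receipt bullet, "The version 1.0 does not prove that consent was freely given" states a limitation without saying what is missing from the artifact; one clause giving the reason, or a pointer to the relevant part of [[Consent Receipt]], would let a reader verify it.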

Revision as of 11:36, 12 August 2020

Full Title or Meme

Consent is a process that the User undertakes at a Web Site to agree to some conditions of use of that site. Only some Artifact of the process can be used as proof that consent was freely given.

Principles

The opposite of willing consent is abuse.

"I May Destroy You." created by the British-Ghanaian writer and actor Michaela Coel has been described as a drama about consent, but mostly it's a show about trauma - how mutable and contagious it is, how insidious and pervasive. The story doesn't build so much as it burrows, digging into crevices to reveal an infinite regress of damage. With each new trauma its characters endure, another is set off, or uncovered, or recalled, revealing a system of abuse so ubiquitous, so normalized as to be invisible, hiding in plain sight.[1]

That show is about sexual and physical abuse, but the quote applies directly to the lack of consent that web users experience every day they pick up their smartphone.

  1. The only sin is for one human to use another human without their informed and willing consent.
  2. The only cowardice is for any human to allow one human to use another human without their informed and willing consent.

Context

  • Prior to 2019, consent of users to actions in cyberspace was found in a Privacy Policy or Terms of Service, which in many countries take on legal weight as a Contract of Adhesion. That legal basis is now being re-imagined in many legal jurisdictions.
  • Definitions: Compliance or approval, especially to what is done or proposed by another.[2]
  • Components [3]
  1. Act of consent by the person (By 2020 it must be explicit, rather than implicit or buried in some other document.)
  2. Knowledge or Understanding of what is requested and what impact might result (also called transparency in some documents)
  3. Voluntary or Freedom to choose

Problems

  • An individual is nearly powerless against a large organization, be it a feudal barony or a large corporation. Since baronies and corporations were given the patina of legality, they have abused individual humans for all of recorded history.
  • Individuality as imagined by Hobbes and Luther has turned into a mind-altering drug that provides the illusion of freedom with none of the benefits.
  • It's easy to say that the user should have control of their own data; it's hard to capture the fact. Facebook and Google refuse to provide their service if you don't give consent to store your entire life online. That is not really a choice for most people who use the internet daily.
  • "Consent, in its purest form, could easily become a dystopian stick to control citizens with." Susan Morrow doesn't pull her punches as she argues that GDPR hasn't resolved the conflict between choice and consent. [4]

Solutions

The Process

In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

The Office of the Privacy Commissioner of Canada has published Guidelines for obtaining meaningful consent[5] which "sets out practical and actionable guidance regarding what organizations should do to ensure that they obtain meaningful consent."

The Artifact

  • One source for a Consent artifact is the Indian Government[6]; this document has the XML format of a consent artifact. Note: crore = ten million; one hundred lakhs, especially of rupees, units of measurement, or people.
  • The wiki page Consent Receipt describes an artifact that is created by the recipient of the User Information. The version 1.0 does not prove that consent was freely given.

The Taxonomy

The question inevitably arises, "What is it that the User has agreed to Share?" This question implies that there is a taxonomy of shareable attributes that is equally understandable to (1) the user, (2) the data controller and (3) the regulatory agency that determines whether consent was actually given.

  • Data Privacy Vocabulary v0.1 seeks to provide such a taxonomy and even mentions consent, but the sheer volume of taxa is too large to expect that users could possibly understand the details even if they wanted to.

References

  1. Editorial At Risk NY Times Magazine 2020-08-02 p 7 ff
  2. Webster's Third New International Dictionary
  3. Nancy S. Kim, Consentability: Consent and its Limits. (2019-04-04) ISBN 978-1316616550
  4. Susan Morrow, 50 shades of privacy: Consent and the fallacy that will prevent privacy for all. (2019-05) Information Age https://www.information-age.com/consent-privacy-gdpr-privacy-by-design-default-123482351/
  5. Privacy Commissioner of Canada, Guidelines for obtaining meaningful consent. https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/
  6. Ministry of Electronics & Information Technology, Electronic Consent Framework Technology Specifications, Version 1.1 Government of India (undated, retrieved on 2019-04-09) http://dla.gov.in/sites/default/files/pdf/MeitY-Consent-Tech-Framework%20v1.1.pdf

External Sources

  • R4 of FHIR Resource consent. 'A record of a healthcare consumer’s choices, which permits or denies identified recipient(s) or recipient role(s) to perform one or more actions within a given policy context, for specific purposes and periods of time.'
  • FHIR Consent Fields could be helpful in creating consents.
  • Web Authentication defines User Consent as when the user agrees with what they are being asked, i.e., it encompasses reading and understanding prompts. An authorization gesture is a Ceremony component often employed to indicate user consent.