Consent Manifesto

From MgmtWiki
Revision as of 11:17, 26 August 2020 by Tom (talk | contribs) (Other Material)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Full Title or Meme

The all-too-human users of the World Wide Web have had too little control of their own destiny when interacting with gigantic enterprises either commercial or governmental.

Context

  • The context is the World Wide Web as it exists today. Enterprises, both governmental and corporate have taken control in spite of all the grass roots attempts to enforce anarchy.
  • The user has had only one choice in this process and this is to not play the game. That take-it-or-leave approach to commercial transaction has been embedded in the Contract of Adhesion.
  • The following theses are presented as propositions for debate concerned with the question of user consent in a connected collection of web interactions. It is past time for a reformation of the WWW.
  1. While the internet was constructed as a fully distributed communications ecosystem, IP identity was only available from the fully centralized DNS.
  2. What has happened since commercial enterprises were admitted to the internet with the .com top-level-domain is the total domination by a few gigantic enterprises.
  3. The requirement for user consent to their interaction is this fully monopolized system needs to be enforced (at the very minimum) on those gigantic enterprises.
  4. Consent is nearly always part of some other activity which almost always involves some sort of extended relationship between a human and a corporation.
    Note that extended in this sense is relative as the protocol theoretically can span several seconds to several millennia. As a practical matter, there is no reason to worry about web connections that are less than, say, 30 minutes or longer than a lifetime. Also sovereign entities are left out as they can unilaterally change the rules of the game.
  5. The relationship needs some sort of continuity over time for the benefit of both parties.
    In order for a corporate entity to be able to notify the user of problems, or for the user to change the terms of the relationship (aka Recovery and Redress), it must be possible to reconnect at future times. If that is not possible, then the terms of most privacy legislation is also impossible.
  6. The human may chose some pseudonym for the relationship.
    Again, recovery and redress demand that a notification channel remains open.
  7. The best case allows the human to establish the terms of the relationship.
    The California legislation, for one example, demands that users not be required to enter any information that is not required. The implication is that the Web site must be honest in specifying which user attributes are essential and not blocking access if non-essential attributes are omitted.
  8. This wiki defines this as this establishment a "consent to create a binding", others call it registration.
  9. The continuity of binding is established through some sort of "secret credential."
  10. the simplest form of cred is the cookie placed on a device by a advertisement.
  11. humans have here-to-fore hand little control of cookies, It is time to change this is some manner.
  12. there are (at least) two levels of assurance of the continuity (aka AAL1 and AAL2): in the first level the human is very casual about the re-establishment of connectivity, in the second level the human is purposeful in the re-establishment of connectivity
  13. The humans have better control as well as better security in AAL2.
  14. Looking at the way to make aal2, like FIDO & FIDO2 are useful, but cater to the company.
  15. human-centric purposeful connection re-establishment methods give the human the best opportunity to control the on-going consent process.
  16. The best method for achieving purposeful human-centric connection (IMHO)) is the phone (actually any internet connected device under the users intimate control)
  17. All major operating system providers for mobile device provide the means to protect user secrets in the phone in a manner that makes them quite secure.

Solutions

Give the user an application that can be trusted by web sites to create secure, authenticated connections with user secrets held securely in the phone.

References

Other Material

  • An early paper on User Centric Identity[1]
    Information systems that co-operate to originate, control and consume identity information have been called identity systems. The evolution of the Internet requires increased interoperability of these systems. Such interoperability demands an abstract model that encompasses the characteristics of all co-operating identity systems. We call this abstract model the Identity Metasystem.
  • Consent on Campus: A Manifesto (2018-09-04) by Donna Freitas ISBN 978-0190671150 is a completely different view of consent that is eerily similar to the relationship between users and corporations.
    A 2015 survey of twenty-seven elite colleges found that twenty-three percent of respondents reported personal experiences of sexual misconduct on their campuses. That figure has not changed since the 1980s, when people first began collecting data on sexual violence. What has changed is the level of attention that the American public is paying to these statistics. Reports of sexual abuse repeatedly make headlines, and universities are scrambling to address the crisis. 2015 survey of twenty-seven elite colleges found that twenty-three percent of respondents reported personal experiences of sexual misconduct on their campuses. That figure has not changed since the 1980s, when people first began collecting data on sexual violence. What has changed is the level of attention that the American public is paying to these statistics. Reports of sexual abuse repeatedly make headlines, and universities are scrambling to address the crisis.A 2015 survey of twenty-seven elite colleges found that twenty-three percent of respondents reported personal experiences of sexual misconduct on their campuses. That figure has not changed since the 1980s, when people first began collecting data on sexual violence. What has changed is the level of attention that the American public is paying to these statistics. Reports of sexual abuse repeatedly make headlines, and universities are scrambling to address the crisis.
  • Forget erasure: why blockchain is really incompatible with GDPR by Elizabeth M. Renieris (2019-09-24)
    Participants tend to dive head first into debating technical and nuanced details about the implementation of specific features or functionality in a given network, often losing sight of the bigger picture. In this way, solving one discrete issue often makes another tension harder to resolve, in a never-ending game of compliance whack-a-mole. By abstracting to a higher-level discussion based on the core GDPR principles, we can see how blockchain is, at least as presently conceived, fundamentally at odds with the [GDPR] Regulation.
  • Kim Cameron +2, A User-Centric Identity Metasystem 2008-10-05 https://www.identityblog.com/wp-content/images/2009/06/UserCentricIdentityMetasystem.pdf