Difference between revisions of "Consent Receipt"

From MgmtWiki
Jump to: navigation, search
(XML output)
(Full Title or Meme)
 
(76 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
==Full Title or Meme==
 
==Full Title or Meme==
  
Consent Receipt generated by an IDESG compliant Identifier Provider
+
A structured receipt generated by a [[Web Site]] to show the detail of what [[User Information]] the [[User]] has agreed to share and for what purposes.
  
 
==Context==
 
==Context==
  
The current design of a Consent receipt is based on the theory of a transaction between a pii data controller and a pii data principle.
+
While the spec is silent of the actual structure format to be shared, the current design of a [[Consent Receipt]] is based on the construction of a JSON object based on a schema in the spec and user display of the current transaction that describes categories of user data.
  
 
A '''Consent Receipt''' is defined as a "record of a consent interaction (or consent record summary linked to the record of consent)" ... "in accordance with an agreed set of terms."
 
A '''Consent Receipt''' is defined as a "record of a consent interaction (or consent record summary linked to the record of consent)" ... "in accordance with an agreed set of terms."
  
 
A '''Privacy Policy''' is a "statement/policy and applicable terms of use in effect when the consent was obtained, and the receipt was issued".
 
A '''Privacy Policy''' is a "statement/policy and applicable terms of use in effect when the consent was obtained, and the receipt was issued".
 
In the context of an IDESG identifier provider best practice it was based on a state at the IdP of a user immediately after a user initiated profile update. Note that user here means whatever sort of entity has the identifier shown as "user name". It cannot be inferred that the identified user has any rights, or indeed any legal standing, under any regulation, as that would be an unwarranted privacy exposure of its own.
 
 
It might be useful for the consent receipt to carry an indication of the context (aka receipt type) at its generation.
 
  
 
===Current draft of the Spec===
 
===Current draft of the Spec===
Draft on which this implementation was based is listed below. In theory practice is the same as theory, in practice it is not.
+
Kantara has published an implementers' draft of the spec which is focused exclusively on the legal requirements of [[Information Sharing]]. The issues about other [[Privacy]] concerns are described in [[Native App Privacy]].
  
 
[https://kantarainitiative.org/confluence/display/infosharing/Consent+Receipt+Specification?preview=/76447870/101810304/Consent%20Receipt%20Specification%201_1_0%20DRAFT%208.docx Current draft of Kantara Initiative Technical Specification Recommendation, Consent Receipt Specification  ] Version:1.1.0 DRAFT 8  Date:2018-02-20
 
[https://kantarainitiative.org/confluence/display/infosharing/Consent+Receipt+Specification?preview=/76447870/101810304/Consent%20Receipt%20Specification%201_1_0%20DRAFT%208.docx Current draft of Kantara Initiative Technical Specification Recommendation, Consent Receipt Specification  ] Version:1.1.0 DRAFT 8  Date:2018-02-20
  
Warning: this document is based the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data [OECD] focusing on consent using the ISO 29100 [ISO 29100:2011] lexicon, which means that the terms are stilted and do not reflect current usages.
+
===Current States of Implementations===
 
+
*Kantara has been collecting examples of consent reciepts in preparation for an interop demo. At present there is not an agreement on the best format to use for the [[Consent Receipt]], for example is it to be plain JSON or a JWT.
==Implementation on Microsoft ASP.NET Core 2 Web Site==
+
*A detailed description of the open source implementation is at this page [[Consent Receipt Construction]].
 
 
Consent receipts were added to the IDESG best practice web site which is accessible at this [http://idesg-idp.azurewebsites.net/ site].
 
 
 
This site is an IdP. Several points were noted for discussion:
 
# The Consent Receipt spec is not well adapted to IdPs. It seems to focus on RPs.
 
# Some data requirements, like service address and phone number might be fine for large orgs, but if applied to small ones there will be some that just avoid the issue and hope no one notices.
 
# Termination seems like it addresses complete dissolution between the site and the user. But that is seldom good for the user if paid services or merchandise is involved. Perhaps Freeze would be a better term?
 
# My investigation leads me to believe that fields like purpose are variable between data elements. If fact it seems like the GDPR requires this as the point is made (at least in the CA initiative) that some data may be part of a core function and other data voluntary. I think that the CR should enumerate the data retained and the purpose for each item.
 
# The assumption seems to be that piiPrinciple is a sentient carbon-based life form. This is not necessarily true. In the case of a pseudonym; it is PII to even know if the principle (subject) is a carbon-based life form.
 
 
 
Warning that this is a work in process and it works at varying levels of support as changes continue to be added to the site.
 
 
 
===Json classes===
 
 
 
  // ConsentReceipt helper clases (c) 2018 tom jones
 
  {
 
    public class ConsentReceipt
 
    {
 
        [JsonObject]
 
        public class ProfileResponse
 
        {
 
            [JsonProperty]
 
            public string version { get; set; }
 
            [JsonProperty]
 
            public string jurisdiction { get; set; }
 
            [JsonProperty]
 
            public string consentTimestamp { get; set; }
 
            [JsonProperty]
 
            public string collectionMethod { get; set; }
 
            [JsonProperty]
 
            public string consentReceiptID { get; set; }
 
            [JsonProperty(NullValueHandling=NullValueHandling.Ignore)]
 
            public string publicKey { get; set; }
 
            [JsonProperty(NullValueHandling = NullValueHandling.Ignore)]
 
            public string language { get; set; }
 
            [JsonProperty]
 
            public string piiPrincipalId { get; set; }
 
            [JsonProperty]
 
            public Array piiControllers { get; set; }
 
            [JsonProperty]
 
            public string policyUrl { get; set; }
 
            [JsonProperty]
 
            public Array services { get; set; }
 
            [JsonProperty]
 
            public string sensitive { get; set; }
 
            [JsonProperty(NullValueHandling = NullValueHandling.Ignore)]
 
            public string spiCat { get; set; }
 
        }
 
 
 
        [JsonObject]
 
        public class jsonController
 
        {
 
            public static jsonController Create(string json)
 
            {
 
                return new jsonController(json);
 
            }
 
            public static string Write(jsonController options)
 
            {
 
                return JsonConvert.SerializeObject(options);
 
            }
 
            public jsonController()
 
            { }
 
            public jsonController(string json)
 
            {
 
                try
 
                {
 
                    JsonConvert.PopulateObject(json, this);
 
                }
 
                catch (Exception ex)
 
                {
 
                    throw new Exception(string.Format("Error deserializing json:'{0}', into '{1}.", json, GetType()), ex);
 
                }
 
            }
 
            [JsonProperty]
 
            public string piiController { get; set; }
 
            [JsonProperty(NullValueHandling = NullValueHandling.Ignore)]
 
            public string onBehalf { get; set; }
 
            [JsonProperty]
 
            public string contact { get; set; }
 
            [JsonProperty]
 
            public string address { get; set; }
 
            [JsonProperty]
 
            public string email { get; set; }
 
            [JsonProperty]
 
            public string phone { get; set; }
 
            [JsonProperty(NullValueHandling = NullValueHandling.Ignore)]
 
            public string fax { get; set; }
 
            [JsonProperty(NullValueHandling = NullValueHandling.Ignore)]
 
            public string piiControllerURL { get; set; }
 
        }
 
  
        [JsonObject]
+
*In the context of an [[Best Practice and Example Identifier Provider]] it was based on a state at the IdP of a user immediately after a user initiated profile update. Note that user here means whatever sort of entity has the identifier shown as "user name". It cannot be inferred that the identified user has any rights, or indeed any legal standing, under any regulation, as that would be an unwarranted privacy exposure of its own.
        public class jsonService
 
        {
 
            [JsonProperty]
 
            public string service { get; set; }
 
            [JsonProperty]
 
            public Array purposes { get; set; }
 
        }
 
  
        [JsonObject]
+
==Problems (both solved and remaining)==
        public class jsonPurpose
 
        {
 
            [JsonProperty]
 
            public string purpose { get; set; }
 
            [JsonProperty]
 
            public string[] purposeCategory { get; set; }
 
            [JsonProperty]
 
            public string consentType { get; set; }
 
            [JsonProperty]
 
            public string[] piiCategory { get; set; }
 
            [JsonProperty]
 
            public bool primaryPurpose { get; set; }
 
            [JsonProperty]
 
            public string termination { get; set; }
 
            [JsonProperty]
 
            public bool thirdPartyDisclosure { get; set; }
 
            [JsonProperty(NullValueHandling = NullValueHandling.Ignore)]
 
            public string thirdPartyName { get; set; }
 
        }
 
    }
 
  }
 
  
===Json Initializer===
+
* While the spec appears to allow any format for the interchange of the [[Consent Receipt]], the use of a JSON Schema to define the receipt includes anonymous lists of nodes, which is incompatible with (for example) XML and has been confusing for some developers.
            ProfileResponse profileResp = new ProfileResponse
+
* The terminology of the [[Data Controller]] in the GDPR is confusing, for example there is no distinction made between the source and sink of the [[User Information]] which is also seen in the [[Consent Receipt]].
            {
+
* The [[GDPR]] has the follows requirements which are addressed herewith:
                version = "KI-CR-v1.1.0",
+
** TK - under development by Mark Lizar
                jurisdiction = "WA",
+
* It might be useful for the consent receipt to carry an indication of the context (aka receipt type) at its generation.
                consentTimestamp = DateTime.UtcNow.ToString("o"),
+
* One thing that becomes a little weird in the near future of this site is that the user will have the option of adding more information in the future in support of authentication at other sites. It seems that neither the GDPR nor the Consent Receipt considers that fact that users can enter data of their own free will for reasons that are not known to the IdP but will be used later at a relying party. In this case the IdP is just a trusted third party, a problem which will recur frequently in the health industry.
                collectionMethod = "user input",
 
                consentReceiptID = Guid.NewGuid().ToString(),
 
                language = "en",
 
                piiPrincipalId = user.UserName,
 
                piiControllers = new jsonController[]
 
                {
 
                    new jsonController { piiController = "IDESGidp",
 
                    contact = "jerry",
 
                        email="jerry@ca0.net",
 
                        address="if required there is a class of address lists, like kids soccer, that would be in violation",
 
                        phone="someone needs to think this thing thru!"}
 
                    },
 
                policyUrl = "http://tomjones.us/CRpolicy",
 
                services = new jsonService[]
 
                {
 
                    new jsonService {
 
                        service = "IdP",
 
                        purposes = new jsonPurpose[]
 
                        {
 
                            new jsonPurpose {
 
                            purpose = "IdP",
 
                            purposeCategory= new string[] {"1 - Core Function" },
 
                            consentType="EXPLICIT",
 
                            piiCategory = new string[] {"2 - Contact" },
 
                            primaryPurpose= true,
 
                            termination="one year after last use",
 
                            thirdPartyDisclosure = false
 
                            }
 
                        }
 
                    }
 
                },
 
                sensitive = "false"
 
            };
 
  
            StatusMessage = JsonConvert.SerializeObject(profileResp);
+
* It is not clear from the spec how to code the jurisdiction for US states. Maybe that is covered elsewhere?
  
===Json output===
+
==Solutions==
 +
As a part of the IDEF compatible [[Best Practice and Example Identifier Provider]] the following output is now available from the current work in progress.
  
Generated on a partial implementation on 2018-06-01. One thing that might seem a little odd to others is that the Consent receipt for this site never really varies. It is always that same three fields entered at this time.
+
* [https://idesg-idp.azurewebsites.net/consentreceipt.xml this site shows the rendered consent receipt]
 +
* [https://idesg-idp.azurewebsites.net/consentreceipt-min.xsl this is the stylesheet that did the rending]
 +
* The source code is available [https://github.com/TomCJones/idesg-idp here].
 +
* Consent receipts for the user data input in the IDEF best practice web site is accessible at this [https://idesg-idp.azurewebsites.net/ site].
 +
** You will first need to register. Google federated signin works quickest.
 +
** You will need to manage your profile - click on you name in the upper right of the headers (or the drop down if using a cell phone).
 +
** Select the check box "Get Receipt and click "Save". You will see the Consent Receipt and be able to print it or save it as a stringified JSON.
  
One thing that becomes a little weird in the near future of this site is that the user will have the option of adding more information in the future in support of authentication at other sites. It seems that neither the GDPR nor the Consent Receipt considers that fact that users can enter data of their own free will for reasons that are not known to the IdP but will be used later at a relying party. In this case the IdP is just a trusted third party, a problem which will recur frequently in the health industry.
+
The user is giving reasons why the data is required and what will be done with the data before it is even entered as a part of the [[User Consent]] process.
  
It is also not clear how to code the jurisdiction for US states. Maybe that is covered elsewhere?
+
Content of the [[Consent Receipt]] is displayed on the page [[Consent Receipt Construction]].
  
But the real problem is, now that I have a Consent Receipt on the web site, what do I do with it?
+
===Standards===
  {
+
*[https://www.w3.org/community/dpvcg/ W3C DATA PRIVACY VOCABULARIES AND CONTROLS COMMUNITY GROUP]
  "version": "KI-CR-v1.1.0",
 
  "jurisdiction": "WA",
 
  "consentTimestamp": "2018-06-04T02:34:12.9239336Z",
 
  "collectionMethod": "user input",
 
  "consentReceiptID": "25696cbc-9bd4-4abf-9774-7c57dd5bedc6",
 
  "language": "en",
 
  "piiPrincipalId": "tomcjones",
 
  "piiControllers": [
 
    {
 
      "piiController": "IDESGidp",
 
      "contact": "jerry",
 
      "address": "if required there is a class of address lists, like kids soccer, that would be in violation",
 
      "email": "jerry@ca0.net",
 
      "phone": "someone needs to think this thing thru!"
 
    }
 
  ],
 
  "policyUrl": "http://tomjones.us/CRpolicy",
 
  "services": [
 
    {
 
      "service": "IdP",
 
      "purposes": [
 
        {
 
          "purpose": "IdP",
 
          "purposeCategory": [ "1 - Core Function" ],
 
          "consentType": "EXPLICIT",
 
          "piiCategory": [ "2 - Contact" ],
 
          "primaryPurpose": true,
 
          "termination": "one year after last use",
 
          "thirdPartyDisclosure": false
 
        }
 
      ]
 
    }
 
  ],
 
  "sensitive": "false"
 
  }
 
  
===XML output===
+
==References==
  
<code>
+
[[Category:Glossary]]
<?xml version="1.0"?>
+
[[Category:Authentication]]
<ConsentReceipt>
+
[[Category:Privacy]]
  <version>KI-CR-v1.1.0</version>
+
[[Category:Consent]]
  <jurisdiction>WA</jurisdiction>
 
  <consentTimestamp>2018-06-04T22:33:45.5573709Z</consentTimestamp>
 
  <collectionMethod>user input</collectionMethod>
 
  <consentReceiptID>6b66b08f-c875-4c20-8843-71a65e11e4ec</consentReceiptID>
 
  <language>en</language>
 
  <piiPrincipalId>tomcjones</piiPrincipalId>
 
  <piiControllers>
 
    <piiController>IDESGidp</piiController>
 
    <contact>jerry</contact>
 
    <address>if required there is a class of address lists, like kids soccer, that would be in violation</address>
 
    <email>jerry@ca0.net</email>
 
    <phone>someone needs to think this thing thru!</phone>
 
  </piiControllers>
 
  <policyUrl>http:idesg-idp.azurewebsites.net/Home/About</policyUrl>
 
  <services>
 
    <service>IdP</service>
 
    <purposes>
 
      <purpose>IdP</purpose>
 
      <purposeCategory>1 - Core Function</purposeCategory>
 
      <consentType>EXPLICIT</consentType>
 
      <piiCategory>2 - Contact</piiCategory>
 
      <primaryPurpose>true</primaryPurpose>
 
      <termination>one year after last use; or click this link http:idesg-idp.azurewebsites.net/Home/About</termination>
 
      <thirdPartyDisclosure>false</thirdPartyDisclosure>
 
    </purposes>
 
  </services>
 
  <sensitive>false</sensitive>
 
</ConsentReceipt>
 
</code>
 

Latest revision as of 14:51, 4 April 2019

Full Title or Meme

A structured receipt generated by a Web Site to show the detail of what User Information the User has agreed to share and for what purposes.

Context

While the spec is silent of the actual structure format to be shared, the current design of a Consent Receipt is based on the construction of a JSON object based on a schema in the spec and user display of the current transaction that describes categories of user data.

A Consent Receipt is defined as a "record of a consent interaction (or consent record summary linked to the record of consent)" ... "in accordance with an agreed set of terms."

A Privacy Policy is a "statement/policy and applicable terms of use in effect when the consent was obtained, and the receipt was issued".

Current draft of the Spec

Kantara has published an implementers' draft of the spec which is focused exclusively on the legal requirements of Information Sharing. The issues about other Privacy concerns are described in Native App Privacy.

Current draft of Kantara Initiative Technical Specification Recommendation, Consent Receipt Specification Version:1.1.0 DRAFT 8 Date:2018-02-20

Current States of Implementations

  • Kantara has been collecting examples of consent reciepts in preparation for an interop demo. At present there is not an agreement on the best format to use for the Consent Receipt, for example is it to be plain JSON or a JWT.
  • A detailed description of the open source implementation is at this page Consent Receipt Construction.
  • In the context of an Best Practice and Example Identifier Provider it was based on a state at the IdP of a user immediately after a user initiated profile update. Note that user here means whatever sort of entity has the identifier shown as "user name". It cannot be inferred that the identified user has any rights, or indeed any legal standing, under any regulation, as that would be an unwarranted privacy exposure of its own.

Problems (both solved and remaining)

  • While the spec appears to allow any format for the interchange of the Consent Receipt, the use of a JSON Schema to define the receipt includes anonymous lists of nodes, which is incompatible with (for example) XML and has been confusing for some developers.
  • The terminology of the Data Controller in the GDPR is confusing, for example there is no distinction made between the source and sink of the User Information which is also seen in the Consent Receipt.
  • The GDPR has the follows requirements which are addressed herewith:
    • TK - under development by Mark Lizar
  • It might be useful for the consent receipt to carry an indication of the context (aka receipt type) at its generation.
  • One thing that becomes a little weird in the near future of this site is that the user will have the option of adding more information in the future in support of authentication at other sites. It seems that neither the GDPR nor the Consent Receipt considers that fact that users can enter data of their own free will for reasons that are not known to the IdP but will be used later at a relying party. In this case the IdP is just a trusted third party, a problem which will recur frequently in the health industry.
  • It is not clear from the spec how to code the jurisdiction for US states. Maybe that is covered elsewhere?

Solutions

As a part of the IDEF compatible Best Practice and Example Identifier Provider the following output is now available from the current work in progress.

  • this site shows the rendered consent receipt
  • this is the stylesheet that did the rending
  • The source code is available here.
  • Consent receipts for the user data input in the IDEF best practice web site is accessible at this site.
    • You will first need to register. Google federated signin works quickest.
    • You will need to manage your profile - click on you name in the upper right of the headers (or the drop down if using a cell phone).
    • Select the check box "Get Receipt and click "Save". You will see the Consent Receipt and be able to print it or save it as a stringified JSON.

The user is giving reasons why the data is required and what will be done with the data before it is even entered as a part of the User Consent process.

Content of the Consent Receipt is displayed on the page Consent Receipt Construction.

Standards

References