|
|
Line 1: |
Line 1: |
| ==Full Title or Meme== | | ==Full Title or Meme== |
| | | |
− | Consent Receipt generated by an IDESG [[Best Practice and Example Identifier Provider]].
| + | A structured receipt generated by a [[Web Site]] to show the detail of what information the user has agreed to share. |
| | | |
| ==Context== | | ==Context== |
| | | |
− | The current design of a Consent receipt is based on the theory of a transaction between a pii data controller and a pii data principle. | + | The current design of a Consent receipt is based building a JSON object and user display of the current transaction that describes categories of user data. |
| | | |
| A '''Consent Receipt''' is defined as a "record of a consent interaction (or consent record summary linked to the record of consent)" ... "in accordance with an agreed set of terms." | | A '''Consent Receipt''' is defined as a "record of a consent interaction (or consent record summary linked to the record of consent)" ... "in accordance with an agreed set of terms." |
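Review bot: the replacement Context sentence reads "is based building a JSON object"; it needs "based on building". The retained definition, "record of a consent interaction (or consent record summary linked to the record of consent)" ... "in accordance with an agreed set of terms", is in quotation marks but has no source; the sample output further down carries the version string "KI-CR-v1.1.0", so cite that Consent Receipt specification (and its version) as the origin of the quoted wording instead of leaving it unattributed.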
Line 43: |
Line 43: |
| | | |
| The user is giving reasons why the data is required and what will be done with before the data is even entered. | | The user is giving reasons why the data is required and what will be done with before the data is even entered. |
− |
| |
− | [[File:OrigPageConsentReceipt.png]]
| |
− |
| |
− | This site described is an IdP. Several points were noted for discussion:
| |
− | # The Consent Receipt spec is not specific to IdPs. Some assumptions were necessary about how it might work for an IdP that were not necessarily optimal.
| |
− | # One interesting example is the "third party" as that is not known for a federated identifier at the time the the consent receipt is issued. One use case might require that consent receipts were reissued at every new site logon? The right answer may not be known until the lawyers complete some very expensive lawsuits. One can only hope that answers to question like these do not have different answers in different jurisdictions.
| |
− | # Some mandatory requirements, like service address and phone number might be fine for large organizations, but if applied to small ones there will be some that just avoid the issue and hope no one notices. I specifically noted that this site was not in compliance with those requirements, and never intends to be compliant.
| |
− | # Termination was unclear especially as to what might actually be possible. It was decided to just use a link to where the user can get information about that AND privacy policy - they should be tightly related, if not identical.
| |
− | # Experience leads to the conclusion that fields like purpose vary among the different elements of user private information stored. If fact it seems like the GDPR requires this as the point is made (at least in the CA initiative) that some data may be part of a core function and other data voluntary. Since the consent receipt is designed so that it can be issued prior to (and independent of) any data collection, there was no provision made for user data beyond the very broad piiCategory. The question remains about how to accommodate users' desires for determination of the exact extent of exposure and redress to unwanted data disclosures. Specifically can the Kantara Consent Receipt serve as a base requirement to which other elements are added, or is a completely different standard required to meet user expectations?
| |
− | # The assumption seems to be that piiPrinciple is a sentient carbon-based life form. This is not necessarily true. In the case of a [[Pseudonym]] it is PII to even know if the principle ([[Subject]]) is a carbon-based life form. In case you wondered about this odd formulation it should be noted that [https://www.washingtonpost.com/news/innovations/wp/2017/10/29/saudi-arabia-which-denies-women-equal-rights-makes-a-robot-a-citizen/ Saudi Arabia, which denies women equal rights, makes a robot a citizen]
| |
− |
| |
− | Warning that this is a description of a work in process and changes continue to be added to the best practice site.
| |
− |
| |
− | ===Json classes===
| |
− |
| |
− | // ConsentReceipt helper clases (c) 2018 tom jones
| |
− | {
| |
− | public class ConsentReceipt
| |
− | {
| |
− | [JsonObject]
| |
− | public class ProfileResponse
| |
− | {
| |
− | [JsonProperty]
| |
− | public string version { get; set; }
| |
− | [JsonProperty]
| |
− | public string jurisdiction { get; set; }
| |
− | [JsonProperty]
| |
− | public string consentTimestamp { get; set; }
| |
− | [JsonProperty]
| |
− | public string collectionMethod { get; set; }
| |
− | [JsonProperty]
| |
− | public string consentReceiptID { get; set; }
| |
− | [JsonProperty(NullValueHandling=NullValueHandling.Ignore)]
| |
− | public string publicKey { get; set; }
| |
− | [JsonProperty(NullValueHandling = NullValueHandling.Ignore)]
| |
− | public string language { get; set; }
| |
− | [JsonProperty]
| |
− | public string piiPrincipalId { get; set; }
| |
− | [JsonProperty]
| |
− | public Array piiControllers { get; set; }
| |
− | [JsonProperty]
| |
− | public string policyUrl { get; set; }
| |
− | [JsonProperty]
| |
− | public Array services { get; set; }
| |
− | [JsonProperty]
| |
− | public string sensitive { get; set; }
| |
− | [JsonProperty(NullValueHandling = NullValueHandling.Ignore)]
| |
− | public string spiCat { get; set; }
| |
− | }
| |
− |
| |
− | [JsonObject]
| |
− | public class jsonController
| |
− | {
| |
− | public static jsonController Create(string json)
| |
− | {
| |
− | return new jsonController(json);
| |
− | }
| |
− | public static string Write(jsonController options)
| |
− | {
| |
− | return JsonConvert.SerializeObject(options);
| |
− | }
| |
− | public jsonController()
| |
− | { }
| |
− | public jsonController(string json)
| |
− | {
| |
− | try
| |
− | {
| |
− | JsonConvert.PopulateObject(json, this);
| |
− | }
| |
− | catch (Exception ex)
| |
− | {
| |
− | throw new Exception(string.Format("Error deserializing json:'{0}', into '{1}.", json, GetType()), ex);
| |
− | }
| |
− | }
| |
− | [JsonProperty]
| |
− | public string piiController { get; set; }
| |
− | [JsonProperty(NullValueHandling = NullValueHandling.Ignore)]
| |
− | public string onBehalf { get; set; }
| |
− | [JsonProperty]
| |
− | public string contact { get; set; }
| |
− | [JsonProperty]
| |
− | public string address { get; set; }
| |
− | [JsonProperty]
| |
− | public string email { get; set; }
| |
− | [JsonProperty]
| |
− | public string phone { get; set; }
| |
− | [JsonProperty(NullValueHandling = NullValueHandling.Ignore)]
| |
− | public string fax { get; set; }
| |
− | [JsonProperty(NullValueHandling = NullValueHandling.Ignore)]
| |
− | public string piiControllerURL { get; set; }
| |
− | }
| |
− |
| |
− | [JsonObject]
| |
− | public class jsonService
| |
− | {
| |
− | [JsonProperty]
| |
− | public string service { get; set; }
| |
− | [JsonProperty]
| |
− | public Array purposes { get; set; }
| |
− | }
| |
− |
| |
− | [JsonObject]
| |
− | public class jsonPurpose
| |
− | {
| |
− | [JsonProperty]
| |
− | public string purpose { get; set; }
| |
− | [JsonProperty]
| |
− | public string[] purposeCategory { get; set; }
| |
− | [JsonProperty]
| |
− | public string consentType { get; set; }
| |
− | [JsonProperty]
| |
− | public string[] piiCategory { get; set; }
| |
− | [JsonProperty]
| |
− | public bool primaryPurpose { get; set; }
| |
− | [JsonProperty]
| |
− | public string termination { get; set; }
| |
− | [JsonProperty]
| |
− | public bool thirdPartyDisclosure { get; set; }
| |
− | [JsonProperty(NullValueHandling = NullValueHandling.Ignore)]
| |
− | public string thirdPartyName { get; set; }
| |
− | }
| |
− | }
| |
− | }
| |
− |
| |
− | ===Json Constructer===
| |
− | ProfileResponse profileResp = new ProfileResponse
| |
− | {
| |
− | version = "KI-CR-v1.1.0",
| |
− | jurisdiction = "WA",
| |
− | consentTimestamp = DateTime.UtcNow.ToString("o"),
| |
− | collectionMethod = "user input",
| |
− | consentReceiptID = Guid.NewGuid().ToString(),
| |
− | language = "en",
| |
− | piiPrincipalId = user.UserName,
| |
− | piiControllers = new jsonController[]
| |
− | {
| |
− | new jsonController { piiController = "IDESGidp",
| |
− | contact = "jerry",
| |
− | email="jerry@ca0.net",
| |
− | address="too restrictive for small sites",
| |
− | phone="too restrictive for small sites"}
| |
− | },
| |
− | policyUrl = "http:idesg-idp.azurewebsites.net/Home/About",
| |
− | services = new jsonService[]
| |
− | {
| |
− | new jsonService {
| |
− | service = "IdP",
| |
− | purposes = new jsonPurpose[]
| |
− | {
| |
− | new jsonPurpose {
| |
− | purpose = "Authenticate User",
| |
− | purposeCategory= new string[] {"1 - Core Function" },
| |
− | consentType="EXPLICIT",
| |
− | piiCategory = new string[] {"2 - Contact" },
| |
− | primaryPurpose= true,
| |
− | termination="http:idesg-idp.azurewebsites.net/Home/About",
| |
− | thirdPartyDisclosure = false
| |
− | },
| |
− | new jsonPurpose
| |
− | {
| |
− | purpose="Federated Logon",
| |
− | purposeCategory= new string[] {"2 - not clear to me" },
| |
− | consentType="IMPLICIT",
| |
− | piiCategory=new string[] {"2 - Contact", "3 - More stuff"},
| |
− | primaryPurpose=false,
| |
− | termination="same as primary purpose",
| |
− | thirdPartyDisclosure = true,
| |
− | thirdPartyName="this will be the site you visit"
| |
− | }
| |
− | }
| |
− | }
| |
− | },
| |
− | sensitive = "false"
| |
− | };
| |
− |
| |
− | string jsonResp = JsonConvert.SerializeObject(profileResp);
| |
− |
| |
− | ===Json output===
| |
− |
| |
− | Generated on a partial implementation on 2018-06-06. One thing that might seem a little odd to others is that the Consent receipt for this site never really varies. It is always that same three fields entered at this time.
| |
− |
| |
− | The next challenge is, given a Consent Receipt on the web site, what should be done with it?
| |
− |
| |
− | {
| |
− | "version": "KI-CR-v1.1.0",
| |
− | "jurisdiction": "WA",
| |
− | "consentTimestamp": "2018-06-08T17:43:20.7681968Z",
| |
− | "collectionMethod": "user input",
| |
− | "consentReceiptID": "ce56a128-abd2-4edc-94f3-3d1b2efcb57d",
| |
− | "language": "en",
| |
− | "piiPrincipalId": "tomcjones",
| |
− | "piiControllers": [
| |
− | {
| |
− | "piiController": "IDESGidp",
| |
− | "contact": "jerry",
| |
− | "address": "too restrictive for small sites",
| |
− | "email": "jerry@ca0.net",
| |
− | "phone": "too restrictive for small sites"
| |
− | }
| |
− | ],
| |
− | "policyUrl": "http:idesg-idp.azurewebsites.net/Home/About",
| |
− | "services": [
| |
− | {
| |
− | "service": "IdP",
| |
− | "purposes": [
| |
− | {
| |
− | "purpose": "Authenticate User",
| |
− | "purposeCategory": [ "1 - Core Function" ],
| |
− | "consentType": "EXPLICIT",
| |
− | "piiCategory": [ "2 - Contact" ],
| |
− | "primaryPurpose": true,
| |
− | "termination": "http:idesg-idp.azurewebsites.net/Home/About",
| |
− | "thirdPartyDisclosure": false
| |
− | },
| |
− | {
| |
− | "purpose": "Federated Logon",
| |
− | "purposeCategory": [ "2 - not clear to me" ],
| |
− | "consentType": "IMPLICIT",
| |
− | "piiCategory": [ "2 - Contact", "3 - More stuff" ],
| |
− | "primaryPurpose": false,
| |
− | "termination": "same as primary purpose",
| |
− | "thirdPartyDisclosure": true,
| |
− | "thirdPartyName": "this will be the site you visit"
| |
− | }
| |
− | ]
| |
− | }
| |
− | ],
| |
− | "sensitive": "false"
| |
− | }
| |
− |
| |
− | ===XML output===
| |
− |
| |
− | This is a conversion of the same [JSONOBJECT] that was converted to JSON above.
| |
− |
| |
− | <?xml version="1.0"?>
| |
− | <?xml-stylesheet type="text/xsl" href="ConsentReceipt-min.xsl" ?>
| |
− | <ConsentReceipt>
| |
− | <version>KI-CR-v1.1.0</version>
| |
− | <jurisdiction>WA</jurisdiction>
| |
− | <consentTimestamp>2018-06-07T05:18:39.7205685Z</consentTimestamp>
| |
− | <collectionMethod>user input</collectionMethod>
| |
− | <consentReceiptID>57678f2e-0ea7-4da9-b01b-0446902ffced</consentReceiptID>
| |
− | <language>en</language>
| |
− | <piiPrincipalId>tomcjones</piiPrincipalId>
| |
− | <piiControllers json:Array="true" xmlns:json="http://james.newtonking.com/projects/json">
| |
− | <piiController>IDESGidp</piiController>
| |
− | <contact>jerry</contact>
| |
− | <address>too restrictive for small sites</address>
| |
− | <email>jerry@ca0.net</email>
| |
− | <phone>too restrictive for small sites</phone>
| |
− | </piiControllers>
| |
− | <policyUrl>http:idesg-idp.azurewebsites.net/Home/About</policyUrl>
| |
− | <services json:Array="true" xmlns:json="http://james.newtonking.com/projects/json">
| |
− | <service>IdP</service>
| |
− | <purposes>
| |
− | <purpose>Authenticate User</purpose>
| |
− | <purposeCategory json:Array="true">1 - Core Function</purposeCategory>
| |
− | <consentType>EXPLICIT</consentType>
| |
− | <piiCategory json:Array="true">2 - Contact</piiCategory>
| |
− | <primaryPurpose>true</primaryPurpose>
| |
− | <termination>http:idesg-idp.azurewebsites.net/Home/About</termination>
| |
− | <thirdPartyDisclosure>false</thirdPartyDisclosure>
| |
− | </purposes>
| |
− | <purposes>
| |
− | <purpose>Federated Logon</purpose>
| |
− | <purposeCategory json:Array="true">2 - not clear to me</purposeCategory>
| |
− | <consentType>IMPLICIT</consentType>
| |
− | <piiCategory>2 - Contact</piiCategory>
| |
− | <piiCategory>3 - More stuff</piiCategory>
| |
− | <primaryPurpose>false</primaryPurpose>
| |
− | <termination>same as primary purpose</termination>
| |
− | <thirdPartyDisclosure>true</thirdPartyDisclosure>
| |
− | <thirdPartyName>this will be the site you visit</thirdPartyName>
| |
− | </purposes>
| |
− | </services>
| |
− | <sensitive>false</sensitive>
| |
− | </ConsentReceipt>
| |
The current design of a Consent receipt is based on building a JSON object, together with a user display of the current transaction, that describes categories of user data.
The draft on which this implementation was based is listed below. In theory, practice is the same as theory; in practice it is not.
Warning: this document is based on the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data [OECD], focusing on consent and using the ISO 29100 [ISO 29100:2011] lexicon, which means that the terms are stilted and do not reflect current usage. That is also the reason for some of the odd tags in the JSON object.
The Consent Receipt uses obsolete technical terms like "Personally Identifiable Information (PII)" rather than the more generic GDPR term, Personal Information, or the more descriptive term for what we should actually control, Private Personal Information, although with the Right to be Forgotten there may be no distinction between those two terms in the EU.
The user is given reasons why the data is required and what will be done with it before the data is even entered.
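A receiving party (the user's agent, or a site storing receipts for later redress) should check a receipt's structure before trusting or displaying it. The following is an added example, not code from the wiki page or from the IDESG site: a validator for JSON objects of the shape the page's classes describe. The field names and which of them are required follow the ProfileResponse, jsonController, jsonService and jsonPurpose classes (NullValueHandling.Ignore marks the optional ones); the URL, UUID, timestamp and boolean rules, and the corrections applied by `hardened_copy`, are this example's own assumptions. The sample input is a copy of the JSON output shown on the page.

```python
"""Structural checks for a consent receipt JSON object of the shape shown on this page.
Added example, not code from the wiki page or the IDESG site. Required fields mirror the
page's C# classes; URL/UUID/timestamp/boolean rules are this example's assumptions."""
import json
import re
import uuid
from urllib.parse import urlsplit

RECEIPT_REQUIRED = ("version", "jurisdiction", "consentTimestamp", "collectionMethod",
                    "consentReceiptID", "piiPrincipalId", "piiControllers", "policyUrl",
                    "services", "sensitive")
CONTROLLER_REQUIRED = ("piiController", "contact", "address", "email", "phone")
PURPOSE_REQUIRED = ("purpose", "purposeCategory", "consentType", "piiCategory",
                    "primaryPurpose", "termination", "thirdPartyDisclosure")
# UTC timestamp as .NET DateTime.ToString("o") emits it, e.g. 2018-06-08T17:43:20.7681968Z
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")

# Constructed sample: a copy of the JSON output shown on the page, unchanged.
SAMPLE_JSON = """{
 "version": "KI-CR-v1.1.0", "jurisdiction": "WA",
 "consentTimestamp": "2018-06-08T17:43:20.7681968Z", "collectionMethod": "user input",
 "consentReceiptID": "ce56a128-abd2-4edc-94f3-3d1b2efcb57d", "language": "en",
 "piiPrincipalId": "tomcjones",
 "piiControllers": [{"piiController": "IDESGidp", "contact": "jerry",
   "address": "too restrictive for small sites", "email": "jerry@ca0.net",
   "phone": "too restrictive for small sites"}],
 "policyUrl": "http:idesg-idp.azurewebsites.net/Home/About",
 "services": [{"service": "IdP", "purposes": [
   {"purpose": "Authenticate User", "purposeCategory": ["1 - Core Function"],
    "consentType": "EXPLICIT", "piiCategory": ["2 - Contact"], "primaryPurpose": true,
    "termination": "http:idesg-idp.azurewebsites.net/Home/About", "thirdPartyDisclosure": false},
   {"purpose": "Federated Logon", "purposeCategory": ["2 - not clear to me"],
    "consentType": "IMPLICIT", "piiCategory": ["2 - Contact", "3 - More stuff"],
    "primaryPurpose": false, "termination": "same as primary purpose",
    "thirdPartyDisclosure": true, "thirdPartyName": "this will be the site you visit"}]}],
 "sensitive": "false"
}"""
SAMPLE_RECEIPT = json.loads(SAMPLE_JSON)


def is_absolute_http_url(value):
    """True only for http(s) URLs with a host; 'http:host/path' (no //) has an empty netloc."""
    if not isinstance(value, str):
        return False
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def _check_missing(obj, required, where, problems):
    for key in required:
        if key not in obj:
            problems.append(f"{where}: missing {key}")


def validate_receipt(receipt):
    """Return a list of problems; an empty list means the receipt passed the structural checks."""
    problems = []
    _check_missing(receipt, RECEIPT_REQUIRED, "receipt", problems)
    ts = receipt.get("consentTimestamp")
    if not isinstance(ts, str) or not TIMESTAMP_RE.match(ts):
        problems.append("receipt: consentTimestamp is not a UTC ISO 8601 timestamp")
    try:
        uuid.UUID(str(receipt.get("consentReceiptID", "")))
    except ValueError:
        problems.append("receipt: consentReceiptID is not a UUID")
    if not is_absolute_http_url(receipt.get("policyUrl")):
        problems.append("receipt: policyUrl is not an absolute http(s) URL")
    if not isinstance(receipt.get("sensitive"), bool):   # the page's sample has the string "false"
        problems.append("receipt: sensitive must be a JSON boolean")
    controllers = receipt.get("piiControllers")
    if not isinstance(controllers, list) or not controllers:
        problems.append("receipt: piiControllers must be a non-empty array")
    for i, ctl in enumerate(controllers if isinstance(controllers, list) else []):
        _check_missing(ctl, CONTROLLER_REQUIRED, f"piiControllers[{i}]", problems)
    services = receipt.get("services")
    if not isinstance(services, list) or not services:
        problems.append("receipt: services must be a non-empty array")
    for i, svc in enumerate(services if isinstance(services, list) else []):
        for j, p in enumerate(svc.get("purposes") or []):
            where = f"services[{i}].purposes[{j}]"
            _check_missing(p, PURPOSE_REQUIRED, where, problems)
            for key in ("primaryPurpose", "thirdPartyDisclosure"):
                if key in p and not isinstance(p[key], bool):
                    problems.append(f"{where}: {key} must be a JSON boolean")
            if not is_absolute_http_url(p.get("termination")):   # must be a link, not free text
                problems.append(f"{where}: termination is not an absolute http(s) URL")
            if p.get("thirdPartyDisclosure") is True and not p.get("thirdPartyName"):
                problems.append(f"{where}: thirdPartyName required when thirdPartyDisclosure is true")
    return problems


def hardened_copy(receipt):
    """Deep copy with the defects the page's own sample shows corrected (assumed fixes)."""
    fixed = json.loads(json.dumps(receipt))
    fixed["policyUrl"] = "http://idesg-idp.azurewebsites.net/Home/About"  # scheme separator added
    fixed["sensitive"] = str(fixed.get("sensitive")).lower() == "true"   # "false" -> False
    for svc in fixed["services"]:
        for p in svc["purposes"]:   # page: termination info lives at the privacy policy page
            p["termination"] = fixed["policyUrl"]
    return fixed


if __name__ == "__main__":
    for line in validate_receipt(SAMPLE_RECEIPT) or ["receipt passed"]:
        print(line)
```

Run against the page's own output the validator reports the two relative-looking URLs, the free-text termination and the string-typed `sensitive`; the hardened copy passes. The checks are deliberately on shape only: whether the purposes and categories are adequate is the policy question the page raises, which no parser can answer.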