Scaling Trust between people to a 3rd Party

Humans evolved with an innate need to communicate, collaborate and synchronize, driven by our ancient need for survival, social cohesion and the benefits of collective effort. Trust was fundamental, because it ensured that individuals could rely on one another, fostering cooperation and reducing the fear of exploitation or betrayal. Yet trust began to have limitations as societies and economies grew more complex. A receipt was devised as a simple method to extend trust further. A receipt was used as a record of trust, honour and reputation, a record that extended trust to a third party. 

Trust has always been a key component of human interaction. A receipt, as a record of this trust, has been the inclusive, non-discriminatory method that has evolved over time as a tool to scale trust to more than one party. As a record, it is a reliable, transparent, and verifiable way to document exchanges, ensuring that all parties can rely on a shared understanding. Today, a notice receipt is required but disguised as a cookie or a meta-data record.

As records and receipts enabled governance to advance, so too did trade and commerce, through the distribution of benefits that came with transparent and regulated marketplaces.

The first receipts, circa 3200 BCE, were preserved on clay tablets, a key development in the evolution of writing and record-keeping. They are the first example of a distributed identifier, expressed as an attribute that represented an asset and verified by keeping a record of the asset and its trading activity.

This ritual of creating a record of an interaction brought with it enlightenment and advanced financial exchanges, where receipts evolved into commercially signed paper and eventually into currency. The invention first began with a notarised banking promissory notice, to be used between two banks; the security of commercial paper then advanced quickly with the printing press, to special paper and a unique identifier printed on each bill. Receipts were then used when currency was exchanged, to share the record of exchange, wherein the receipt and a ledger were used to track financial transactions. This ledger served to log the transaction so that the transaction could be used as evidence by both parties, and/or kept by a third party, which became a bank.

Receipts enable benefits: decentralised governance as a proof of purchase; a way to return faulty and unwanted items; and a means for interacting parties to mitigate risks independent of legal enforcement. A receipt is a tool to co-regulate and to enable peer-to-peer security and privacy infrastructure, extending trust with its assurance.

About the Presentation

While the “consent receipt” developed further in 27560, it wasn’t interpreted as a profile for the ISO/IEC 29184:2020 Online Notice and Consent Standard. Instead of a notice record information structure, a consent record information structure was developed, focused on the surveillance of the PII Principal.

The original work, called the MVCR (“Minimum Viable Consent Receipt”) and authored by Mark Lizar, was adopted into ISO from the Kantara Consent and Information Sharing WG. It focused on the minimum requirements for notice, so that a receipt could be used for consent, creating a record of notice that the PII Principal could use to replace cookies in browsers and terms of service online. These are not only a well-documented dark pattern, but are also not regularly enforced against by regulators, demonstrating a need for a standard international solution for transparency and consent.

The presentation of the notice receipt is the introduction of an anonymous receipt flow, where the PII Principal is able to control, manage and even negotiate the use of personal data processing with standardised transparency.

Learning from 27560, this introduces a PII Controller identity record information structure that is extended to the notice receipt, and then a notice receipt event log, to provide assurance. It is specified in accordance with Convention 108+ Articles 14 and 15 for the Controller Identity Record schema, Article 30 for the notice receipt to be a record of processing activity, and Article 88 for a log of the processing, to provide the international assurance required to scale consent-based data controls.

The proposed profile, or possible NWIP, introduces a Two Factor Notice that is Consent by Default and is extensible, as the PII Controller identity record schema is used to generate a notice receipt and a subsequent notice receipt event log.

It is envisioned that this profile will then be used to operationalise personal data and personal data control held by PII Controllers, breaking data silos frozen under data protection regulation and enabling people to identify themselves anonymously online.

The re-use of the notice receipt as a consent token is the most exciting aspect of this work, as it can be used to provide verification of ID and attributes, under the control of the individual, without having to provide raw personal security information across the internet. Significantly for regulators and data privacy officers, the use of a notice receipt for a secondary purpose aims to dramatically increase the ROI of surveillance technologies, reducing the cost of ownership by increasing their functionality. This work promises significant impacts for data control.