The Imperative for Transparency to Standardise Digital Trust
In an age of rapid technological advancement, the concept of data protection must evolve from its analog roots to address the complex challenges of digital privacy. This article argues for a paradigm shift in how we approach data control, security, and protection in digital spaces, emphasising the need for transparency, consent, and individual empowerment for trustworthy digital identification technologies.
The Importance of Terminology
Digital identification technology terminology like holder, verifier, or issuer obfuscates control, transparency and accountability, treating identification features and processes as roles unto themselves. The misuse of terms like "decentralised identity" and "self-sovereign identity" blurs the lines between surveillance and privacy. These terms increase confusion and inflate security risks. A more accurate and trustworthy approach would be to use phrases like "Digital identification you control" or "Transparently governed digital identification authority."
Identity vs. Identification
There's a crucial distinction between identity and identification. Identity refers to how individuals conceive their autonomous selves in society, while identification is the process of surveilling someone's identity. Digital systems often conflate these concepts, leading to problematic and harmful implementations.
Consent vs Permission
Consent and permission, while often used interchangeably, serve distinct roles in digital transparency and identity management. Consent is a human-centric process that requires individuals to make informed decisions about overall data processing purposes, sensitive data handling, and situations requiring active choice. It involves providing clear information about identity, legal authority, legitimate purpose, and potential risks. Consent is managed by humans and is fundamental to establishing trust and legal compliance in digital interactions.
Permission is granular and system-oriented, typically managed by services rather than individuals directly. It relates to specific access controls and granular authorisations for the use of surveillance in particular physical and digital contexts. This is critical, as personal technologies often involve the use of secure, restricted, sensitive and very personal information. Permissions are set for specific features, data types, or actions within a system.
The distinction between consent and permission is crucial in digital identification management, as confusing the two is a dark pattern, most infamously called 'surveillance capitalism': secret and misleading surveillance for profit. Security misinformation misleads individuals into being 'users' of services who are required to share personal data to 'use' those services.
Trust and Consent
Fundamental to any form of trust is consent and consensus. Trust emerges from consensus, good faith, and belief. Trust scales with standardised transparency through notice, notification, and disclosures as specified in law. However, the digital identification industry overlooks this crucial aspect, leading to a disconnect between user expectations and industry practices.
The Misuse of 'Trust' and 'Identity' in Digital Contexts
A critical issue in the current digital landscape is that the 'identity' management industry co-opts terms like "trust" and "identity" to cover the disconnect between individual data control and digital identity. These words carry significant social, cultural, and personal meaning, and their misuse in digital contexts leads to serious misunderstandings, security risks, and mass secret commercial surveillance. New EU regulations, the Digital Markets Act and the Digital Services Act, provide regulatory tools to address these significant issues.
The Role of the Digital Privacy Officer in Governing the Identification Industry
The authority to govern identification use and protect individual identity should lie with the digital privacy industry, not the identity management sector. This distinction becomes increasingly important as surveillance technologies are marketed under the guise of "digital trust."
Surveillance by Default: A Global Concern
The concept of "digital trust" originates from contexts where privacy protections are minimal. For instance, in the United States, privacy commissioners are absent, and companies can legally surveil non-U.S. citizens. This environment of "surveillance by default" undermines genuine privacy controls.
Kantara: ANCR Transparency Performance Report
A significant development in addressing the issues of identity and trust in the digital identification and authentication industry is the Kantara ANCR Transparency Performance Report. This research-based initiative utilises the ISO/IEC 29100 security and privacy framework to generate a report that focuses on several key aspects:
1. Operational transparency for security and privacy, examining service providers' notice, notification, disclosures, and policies. In particular, it examines timing to validate consent, by assessing whether data is collected and processed prior to controller identification, notice and consent.
2. Capturing the physical and technical service context, such as mobile device usage or website interactions.
3. Identifying if required identification, authority, and lawful basis are provided.
4. Assessing the provision of controller identification and service provider location to validate consent for cross-border data flow.
5. Evaluating if the provided information allows users to make informed choices about sharing personally identifiable information (PII) before and after data processing.
6. Determining if privacy rights features are accessible within the technical session and context of collection and processing, or if they are provided out of context.
7. Assessing the accessibility of required transparency information for privacy access.
This compliance report aims to enhance transparency and user empowerment in digital identity systems.
Recommendations for Ethical Digital Identification
To address these issues, several guidelines should be followed:
1. Avoid co-opting human terms like identity and trust to describe surveillance activities.
2. Ensure all digital identification technologies are consent-based and transparent.
3. Implement notice-event-based logging to legitimise all data processing activities.
4. Maintain transparency in changes to privacy policies and notify users of changes.
5. Adopt a privacy-centric perspective that considers systems as Users of personal data.
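As an added illustration (not part of the original article or of the Kantara ANCR report), the timing check in report item 1 and the notice event logging in recommendation 3 can be expressed as an audit over a session event log that flags any collection occurring before a controller-identifying notice and consent. The event schema, field names, the consent-per-purpose rule and the sample events are constructed assumptions.

```python
from datetime import datetime

# Fields a notice must carry before it counts (assumed, following the article's list).
REQUIRED_NOTICE_FIELDS = ("controller", "purpose", "lawful_basis")

# Constructed sample log; the event schema is hypothetical, not an ANCR format.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "session": "s1", "type": "collect", "data": "device_id", "purpose": "login"},
    {"ts": "2024-05-01T10:00:02Z", "session": "s1", "type": "notice", "controller": "Example Ltd", "purpose": "login", "lawful_basis": "consent"},
    {"ts": "2024-05-01T10:00:05Z", "session": "s1", "type": "consent", "purpose": "login"},
    {"ts": "2024-05-01T10:00:06Z", "session": "s1", "type": "collect", "data": "email", "purpose": "login"},
    {"ts": "2024-05-01T11:00:00Z", "session": "s2", "type": "notice", "controller": "", "purpose": "ads", "lawful_basis": "consent"},
    {"ts": "2024-05-01T11:00:01Z", "session": "s2", "type": "consent", "purpose": "ads"},
    {"ts": "2024-05-01T11:00:02Z", "session": "s2", "type": "collect", "data": "location", "purpose": "ads"},
    {"ts": "2024-05-01T12:00:00Z", "session": "s3", "type": "notice", "controller": "Example Ltd", "purpose": "login", "lawful_basis": "consent"},
    {"ts": "2024-05-01T12:00:01Z", "session": "s3", "type": "collect", "data": "email", "purpose": "login"},
]


def audit(events):
    """Return (session, data, reason) for each collection lacking prior notice or consent."""
    noticed, consented, findings = set(), set(), []
    ordered = sorted(events, key=lambda e: datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    for e in ordered:
        key = (e["session"], e.get("purpose"))
        if e["type"] == "notice":
            # A notice only counts if it identifies the controller, purpose and lawful basis.
            if all(e.get(f) for f in REQUIRED_NOTICE_FIELDS):
                noticed.add(key)
        elif e["type"] == "consent":
            # Consent without a valid prior notice is not informed, so it is ignored.
            if key in noticed:
                consented.add(key)
        elif e["type"] == "collect":
            if key not in noticed:
                findings.append((e["session"], e["data"], "collected before controller notice"))
            elif key not in consented:
                findings.append((e["session"], e["data"], "collected before consent"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(finding)
```

Session s2 is flagged even though a notice and a consent event precede the collection, because the notice never identified the controller.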
For rapid scaling and adoption of digital identification technologies, try the Global Privacy Rights 0PN digital privacy policy. It is a policy that is Privacy by design and Consent by default. The 0PN Policy requires a transparency and consent notice or privacy statement, which identifies who the controller is prior to processing personal data. The notice must disclose the legal justification and a scope of disclosure, for trust and security. Find out more at Global Privacy Rights.
Conclusion: A Call for Transparency in Digital Trust
The digital identification industry must reconsider its use of terminology and prioritise user privacy and control in the context of surveillance-based security. By focusing on transparency, consent, and individual empowerment, we can build genuine trust in digital systems together. This shift is essential not only for protecting individual privacy but also for ensuring the long-term viability and public acceptance of digital identification technologies.
As we move forward, it's crucial to remember that true digital trust can only be achieved when the rights and autonomy of individuals are respected and protected in our shared digital spaces. Initiatives like the Kantara ANCR Transparency Performance Report represent significant steps towards this goal and towards a transparency standard, providing a framework for evaluating and improving the transparency and trustworthiness of digital identification systems.
Sources
All sources for this article are rooted in standards and law, which have matured over the last 45 years, and are now finally enforceable.
ANCR WG Transparency Performance Report
CoE Treaty, Convention 108+
ISO/IEC 29100 Security and privacy framework