
Privacy Definitions #2

Closed
PrivacyCDN opened this issue Nov 30, 2021 · 4 comments
@PrivacyCDN (Collaborator) commented Nov 30, 2021

For the purposes of privacy-enhancing mobile credentials, I propose that the PEMC WG use the following as an operational definition of privacy for the recommendation. I came up with this starting from my view that privacy in our context cannot be a characteristic of the data, but rather a characteristic of the relationship between the holder and the verifier, mediated by the issuer who sets out some of the requirements or constraints for disclosure.

Proposed Definition

When a mobile credential holder discloses information about herself to acquire or use a mobile credential, her privacy is preserved when she is able to choose what attributes she discloses and can reasonably expect that the recipient of the disclosed attributes will use, disclose, retain, and destroy those attributes only in fulfilment of the purpose for which the attributes were disclosed.

Discussion

Wikipedia describes privacy as the ability of an individual or group to seclude themselves or information about themselves, and thereby express themselves selectively. While this seems a reasonable high-level view from 50,000 feet it fails to provide sufficient guidance for defining and applying operational protections and controls consistently.

Privacy or Data Protection legislation such as Canada's PIPEDA or the EU's GDPR does not define privacy per se. Rather, it sets its scope to be the protection of personal information or data and takes pains to define the types of data or information that are in the scope of the legislation. Note that this presumes a particular kind of data flow whereby the individual (or holder in our case) loses control of the data about them as it passes under the control of the entity that is bound by the particular law. For the purposes of mobile credentials, where there is a three-party architecture and a dynamic relationship, a static assignment of accountability is insufficient.

Further, the framing of data protection statutes assumes a client-server architecture representing the data subject and the data controller respectively. This architecture may apply but disallows other architectures where there may be co-management of the data or where the data subject may retain custody and control of the data. These approaches can be seen in work on data trusts, information fiduciaries, and MyData Operators all of which reduce the ceded control by the data subject. Privacy Enhancing Mobile Credentials may be delivered using any of these approaches.

It seems to me that a more appropriate way to view privacy as I've expressed it above is to think about it in terms of a graph database. Rather than a server and a client, we have nodes, edges, and relationships. In this context an individual (a node) chooses to disclose information about themselves to another node or nodes, creating a relationship that expresses, or should express, a shared understanding or agreement about how the information that has been shared will be treated. This edge relationship then defines the terms of the co-management of the information. Whether we are talking about ISO 18013-5, Verifiable Credentials, or Self-Sovereign Identity models, we have three entities (or nodes) with edge relationships to the other entities that include rights and obligations with respect to the data shared between them.

I should note that privacy is regarded as a human right in many jurisdictions such as the EU Charter of Fundamental Rights (Article 8), or the Universal Declaration of Human Rights (Article 12). I will note specifically 8.1 of the EU Charter of Fundamental Rights which states that, “…data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid.”

For those who are interested in going down a rathole of details for definitions of privacy, see the references below.

References

  1. Koops, Bert-Jaap; Newell, Bryce Clayton; Timan, Tjerk; Škorvánek, Ivan; Chokrevski, Tom; Galič, Maša. A Typology of Privacy (March 24, 2016). University of Pennsylvania Journal of International Law 38(2): 483-575 (2017). Tilburg Law School Research Paper No. 09/2016. Available at SSRN: https://ssrn.com/abstract=2754043
  2. Solove, Daniel J. A Taxonomy of Privacy. University of Pennsylvania Law Review, Vol. 154, No. 3, p. 477, January 2006. GWU Law School Public Law Research Paper No. 129. Available at SSRN: https://ssrn.com/abstract=667622
  3. Wikipedia. Communication privacy management theory. https://en.wikipedia.org/wiki/Communication_privacy_management_theory
PrivacyCDN added the "documentation" label Nov 30, 2021
PrivacyCDN self-assigned this Nov 30, 2021

@TomCJones (Collaborator) commented Dec 15, 2021

New proposal for the definition or principles of enhanced privacy:
N.B. I deliberately removed the word "attribute" and focused on the word "purpose".
Privacy of data stored in a mobile credential is enhanced when the following principles are followed:

  1. The holder is given a request for data that shows the purpose for which the data is required by the verifier in human understandable terms.
  2. The holder will know which data is required for the transaction to be completed.
  3. If any data is requested that is not required, the user may remove that data from the list.
  4. If any data is retained beyond the completion of the transaction, the user may request that all data is removed as permitted by jurisdictional laws and regulations.
  5. The verifier will be able to communicate any breach of the conditions for which the data was collected.
  6. No data is shared with third parties beyond the purpose stated to the user.
  7. The holder experience of the data sharing is tested to assure that the holder is aware of the consequences of accepting the transaction.
  8. Any delegated access will require that the subject of the data has provided informed consent.

@TomCJones (Collaborator) commented:

I found that trying to answer the question about the "definition" did not permit addressing the questions that were in that definition and decided that principles were better.

TomCJones reopened this Dec 15, 2021

@TomCJones (Collaborator) commented:

Not sure how this issue got closed; perhaps my fault?

@PrivacyCDN (Collaborator, Author) commented:

Turning into a rathole, so work group consensus is to not define privacy at this time.
