Scribing Template --Tues., Nov 12, 2013 at 4:15pm - Marina del Rey Room
TOPIC: Scalable Privacy Work / NSTIC
CONVENER: Ken Klingenstein
SCRIBE: Mike Grady
# of ATTENDEES: 14
MAIN ISSUES DISCUSSED:
Ken explained the privacy scope he is talking about. Attributes released from your IdP, not what you choose to share once you get in the app, and also can't control downstream sharing. At least not other than thru policy/code of conduct/etc. approaches.
Privacy Manager -- what UI works, the intelligence issues, understandable to an average end user. Realtime & quasi-realtime release of attributes.
Consumer marketplace. Looking at attributes released to social2saml gateway has been eye-opening, usually all or nothing.
Aside on SOUPS conference -- looking at wrong problems, almost all of their studies are tested with social sites/social identities, would their results vary if meaningful data/business sector stuff was involved?
- Banks would be willing to participate in studies/pilots
Corporate sector, there will be value. What about enterprise sector?
Two use cases that are driving this work:
- attribute release to research wiki, services that need fine-grained info for a few folks from an institution, can't get institutional release policy for such.
- accessibility issues. GPII, Global Public Inclusive Infrastructure, taking ITU standard schema for content presentation preferences. Build preference profile, allow authorized services to access those preferences, adapt content according to those preferences. What about refactoring content for disabilities/needs that require such? Think that this work will be important to institutions, they will want to leverage these profilesOther use cases:
- age-based access controls, COPPA compliance, define schema for minorsDemo of the Carnegie Mellon Univ. Privacy Manager ….
- showing the interface
- highlighting attribute values are shown
- but really highlighting the "I" button -- "tell me more", brings up info on exactly why that attribute is required/desired
- but where else can the "I" button take you -- maybe end entity tags, reputation systems, etc.Planning to port the UI to other types of protocols/flows.
Hook the same UI on top of anonymous credentials work also.
Meta-attribute concepts -- name, phone, how do we handle those?
COPPA
- Mushi monsters - chat room, shopping room
- PRIVO - certifying applications as to their attribute needs in this space
- Broad legislation in this space, from FTCDo enterprises want to put privacy control in the hands of the users?
- user control, service to them
- will it be combination of institutional control and user control?Difference between data stewardship and the person who the data is about. Who has the responsibility -- it is the institutional responsibility, that is who will get sued.
Example -- U Washington, phone number is self-asserted, requests to release it (hasn't been yet). Who will control, decide if it can be released?
If you can't get the service unless you release the attribute, and its an essential service, can there really be user consent?
Self-asserted attribute examples:
- Working title
- Preferred name
- Mobile phone
How do I get people/institutions to play with this? Play with it, or pilot it? Find institution where there is an acceptable use policy at the institutional level. Can we get 5 - 8 institutions to really engage with this, trying technology, policy, metadata, everything or anything about it? What would it take? There is money available, if it can help.
Request for participation, who would it be sent to? Are the folks in this room the right people? Tracy Mitrano would be a good person to engage with. She is very interested in helping to drive an institutional commitment to privacy, which leads to an institutional commitment to consent.
Is this a transfer of liability? But that could hinge on whether that is really considered to be informed consent.
ACTIVITIES GOING FORWARD / NEXT STEPS:
If slides are used in the session, please ask presenters to convert their slides to PDF and email them to acamp-info@incommon.org