[Openid-specs-risc] connecting with privacy people
adam.cooper at digital.cabinet-office.gov.uk
Tue Sep 29 09:56:30 UTC 2015
In the UK we have a Privacy and Consumer Advisory Group (
that advises us on how to best approach privacy when providing online
access to government services using verified identities.
This group includes representatives from our key regulator (Information
Commissioner's Office), academia, the British Computer Society, and groups
such as Big Brother Watch and NO2ID. All with a direct interest in privacy
and the consumer.
This group meets next in November - happy to get your proposal around
consent on the agenda for their feedback if you think that would be useful.
What are the dates / time constraints you are working to for feedback?
On 29 September 2015 at 05:32, Nat Sakimura <sakimura at gmail.com> wrote:
> With so much echoing today, I did not dig in any further, but I still
> think it is a good idea to involve privacy regulators early on. As someone
> who is closely connected to the privacy regulators, academics and lawyers,
> I believe there is a good chance that we can get them on our side.
> While we tend to position the account takeover as a security issue, it is
> a grave privacy issue as well. Like security, privacy is not black-or-white
> thing. We have to deal with a risk framework and there we measure the
> benefit against cost. Since the user is already using the email provider
> (IDP) as the reset link, there seem to be little privacy cost compared to
> the benefit of explicitly sharing them between the provider and the service
> and making the probability of chained compromise less.
> Also, I would have to point out that user action of "consent" is not
> always the best way to address the "meaningful consent". That's the
> position of many regulators in EU, at least as I understand. Perhaps you
> might want to look at the explanation of "conditions for processing" by ico
> (UK regulator.)
> In any case, we would have to do the PIA before completing the spec and
> start the trust framework, and that has to happen pretty early on:
> otherwise, we may have to re-do everything. IMHO, it is wise to start
> involving experts from regulating bodies at least informally would be a
> good idea. It will eventually travel up to the Article 29 Working party
> (WP29, the group of EU privacy regulators) and it cannot be avoided. Then,
> why not involve them early on and work together?
> OpenID Foundation will be sending out liaison statement to ISO/IEC JTC
> 1/SC 27/WG 5 (the committee that deals with privacy technology) in a couple
> of weeks. My proposal is to include couple of paragraphs on the pros and
> cons of explicit consent / bulk roll-in, and opt-out/no-opt-out scenarios.
> WG meetings are very busy and usually they will not craft a detailed custom
> responses, but they might eventually. At least, they will be aware of the
> fact that they had an opportunity to input.
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> Openid-specs-risc mailing list
> Openid-specs-risc at lists.openid.net
Identity Assurance Programme
Government Digital Service
125 Kingsway, London, WC2B 6NH
Tel: 07973 123 038
official: adam.cooper at digital.cabinet-office.gov.uk
official sensitive: adam.cooper at govdigital.gsi.gov.uk
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Openid-specs-risc