[OpenID-Specs-eKYC-IDA] Data Rights Protocol and eKYC
John Gronberg
gronberg at datagrail.io
Fri Oct 1 18:27:43 UTC 2021
Hello eKYC WG,
I'm part of a consortium of privacy infrastructure and technology
businesses working to create an open standard for Data Subject Rights (DSR)
Requests for businesses under the jurisdiction of the CCPA. You can read a
little bit more about the protocol here: http://datarightsprotocol.org
"This specification defines a web protocol encoding a set of standardized
request/response data flows such that End-Users can exercise Personal Data
Rights provided under regulations like the California Consumer Privacy Act,
General Data Protection Regulation, and other regulatory or voluntary
bases, and receive affirmative responses in standardized formats.
We aim to make the data rights protocol integrable with an ecosystem of
data rights middlewares, agent services, automation tool kits, and
privacy-respecting businesses which empower and build trust with consumers
while driving the cost of compliance towards zero."
We believe that the eKYC extension to OIDC would be a good fit for our use
case. I will lay out the scenario below.
These are the relevant entities:
- a data subject: A natural person about whom a controller holds personal
data and who can be identified, directly or indirectly, by reference to
that personal data
- an authorized agent: A third party designated by a Consumer to perform
Data Subject Requests on their behalf. This would be like a user agent/app.
- a Privacy Infrastructure Provider (PIP): a technology solution that can
orchestrate a DSR request for a business.
- a covered business: A natural or legal person, public authority, agency
or other body which, alone or jointly with others, determines the purposes
and means of the processing of personal data and is subject to the CCPA.
A data subject will initiate one or more data subject requests through an
authorized agent. The authorized agent will create these requests with one
or more covered businesses. The covered business will have certain
requirements in place for establishing the identity of the data subject.
Once the requirements are met, the businesses will process the rights
requests (for erasure, access, etc.) based on their internal processes, or
the PIP will do so on behalf of the covered business. Upon completion of
the internal processes, the results of the rights request will be returned
to the authorized agent for delivery to the data subject.
We're trying to answer the following questions:
1. Identity claims could be supplied by the authorized agent or the
PIP/covered business. What is the proper trust model and how can we
establish confidence in the claims?
2. The PIP/covered business may need to get identity claims that the
authorized agent does not yet have (for instance, if the covered business
is an ecommerce company it may want to know the date of the last order
placed by the data subject). What is the right model for us to establish
such claims?
3. Presumably, for the API authorization that would go along with the
identity claims, we would be able to use the standard OIDC flow with the
PIP/covered business acting as the authorization server and the authorized
agent acting as a user agent, correct?
4. Do you have any concerns or other questions as we figure out how to meet
our DSR use cases with OIDC?
We've put together a few explanatory diagrams in this document
<https://github.com/consumer-reports-digital-lab/data-rights-protocol/blob/main/files/eKYC-WG-feedback.pdf>
for further explanation.
We're looking forward to your input! I will be unavailable via email for
the next week, but will respond to comments upon my return.
Cheers,
John
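Added illustration, not part of John's message or of the Data Rights Protocol: the first two questions above (who vouches for identity claims, and how a covered business asks for claims the agent does not yet hold) map onto the `verified_claims` structure that OpenID Connect for Identity Assurance (the eKYC-IDA extension) adds to OIDC. The code below shows a relying party, here the PIP acting for a covered business, building the `claims` request that names the trust frameworks and claims it will accept, and then checking a returned `verified_claims` object against a local acceptance policy (accepted framework, freshness of the verification, required claims present). The policy thresholds, the `purpose` text and the sample token payload are constructed for this example; `de_aml` and `eidas` are trust-framework identifiers used as examples in the IDA spec.

```python
"""Requesting and policy-checking eKYC-IDA verified_claims (added example)."""
from datetime import datetime, timedelta, timezone


def build_claims_request(required_claims, trust_frameworks, purpose):
    """Build the OIDC `claims` request parameter asking for verified_claims
    in the ID token. Each claim is marked essential (OIDC Core) and carries a
    `purpose` string (IDA) the OP can show the user; the verification element
    constrains trust_framework to the frameworks this RP accepts."""
    return {
        "id_token": {
            "verified_claims": {
                "verification": {
                    "trust_framework": {"values": list(trust_frameworks)},
                    "time": None,  # null = "please include this element"
                },
                "claims": {
                    name: {"essential": True, "purpose": purpose}
                    for name in required_claims
                },
            }
        }
    }


def check_verified_claims(verified_claims, policy, now):
    """Return the list of policy violations for one verified_claims object
    (IDA also allows an array of them; a caller would loop over that).
    An empty list means the claims are acceptable for the DSR."""
    problems = []
    verification = verified_claims.get("verification", {})

    framework = verification.get("trust_framework")
    if framework not in policy["trust_frameworks"]:
        problems.append(f"trust_framework {framework!r} not accepted")

    verified_at = verification.get("time")
    if verified_at is None:
        problems.append("verification time missing")
    else:
        # IDA uses RFC 3339 timestamps; normalise the trailing Z for fromisoformat.
        when = datetime.fromisoformat(verified_at.replace("Z", "+00:00"))
        if now - when > policy["max_age"]:
            problems.append("verification older than policy max_age")

    claims = verified_claims.get("claims", {})
    for name in policy["required_claims"]:
        if name not in claims:
            problems.append(f"required claim {name!r} missing")
    return problems


def evaluate_id_token(payload, policy, now):
    """Policy-check the verified_claims carried in a decoded ID token payload.
    Signature and standard OIDC checks (iss, aud, exp, nonce) are assumed to
    have been done already by the OIDC client library."""
    verified_claims = payload.get("verified_claims")
    if verified_claims is None:
        return ["no verified_claims in ID token"]
    return check_verified_claims(verified_claims, policy, now)


# Constructed acceptance policy for a covered business handling an access request.
DSR_POLICY = {
    "trust_frameworks": {"de_aml", "eidas"},
    "max_age": timedelta(days=90),
    "required_claims": ["given_name", "family_name", "birthdate"],
}

# Constructed sample ID token payload (already signature-checked, decoded).
SAMPLE_ID_TOKEN_PAYLOAD = {
    "iss": "https://op.example",          # placeholder issuer
    "sub": "subject-123",
    "verified_claims": {
        "verification": {
            "trust_framework": "de_aml",
            "time": "2021-09-20T10:00:00Z",
        },
        "claims": {
            "given_name": "Alex",
            "family_name": "Example",
            "birthdate": "1990-01-01",
        },
    },
}

NOW = datetime(2021, 10, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    request = build_claims_request(DSR_POLICY["required_claims"],
                                   DSR_POLICY["trust_frameworks"],
                                   "Identity check for your data access request")
    print("claims request:", request)
    print("policy result:", evaluate_id_token(SAMPLE_ID_TOKEN_PAYLOAD, DSR_POLICY, NOW) or "accepted")
```

The request side answers question 2: claims the agent does not hold are simply asked for from whichever party acts as the OP. The check side is the concrete form of the "confidence in the claims" in question 1: the relying party never trusts a bare claim, only one whose `verification` element names a framework it recognises and is recent enough for its purpose.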