HIMSIG20081030
Liberty Alliance Project
VPI SIG
Teleconference Meeting Notes
October 30, 2008
1:00pm-2:05pm EDT
Author: Kurt Kolok
Attendance:
Mark Dixon, Sun
Trent Adams, Data Portability Project
Asa Hardcastle, BRM
Kevin O’Neill, ISTPA/Cyva Research
Iain Henderson, Mydex
Dean Landsford, Consultant
Joe Andrieu, Switchbook
Doug Serles, Berkman Center at Harvard
Brett McDowell, Liberty Staff
Joni Brennan, Liberty Staff
Kurt Kolok, Liberty Staff
Agenda:
1) Introductions
2) Review the charter
--Identify & discuss deliverables
--Discuss next steps
3) Possible call schedule/frequency
4) AOB
1) Introductions
What do you hope to get from the SIG?:
Kevin O’Neill: Personal identity information management and exchange/security and privacy aspects (control of processing of that data).
Trent Adams: Concept of volunteering information and accessing it across controls. (look at the distinctions between the two sets of use cases).
Asa Hardcastle: Currently focused on developing ID-WSF Java for Liberty and interested in applying ID-WSF to the VPI ideals.
Joni Brennan: Interested to see where we can go with this group and focused on supporting the group, driving actions and coordinating calls/tools as necessary.
Brett McDowell: From a Liberty Alliance Project point of view we are happy to be hosting this group. There is an FT article that will be circulated to the list which gives some high level perspective. Interested in creating a program around protecting personal identity information. Much of what Liberty has done in other groups is applicable for this group and it would be beneficial to make some introductions and make sure the right people are involved. This work is applicable to the ID-Governance framework activity.
Mark Dixon: Affiliated with a project that is involved with exposing subsets of one’s identity information for the configuration of physical devices and interactions of others.
Doug Serles: Responsible for running a VRM project at the Berkman Center at Harvard University and central contributor to the thinking and organization of VRM in various places. Interested in supporting this VPI group/activity. Selective disclosure is essential to what we are trying to do with VRM (putting customers in charge of their relationships and initiating relationships). It is essential to equip participants in the marketplace (independence is a central element).
Dean Landsford: Involved with VRM, VPI starts the equivalent of grass roots for people to volunteer and own their information and control it without being a vendor.
2) Review the charter
--Identify & discuss deliverables
--Discuss Next Steps
We will work on white papers, use cases, and proofs of concept so people will have something to look at. Some specific prototype code may be part of our focus.
Description of Liberty working method (Brett McDowell): The SIG is given a mail list and wiki which are public; anyone can join since there is no IP being contributed by anyone. Expert Groups are put together to create solutions based on intellectual property of members. We should take advantage of the wiki and build use cases, white papers, etc… Membership agreement points out the overall processes associated with the SIGs. We may decide at some point to create an Expert Group within Liberty to develop deliverables for Liberty publication. The wiki is the most efficient source of communication, but there is nothing against distributing documents via email.
Summarization of goals:
--Develop the wiki as a useful resource
--Build use cases
--Create white papers
--We may want to look at developing a Roadmap laying out the features, functionality, requirements, capabilities, and possible evolution of the VPI SIG. The expectation re: a Roadmap is that it will take a VPI performance program to market and may include other works such as IAF and others (projects/elements/attributes of VPI). We will not reinvent things that have been done before.
Kevin O’Neill: There are key aspects of mapping legislative/regulatory requirements to features or functions. That problem domain is ‘how do you link to existing regulatory management?’. OPEN SI Stack is a reference model used to define functionality. It is not forcing vendors to come up with specific implementations. ID Management book—FAM website: diagrams, stacks, how do you manipulate notification services? A requirement is needed to notify the consumer before you do collection. What are all the requirements to make consumers comfortable and give them the control they need? There are many policy debates re: what is control (what about post processing?, etc…).
Iain Henderson: We have fundamental problems to address in that organizations (private or public) have structural imperatives that make them wish to do more with personal information than the individual would have them do, not knowing what is going on. VPI is about building counter-balancing capabilities on the side of the individual, but doing so in ways which give organizations huge incentives to comply.
In previous work Iain, with input from Privacy Lawyers and Information Security experts, has developed an assessment mechanism that is a) rooted in the best of privacy legislation, b) enhanced with VRM thinking, and c) runs the assessment mechanism from the perspective of an individual being asked to share personal data with an organization. This amounts to 12 questions, with 5 point scales, compliance/help text and a weighting/scoring mechanism that are offered to the VPI group as an input/platform on which to build.
The 12 questions an individual would ask of each of their supplier organizations (or have asked on their behalf) are as below. Eight (8) are lifted from European privacy legislation and four (4) come from a VRM perspective:
1. How would you describe the overall approach your organisation takes to managing personal information?
2. What safeguards does your organisation have in place around the collection of personal information?
3. Does the organisation have processes and controls in place to ensure that my personal information is used only for the purposes I have agreed to in providing it to you?
4. To what extent does the organisation deploy the principle of retaining the minimum information to support the use being made of it?
5. How does your organisation ensure that the accuracy of my personal information is maintained?
6. Does the organisation have a comprehensive, accessible policy around how long it retains personal information, and how it disposes of it on completion of use?
7. How does the organisation approach the principle that I should be able to access the personal information stored on me?
8. How does the organisation ensure the security of my personal information when it is in their hands?
9. How does your organisation ensure the security and integrity of personal data when you share it with your suppliers, partners and other third parties?
10. How does your organisation enable me to understand the risks that exist around your management of my personal information, where liabilities lie and what remedies will be brought to bear in the event of a data breach?
11. Does the organisation have a process in place to proactively contact me if an information breach occurs that exposes personal information about me to risk?
12. To what extent does the organisation enable me to access/download/utilise the information within your systems to add value to me?
Post meeting input from Iain – I have added an example of this assessment mechanism in practice in an appendix to the minutes.
Questions on the above:
What about security or assurance when you do share the information? You want to give the user access to the information you have on them (they have a right to see the data the organization has on them). The other security things do not address security and assurance re: who my information is being shared with (apply Best Practices).
Context recovery: How does context drive sharing of information and what are the consequences re: sharing across many organizations that have different mechanisms and policies? Once consumers fill out the form there is currently very little transparency. We should explain circumstances where an organization assigns individual terms and conditions (the current solution does not work well).
What exactly does control mean? How do I know there has been a violation if there is no transparency? We need to work on that. If we set the bar, there will be competitive advantage for organizations to apply our solution.
Standards grid: There will be a lot of overlap. Iain is pointing out a deeper and more focused perspective in determining a solution. We are using the same nomenclature. There is a vast amount of guess work in CRM.
Are you including some sort of standard in attributes? If there are existing standards in use by the companies being profiled in the standards grid then they will be included as they are deemed relevant to parts of the specifications the group is following/tracking.
Have you named particular policy languages? No, it is still in the very early stage of building out infrastructure for specification compliance at a high level.
Brett: It would be beneficial to get people knowledgeable in IGF to participate in this group as well as those involved in IAF. We need to make sure we are cross-pollinating effectively.
Has that group created a specification for policy language? Yes…the IGF MRD has been published. The requirements are documented and Asa is working to build out ID-WSF and there is another group building up IGF. There are three components of IGF: one piece published as a draft specification, a second piece has not yet been released as public draft and the third piece (IGF Privacy Constraints Specification) has been published along with a CARML profile of IGF privacy constraints.
Action 20081030-01: Joni will forward the links for the IGF published documents to the mail list and the wiki.
3) Possible call schedule and frequency:
We will run a call every two weeks. We will begin discussing use cases we can begin mapping out on our next call. We should take Iain’s 12 item requirements list and circulate it to other EGs/SIGs in order to begin collecting top solutions to help people reach level 5 in some instances. We should consider sending the teleconference invitation to a variety of other groups.
Action 20081030-02: Kurt will check into why the local number from Scotland did not seem to work.
4) AOB
None.
Meeting Adjourned

