Meeting Date

28 Nov

The DMRWG meets bi-weekly on Tuesdays at 12:00-13:00 PT / 16:00-17:00 UTC. Check the ToIP Calendar for meeting dates.

Zoom Meeting Link / Recording

Attendees

...

  • Travel planning is online first. In 2023, each travel service typically collects a traveller's profile (requirements and preferences) through a direct ask or via incremental collection via pages and questionnaires shaped by the travel, accommodation and "things to do" context. While nominally being asked (consent) to share personal information, in practice, services are over-gathering personal information, clarifying what information is necessary to provide the service vs. collecting information to benefit the service for targeted marketing and other purposes.
  • The current Travel Profile is quite a large model (see model diagram, below) containing PII/Sensitive data far beyond most examples of PII, and is designed to capture requirements and preferences in many different contexts. It needs some work for formal modeling as objects and database schema, plus notes on how the model can safely be extended.
  • How does this data model mesh with SSI, Verifiable Data, and Privacy, including across jurisdictions?
  • What are all the interaction models (workflows) and their impact on consent, selective disclosure, "intent" broadcasting?
  • What are the mechanisms for collection (direct ask and observed behavior) in different contexts, and who stores and controls that data?
    • Given that travel organizations are being faced with GDPR, for which holding onto personal data is becoming a liability, particularly for breaches, what does a future mechanism look like (traveler controlled, on-demand selective disclosure to services, very limited lifetime service data retention) and what are the prospects for a smooth transition?

...

Time | Agenda Item | Lead | Notes
5 min
  • Start recording
  • Welcome & antitrust notice
  • Introduction of new members
  • Agenda review
Chairs
  • Antitrust Policy Notice: Attendees are reminded to adhere to the meeting agenda and not participate in activities prohibited under antitrust and competition laws. Only members of ToIP who have signed the necessary agreements are permitted to participate in this activity beyond an observer role.
55 mins | Topics (see above) | All

IIW Session Summaries

  • Selective Disclosure - allows users to express what data they wish to disclose for a particular purpose, but as so much of your personal data is already disclosed and being shared by online services, it is of questionable use in ensuring either Data Privacy or Confidentiality.
  • Anonymization of personal data - is also highly questionable as current and coming correlation and related algorithms can still identify you with a sufficient variety of anonymized records about you. Cited example (academic paper) - correlating hand/head movement with PII can be very accurate.
  • Consent - legally valid consent requires demonstrable understanding by the user of what they agree to and the potential harms. That "bar" cannot be met by an individual consenting, alone on their smartphone or laptop.
  • Data lifetimes - current practice is PII/Personal data are retained by services. This is counter to data privacy and, in 2023+, unnecessary as the data can be re-requested from the user (or from secure storage under their control). Organizations (Google) have expressed that risks are increasing (breach, etc.) of retaining personal data after initial use.  

DIF, ToIP WG and TFs Data issues

  • Consent/Privacy - A new proposal based on IIW discussions on a change of strategy for ensuring confidentiality and online safety for users is in development, through requiring much higher transparency on personal data processing by services and 3rd party (human/AI) assistance to ensure legally valid user consent.
  • DIF Hospitality and Travel SIG. ToIP Attraction Pass
    • Data Schema for a common Traveler Profile - a comprehensive, largely self-attested list of a person's characteristics, health, religious, dietary needs and other factors, plus travel and accommodation preferences. It is proposed as a new standard for the travel industry.
      • Recognizes that people have different profiles, such as business travel, solo vs. family travel, etc.
    • Dealing with groups of travelers (an extension of the Guardianship work at Sovrin)
    • Applying SSI trust chains to customer and service provider relationships for Attraction ticket sales and redemption. 
    • Personal Data Collection by Services - example: stated vs actual preferences. Travel services collect a large amount of data, including all the details of your itinerary plans and how they unfolded on your trip, including spending patterns and what you selected or did vs your stated preferences. This is both a privacy problem and a large opportunity for both travelers and services to improve both privacy and traveler satisfaction. 
    • Working use cases of trust for concert ticket attractions including the secure selling, reselling and redemption of passes/tickets
  • Tracking what is going on with Data and Privacy legislation and regulation in North America and the EU.
  • Related work on Data Agreements with ISO 27000 (IT security), including 27001, 27701 (privacy information management), and 27560 consent receipt (work by Mark Lizar and Jan Lindquist, who are ToIP members)
    • Strengths and weaknesses of current data sharing agreements and consent
  • The impact of jurisdictions and their specific legislation on SSI, consent, data privacy, etc.
  • Authentic Data and Trust - lineage/provenance of data, how it was produced/collected and how it transformed

Action Items

  • Create a model of the 5W2H transparency model, leveraging and building a model/diagram from the Data Privacy Vocabulary work to handle more specific data and purpose definitions for data sharing consent agreements.
  • Complete the Consent Replacement proposal document.
  • Why Data Agreements are/are not Ricardian Contracts
    • Plus - Ricardian contracts are based on legal contracts, are human and machine-readable, support terms and conditions and are cryptographically digitally signed
    • Minus - are primarily about the exchange of financial value, primarily Bitcoin and/or financial transaction agreements and are Blockchain dependent. They do have issues, are not widely deployed, and the roadmap is uncertain.
5 mins
  • Review decisions/action items
  • Planning for next meeting 
Chairs
50 min | Discussion | All

Background - The proposed Travel Profile TF is currently working on completing a first pass on core information about a traveler, plus looking at how requirements (must have) and preferences (desired options) apply against different travel, hospitality and attractions (things to do) contexts. Investigations have also explored how this model can be extended for more traveler information and additional contexts.

The next stage of the project is to look at this from two perspectives:

  • How the raw data model can be enhanced to support SSI and Data Privacy in general and DIF/ToIP in particular.
  • How interactions (and there are clearly several different depths of data sharing and interactions) work, including doing a first deep dive into what a verifier (in this case a travel service) asks for as required and optional personal information pertinent to a given travel event or travel service.

It is proposed to look at three levels of purpose - intent broadcasting, selective disclosure and consent (these last two are closely coupled). A partial definition of intent broadcasting would be: put out a requirement for travel and accommodation, with sufficient information for a travel provider to be able to offer a "travel package", revealing as little PII as possible. More detailed inquiries and then finalization of travel plans likely require increasing personal information, so consent for that data, precisely how it can be used, and its storage lifetime need to be determined to minimize the risks for both the traveler and the service provider.

Key points from discussion:

To some extent, looking at the travel profile is looking at concrete interactions of a traveler (Holder) on a non-trivial set of their personal data, interacting with a Verifier (travel service) at different levels of depth. An important consideration is ensuring that the Verifier/travel service is asking for a set of data, some of which is mandatory for a service provider to provide an answer or a proposed service, while other data is optional, which the traveller can choose not to provide. This may be tempered by the service offering additional benefits to the traveller if they disclose more information. However, that raises the issue of a traveller understanding the consequences of additional disclosure, including harms. This is a good stress use case for real-life consent.

  • Sankarshan - Intent broadcasting builds on the concepts of Doc Searls (The Intention Economy: When Customers Take Charge)
  • Carly - Preferences (in many cases) can be context dependent - e.g. you are a vegetarian on an airline flight, but you will eat meat in a restaurant
  • Sankarshan - Current practice is travel services over-collect personal information (including information for their benefit vs the traveler) and they keep it. However, with GDPR and similar legislation, travel services are starting to understand that retaining personal information puts them at cybersecurity risk, which increases their cybersecurity operational insurance costs (as much as 50%).
    • The industry may be persuadable to leave storage and disclosure with the traveller, only requesting when required and destroying after a service is completed. The term Zero-Party Data applies.
  • Neil - Service providers will need to be aware of jurisdictional differences as to what constitutes sensitive data, which likely differ across jurisdictions. And as travel frequently crosses two or more jurisdictions, service providers (and travelers) will need guidance as to determining how they will manage PII they are processing. This includes the concept of Blinding Bits. This also raises the concept of having a data schema with overlays for additional metadata, including table/property PII levels and also language translation overlays as can be found in the Overlay Capture Architecture, which is currently being supported by the Human Colossus organization.
    • The Traveler will also benefit from understanding what PII attributes and records are sensitive
  • Carly - Travelers can use preferences to "scam the system". For example, stating a preference for a Halal meal on aircraft merely because they will be served first (special diets served first), not because of their religion or culture.
  • Neil - Travelers will have different sets of preferences depending on, for example: business vs personal and individual vs family vs group preferences across many classes and categories of preferences, so the combination is non-trivial, both to initially specify, but also to maintain.
    • Collection of both requirements and preferences is an iterative process, collected over multiple travel experiences, which continually evolve. The challenge is how to manage this without overwhelming the traveller.
    • The flip side is if this is done correctly, it will provide much higher levels of seamless and enjoyable travel (that meets expectations) that is also simpler for travel services to deliver.
  • Neil - There are stated and observed (by travel providers) preferences. How could that be fed back to the traveler for their benefit? How would they incorporate that into their model? Unknown and possibly very different (on a person-by-person basis). Would that information be stored with the traveler, but accessible by a service provider (with traveler permission/consent)?
    • A person may have stated preferences and requirements, but may make different choices in real-time, including stating they are low-cost driven during travel planning, but actually select upmarket options when traveling.
  • Sankarshan - Consent needs to provide users control over machine learning (and other processing) that exploits your personal data and context for targeted marketing (and worse) - the goal to offer compelling deals you might not consider (and are more than you wanted to spend). This is a much higher level of control than currently available.
  • Neil - In a travel scenario, what data is retained may change frequently. The planning process may include different scenarios where personal information is shared to explore different travel options, many of which may be discarded when plans are finalized. This would suggest that data shared for discarded options is discarded immediately. And information that is used once travel starts may contain additional information (e.g. travel tickets, visas, etc.) which would be discarded as the travel occurs, leaving potentially no operational travel data with any service provider by the end of the trip.
  • Sankarshan - Note - schema.org doesn't remotely have anything resembling a travel profile. There are bits and pieces, but it's interesting that none exists.
  • Intent broadcasting - what are the details? Is there a strategy as to how much (or little) that I, as a traveler, have to provide in order to get bidders on my travel needs?
  • Sankarshan - there is support for Point A to B travel for a date/time range (what options and costs). For example, Expedia providing information on flights on a departure and return date, with cost and time options, which also includes hotels and rental cars.
    • Search for travel is much more specific than for text search. However, service providers over-reach in terms of the data they ask for, which is not
  • Sankarshan - in looking at consent and data sharing we should not be prescriptive. Holders today really have no agency over their data.
  • Neil - this approach would be in line with the Issuer Requirements document, which provides guidance on what an Issuer needs to consider in their requirements, driven by risk assessment. Not "here is what you must do", but "here is what you need to think about/resolve", with suggestions on how this might be achieved
  • Neil - Users are NOT going to be able to understand how to capture and interact with their entire portfolio of travel requirements and preferences. They will need guidance from a combination of humans (travel agents specializing in information disclosure) and automated agents (who capture and recall preferences from similar circumstances). In other words an opportunity for AI assist in managing consent.
    • Legislation/regulation may provide substantial guidance on this process

Recent changes and some thoughts on where ToIP/SSI/DIF/Data Privacy needs to go:

Neil

  • A case in point is that Sam Smith, who built sophisticated selective disclosure into the ACDC model (and his partner Timothy Ruff), were the ones who stood up and said "my baby is ugly, selective disclosure is useless" at Fall 2023 IIW. Which is one of the difficult questions/realizations we need to find a better answer for.
  • The Travel Profile and travel use cases are an excellent real world non-trivial model with which to stress test understanding of the problem and a good test of answers.

Steven - build a profile incrementally, vs overwhelming people with 

Carly - I don't want it to record all of my preferences - I want to only fill in what I need for immediate needs.

Steven - the problem is understanding what are one-time choices that are not an indication of preferences. Is that an algorithm that has a threshold of repeated stated preferences or behavior to identify a potential requirement or preference? This implies sophisticated context-sensitive inference to discover preferences (separate from one-time choices). This suggests offering a traveller what appear to be preferences/requirements.

Sankarshan - should requirements and preferences be VCs (Neil, Carly - no they should be Verifiable/Signed Data) - much simpler approach.

  • Traveller waiving privacy in exchange for "delight" - If a traveler says, No, I grant free access to my behavior and choices, because I want to be delighted, anticipating all my needs and store my data for infinity, then that's hard to resolve against data and retention minimization.
    • The problem is that service provider data breaches in the last two years have been high, which suggests that the data in user's storage with "as needed" access may be a welcome alternative to service providers. 

Neil - what if the processing of your travel choices is performed by your personal agent vs a service provider? It may not be on your computing devices, but it is done through services you pay for and control.

Sankarshan - if it is my data, I want to hold it myself (or with a service I control)

Carly - the problem is the many data-privacy-agnostic people (who will consent to free access to their data in exchange for "free" benefits). However, regulation may get to the point where penalties are painful enough for service providers that they can no longer offer that due to liability-related risk/loss considerations.

Sankarshan - what we are discussing is going to upend existing economic models (especially as it intersects regulation)

Users who in the past have not cared about data privacy/agency are likely going to be very afraid of actually owning and managing their data.

Does the technology + governance exist at this point, even within the next two years that is going to be real, regardless of what has been happening in Aruba, which is only a very thin slice of this experience

5 min | Plans for 2024 | All
  • Sankarshan - Challenges across ToIP/DIF: there are hard questions that are being discussed, but which we can't answer yet. We have a general idea of the landscape, but it's not mature enough.
  • Sankarshan - DIF/ToIP need wider participation and new participants. ToIP and DIF meetings have trended over time to be handfuls of people (Trust Registries, KERI/ACDC and Trust Spanning layer are in the range of 20, others 5 - 10), and the number of new members has dropped off substantially.
    • We do a write up for ToIP blog which presents these difficult questions and point to the groups who are working to resolve them (e.g. Hospitality/Travel, Attraction Pass, etc.). And make it easy for existing and new members to get involved.

Need better communication (more blog posts/articles)





Screenshots/Diagrams (numbered for reference in notes above)

#1 An older image of the traveler profile model


Decisions

  • Sample Decision Item

...