2022-05-05 HXWG Meeting

16:00 UTC = 9:00 PT = 12:00 ET = 18:00 CEST = 21:30 IST
Zoom Meeting Link: https://zoom.us/j/99429712733?pwd=K214bTM4cG54YzZYVnZCL1I5MEdQQT09

Meeting Recording

Main Goal of this meeting: Expert Series 3.

Attendees: Nicky Hickman, Former user (Deleted), Phil Wolff, Andrew Slack, Rebekah Skeete, Xengie Doan, Arianna Rossi, Burak Serdar, Anita Rao, Iain Agnew, Judith Fleenor, Ifeoma Iilobodo.


Time | Item | Lead | Notes
2 mins
  • Welcome & antitrust notice

  • Agenda review
Andrew 
  • Antitrust Policy Notice: Attendees are reminded to adhere to the meeting agenda and not participate in activities prohibited under antitrust and competition laws. Only members of ToIP who have signed the necessary agreements are permitted to participate in this activity beyond an observer role.

  • Consent to meeting recording?
8 mins | Intros & Updates | Andrew

Jan Lindquist - from Privacy & Risk TF, Co-editor of 27560 ISO Standard on consent & receipts

Iain Agnew - NatWest Group, Head of Marketing Preference Strategy - How do we capture consents for data capture & processing.

Anita Rao - W3C & ToIP member, very interested in how this impacts experiences

Rebekah Skeete - new to ToIP from Schellman, Information Security Analyst for Schellman

Burak Serdar - Co-Founder of Cloud Privacy Labs, work involves consent mgt

Phil Wolff - Consultant at Wider Team, participant in ToIP Harms TF, HXWG and EFWG, also at DIF and Sovrin and some IEEE groups

Andrew Slack - Design Strategist at SICPA working with digital ID and digital currencies, consent mgt is a large part of role

40 mins

 “How Might we Design Consent Experiences for Data Sharing?” 

Dr Arianna Rossi & Xengie Doan

Summary:

The complex ecosystem where manifold transactions can be automatically enabled by smart contracts contributes, at least in principle, to establishing greater transparency about data use towards the many parties involved. However, the mere fact of building such a verifiable and traceable architecture does not automatically translate into understandable communications, easily applicable instructions and smooth transactions for human beings. For instance, informed consent is hindered by the complex mix of legal, medical and technical information through which participants need to orient themselves when they make decisions about data sharing permissions. In data-driven environments, the way options are designed and presented can stimulate privacy-preserving practices or, on the contrary, unwanted data disclosure. This talk will address some challenges and discuss possible solutions currently being experimented with in consent design.

Speakers

Arianna Rossi is an associate researcher at the Interdisciplinary Center for Security, Reliability and Trust (SnT) of the University of Luxembourg. She carries out research at the intersection between design, computer science, law, and linguistics concerning online manipulation, usable privacy and legal design. Arianna has a mixed background, with a joint international Doctoral Degree in Law, Science and Technology (University of Bologna) and a Ph.D. degree in Computer Science (University of Luxembourg). She holds an M.Sc. in Linguistics with a focus on Natural Language Processing. She has been an invited speaker at international conferences in the EU and US and she routinely gives seminars about law, design and technology to academic students and practitioners.
She also organizes events to promote an open culture for law and technology with the Luxembourg chapter of the global grassroots movement Legal Hackers.

Xengie Doan received a Master’s in Bioinformatics from the University of Oregon and a Bachelor’s in Biology from Willamette University where their interest in collaborative research began. Prior to joining the Interdisciplinary Centre for Security, Reliability and Trust (SnT) at the University of Luxembourg, they worked as a bioinformatician at the Stowers Institute for Medical Research and at Sage Bionetworks in the US. Their PhD topic is part of Legality-Attentive Data Scientists (LeADS), an EU-funded project, with the IRISC lab researching transparent, secure, and private user-centered eHealth data sharing for the EU.

Notes and Discussion

Applied and original research with partnerships with industry

Unique and new (2 years) focused on socio-technical systems 


Transparency mentioned by many but very often limited in different ways - can mean many things 

Still dealing with lots of complexity and not fit for the intended audience, some innovation recently introduced by GDPR, some examples of how to enhance transparency

1st layer of a 2-layered privacy policy which was developed in our group. Licensed under Creative Commons.

Completely different needs and abilities - e.g. this was co-designed with kids

Also been working on design patterns e.g. Timelines.

This example refers to the withdrawal of consent.


Time matters!!!  Everything up-front, but shouldn't be only time, look at different dimensions of presenting consents

E.g. contextual permissions in mobile apps



How can we proactively make sure that people know how their data is used?  

 This in healthcare for clinical trials - INFORMED Consent


Consent as a process not a single event, enable user to change preferences over time




Some caveats but many benefits


There should be 3 layers of licensing had same process for developing 

By formalising the GDPR concepts through the computational ontology, combined with co-design workshops for developing icons. Iterative design.

Using legal coding language able to automatize presentation of correct icons (great example of how governance flows through tech to HX)

Other ideas: Privacy Ratings


Current research project






Comic lowest ranking

DISCUSSION

Former user (Deleted) - Just in Time consent presentation - how do you include purpose, finer detail of how data is shared and used?

Very crucial question - relevant information that is concise but still needs to be complete - especially with shrinking screen sizes and attention spans, so layered approach is needed.  Key is understandability - less is more, so use of settings for general preferences then not 

Area of interest in ToIP - how to manage presentation exchanges in holder, issuer, verifier triangle

Many contextual variations, many differences as to what is understanding.  How do you customize enough but can also scale and personalise.

Andrew Slack commented on not over-burdening users: have you looked into gamification to promote engagement in consents? Interesting concept, but you can't oblige people to participate in a game, and second, can you really gamify everything?

Former user (Deleted) commented that standardised icons are useful, but Arianna commented that there are limits, and they should be limited to key concepts. Who certifies that use of icons represents use of the practices?

Concerns re consent overload - how much will folks tolerate? Many layers of consent and complexity - how do we resolve? Another topic: trust does not only require transparency; in fact, sometimes when you are too transparent you get the opposite of trust. E.g. certifications, trust marks, metrics and thresholds that measure trust - calculated.

5 mins | Follow up on actions / decisions from last meeting | Kalin
  • Jim StClair to share use case / case study
  • Phil Wolff to outline potential blog post: "Challenges of human consent at scale"
    • List of challenges: Cognitive limits. Useful fictions and metaphors. Opacity of devices with wallets. Friends-of-Friends-of... consent cascades. Consent on behalf of private enterprises, families, etc. Consent for audiences (different ages, languages, abilities, cultural references). How to communicate threat models, chances, and consequences of each decision in ways that allow for meaningful consent. UX design concerns: timing relative to contexts, user goals, usability, accessibility, visual emphasis, semiotics. Avoiding dark patterns. 
    • Applying the list to the ToIP stack, to product design, to research agendas.
  • Nicky Hickman to add HX Terms Wiki
  • Kalin to map stakeholders and steps in decision making to achieve goals using Alice Faber ACME use case, then we can map decisions against it. 
  • Kalin to see if Dan Gisolfi will join us for first implementer interview. Also potential reach out to Darrell O'Donnell, Riley Hughes and Karl Kneis
5 mins | A.O.B. | Kalin

New Actions
  • Nicky to send ToIP membership links to Arianna & Xengie