2022-03-24 Human Experience WG Meeting

Time

Item

Lead

Notes

5 min

• Welcome & antitrust notice

• Agenda review

Kalin

• Antitrust Policy Notice: Attendees are reminded to adhere to the meeting agenda and not participate in activities prohibited under antitrust and competition laws. Only members of ToIP who have signed the necessary agreements are permitted to participate in this activity beyond an observer role.

10 mins

Introduction of new members & Updates

All

@Mark Lizar- Working on field of Notice & Consent for a long time, and couple of projects - specification of notice & consent standards & data governance for that.  Privacy as Expected, EU-funded project uses notice / receipts for privacy as expected signals over time to remove need for reading privacy policies.  Based in Canada close to Toronto.

Forthcoming Expert Series:

May 19th   AGENCY Project: Reducing complex online harms using user-centred tech and governance - title TBC

Dr Karen Elliot (Associate Professor & Senior Lecturer in Enterprise/Innovation (FinTech)) & Professor Aad van Moorsel (Professor of Distributed Systems) both from Newcastle University (UK).

2nd June :    “How Might we Design Consent Experiences for Data Sharing?” 

Dr Arianna Rossi  & Xengie Doan both from the Interdisciplinary Center for Security, Reliability and Trust (SnT) at the University of Luxembourg

@Judith Fleenor (Deactivated)see template for posting linked in events in Comms Committee G-Drive 

10min

Follow up on Actions & Decisions from the last meeting

Kalin

Where developing outside the G-Drive (not for specifications), then make sure you include a short-cut in the ToIP members only share drive so that members can easily find it.

20 mins

Deliverables

Nicky

• Video update - Nicky is purchasing the video content and donating to ToIP

  • Comms Committee: can't funnel funds through ToIP as directed funding, be cautious 

  • Brief can serve when we find alternative provider who can support within the $1k budget

• Informed Consent (Jim St Clair) potential link with Notice & Consent TF from ISWG

  • Focused on extending a notice record to controller credential - aim is to embed transparency & compliance information into a credential 

  • Evolved from Identity Commons, to Kantara to ISO - designed for anyone to be able to take a record of a notice and then assess that and see who controls your data, part of trust building.

  • Can generate a receipt every time you use a service and check against last time you used the service and then compare the quality of data controler-ship

  • How can this work in ToIP?  Have doc, 'controller credential' - notice credential (privacy, AI, Health & Safety) - controller type included in the credential schema, identifies the scope of provenance, legal mandate, accountability and traceability baked into the credential, regulated credential.  Knowing who is the controller of personal data, public policy infrastructure law rather than contract law.  Put operational privacy policies into tech so that his scales through the supply line.

  • 2 factor notice - generates a record and receipt - improve UX by reducing friction.

  • Liability transference and tracking, signals support human decision-making - operational privacy is measured using KPI.

  • Access in context to privacy rights - can audit on the basis of these KPI's measuring operational privacy - can benchmark

• Defining terms related to trust, trustworthiness vs assurance, consent vs permission. Human meaning vs Computer meaning

• @Phil WolffConsent scales far beyond any human capacity to deal, thousands per day, per hour, per minute. So we turn to agents, bots that act on our behalf. /1 How do we learn to trust our consent bots? There's an engineering view, doing their job well. But even if it runs perfectly, how do you know that this particular bot is trustworthy? /2 We need user research to inform #uxdesign for consent agents. To understand how to present and navigate consent space. To learn the flavors and boundaries of cognitive burden that interactions must fit in. To learn what agency feels like, vs overwhelm. /3 We also need #userresearch about how people understand a bot's contexts. Its legal power, jurisdictions, and its legal limits. It's ownership. How it is governed. How it chooses consent actions, and why. When to distrust your bot. What to do about it. /4 As data protection laws craft roles for trusted "intermediaries", as personal data holders aspire to fiduciary status, we need HX for these new relationships. /5

• @Jim StClairproblems in healthcare - consent fatigue, education levels, instructional aids, & tools, cognitive bots, who watches the watchers

• @Mark Lizaraim is to standardise those mechanisms of consent and condense or simplify them.   Micro-credentials that are effectively 'consent tokens' - semantically enforceable, and machine readable, proof of knowledge also needed.

• Blog post on research agenda - what do we know / what don't we know.

• @Jim StClairhas a use case he can share

• Not covered

  • Scenario-building (Andrew & Bentley)

  • Review the deliverables document (Andrew)

5

Wrap-up / Action Items