Re: Consent

From: Adam Shostack <adam@zeroknowledge.com>
Date: Wed Aug 22 2001 - 14:57:48 EDT

On Mon, Aug 20, 2001 at 02:07:56PM -0500, James M. Polk wrote:
>
> Adam
>
> I'm glad someone brought this up as a starting point for discussion....
> comments below
>
> At 02:46 PM 8/20/2001 -0400, Adam Shostack wrote:
> >I'm finding myself asking a lot of questions about what people mean by
> >phrases they use including the word "consent."
> >
> >May I suggest that we use the following terminology:
> >
> >Consentual-disclosure: The end-user has chosen to reveal
> >information. This choice is freely given, not mandated or required.
>
> But is this given explicitly or implicitly (and yes I've read below)? Is
> everyone defaulted to be allowed or not-allowed to discover location of
> another. What about in letting others discover my location?

I think there are two issues, one of which is how we reach a consent
decision, and then second, what we do with it. This set of ideas was
(implicitly) designed for signalling what form of consent is being
asked for or assumed.

My location is personally identifiable information in which I have a
strong privacy interest. Under the Fair Information Practices, I need
to have notice and consent if that information is given to others.
There are exceptions, such as for law enforcement or 911, which is why
there's the mandated-disclosure category.

If we can agree that these are useful categories, we can start to
decide how to put things into categories and use them.

I think that in Europe, Canada, Australia, and other places where data
protection laws apply to private firms, the default would need to be
that your consent is required before the disclosure of information to
friends, family, or companies that want to see it.

> >Mandated-disclosure: There is a legal requirement to reveal
> >information.
>
> again, explicitly or implicitly?

I'm not sure I understand your question. How can a law imply that you
must do something? Don't laws need to be explicit?

If you're asking in the context of a protocol, then I think that the
fact that a disclosure is mandated by law should accompany
- the demand for data (if the end user device is involved in the
request, the user preference software can't ignore it. There are also
authorization requirements, otherwise I'll just tag all my packets
with a mandatory bit)

- the data as it goes elsewhere. The fact that it was demanded
probably places limits on how it can be used and revealed onwards.
For example, while there are a set of uses for E911 data that have
been listed, the fact that I dialed 911 should not mean that the
service provider can now reveal my location to Starbucks.

Adam

> >Needed-disclosure: There is a requirement to reveal the
> >information in order to make the service work. For example, if I call
> >1-800-find-gas to get the nearest gas station, I may expect that my
> >location will be transmitted.
> >
> >Explicit-consent-action: The user performs a GUI action to reveal or
> >conceal information at the time of the request
> >
> >Default-consent-action: The user has set a preference for some
> >recipient, class of recipient, etc.
> >
> >Adam
>
> *************************************
> "People generally demand more respect for their own rights than they are
> willing to allow for others"
>
> James M. Polk
> Consulting Engineer
> Office of the CTO
>
> Cisco Systems
> 18581 N. Dallas Parkway
> Dallas, Texas 75287
> w) 972.813.5208
> f) 972.813.5280
> www.cisco.com

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
Received on Wed Aug 22 14:58:13 2001
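
The handling described in the message above, as an added example that is not part of the original post or of any protocol discussed on the list: a mandated demand is honoured only when it is authenticated, and every disclosure carries its basis and purpose limits onward. The names `Basis`, `Request`, `Disclosure`, `decide`, `may_forward` and the HMAC-based authorization are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum

class Basis(Enum):  # disclosure categories named in the thread
    CONSENSUAL = "consentual-disclosure"
    MANDATED = "mandated-disclosure"
    NEEDED = "needed-disclosure"

# Constructed demo key: stands in for whatever proves legal authority (assumption).
AUTHORITY_KEY = b"constructed-demo-key"

@dataclass(frozen=True)
class Request:
    requester: str
    basis: Basis
    purpose: str
    auth_tag: bytes = b""  # only meaningful for MANDATED requests

@dataclass(frozen=True)
class Disclosure:
    location: str
    basis: Basis                 # travels with the data as it goes elsewhere
    allowed_purposes: frozenset  # limits onward use and revelation

def sign_mandate(requester, purpose, key=AUTHORITY_KEY):
    """Tag an authority would attach to a mandated demand (hypothetical scheme)."""
    return hmac.new(key, f"{requester}|{purpose}".encode(), hashlib.sha256).digest()

def decide(req, location, prefs, explicit=None):
    """Return a Disclosure, or None when nothing may be revealed."""
    if req.basis is Basis.MANDATED:
        # An unauthenticated "mandatory bit" must not override the user.
        expected = sign_mandate(req.requester, req.purpose)
        if not hmac.compare_digest(expected, req.auth_tag):
            return None
        return Disclosure(location, req.basis, frozenset({req.purpose}))
    # Assumption: an explicit-consent-action made now beats the stored default
    # preference; with neither present, the default is no disclosure.
    consent = explicit if explicit is not None else prefs.get(req.requester, False)
    if not consent:
        return None
    return Disclosure(location, req.basis, frozenset({req.purpose}))

def may_forward(disclosure, purpose):
    """Onward use is limited to the purpose the data was released for."""
    return purpose in disclosure.allowed_purposes
```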
