Privacy-as-Expected: Consent Gateway

Motivation

The issues with Privacy and Consent on the websites are well-known at this point. The balance of power is skewed in favour of actors that abuse the status-quo and use malpractices to obtain consent or pretend that they do so. The user in all this is powerless to accept the conditions as they are, with no option to prove or demonstrate the abuse of their right to privacy. Even though revent legislations such as the GDPR aim to solve this, the problems are taking time being resolved due to the difficulties of investigating compliance at web-scale.

PaE:CG Project

To resolve this, the Privacy-as-Expected: Consent Gateway (PaE:CG) project will develop, implement, and trial a solution in the form of 'Consent architecture and system'. The crux of the project's work rests on the principle of accountability regarding the 'claim' of consent. To that end, it will assist in answering the following questions:

1. How can the website demonstrate it has collected valid consent?
2. How can the individual demonstrate that they did not give consent or that they refused consent?
3. How can a 'snapshot' of the consent interaction be captured in a manner that can be used as 'proof' in a legal compliance investigation?

To achieve this, we will use the concept of 'Consent Receipt' that will provide the individual and/or websites with a 'receipt' of the 'consent transaction'. Where websites do not support the provision of a receipt, we use an external 'claims notary' called 'Consent Gateway' that will act to validate the receipts for the individual. The aims for doing this are:

• protect Users and Organisations against abuse from Organisations while generating a fair and actionable expectation of Privacy
• dramatically improve usability of online services by creating express trust and removing the vast majority of notices and online permission prompts
• create an infrastructure that dramatically helps Regulators to monitor Privacy abuses and action accountability while engaging the whole ecosystem (People, Communities, Organisations, Institutions, Civil Entities, Regulators)
• create efficient and inexpensive means for Organisations and Institutions to trivially demonstrate Regulatory Compliance with Transparency requirements
• bring transparency and clarifies the operational roles and duties of the Privacy ecosystem and fosters participation of civil entities in a system which is envisioned to self monitor and nearly independent of any central point or government agencies, unless strictly needed

Outcomes of the Project

1. consent record specification: to represent the information involved in a consent transaction
2. browser extension: to manage the provision of receipts in the individual's web browser
3. a server component: to assist websites in providing receipts
4. a Consent Gateway: to act as an external 'claims notary' in signing receipts

The 'consent record specification' will be an update to the existing 'Consent Receipt' specification published by Kantara and used by ISO/IEC 27560 (proposed) in its standardisation effort. We plan to contribute our work to these groups as feedback for progressing the state of standardisation.

Committment to Open Accessibility

All the resources we develop in the project, both in terms of documentation as well as code, will be published in a public repository (GitHub) under an open and permissible license so as to encourage its adoption in a free and transparent manner.

Partners involved in the Project

The PaE:CG project is a collaboration between the three partners:

• Trinity College Dublin, Ireland
• Open Consent Ltd, United Kingdom
• Birmingham City University, United Kingdom

Funding Acknowledgements

The Privacy-as-Expected: Consent Gateway project has been funded under the European Union's Horizon 2020 research and innovation programme under NGI TRUST Grant#825618. The work performed at Trinity College Dublin involves the ADAPT SFI Centre for Digital Media Technology, which is funded by Science Foundation Ireland through the SFI Research Centres Programme and is co-funded under the European Regional Development Fund (ERDF) through Grant #13/RC/2106.