This document details the feasibility of utilizing and extending the existing ISO 24751 (AccessForAll) standard as a mechanism that ultimately empowers consumers to determine and assert personal privacy preferences when negotiating or interacting with personal data collecting applications and services. The intent is to create an instrument to reclaim more granular control of personal data than current service agreements and privacy terms provide, especially for individuals vulnerable to the abuse of personal data.
Activities to determine the feasibility of this endeavour have been carried out as part of a one-year project supported by the Office of the Privacy Commissioner’s Contributions Program called Understanding, Discovering and Asserting Personal Privacy Preferences; these activities are detailed below in Section 2.
In addition to the completed activities, Section 3 of the report details a plan for the development of the draft standard to an international standard that can be referenced and complied with to effectively determine and assert personal preferences for privacy of personal data. An assessment of feasibility must respond to two specific questions:
- Can the existing ISO 24751 standard be extended to act as an effective means for introducing a standardized method of determining and asserting consumer personal privacy preferences?
- Can the newly extended standard be leveraged to require that product and service providers that collect personal data attend to the privacy preferences of consumers?
This document provides a discussion of these questions.
An international standard for asserting personal privacy preferences could be an important instrument to reference in policies and regulations intended to protect individuals from the misuse of private information. Standards allow the global creation of interoperable systems and reduce the cost of inclusion. They provide the technical details required to build systems that enable the reuse of standard-conforming technologies. At the same time, standards development requires a long-range and abstract view of the problem space being addressed, since the usefulness and longevity of a standard is determined by its ability to accommodate the specific needs of today along with future possibilities. Creating an international standard is a consensus-based activity and is best done with a diversity of perspectives. Ideally, standards development will include real-world implementations of the prospective standard, which provide an opportunity to refine the normative language based on feedback from the people using it. This will ensure that the standard is both useful and feasible to implement. The success of a standard, however, lies not just in its development but also in the will to implement and follow it. These aspects are discussed more fully in the remainder of this document.
Background to ISO 24751 (AccessForAll) Standard
The ISO 24751 standard, also referred to as AccessForAll, is an international standard that addresses the requirements of individuals who are not served by resources or services designed for the typical or average user or consumer. When fully implemented, the standard enables individuals to set their preferences for viewing and utilizing digital interfaces by creating a portable needs and preferences file. This file supports an automatic response in any interface, service or transaction device encountered. For example, someone who requires large, high contrast print in Spanish can make these preferences appear in compliant bank machines, ticket kiosks, multi-user workstations and Web portals. The encoded portable preferences file can be transported on a smart card, NFC device, USB stick or kept in the cloud. This user-controlled approach for setting and using preferences is a plausible model for management of access to personal information. The ISO 24751 standard and the associated tools and services implementing the standard could be leveraged to discover, assert, match and evaluate personal privacy and identity management preferences.
Relating ISO 24751 to Privacy Preference Setting
The ability to provide consumers with mechanisms that give them greater control over the use and exchange of their personal information, and tools that allow them to make informed choices, requires implementation and compliance to the standard from a complex set of stakeholders. ISO 24751 has already made significant progress in this area. The AccessForAll effort has garnered the collaboration of many of the stakeholders and private sector entities who would need to be engaged in a privacy standard, since they require consumers to provide personal information (e.g.: application developers, telecommunications companies, banks, ecommerce platforms, etc.).
This existing stakeholder engagement makes ISO 24751 an excellent fit for a new privacy protection standard which will be introduced as a New Work Item and Committee Draft. The ISO 24751 committee has the task of carefully weighing each detail of the proposed work item to determine if it:
- will address the full range of current requirements,
- will be extensible enough to hold up to change over time,
- can be implemented in the real world.
Standards review is a slow process and involves many political and technical interests. It can take 3-5 years to find the correct balance of implementation detail with sufficient flexibility to encompass new uses of the standard and to find compromises that address the concerns of the diversity of stakeholders and national bodies. This negotiation involves finding a compromise between specificity and flexibility. Flexibility helps to ensure that the standard will be able to grow in response to societal and technical flux.
Work Completed to Query and Demonstrate Feasibility
The main goal of this project is to provide individualized privacy protection for people most vulnerable to the misuse of private information. This task includes envisioning possible privacy preferences, strategies for setting them, approaches for respecting privacy, and standardization. Table 1 below outlines the tasks that have been carried out within the project to move this goal forward. To achieve real world change in the space of individualized privacy, work must continue beyond the scope of this project. Figure 2 below provides a suggested plan and timeline to complete this goal beyond the close of the project. Each step is described in more detail in the sections that follow.
The project explored consumer concepts related to personal digital privacy, including ways to communicate privacy-related issues and ways to allow more individual control over personal information. Common themes in existing privacy preferences research were identified by working with stakeholders, including privacy researchers such as Ann Cavoukian, the former Information and Privacy Commissioner for Ontario. Privacy preferences creation and editing tools were developed using a co-design process that engages end-users and other stakeholders at multiple points in the development process. From this research and tool development, a list of important privacy preferences was developed. This list was used to create a draft standard of privacy preferences. Real-world systems that comply with the standard will be built to enable user testing. Feedback from this user testing will be gathered and used to fine-tune and improve the standard.
| Task |
|---|
| Assess the feasibility of extending ISO 24751 |
| Research existing privacy preferences and tools |
| Co-design privacy preferences creation and editing tools |
| Develop resources about inclusive design and privacy |
| Conduct a risk, security and PIPEDA assessment |
| Derive a preferences standard from existing and new tools |
| Create a JSON binding for the standard |
| Create a New Work Item and Committee Draft for ISO 24751 |

Table 1: Project Task Roadmap
1) Initial Assessment of the Feasibility of Extending ISO 24751
The strategy for achieving the project goals involved creating an extension to the ISO 24751 (AccessForAll) standard that adds privacy related preferences. To determine if this was feasible, it was important to engage a variety of stakeholders including companies who would implement the standard, individuals who would use the resulting software and services and the ISO 24751 committee. As part of this process we worked with stakeholders to envision how this extension could be used and whether it would meet the goal of individualized privacy protection. In addition to this groundwork, we assessed the suitability of extending ISO 24751 and found that it was viable and beneficial to utilize the standard as a mechanism to create an international standard for personalized privacy preferences because it already encompasses the tools and mechanisms for individualized preferences setting and it has buy-in and support from private sector entities that have access to personal information such as banks and e-commerce platforms.
The workflow for co-designing the privacy preferences standard is presented in Figure 1. We began by engaging the inclusive design and privacy design community in brainstorming sessions to determine existing needs and desires in this space. We then organized a series of five co-design sessions with stakeholders, including potential end-users, designers, developers and privacy and security experts. Tools and solutions including designs for privacy preferences setting, a privacy story builder (https://wiki.fluidproject.org/display/fluid/Personal+Privacy+Storybuilder+Prototype) and wireframes reflecting the Personal Information Protection and Electronic Documents Act (PIPEDA) collect, use and disclose levels of privacy were then refined through an iterative co-design process.
Figure 1: Workflow for Co-designing the Privacy Preferences Standard
Figure 1 description
A set of four tasks represented by a sequence of circles in a clockwise pattern. The first task is "Engage Community". The result of that consultation leads to "Co-design solutions", which in turn leads to "Develop Tools/Solutions", then to "Draft/Refine Standard", and finally back to "Engage Community"
The learnings over the course of this project have been incorporated into our existing inclusive design resources. A “Design for Privacy” section was added to our Inclusive Design Guide (https://guide.inclusivedesign.ca/practices/DesignForPrivacy.html) and a new privacy section will be added to the Inclusive Learning Design Handbook (https://docs.google.com/document/d/1rsAzUwbJldU7FAmq9dBajaV2u6JNoaCoLcaoEvm0cu8). These resources describe how protecting users’ personal privacy is an important aspect of inclusive design, and contain concrete suggestions for incorporating privacy into any design.
4) Completion of a Risk, Security and PIPEDA Assessment
Security is of utmost importance when dealing with privacy. Without comprehensive security, there is no possibility of maintaining personal privacy. During the co-design process, a risk and security assessment was conducted three times. This assessment included engaging technical security experts in analyzing the designed tools for possible security issues, while keeping the PIPEDA in mind. Strategies to mitigate risks were formed and explored. The results and strategies from the risk and security assessments (notes on these activities are located on the project wiki) informed the co-design process to ensure that the developed tools will be able to meet the highest standards for security. A separate Privacy Preferences Design: Risk and Security Assessment Report has been submitted as a UDAPP deliverable. Along with a security assessment, the document provides an overview of identified risks to users, organizations and the privacy preferences initiative. Strategies to mitigate these security and privacy risks are suggested.
The initial development of a standard can take many forms. This project used a co-design process to create a standard that meets the privacy needs of individuals and is reasonable to implement by service providers. Existing tools and the tools that were developed through the co-design process in this project were studied and a privacy needs and preferences list was compiled. This list served as the foundation for the preferences standard. These concurrent activities enabled iterative changes in the designs. This process produced a conceptual model of the standard that was then made concrete through the development of the JSON binding.
6) Creation of a JSON Binding for the Standard
7) Creation of a New Work Item and Committee Draft for ISO 24751
In order for the ISO 24751 committee to consider the privacy preferences for standardization, a draft of the proposed standard extension must be created. This process has been carried out using the outputs from the project and with guidance and collaboration from people experienced in the ISO processes. A New Work Item and Committee Draft have been submitted as a separate deliverable to the OPC.
The following steps for implementation of the privacy standard are beyond the scope of the initial project, and outline the next steps, actors, timelines, and technical requirements necessary to achieve the project’s ultimate goal. Table 2 provides a summary of the next steps, which are discussed in more detail in the sections that follow. These next steps require further investment to support the required resources and activities and have dependencies on regulators as well as entities that collect personal data.
| Task | Actors | Requirements | Time estimate |
|---|---|---|---|
| Implement the privacy preferences tools in real-world settings | 1) Development team; 2) Setting collaborators | 1) JSON binding; 2) Implementer, i.e. GPII/APCP | Three months planning and three seven-month design and development cycles |
| User test and refine the privacy preferences tools for specific contexts | 1) Development team; 2) Stakeholder co-designers; 3) Setting collaborators; 4) End users of the system | 1) Tool implementation; 2) Feedback from real-world implementation | Concurrent with implementation design cycles |
| Update the privacy preferences standard | 1) ISO 24751 committee; 2) Standard development team | 1) Iterative designs; 2) Final design | Concurrent with design cycles and one additional year |
| Reference the extended standard in regulations | 1) Data regulators; 2) Data collecting entities | 1) Use of the standard as a regulatory tool; 2) Motivation to implement | |

Table 2: Post-project tasks, actors, requirements and time estimates
The privacy tools that were designed in this project should be built and integrated into existing applications as real-world examples of compliance with the standard. This will both determine the effectiveness of the standard and help to refine the prospective standard prior to final standardization. Using the JSON binding and the designs and wireframes from this project, it is possible to implement the standard and engage service providers to begin integrations into their systems. The implementation stage and the steps that follow it require funding to support the activities of the development team and possibly for the collaborating project, to offset labour costs associated with implementing the standard in their existing system.
Implementation must include a solution for supporting users in negotiating with services in cases where service functionality may be partially or entirely limited by the user’s privacy preferences. In this setting, the system could provide a warning dialogue (with information provided by the service) to inform the user of the essential features of the service that will not be available if their privacy preferences are met. Ideally, the service would provide options to the user, such as alternate features that can be used, or the option to apply a temporary exception to their preferences, allowing the service to access the necessary information only while the service is in use (or while certain features of the service are in use). Part of the negotiation would include ensuring that the user’s personal information will no longer be accessed and/or will be erased upon quitting the service. For example, if a user has declared a general preference for blocking location tracking, and then attempts to use a mapping service that requires location tracking, the user could be given the option to “allow only at this time,” or to “only allow when the service is in use.” Another example might be the case where a service adds new features, or changes ownership and new personal information access is implemented (for example, adding a new feature that requests access to the user’s contacts). Upon opening or logging into the service, the service should re-check the user’s privacy preferences to ensure that they are not violated by the change, and where they are, offer alternatives as described above.
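The negotiation described above, as an added example that is not code from the project and does not follow the actual ISO 24751 JSON binding: the preference document shape, category names and function names are hypothetical. It evaluates a service's declared feature needs against a user's general preferences, offers the two temporary-exception options, clears session exceptions on quit, and re-checks when the service gains a new feature.

```javascript
// Constructed sample preferences (hypothetical shape): location and contacts are
// blocked in general; email may be collected for the service's own use only.
const userPrefs = {
  dataCategories: {
    location: { collect: false },
    contacts: { collect: false },
    email: { collect: true, use: "service-only", disclose: false }
  },
  exceptions: [] // { category, serviceId, scope: "session" | "once", expires }
};

// Constructed service declaration: each feature lists the categories it needs,
// whether it is essential, and an alternative the user can fall back on.
const mapService = {
  id: "example-maps",
  features: [
    { name: "turn-by-turn navigation", requires: ["location"], essential: true,
      alternative: "enter a start address manually" },
    { name: "account login", requires: ["email"], essential: true, alternative: null }
  ]
};

// A category is allowed if the general preference permits it, or if a
// still-valid exception exists for this particular service.
function isAllowed(prefs, category, serviceId, now) {
  const pref = prefs.dataCategories[category];
  if (pref && pref.collect) return true;
  return prefs.exceptions.some(e =>
    e.category === category && e.serviceId === serviceId &&
    (e.scope === "session" || e.expires > now));
}

// Evaluate every declared feature against the preferences. Blocked features
// carry the service-supplied alternative plus the two exception options the
// user may choose instead of changing their general preference.
function negotiate(prefs, service, now) {
  const allowed = [], blocked = [];
  for (const f of service.features) {
    const denied = f.requires.filter(c => !isAllowed(prefs, c, service.id, now));
    if (denied.length === 0) { allowed.push(f.name); continue; }
    blocked.push({ feature: f.name, essential: f.essential, denied,
      alternative: f.alternative, options: ["allow-once", "allow-while-in-use"] });
  }
  return { allowed, blocked };
}

// Record a temporary exception without touching the general preference.
// "once" expires after ttlMs; "session" lasts until endSession() is called.
function grantException(prefs, category, serviceId, scope, now, ttlMs) {
  const exception = { category, serviceId, scope,
    expires: scope === "once" ? now + ttlMs : Infinity };
  return { ...prefs, exceptions: [...prefs.exceptions, exception] };
}

// Quitting the service clears its session exceptions and returns the categories
// the service must stop accessing and erase, as negotiated.
function endSession(prefs, serviceId) {
  const ended = prefs.exceptions.filter(e => e.serviceId === serviceId && e.scope === "session");
  const remaining = prefs.exceptions.filter(e => !ended.includes(e));
  return { prefs: { ...prefs, exceptions: remaining },
           purge: [...new Set(ended.map(e => e.category))] };
}

// A service update that adds a feature is re-negotiated on the next login;
// only the new feature is blocked while everything already permitted still runs.
function withNewFeature(service, feature) {
  return { ...service, features: [...service.features, feature] };
}
```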
A recommended implementation platform is the Global Public Inclusive Infrastructure (GPII), which contains extensive personal preferences setting tools and implements the current ISO 24751 standard. After several years of research and development, the GPII is deploying a major pilot implementation called APCP (Automated Personalization Computing Project). The pilot implementation will take place in American Job Centers in the summer of 2017 and in other settings (libraries, post-secondary institutions) through to 2020. This project is an ideal setting for real-world testing of the draft standard and tools because, in addition to already implementing ISO 24751, it has a focus on ensuring privacy and security for users of the system. Extending the existing user settings preferences control in the GPII to include the privacy preferences standard will leverage the network of GPII integrators, collaborators and users as well as the development team that was responsible for the initial design and implementation of the ISO 24751 standard. The implementation will also provide feedback from actual users which will be used to refine the prospective standard and determine if it is ready for standardization.
2) User Test and Refine the Privacy Preferences Tools for Specific Contexts
The privacy tools that were designed as part of this project are general tools that can be used “out of the box”; however, they were also designed to be adapted to different types of applications and types of transactions. When implementing the standard in a specific application, the designers of the application may want to remove parts of the tools that are not relevant – for example, if the application does not have a cost model there would be no need to consider credit card information. Ideally, the tools will be developed to be openly licensed and reused in applications across different sectors and built with various technologies. A set of openly-licensed privacy user interface components and tools would encourage greater compliance with the standard. These tools can be housed in a repository for ease of use and sharing. Once the tools have been integrated into applications, usability testing should be conducted. Any feedback from the usability testing will be taken back to the community through further co-design sessions and will be used to improve the generalized designs and tools. Sometimes real-world implementations expose issues with a standard, such as missing concepts or parts that are impossible to implement. If this is discovered, an amendment to the standard will be proposed.
3) Update the Privacy Preferences Standard
Implementation, integration and user testing of the privacy preferences tools that were designed in this project will have many benefits. It will jump start the use of the proposed standard, produce reusable tools to enable easier compliance with the standard, and find any areas where the standard could be improved. The implementations should happen during the committee stage of the ISO process, allowing amendments to be discussed and integrated into the standard prior to final standardization.
4) Reference the Extended Standard in Regulations
The newly extended international standard can be referenced in privacy regulations as a way to vest greater control of private information with the consumer and to counteract the convention of a binary choice within privacy agreements (i.e., agree to all terms regarding your private information or don’t use the service). This is dependent on privacy regulators at various levels and is beyond the control of the project team; however, the existence of an international standard provides a potentially powerful instrument for regulators to inform and reassert consumer control over their own data.
Assessing the feasibility of extending ISO 24751 to include privacy preference settings in the initial project work entailed two key questions:
- Can the existing ISO 24751 standard be extended to act as an effective means for introducing a standardized method of determining and asserting consumer personal privacy preferences?
- Can the newly extended standard be leveraged to require that product and service providers that collect personal data attend to the privacy preferences of consumers?
Based on our work we believe that an extension of ISO 24751 would be an effective means for introducing greater, more fine-grained consumer control over private information. There are compelling reasons to choose ISO 24751 as the mechanism, including existing support from the private sector and the availability of implementations of the standard in projects such as the GPII. However, extending the standard and obtaining approval for a strong version of the standard can be a difficult process. It is conceivable that industry groups will push back on the recommended standard and prevent or significantly weaken the standard before it reaches approval.
Once the extended standard is approved its success is not guaranteed. The standard provides a tool for regulators to use or point to when developing policies and legal requirements around privacy. It is unlikely that companies and organizations that the standard might apply to will adopt the standard voluntarily. The private sector will need to either see a benefit in implementing the standard or be compelled to utilize the standard. In some cases, industry groups will self-regulate, but this usually occurs because there is a likelihood that they will be regulated. Balancing self-regulation versus regulatory structures will be an additional challenge, since self-regulation (using an industry-determined standard) may be another way that the standard becomes weakened after implementation.
An appeal to corporate social responsibility can be used to garner support for, and implementation of, the standard. In much the same way that there has been a surge in corporate social responsibility programs to garner consumer appreciation and loyalty, concern for the privacy of individuals as demonstrated by implementing the standard is an opportunity for companies to build trust with consumers and differentiate from their competitors. An approach that engages companies as champions of the standard can help support its adoption. The SWOT analysis below illustrates how industry could relate to the development and implementation of the standard.
- Strengths: The standard can be applied across multiple contexts and it enables individuals to choose when they will share private information.
- Weaknesses: The standard will rely upon implementation by organizations that may not be motivated to use it and could be diminished by self-regulatory structures developed in response to the standard.
- Opportunities: Companies can use the standard as a way to build consumer trust, differentiate from their competitors and promote their commitment to individual privacy.
- Threats: Industry groups may attempt to weaken or prevent the standard because they are accustomed to harvesting personal information or generating revenue from it.
The opportunity to leverage and build upon the existing ISO 24751 standard to determine and assert personal privacy preferences is relatively feasible and efficient. The initial steps have been completed in this process. The standard development has moved from initial concept to concrete form as both an implementable tool (based on the wire-frames, the designs and the JSON binding) as well as an articulated draft standard for review as a New Work Item and Committee Draft for the ISO 24751 working group.
The remaining steps require further support to continue the implementation, integration, user testing, co-design and evaluation of the tools in a real-world setting. Design and development expertise will be required, along with knowledge of and active participation in the ISO process. It will be essential to have a community of participating stakeholders, businesses and end users, including engagement with related projects such as the GPII. This would provide the necessary information to improve and finalize the prospective standard as it moves through the ISO standardization process.
It is estimated that the implementation and refinement of the tool and standard will require an additional two years and that finalization of the standard by ISO will be an additional year. Once completed and even during its movement through the ISO process, the standard can be an effective tool for policy developers and regulators to demonstrate privacy requirements and encourage development of implementation plans.