Consent Hack Day at Media Lab

Event site: https://mitmedialab.github.io/Consent-HackDay/

UX Mockups

Note: These are just rough mockups, subject to change, pretend they're drawn on back of napkin.

UI Todo:

• Add badge/icon indicator to extension icon to denote that the site you've visited acknowledged your preferences etc.

ConsentHackDay

Functional Aspects

0. Provide individuals an easy to use method for expressing they do not consent to add tracking in a way that services must comply with

1. What is the policy? (Content)

2. How is the policy rendered for user independently of whoever created it? (format, language, display)

3. How is the policy coded? (Which bits mean what?)

GDPR Connection

• In context of GDPR consent, use of this cookie approach should be structured to become part of the consent process and the result should include agreement on the user terms with the vendor terms

• The Nightmare letter: https://www.linkedin.com/pulse/nightmare-letter-subject-access-request-under-gdpr-karbaliotis/

Other considerations

• Substitutability
  • Where you inherit policies from
  • Where you get the rendering

… carrots for the ad industry

• Intent casting
• Better signaling
• Better programmatic framework
• Eliminate fraud and malware
• Speed up load time
• Increasing operational efficiencies in a world where consent is in play
• Risk reduction, efficient audit reporting
• IAB Europe clearly states in their documents that the 'cookie' solution is a temporary measure. We can help them with design inputs that are more person-friendly.

Technical Aspects

• There is a cookie capability that could be a good fit. There are a handful of flags that can be set.

Technical Links

IABE Cookie Format: https://www.google.com/url?q=https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/blob/master/Draft_for_Public_Comment_Transparency%2520%26%2520Consent%2520Framework%2520-%2520cookie%2520and%2520vendor%2520list%2520format%2520specification%2520v1.0a.pdf&sa=D&ust=1523464528097000

JSON file for purposes & vendors (from above link): https://vendorlist.consensu.org/vendorlist.json

IAB JS Library: https://www.google.com/url?q=https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/blob/master/Draft_for_Public_Comment_Transparency%2520%26%2520Consent%2520Framework%2520Formatted%2520CMP%2520JS%2520API%2520v1.0.pdf&sa=D&ust=1523464528097000

GDPR https://gdpr-info.eu

Registered CMPs http://advertisingconsent.eu/iab-europe-transparency-consent-framework-list-of-registered-cmps/

CMP Registration Video https://www.youtube.com/watch?v=X25npcxInFU

List of Laws from EC https://ec.europa.eu/digital-single-market/en/laws/76023/3565

Organizations who could participate

• Kantara Initiative https://kantarainitiative.org
  • Consent & Information Sharing WG - Produced the Consent Receipt Specification
  • Consent Management Solutions WG - Developing a compendium of consent management practices from companies that claim to 'do' consent management. Will become a Best Current Practice doc then a certification program.
• EFF
• IEEE
• Wymsical/Wault
• AARP
• Consumer Reports
• Consumer Federation of America
• Girl scouts, boy scouts, PTA ("keep kids safe" - > GDPR)
• HIE of One
• Hyperledger Indy
• Sovrin Foundation
• TUCOWS (hover et al.)
• OpenConsent
• Customer Commons
• IAB Europe :)
• EU supervisory authorities
  • CNIL - France
• Aligned Orgs/Companies/etc.
  • DCN (formerly Online Publishers Association in USA)
  • ITEGA
  • Mozilla
  • Cliqz Browser
  • Brave Browser
  • IAB Lab
  • Berkman Klein Center (Kathy Pham)
  • Medium
  • PRX
  • RadioPublic

Quick Hack Teams

Legal: Applicable Rules and Terms

• Elizabeth
• Dazza
• Robert Mahari
• Stephanie
• Andrea Servida - DG Connect e-governnment & trust unit

Technical: Hack the Cookie Terms

hang out link: https://hangouts.google.com/call/f71g1SrzihwRublHgFC2AAEE

• Sal (seek a privacy dashboard for individuals)
• Sean
• Hanno
• Sam
• Sherry
• Andrew (from time to time)

Business: Describe "Go to Market" Use Case in Engineerable Way

• Doc
• Joyce
• Dazza
• Sean
• Stephanie
• Kathy
• Bill
• Adrian
• Dmitri

End of Day Report Outs

Business (Go-to-Market)

Ideas

• Getting Mozilla, et. al. to add this to the browser
• Getting EFF to put this in Privacy Badger
• Getting friendly startups
• Q: What differentiates the different CMPs?
• Two approaches: 1. Customer Commons listed as CMP 2. Customer Commons hijacks CMP's UI

Buildable description (scope)

• Make an engineerable spec, something buildable, that we can evaluate against the intention
• New Deal on Data (HBS - Sandy Pentland)

DRAFT Indications for Use:

• Indications for Use for each Party:
  • Provide data subjects a method for expressing they do not consent to profiling in a manner acceptable to data controllers.
  • Provide data controllers language and technology crafted to be compliant with GDPR and provide a clear understanding of data subject's ad-tech requirements.
  • Provide data processors with reduced risk by helping the data controller offer guidance that are GDPR compliant and reflect the data sububject's ad-tech requirements.
• Definitions
  • Tracking is: ad tracking, profiling by third parties
  • Data subjects are defined by the GDPR
  • Manner acceptable is a cookie or equivalent

GDPR Article 6 - Lawfulness of processing

Elevator Pitch

A cookie that puts the individual in front of the data flow on websites, and sites in alignment with the GDPR. The cookie signals consent to site tracking, but not to third party tracking.

Narrative to Technical Engineering Teams

Narrative to Users (Tech Wizards and Muggles)

Go to Market

Possible promotional partners

• Linux Journal
• (See others above)

Use customer commons as a certification provider

• Very heavy, slow process - lots of work

Benefits

Data Subjects

• Peace of mind
• Removal of consent wall
• Faster load time

Data Controllers (= IAB E publisher)

• Reduced operating cost / risk
• Align values with data subjects (= less friction e.g. on-boarding)
• Reduced incentives for ad-blocking

Data Processor

• Reduced operating cost / risk

IAB E

Publisher (website owner)

• Faster load time
• IAB PDF about why Publishers should use their framework - includes benefits and value to publishers. http://advertisingconsent.eu/wp-content/uploads/2018/04/TCF-Publisher-Facstsheet-2504.pdf

Vendor (owns ad inventory / ad tech / data broker)

Consent Manager Provider (CMP)

Civil Society / GDPR DPA

Technical (Hack the Cookie)

• link to notes doc: https://docs.google.com/document/d/1F5TSucLbIyU_4xJZy-RkTnRtzEaSK2R2qfScVKAbYj4/edit?ts=5ae21fd7

Table to be updated! Link above up to date

Basic Chrome Extension demonstrating cookie setting mechanism: https://github.com/TelegramSam/ConsentCookieManager

Legal (Terms and Rules)

Questions:

• To what degree does a blanket "do not track me" cookie satisfy the GDPR requirements for specific consent?
• Does a chrome extension give the data subject sufficient clear info?
• What are the requirements of GDPR's certification idea and how could we satisfy them? Could this act as an additional incentive?
• What are the transparent icons GDPR speaks about, who defines them (UI task)?

Roadmap

1. Customer Commons Cookbook/ Commandments
2. User can set config
   • Cookies
3. Service provider can
   • accept
   • reject
4. Accept by service provider
   • Acknowledge
5. Options
   • (Simple Email - Day 1)
   • CMP - Day 1
   • Consent/Info receipt - ?