A Call for Privacy Best Practices in Identity Management Systems

Privacy is not Agreement, Consent is not Permission. (a rule of thumb approach towards developing best privacy practices in the IdM industry)

Despite this fact, both consent and permission are often presented with a tick in a box, a toggle, or the click of an OK button in many identity and access management workflows. Legally, privacy (rights) is not the same as an agreement (contract), and consent is not a permission and can’t be used to contract away privacy rights.

A tick box asking for agreement to a privacy policy in an identity management flow is fake privacy and a bad practice. Confusion between contract and rights is unfortunately widespread, and it is one of the key problems that a privacy profile addresses.

Privacy rights are a critical democratic tool and provide the ability to combine autonomy and identity management in a single system, with the core concept of a common shared state of privacy.

Rights do not exist in a place like China where the government dictates the social contract. Activating privacy rights is a secret weapon for competing globally against security and identity systems produced out of a surveillance state incubator.

Privacy is a state and can be used to greatly simplify rights management. It does so by providing a defined scope for the access and management of attributes and credentials. Privacy protects people from abuse by bad agreements (either fake privacy or other “fake” contracts).

Combined correctly, privacy + agreement has the power to transform society and combat surveillance states with the actionable transparency we call Operational Privacy. A stateful approach needs to be referenced in the contract, for example through consent directives, which combine privacy scope with identity management scopes that are extended by contract and protocol.

Approaches that use contracts and agreements to extend privacy rights with IdM technology are very powerful and are used throughout a supply chain. In the context of a shared understanding of privacy state, contract can be used to manage (or even extend) the expected state of privacy. This is a gateway technology for people to share sensitive, more valuable, deeply rich and personal information.

Today privacy is mostly understood as a dis/agreement rather than a shared state protected and defined in law. This is a critical misunderstanding, perpetuated by fake privacy policies styled as contracts and agreements. It is a misunderstanding in which online engagement is divisive, splinters communities, and undermines a concerted response from standards aimed at advancing privacy, personal data control, and security (protection) for people.

To illustrate:

  1. Privacy rights refer to mature laws that govern the shared state of society in which we all live.

    1. Governance for how to define power and control in relationships.

  2. A contract is about collaborating or engaging with each other and transacting day to day.

    1. The dis/agreement(s) we engage in on a one-on-one basis are about the maintenance of the identity relationship, not defining the state.

For IdM and security professionals, privacy rights are critically important since they:

  1. Define the active/default state of a relationship to which security applies.

  2. Establish the state of privacy that a contract then maintains with identity and security.

An existing example of privacy-based terms in an IdM system that are done correctly can be found in the concept of:

  • Consent Directives

    • https://www.hl7.org/fhir/consent.html

      • Notice how the privacy term encapsulates the agreement term, which is called a different class of agreement (aka a directive).

    • This is a correct privacy state approach for the application of identity management technology in a shared information environment.

    • It’s anchored on consent, which is a privacy expectation that is defined in HIPAA and operationally presented in CFR42A.

  • The state of consent can be better described and defined with FHIR as a starting point, going into detail about how the state of the person’s understanding of health information and health identity is managed and shared in a human-centric understanding protected by privacy rights.

Mark Lizarmain