Privacy is not Agreement, Consent is not Permission
(Towards a rule-of-thumb approach for privacy best practice in identity management and surveillance systems)
To make it easy to approach privacy by design in identity management, developers and implementors should understand that a contract doesn’t replace privacy rights. Legally, privacy (rights) is not an agreement (contract), and consent is not a permission.
Both consent and agreement are represented with a tick in a box, a toggle, or the click of an ‘OK’ button in most identity and access management workflows.
Replacing privacy with a contract is a bad thing to do. Unfortunately, the ‘I agree’ to this privacy statement is a widespread practice that substitutes a contract clause for privacy rights. This bad practice prevents people from having control over, and transparency of, their personal data. It has undermined the security of personal data, enabling dark patterns and massive deceptions, and today we are experiencing the effects of wide-scale abuse and misuse of personal data.
Privacy rights are critical to democracy, and our ability to gain autonomy in privacy and identity management is a very important issue. This is even more apparent in contrast to China. Consent doesn’t exist in China, where the government dictates the social contract; there is only permission and agreement. Privacy rights are a key weapon that protects democracies against security and identity systems produced for surveillance capitalism and control.
Combined correctly, privacy + agreement has the power to transform privacy and trust online. Combined correctly, these are powerful tools to combat the surveillance state with usable privacy transparency. For example, a project called FHIR combines privacy and contract to produce consent directives. Consent directives begin with the privacy rights scope, then add the use of a contract for the provision and management of the state of rights with a directive. These are transformed into identity management scopes that convert the directive into read, write, delete and access permissions.
Approaches that extend privacy rights with IdM are very powerful. They can transform context, empower community and support democracy. But in practical terms, when done correctly, they enable the sharing of sensitive and highly personal data for more valuable and deeply rich engagements in a digital relationship.
A good practical example is the idea of cookie consent. The only way a cookie can be consented to is if consent is provided before the cookie is placed and used. In all other scenarios, this is called a cookie permission. Today, we see a lot of things that pretend to be trustworthy, or call themselves consent, when in fact they are surveillance and permission.
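The ordering rule for cookies can be checked mechanically against a record of what a site did. The sketch below is an added example, not code from the original post: the event types, field names, per-purpose consent model, the withdrawal case and the sample log are all assumptions constructed for illustration.

```javascript
// Rule from the text: a cookie counts as "consent" only if consent was
// recorded before the cookie was placed and used. Every other ordering
// is a "permission". Event shape (assumed): { t, type, name?, purpose }.
function classifyCookies(events) {
  // Process in time order so "before" is well defined.
  const ordered = [...events].sort((a, b) => a.t - b.t);
  const inForce = new Set();   // purposes with consent currently in force
  const verdicts = new Map();  // cookie name -> "consent" | "permission"

  for (const ev of ordered) {
    if (ev.type === 'consent') {
      inForce.add(ev.purpose);
    } else if (ev.type === 'withdraw') {
      // Assumption beyond the text: withdrawn consent no longer covers use.
      inForce.delete(ev.purpose);
    } else if (ev.type === 'set' || ev.type === 'read') {
      if (!inForce.has(ev.purpose)) {
        // One uncovered placement or use is enough; consent collected
        // afterwards does not turn it back into consent.
        verdicts.set(ev.name, 'permission');
      } else if (!verdicts.has(ev.name)) {
        verdicts.set(ev.name, 'consent');
      }
    }
  }
  return verdicts;
}

// Constructed sample log (not real data).
const sampleLog = [
  { t: 1, type: 'set',     name: '_track', purpose: 'analytics' },   // placed on page load
  { t: 2, type: 'consent',                 purpose: 'analytics' },   // banner clicked afterwards
  { t: 3, type: 'read',    name: '_track', purpose: 'analytics' },
  { t: 4, type: 'consent',                 purpose: 'preferences' }, // asked first
  { t: 5, type: 'set',     name: 'lang',   purpose: 'preferences' },
  { t: 6, type: 'read',    name: 'lang',   purpose: 'preferences' },
  { t: 7, type: 'set',     name: 'ad_id',  purpose: 'advertising' }, // never asked
];

console.log(Object.fromEntries(classifyCookies(sampleLog)));
```

Only `lang` is classified as consent here; `_track` was placed before the banner was answered and `ad_id` was never asked about, so both are permissions.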
To make it simple:
1. Privacy rights are about the state of society in which we all live. Privacy rights provide stateful governance for how to define the power and control in a relationship.
2. A contract is about collaboration or engaging with each other and transacting. The dis/agreement(s) we engage in, on a one-on-one basis, are about the maintenance of the identity relationship, not defining the state to which all these systems are governed.
In short, the rule of thumb for IdM and security professionals:
1. Privacy defines the state of the relationship to which security and identity apply
2. Contract maintains the state of the relationship with agreements