Episode 033: 07‐25‐2024 Consent Is Dead: How Bad Is It Really - GluuFederation/identerati-office-hours GitHub Wiki
Title: Consent Is Dead: How Bad Is It Really?
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Eve Maler, Digital identity futurist and strategist
- Co-Host: Jean-François Lombardo, AWS, Principal Solution Architect, Security Specialist
Description
At EIC24, Eve laid out a case that digital consent is a fiction. How bad is the situation? How does it impact identity, security, and privacy? And do identitarians need to start getting their heads around the identity resolution industry?
Homework
- Pervasive identity surveillance for marketing purposes: A technical report on personal data processing for LiveRamp’s “RampID” identity graph system based on an analysis of software documentation with a focus on Europe, by Wolfie Christl and Alan Toner.
- Sustainable Privacy by Samuel M. Smith, PhD
Extra Credit Homework
- Legal Paper: Chain-Link Confidentiality approach to protecting online privacy.
- Summary IIW 37 Session 11B Selective Disclosure is Useless: We Have Receipts
Takeaways
- Eve introduced the idea of recursive consent revocation to address how identity data is sold and re-sold downstream. For example, if I leave Facebook, I not only want FB to delete my data, I want the myriad third parties they shared my data with to comply with my request to be forgotten. However, compliance will be a challenge--how can a government or a person even know who has their data?
- "License" might be the best model to control our personal data downstream... something like digital rights management for your content.
- As the homework illustrates, even non-PII can be used to identify someone if you have enough data. For example, your browser resolution, city, and the time of day might be enough. Luckily, the main application for this tech is to target ads, not identify specific people.
- Selective disclosure is good--only release the minimum data required. But verifiers introduce a lot of trust issues, and perhaps we need more collective bargaining power to get downstream brokers of identity data to respect our consent.