October 31, 2017 UXC Meeting Page

From IDESG Wiki
Jump to: navigation, search


October 31, 2017

  • Mary Hodder
  • Tom Jones
  • Jim Kragh
  • Linda Braun, Global Inventures

Meeting Minutes

  • Mary Hodder reported that UXC needs to respond to Jenn Behrens about the level of changes to the UXC requirements. UXC is proposing to change 1, 2 and 7, but other requirements may change as well, including supplemental guidance.
  • Roles: UXC will focus on Identity Providers, Intermediaries, Attribute Providers and Relying Parties roles. The UXC requirements update will focus on these four roles from the Functional Model.
  • Mary reviewed her slides she will present to the Executive Committee “IDEF Registry Proposal for Extension to add third party Certification.”
  • The team reviewed the changes to Usable-7 requirement and supplemental guidance as presented by Tom Jones.
  • Usable Req 7
  • Wherever public open STANDARDS or legal requirements exist for collecting user requirements, entities conducting digital identity management functions MUST offer structured opportunities for USERS to document and express their interface and accessibility requirements, early in their interactions with those functions. Entities MUST provide a response to those user requirement communications on a reasonably timely basis.
  • Any entity "collecting personal data," whether they are first or third parties, would mean that the entity is interacting with USERS directly and therefore should provide a response to user requests early on in the interaction or collection. Website USER do-not-track requests are an example of a USER request. An example of a site that handles responses to Do Not Track (DNT) requests in this manner is Medium.com which sends a single popup to new users, whether or not they are registered, about how they will handle the DNT request.
  • As a general principle, consent choices or other similar must-see-this-first information should be exchanged in a first encounter, and then honored in and presented in a consistent manner thereafter.
  • Suggested ways for User Experience mitigation includes using pop-up boxes or email responses to user requests. Links to information regarding additional use should provide adequate time for users to read the information presented to them.
  • The entity gathering requests should state whether identity information is being used, and the user must be notified.
  • Please note that the IDESG Privacy Requirements apply to these interactions and the data they generate.
  • Proposed text:
  • Any entity "collecting personal data," must respect users’ rights to stipulate their requirements with respect to the use and retention of that data. This requirement applies equally to entities that interact directly with the user as well as entities that collect the data from third parties. So when a user stipulates (for example) “DO NOT TRACK (DNT)” on their interaction, that stipulation must apply to any party (for example advertisement providers) to the interaction. Any user experience must inform the user of the user stipulations that apply either directly on the site or by way of a message to the user.
  • Whenever the user choses some transaction with an entity that would loosen any restriction, that loosening must be clearly evident to the user prior to the initiation of the transaction. This requirement includes voluntary changes initiated or approved by the user as well as involuntary changes made necessary by laws, regulations or unforeseen events like leakage from the entity’s data stores. Timely notification is dependent on many factors, but the suggested default is 72 hours after the change is confirmed for unforeseen events.
  • More information about Do Not Track can be found at these links: FTC website on Do Not Track: https://www.ftc.gov/news-events/media-resources/protectingconsumer-privacy/do-not-track Do Not Track standard work at the W3C: http://www.w3.org/2011/tracking-protection/
  • As of 4/12/2017 “Forty-eight states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.” From the site: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx. While there is no consensus at this time, it seems that less than 72 hours after the breach has be validated would be best practice. See: https://www2.idexpertscorp.com/knowledge-center//single/how-long-should-organizations-take-to-notify-after-a-breach.
  • The Kantara Consent & Information Sharing Work Group (CISWG) now has a draft standard for informing the user of the status of the user stipulations. That draft is recommended to entities looking to understand how consent receipts are distributed to users. See: https://kantarainitiative.org/confluence/display/infosharing/Home.

  • Adjourn
    • 12.59 p.m. EDT

  • Next UXC meeting is scheduled for November 14, 2017
[[Category: User Experience]