Do you mind if I…? Towards better online consent models

Consent is an increasingly frequent and intrusive part of our online experience and is handled in many different ways by the apps and websites we use. Even the best designs for consent make two mistakes:

Consent isn’t just about cookie preferences, consent includes how we manage access to our financial data and our health data. We need a better way to implement and manage consent for all contexts and to the benefit of all parties.

Emerging technologies and standards offer a way to associate consent with data access rights, and to enable us to self-manage our consent. Think of Digital Rights Management for artists/publishers, but instead a Consent Right Management for the user, or in even shorter hand: decentralised dynamic consent.

This article explores how we got to where we’ve got to with online consent, what I learnt by exploring some sectors, and how I think recent developments in open standards and technology and the evolution of thinking about online consent can combine to provide a better consent model for organisations and people alike. While this may seem a long article, there are many elements that deserve more attention and topics that I haven’t introduced. I’ll leave those for another piece or two, and I’d welcome suggestions and comments on the areas that need most attention.

Consent is a big issue in our professional and personal lives. Just a short while ago, when browsing online, we would blithely scroll past screeds of unintelligible legalise and “tick and flick” an agreement – if we saw one at all. We would sail between websites blissfully unaware of the number of cookies our browser’s hull had clinging to it. Now, as regulations tighten and legal operators want to stay legal in all the jurisdictions that they operate in, we’re often forced to make an explicit choice amongst options before we’re allowed to see the page we’ve come to see. Picking the right option isn’t always an easy choice (see “A Consent Catch-22”).

The friction this presents is frustrating, however it is equally wrong to get rid of all friction in our online experiences. Some friction, even if it frustrates, can be a good thing, especially when it encourages us to think sensibly about the consequences of our actions. Presenting just the right amount of friction is also a challenge to UX designers who want to minimise drop-out but remain compliant.

In general, in our “real-world” lives, we are expected (and expect) to give some form of consent whenever another organisation or person wants to perform an action on our behalf. From personalising content to providing first aid, where possible the consent of the subject is requested before the action is performed on their behalf. 

Consent is a fundamental building block for consumer and competition oriented concepts such as the UK and New Zealand’s “Open Banking” initiatives, and the Australian “Consumer Data Right” [ref 15], the first phase of which is also an “open-banking” initiative. Consent, correctly constructed and obtained, is the opening gambit for the relationship and its promises and liabilities.

The design of the Australian Open Banking model is similar to the others, and means that you need to tell an organisation holding data about you that you consent to another organisation accessing that data (and you need to tell the organisation accessing your data what you consent to them doing with that data). I’m not a fan of this model, and I’ve explored the issues this model raises in previous articles. Here is an early and rather provocative initial opinion on the Australian Open Banking initiative that I published in LinkedIn: https://www.linkedin.com/pulse/why-open-banking-win-consumers-john-phillips/.

Basically, we need to rethink how we do online consent across a range of subject areas: from cookies, to finances, to genomic and personal health data.

We might start with a general idea that, where possible, we should hold and have control over the data that is important to us, and this data should be “verifiable” – i.e. its source, integrity and validity should be able to be verified by any organisation that we choose to share it with, without them having to contact the issuer. In other words, we should be able to hold verifiable data about ourselves, and we should be able to select the data we share, and who we share it with, and under what conditions. Here when I refer to the concept of “holding” data I’m including both the “subject present” access with consent and the subject not present (but consent present) access to data.

However, even if we hold and control the data ourselves, we still need to think about how we design for consent. 

We can consider online consent to be a form of initial contract involving an agreement between two parties [ref 14]. Mostly in the online world, the offer is that if you share your data then you will get a more personal experience, something tailor made for you. This is often the “prenup” to the more serious agreement that comes later (if you decide to cement the relationship by creating an account or subscribing and agreeing to the additional terms and conditions).

My concern isn’t so much that these consent interactions aren’t well designed. Many aren’t, a few are. Even if they were all designed brilliantly, they would still present a siloed view of consent as a once-and-done instance and they would ignore the cumulative challenge: where repeated consent requests create “consent fatigue” and a consent management headache.

I think there is a better way to request, remember and manage consent for organisations and people. I’ve seen encouraging developments from different spaces that I think can help to create a better consent model.

We can trace the origins of our current online consent model from the original development of “privacy acts” that consider data and the digital realm, to the more recent data protection rights and acts. 

The original privacy acts were designed to address direct data capture and use by websites in the emerging digital world around the late 1980s and 1990s. Some years later, from around 2016 onwards, Data Protection acts and Rights were introduced to protect consumers and privacy acts were updated and augmented. These new acts are intended to provide protection against the data collection, processing and real time auctioning that we now might associate with Soshana Suzboff’s “Surveillance Capitalism” [ref 17]), activities that had fuelled significant global commercial markets for some time before 2016. They are also designed to enable and regulate markets that demand and supply data.

In parallel, data types such as personal health data, were recognised as needing special attention and protections by regulators and health data practitioners alike and resulted in special provisions in acts and regulations and the use of ethics committees to review the design of research programs and proposed capture and use of health data.

So we now have an abundance of privacy and data acts, regulations and rights across many jurisdictions in the world, each placing subtly different rights and duties on people and organizations depending on where they operate and what kind of data they want to collect and/or process.

Here are just 3 examples of many definitions of consent in a digital context:

There are many other definitions that are all reasonably similar. However, for my purposes, I think the Australian CDR definition provides a good combination of concepts, specifically the inclusion of “time limited” and “easily withdrawn” criteria.

I referred earlier to the notion of “holding” data about you that you can then share with others. I was echoing one of the tenets of Self-Sovereign Identity thinking, so I thought I’d ask the SSI community for help and ideas.

Back in October 2021 I asked for help from the attendees of the 33rd Internet Identity Workshop “IIW” (hence “IIW33”) on how we might view “consent” in the context of “self-sovereign identity” frameworks, by which I mean those built with technology such as W3C Verifiable Credentials, Decentralised Identifiers, and DIF’s DIDcomm. IIW has been, and is still, the cradle of many innovations in internet identity thinking since 2005, the transcripts of all workshops are available from the IIW website: https://internetidentityworkshop.com/ 

My request was a consequence of my investigations into the current “state of the art” of online consent. Since July 2021 we had been working with CSIRO (an Australian Commonwealth Research Organisation) and a local SSI (and other emerging technologies) company, Verida, looking at a prototype on the use of decentralised consent and data access management for genomic data research, This was part of the Australian “National Approach to Genomic Information Management” (NAGIM) Blueprint initiative, looking at prototypes for new concepts. As I read into the existing work, I was finding more questions than answers.

In fact, by October 2021 (when IIW33 was held), I was somewhere in the middle of a Damien Newman design squiggle (see below). I think I’m nearer the right hand side now…

My discussion with the SSI community at IIW33 built on the thinking I’d seen developed within the community and evidenced by working groups in Europe (eSSIF-LAB) and internationally (ToIP). In general terms these communities illustrate trust frameworks using diagrams like the one shown below from ToIP.

The working groups spend a lot of time discussing the roles of the actors, the nature of the data that traverses these links, and how and when the data traverses them.

My observation/realisation was that we seemed to be missing the “why”.

For example, Why is the Holder presenting a proof to the Verifier? Because they received a proof request? Why did the Holder trigger the proof request? Why did the Verifier make the proof request? 

While these “whys” are sometimes partially explained by a specific use case (Alice wants to rent an apartment…), their nature is often not explored explicitly.

After some consideration, it seems to me that, before any issuing, requesting, and proving interactions, some preliminary form of exploration and bargaining has occurred. In any given instance, two parties (issuer – holder, holder – verifier, issuer – governance authority etc.) have engaged in a dialogue and reached an agreement, explicitly or implicitly. We might say that “consent”, in some form, has been agreed, a bargain has been struck, whether fair or Faustian.

Now we ‘kinda’ have consent in the design of most SSI wallets. In fact all of the SSI wallets (a half dozen or more) that I’ve used require some form of explicit consent for each wallet transaction. I’m offered a yes/no choice to accept connections, a yes/no to accept credentials and a yes/no and choice of data source(s) to respond to proof requests.

We might consider this useful, necessary even, but it is not sufficient. A key missing ingredient is that there is no evidence of the ‘why’ of the exchange, the nature of the ‘deal’ being offered and agreed to. All that stuff is outside of standard wallets. Further, these SSI wallet interactions aren’t “consents” in the normally accepted sense (see example consent definitions above). 

The discussions at IIW33 introduced me to Mark Lizar and his work with the Kantara Initiative on Consent Receipts [ref 13]. This work anticipated some of the problems that I was seeing and proposed a standard “receipt” for the consent that we negotiate so that we might  better understand and manage the consents that we give. While prescient, this 2018 work indicates areas of future consideration, including: consent best practice; status and revocation of consent; consent management, validation, and other aspects of consent lifecycle.

In our work with CSIRO and the NAGIM prototypers during 2021, we were looking at if, and how, SSI could provide a better model for consent management for genomic data research. 

Exploring this area led me to read into the concept of “Dynamic Consent” as it is used within medical data research. Here’s an explanation of Dynamic Consent given by Teare, Prictor, and Kaye in the introduction to their 2021 paper: “reflections on dynamic consent in biomedical research: the story so far” [ref 4]

“[Dynamic Consent] is an approach to informed consent that allows communication and engagement through a secure digital portal in ways that have not been possible before, with individuals being able to revisit and review consent decisions and preferences over time, as and when they choose. By using a digital platform, information can be presented in new ways, through video clips to reach broader and more diverse audiences, but also enabling participants to input their own information and complete online questionnaires. It is dynamic because it can be tailored to the research endeavour and the expectations of participants, as well as when consent and interactions are needed at different points along the clinical or research pathway.”

Note the expectation that the design would involve a “portal” that the subject/participant can revisit when they choose. Consent(s) in this model are held by a central system but can be managed by the participant through capabilities provided by the portal. This is similar to how the Australian CDR Open Banking implementations have so far interpreted the definition of “easily withdrawn”, the consumer (aka participant in medical research use case) needs to visit the portal(s) (organisations) they set up the consent(s) on to withdraw the consent. That doesn’t seem easy to me, certainly not if you’ve got lots of consents to manage across many organisations.

Another important initiative from the medical data research field is the “Data Use Ontology” (DUO), developed by the Global Alliance for Genomics and Health (GA4GH) [ref 12]. DUO enables medical data research consent to be encoded in “machine readable” format, so that when the consent of a patient on how their data might be used in research is encoded in DUO format it can be compared with the intent of a research program when that is encoded in DUO format, so that a match can be tested.

These concepts were combined in the development by Australian Genomics of CTRL [ref 8], one objective of which is that participants can be presented with human readable (in plain, layperson, English) medical research consent questions that can then be translated to machine readable DUO format.

These sources gave me some ideas on the ingredients we need for better consent designs. Including:

Refocusing on the medical data research field, we can represent these ingredients in a modified trust “diamond” model like the one shown below.

Some of the key elements of this design include:

Putting genuine control into the hands of the data subject or participant through decentralised technologies offers significant benefits to all parties and all sectors, from genomic data research to open-banking. 

Models that scatter and silo consent across organisations and platforms, and that disassociate consent from the data it pertains to, provide a problematic, if not a broken, design approach to consent and data access control for and by users.

Using emerged and emerging open standards such as W3Cs Verifiable Credentials and Decentralised Identifiers, DIF’s DIDComm and KERI we can see how the consent to use data about someone can be better, and directly, managed by that someone, to their benefit and the benefit of organisations that want to be compliant with privacy and data protection regulations and want to be able to prove their compliance.

Personally I’d like to be able to see all the consents I’ve given on my device (or via my cloud and/or web based service agent), in language I understand, and be able to change them how I want, when I want.

What do you think?