Do you mind if I…? Towards better online consent models
Consent is an increasingly frequent and intrusive part of our online experience and is handled in many different ways by the apps and websites we use. Even the best designs for consent make two mistakes:
- Consent is seen as a point in time transaction. Contexts change and hence consent changes over time. What was once consented to may no longer be so.
- Consent is all too often seen as a siloed and stand-alone transaction. Repeated and inconsistent consent requests lead to fatigue and break down resistance. The challenge of managing and remembering multiple requests over time and across many organisations becomes a consent management nightmare for the consumer
Consent isn’t just about cookie preferences, consent includes how we manage access to our financial data and our health data. We need a better way to implement and manage consent for all contexts and to the benefit of all parties.
Emerging technologies and standards offer a way to associate consent with data access rights, and to enable us to self-manage our consent. Think of Digital Rights Management for artists/publishers, but instead a Consent Right Management for the user, or in even shorter hand: decentralised dynamic consent.
This article explores how we got to where we’ve got to with online consent, what I learnt by exploring some sectors, and how I think recent developments in open standards and technology and the evolution of thinking about online consent can combine to provide a better consent model for organisations and people alike. While this may seem a long article, there are many elements that deserve more attention and topics that I haven’t introduced. I’ll leave those for another piece or two, and I’d welcome suggestions and comments on the areas that need most attention.
Consent is a big issue in our professional and personal lives. Just a short while ago, when browsing online, we would blithely scroll past screeds of unintelligible legalise and “tick and flick” an agreement – if we saw one at all. We would sail between websites blissfully unaware of the number of cookies our browser’s hull had clinging to it. Now, as regulations tighten and legal operators want to stay legal in all the jurisdictions that they operate in, we’re often forced to make an explicit choice amongst options before we’re allowed to see the page we’ve come to see. Picking the right option isn’t always an easy choice (see “A Consent Catch-22”).
The friction this presents is frustrating, however it is equally wrong to get rid of all friction in our online experiences. Some friction, even if it frustrates, can be a good thing, especially when it encourages us to think sensibly about the consequences of our actions. Presenting just the right amount of friction is also a challenge to UX designers who want to minimise drop-out but remain compliant.
In general, in our “real-world” lives, we are expected (and expect) to give some form of consent whenever another organisation or person wants to perform an action on our behalf. From personalising content to providing first aid, where possible the consent of the subject is requested before the action is performed on their behalf.
Consent is a fundamental building block for consumer and competition oriented concepts such as the UK and New Zealand’s “Open Banking” initiatives, and the Australian “Consumer Data Right” [ref 15], the first phase of which is also an “open-banking” initiative. Consent, correctly constructed and obtained, is the opening gambit for the relationship and its promises and liabilities.
The design of the Australian Open Banking model is similar to the others, and means that you need to tell an organisation holding data about you that you consent to another organisation accessing that data (and you need to tell the organisation accessing your data what you consent to them doing with that data). I’m not a fan of this model, and I’ve explored the issues this model raises in previous articles. Here is an early and rather provocative initial opinion on the Australian Open Banking initiative that I published in LinkedIn: https://www.linkedin.com/pulse/why-open-banking-win-consumers-john-phillips/.
Basically, we need to rethink how we do online consent across a range of subject areas: from cookies, to finances, to genomic and personal health data.
Towards a better design
We might start with a general idea that, where possible, we should hold and have control over the data that is important to us, and this data should be “verifiable” – i.e. its source, integrity and validity should be able to be verified by any organisation that we choose to share it with, without them having to contact the issuer. In other words, we should be able to hold verifiable data about ourselves, and we should be able to select the data we share, and who we share it with, and under what conditions. Here when I refer to the concept of “holding” data I’m including both the “subject present” access with consent and the subject not present (but consent present) access to data.
However, even if we hold and control the data ourselves, we still need to think about how we design for consent.
We can consider online consent to be a form of initial contract involving an agreement between two parties [ref 14]. Mostly in the online world, the offer is that if you share your data then you will get a more personal experience, something tailor made for you. This is often the “prenup” to the more serious agreement that comes later (if you decide to cement the relationship by creating an account or subscribing and agreeing to the additional terms and conditions).
My concern isn’t so much that these consent interactions aren’t well designed. Many aren’t, a few are. Even if they were all designed brilliantly, they would still present a siloed view of consent as a once-and-done instance and they would ignore the cumulative challenge: where repeated consent requests create “consent fatigue” and a consent management headache.
I think there is a better way to request, remember and manage consent for organisations and people. I’ve seen encouraging developments from different spaces that I think can help to create a better consent model.
How we got to consent
We can trace the origins of our current online consent model from the original development of “privacy acts” that consider data and the digital realm, to the more recent data protection rights and acts.
The original privacy acts were designed to address direct data capture and use by websites in the emerging digital world around the late 1980s and 1990s. Some years later, from around 2016 onwards, Data Protection acts and Rights were introduced to protect consumers and privacy acts were updated and augmented. These new acts are intended to provide protection against the data collection, processing and real time auctioning that we now might associate with Soshana Suzboff’s “Surveillance Capitalism” [ref 17]), activities that had fuelled significant global commercial markets for some time before 2016. They are also designed to enable and regulate markets that demand and supply data.
In parallel, data types such as personal health data, were recognised as needing special attention and protections by regulators and health data practitioners alike and resulted in special provisions in acts and regulations and the use of ethics committees to review the design of research programs and proposed capture and use of health data.
So we now have an abundance of privacy and data acts, regulations and rights across many jurisdictions in the world, each placing subtly different rights and duties on people and organizations depending on where they operate and what kind of data they want to collect and/or process.
What is [online] consent anyway?
Here are just 3 examples of many definitions of consent in a digital context:
- Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
GDPR, Article 4(11) [ref 16]
- The use of personal information by companies should be permitted only in those instances where consent was specific, express, and voluntary.
“Internet Giants as Quasi-Governmental Actors and the Limits of Contractual Consent”, Nancy S. Kim, D. A. Jeremy Telman, 2015, Missouri Law Review [ref 5]
- …consent given by a consumer is voluntary, express, informed, specific as to purpose, time limited and easily withdrawn.
Australian Consumer Data Right [ref 15]
There are many other definitions that are all reasonably similar. However, for my purposes, I think the Australian CDR definition provides a good combination of concepts, specifically the inclusion of “time limited” and “easily withdrawn” criteria.
What does the SSI community think?
I referred earlier to the notion of “holding” data about you that you can then share with others. I was echoing one of the tenets of Self-Sovereign Identity thinking, so I thought I’d ask the SSI community for help and ideas.
Back in October 2021 I asked for help from the attendees of the 33rd Internet Identity Workshop “IIW” (hence “IIW33”) on how we might view “consent” in the context of “self-sovereign identity” frameworks, by which I mean those built with technology such as W3C Verifiable Credentials, Decentralised Identifiers, and DIF’s DIDcomm. IIW has been, and is still, the cradle of many innovations in internet identity thinking since 2005, the transcripts of all workshops are available from the IIW website: https://internetidentityworkshop.com/
My request was a consequence of my investigations into the current “state of the art” of online consent. Since July 2021 we had been working with CSIRO (an Australian Commonwealth Research Organisation) and a local SSI (and other emerging technologies) company, Verida, looking at a prototype on the use of decentralised consent and data access management for genomic data research, This was part of the Australian “National Approach to Genomic Information Management” (NAGIM) Blueprint initiative, looking at prototypes for new concepts. As I read into the existing work, I was finding more questions than answers.
In fact, by October 2021 (when IIW33 was held), I was somewhere in the middle of a Damien Newman design squiggle (see below). I think I’m nearer the right hand side now…
My discussion with the SSI community at IIW33 built on the thinking I’d seen developed within the community and evidenced by working groups in Europe (eSSIF-LAB) and internationally (ToIP). In general terms these communities illustrate trust frameworks using diagrams like the one shown below from ToIP.
The working groups spend a lot of time discussing the roles of the actors, the nature of the data that traverses these links, and how and when the data traverses them.
My observation/realisation was that we seemed to be missing the “why”.
For example, Why is the Holder presenting a proof to the Verifier? Because they received a proof request? Why did the Holder trigger the proof request? Why did the Verifier make the proof request?
While these “whys” are sometimes partially explained by a specific use case (Alice wants to rent an apartment…), their nature is often not explored explicitly.
After some consideration, it seems to me that, before any issuing, requesting, and proving interactions, some preliminary form of exploration and bargaining has occurred. In any given instance, two parties (issuer – holder, holder – verifier, issuer – governance authority etc.) have engaged in a dialogue and reached an agreement, explicitly or implicitly. We might say that “consent”, in some form, has been agreed, a bargain has been struck, whether fair or Faustian.
Now we ‘kinda’ have consent in the design of most SSI wallets. In fact all of the SSI wallets (a half dozen or more) that I’ve used require some form of explicit consent for each wallet transaction. I’m offered a yes/no choice to accept connections, a yes/no to accept credentials and a yes/no and choice of data source(s) to respond to proof requests.
We might consider this useful, necessary even, but it is not sufficient. A key missing ingredient is that there is no evidence of the ‘why’ of the exchange, the nature of the ‘deal’ being offered and agreed to. All that stuff is outside of standard wallets. Further, these SSI wallet interactions aren’t “consents” in the normally accepted sense (see example consent definitions above).
The discussions at IIW33 introduced me to Mark Lizar and his work with the Kantara Initiative on Consent Receipts [ref 13]. This work anticipated some of the problems that I was seeing and proposed a standard “receipt” for the consent that we negotiate so that we might better understand and manage the consents that we give. While prescient, this 2018 work indicates areas of future consideration, including: consent best practice; status and revocation of consent; consent management, validation, and other aspects of consent lifecycle.
Medical data research and consent
In our work with CSIRO and the NAGIM prototypers during 2021, we were looking at if, and how, SSI could provide a better model for consent management for genomic data research.
Exploring this area led me to read into the concept of “Dynamic Consent” as it is used within medical data research. Here’s an explanation of Dynamic Consent given by Teare, Prictor, and Kaye in the introduction to their 2021 paper: “reflections on dynamic consent in biomedical research: the story so far” [ref 4]
“[Dynamic Consent] is an approach to informed consent that allows communication and engagement through a secure digital portal in ways that have not been possible before, with individuals being able to revisit and review consent decisions and preferences over time, as and when they choose. By using a digital platform, information can be presented in new ways, through video clips to reach broader and more diverse audiences, but also enabling participants to input their own information and complete online questionnaires. It is dynamic because it can be tailored to the research endeavour and the expectations of participants, as well as when consent and interactions are needed at different points along the clinical or research pathway.”
Note the expectation that the design would involve a “portal” that the subject/participant can revisit when they choose. Consent(s) in this model are held by a central system but can be managed by the participant through capabilities provided by the portal. This is similar to how the Australian CDR Open Banking implementations have so far interpreted the definition of “easily withdrawn”, the consumer (aka participant in medical research use case) needs to visit the portal(s) (organisations) they set up the consent(s) on to withdraw the consent. That doesn’t seem easy to me, certainly not if you’ve got lots of consents to manage across many organisations.
Another important initiative from the medical data research field is the “Data Use Ontology” (DUO), developed by the Global Alliance for Genomics and Health (GA4GH) [ref 12]. DUO enables medical data research consent to be encoded in “machine readable” format, so that when the consent of a patient on how their data might be used in research is encoded in DUO format it can be compared with the intent of a research program when that is encoded in DUO format, so that a match can be tested.
These concepts were combined in the development by Australian Genomics of CTRL [ref 8], one objective of which is that participants can be presented with human readable (in plain, layperson, English) medical research consent questions that can then be translated to machine readable DUO format.
Some key ingredients for better consent designs
These sources gave me some ideas on the ingredients we need for better consent designs. Including:
- Participant Consent should be directly (cryptographically) associated with control over data access, with defined rights and responsibilities and enabling decryption of data by those with a valid “consent key” that provides verified access.
- Participants should be able to actively manage granular and dynamic consent for the use of their data.
- Data Processors (for example, Medical Research Programs) should be able to prove/test/check the consent that they’ve been given to the data that they are using, and this should include the provenance of consent and the associated medical data.
- Data intermediaries (for example Research program platforms) should provide advertising, coordination, matching, and communication services
- Governance Authorities with rules, regulations and protections are needed to ensure trust and regulate the operation.
Refocusing on the medical data research field, we can represent these ingredients in a modified trust “diamond” model like the one shown below.
Some of the key elements of this design include:
- The management of consents is directly managed by the participant holder – for example through an “app” on a device or through a cloud or web based based agent – and presented in terms they understand that can be translated to “machine readable” formats.
- The holder can see all of the consents that they have currently provided including the details of what they have consented with which organisations. Extensions of this could include seeing the consents you’ve rejected, and those that are awaiting a response.
- The data and the consent are linked cryptographically, so that an organisation wishing to use the data needs a valid access key from the user’s consent to access the data. If the key (consent) is withdrawn, the data cannot be accessed.
- Research organisations (data processors) can use the verification of consent together with the provenance of source data to ensure research integrity.
Putting genuine control into the hands of the data subject or participant through decentralised technologies offers significant benefits to all parties and all sectors, from genomic data research to open-banking.
Models that scatter and silo consent across organisations and platforms, and that disassociate consent from the data it pertains to, provide a problematic, if not a broken, design approach to consent and data access control for and by users.
Using emerged and emerging open standards such as W3Cs Verifiable Credentials and Decentralised Identifiers, DIF’s DIDComm and KERI we can see how the consent to use data about someone can be better, and directly, managed by that someone, to their benefit and the benefit of organisations that want to be compliant with privacy and data protection regulations and want to be able to prove their compliance.
Personally I’d like to be able to see all the consents I’ve given on my device (or via my cloud and/or web based service agent), in language I understand, and be able to change them how I want, when I want.
What do you think?
|Ref||Title||Comments in the context of consent models…|
|1||World Economic Forum. 2020. “Redesigning Data Privacy: Reimagining Notice & Consent for human-technology interaction”, https://www.weforum.org/reports/redesigning-data-privacy-reimagining-notice-consent-for-humantechnology-interaction||Useful summary of key challenges and opportunities|
|2||Jenkins, Georgia. 2021. “An Extended Doctrine of Implied Consent – A Digital Mediator?”, https://link.springer.com/article/10.1007/s40319-021-01024-2|
|3||“FAIR Digital Objects for Science: From Data Pieces to Actionable Knowledge Units”, https://bora.uib.no/bora-xmlui/bitstream/handle/11250/2737212/publications-08-00021.pdf?sequence=2&isAllowed=y||Indirect relevance to consent models|
|4||Teare, H.J.A. Prictor, Megan. Kaye, Jane.2021: “reflections on dynamic consent in biomedical research: the story so far”, https://www.nature.com/articles/s41431-020-00771-z||Discussion on Dynamic Consent.|
|5||Kim, Nancy S. Telman, D.A.J. 2015: “Internet Giants as Quasi-Governmental Actors and the Limits of Contractual Consent”, https://scholarship.law.missouri.edu/mlr/vol80/iss3/7/||Includes a suggestion of “Specific, Express and Voluntary” as required attributes of consent.|
|6||Solove, Daniel J. 2015. “Introduction: Privacy Self-Management and the Consent Dilemma”: https://harvardlawreview.org/wp-content/uploads/pdfs/vol126_solove.pdf||Legally based and an interesting explanation of Privacy Self Management and Consent|
|7||Neil Richards and Woodrow Hartzog, “The Pathologies of Digital Consent”, 96 WASH. U. L. REV. 1461 (2019). Available at: https://openscholarship.wustl.edu/law_lawreview/vol96/iss6/11||Four key contributions:- vocabulary of pathologies of consent- ideal circumstances for consent- arguing against/explaining the privacy paradox- theory of consumer trust|
|8||Matilda A. Haas. Harriet Teare. Megan Prictor. Gabi Ceregra. Miranda E. Vidgen. David Bunker. Jane Kaye. Tiffany Boughtwood. 2020. “‘CTRL’: an online, Dynamic Consent and participant engagement platform working towards solving the complexities of consent in genomic research”, https://www.nature.com/articles/s41431-020-00782-w||Describes experience and lessons learnt in building of CTRL which uses online forms to generate DUO compliant statements about the constraints / use of the data about the patient for research.|
|9||W. Nicholson Price II, JD, PhD and I. Glenn Cohen, JD. 2019. “Privacy in the age of Medical Big Data”, https://www.nature.com/articles/s41591-018-0272-7|
|10||“Contracting Around Privacy – The (Behavioral) Law and Economics of Consent and Big Data”, https://www.jipitec.eu/issues/jipitec-8-1-2017/4529||Argues for the use of behavioural and “traditional” interventions in privacy law.|
|11||MEF Whitepaper: Understanding Digital Consent, 2017 (I think), https://mobileecosystemforum.com/programmes/personal-data/whitepaper-understanding-digital-consent/||“Mobile Ecosystem Forum” – provides a historic and global overview and advice to businesses on consent with a specific focus on data. Includes an observation on page 11 that “[a]s of 2017, there is clearly no consensus on ‘good’ consent.” Not sure things are any better in 2022! There are somewhat dated and misleading references to blockchain and DLT (see Evernym reference on page 19)|
|12||DUO – the Data Use Ontology – the essentialshttps://github.com/EBISPOT/DUO||The (GA4GH) Data Use Ontology (DUO) includes terms describing data use conditions, particularly for research data in the health/clinical/biomedical domain.|
|13||Kantara Initiative: Consent Receipt Specification: https://kantarainitiative.org/download/7902||The Kantara initiative’s 2018 technical specification recommendation for Consent Receipt. Aims to specify a standard for consent receipt records that enable individuals, and organisations, to better understand and manage what has been consented to.|
Indicates areas of future consideration as including: consent best practice; status and revocation of consent; and consent management, validation, and other aspects of its lifecycle.
|14||ELECTRONIC CONTRACTS AND THE ILLUSION OF CONSENTBy Brett Frischmann, February 19, 2019:http://cyberlaw.stanford.edu/blog/2019/02/electronic-contracts-and-illusion-consent||Explores the reality of the clicking-to-consent, how this isn’t just about privacy (although that is important), and how we might better consider this as clicking-to-contract|
|15||Australian Consumer Data Right:|
Consumer Page: https://www.cdr.gov.au/ Explanation of legislation and rules: https://www.oaic.gov.au/consumer-data-right/cdr-legislation
|Government source pages for the Consumer Data Right, both consumer oriented information, and the legislation and regulations that underpin CDR.|
|16||General Data Protection Regulation, https://eur-lex.europa.eu/eli/reg/2016/679/2016-05-04||Official but readable transcript of GDPR (there are several sites offering easier navigation)|
|17||Shoshana Zuboff, The Age of Surveillance Capitalism, 2018. https://shoshanazuboff.com/book/about/||A must read. An example review:|
“An intensively researched, engagingly written chronicle of surveillance capitalism’s origins and its deleterious prospects for our society.… This is the rare book that we should trust to lead us down the long hard road of understanding.”Jacob Silverman, New York Times Book Review