decentralized-identity / presentation-exchange

Specification that codifies an inter-related pair of data formats for defining proof presentations (Presentation Definition) and subsequent proof submissions (Presentation Submission)
https://identity.foundation/presentation-exchange
Apache License 2.0

Inadequate explanation of purpose property #307

Closed JanLin closed 2 years ago

JanLin commented 2 years ago

The "purpose" property as described in the latest draft may be included to explain the presentation definition inputs being requested. From a privacy perspective (GDPR) the level of transparency is not sufficient, and more work is needed to explain the privacy considerations if that was the intent of having a "purpose" property. A new work item, data agreement, is being started that will work on adding clarity to the notice given to an individual when requesting to process personal data.

To put the data agreement in context, the core profile stack should reflect that a new layer 3/4 for "data agreement" will be introduced, which the presentation exchange can bind to at a future point. Included is a diagram, shown at the recent DIFConn F2F, of what the binding can look like. Note that the attributes will be bound by ID, which is not shown in the diagram.

Thank you for your consideration of this issue.

Recommending an additional paragraph to the explanation of the property:

"Note: guidance in the usage of purpose will be expanded in a future release of presentation exchange in order to satisfy privacy requirements for full transparency by a verifier on the processing of personal data."

bumblefudge commented 2 years ago

I think the key here is figuring out how purpose can point to an external object (ideally a machine-readable, versioned, collectively-governed ontology, etc) that can offer some guidance in how to parse additional VCs sent in the same interaction. What kind of URL or binding is a complex topic, but I don't think anyone ever thought a single undefined string would cover this, just cover a way to cover this :D See also this PR for some back-history

David-Chadwick commented 2 years ago

@bumblefudge My understanding of purpose is that this is a string that is meant to be displayed to the wallet user to tell the user the RP's purpose for requesting this VC e.g. We need your credit card details for the payment, or, We need your address to prove your residency etc. So I don't understand how pointing to an external object containing an ontology will actually help the user in deciding which VC to choose.

@JanLin I don't understand the privacy implications of the RP sending this string to the user. The RP is not revealing any PII of the user in this string. The RP probably does not know who the user is at this point in time. Whilst it is true that the RP is requesting PII from the user, the purpose property is telling the user what the purpose of the requested PII is, which seems to be in conformance to GDPR.

JanLin commented 2 years ago

Good questions and comments. Consent and privacy transparency are more than displaying purpose. I can list a number of pieces of information that should be included, for example how long the data is going to be kept, where it is kept, whether any of the attributes are sensitive in nature, etc. We plan, in the "data agreement" working group, to list the requirements motivating expansion beyond simply purpose. We can have a joint call between the presentation exchange working group and data agreement if it helps clarify, or eventually we will have more documentation to point at.

JanLin commented 2 years ago

Here is a proposed change to the text discussed in the data agreement working group. Please consider for inclusion. The roadmap statement is optional.

Current text

purpose - The Presentation Definition MAY contain a purpose property. If present, its value MUST be a string that describes the purpose for which the Presentation Definition's inputs are being requested.

NEW Proposed text

purpose - The Presentation Definition MAY contain a purpose property. If present, its value MUST be a string that describes the purpose for which the Presentation Definition's inputs are being used. Including purpose is not consent; it is only informative to the user.

In certain regulatory jurisdictions the usage of the purpose field may be in conflict with privacy regulatory requirements. The field should not be included if prior data sharing agreements are not in place for transferring personal data using presentation exchange.

Roadmap: The DIF Claims & Credentials data agreement work group is developing an addition for privacy regulation compliance (GDPR, CCPA, other) and a method for creating immutable consent records (data agreements) for using personal data.
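One way a wallet could apply the "MUST be a string" rule from the text above and treat the value as informative rather than as consent, as an added example that is not part of this thread or the presentation-exchange spec (the per-input-descriptor `purpose` and the control-character check are assumptions of this example):

```python
"""Added example, not from the presentation-exchange spec or this issue:
a wallet-side check of the `purpose` property before it is shown to the user.
The spec text quoted above only says `purpose` MAY be present and MUST then
be a string; checking `purpose` inside each input descriptor and rejecting
control characters are assumptions made here."""
import unicodedata

# Constructed sample Presentation Definition (not taken from the thread).
SAMPLE_PD = {
    "id": "example-pd-1",
    "purpose": "We need your address to prove your residency.",
    "input_descriptors": [
        {"id": "address", "purpose": "Proof of residency"},
        {"id": "card"},  # no purpose at all is allowed (MAY)
    ],
}


def _check_string(value, where, errors, notices):
    """Enforce 'if present, MUST be a string' and collect displayable text."""
    if value is None:
        return
    if not isinstance(value, str):
        errors.append(f"{where}: purpose must be a string, got {type(value).__name__}")
        return
    # Assumption: refuse control characters so a relying party cannot inject
    # line breaks or terminal escapes into the wallet's consent screen.
    if any(unicodedata.category(ch).startswith("C") for ch in value):
        errors.append(f"{where}: purpose contains control characters")
        return
    notices.append((where, value))


def validate_purpose(pd):
    """Return (errors, notices). Notices are informative strings to display;
    they are not consent and record no agreement on their own."""
    errors, notices = [], []
    _check_string(pd.get("purpose"), "presentation_definition", errors, notices)
    for desc in pd.get("input_descriptors", []):
        where = f"input_descriptor[{desc.get('id')}]"
        _check_string(desc.get("purpose"), where, errors, notices)
    return errors, notices
```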

dtmcg commented 2 years ago

link https://github.com/decentralized-identity/presentation-exchange/pull/325

nklomp commented 2 years ago

This issue can be closed given #325 has been merged right?