Trust Frameworks and Other Fundamentals (1J)

Session Topic: Trust Frameworks and Other Fundamentals (T1J)

Convener: Scott David

Notes-taker(s): Chad Grant

Tags for the session - technology discussed/ideas considered: 

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

A trust framework is based on the need for voluntary agreements among relying parties, a data subject, and an identity provider (IdP). The challenge is how to achieve this at a scale as large as the Internet. Two examples were given:

1. Scenario one included a state's DMV as the IdP, a citizen as the data subject, and a bar as the relying party that authorizes an individual to drink at a certain age.

2. Scenario two was related to the credit card system with the banking industry as the IdP, the consumer as the data subject, and the retailers as the relying parties.

Both scenarios need to have a degree of accepted trust amongst participants.

It was highlighted that the goal is to make the trust framework interoperable, but it must be done incrementally by starting small. These arrangements may consist of contracts between parties, an SLA, or various other options.

Several questions were asked during the session, including:
 * What is the role of the auditor and who is watching the watchers?
 * How does a framework become enforceable?

These questions led to a discussion on privacy and how terms and conditions are generally in favor of the company because of the desired benefit of the service.

It was brought to the group's attention that a newly formed group, Customer Commons, is going to look at ways to provide ratings for trust frameworks. This model would be based on the way Consumer Reports gives industry and product analysis. The website should be up in approximately a week.

Questions left to consider from the discussion:

1. What would a trust framework look like from the perspective of the data subject (citizen, consumer, etc.)?

2. In relation to terms and conditions, are citizens competent enough to make educated decisions on the services that collect data about them?

Quote of the session: "trust algorithms, not people"