Consent based usage control

How does this project fit into your broader strategy?

IDSA focuses on data sovereignty/ ownership. FarmStack wants to build software on top of the trusted connector and make use of the technology in the agriculture sector enabling farmers to control their data. This aligns with the government policies as well as DG’s broader vision.

Team

Project owner: @Vineet Singh 

Team members: @Razak K M @Gerd Brost (Unlicensed) @Michael Lux (Unlicensed) 

Status

IN PROGRESS

Problem Space

Problem statement:

How we may enable farmers to assert control on their data?

Farmers, specially small holder have to make multiple decisions that affects their livelihood directly. With agriculture tech ecosystem getting more focus, the importance of data is increasingly becoming important in aiding the decision making process. The data typically involves sensitive information and also transaction information which can’t be shared without consent from the farmers.

Impact of this problem:

Sharing this information unlocks potential of new services for the farmers as well as ecosystem actors as they can bundle services together leading to better experience of the farmers.

How do we judge success?

  1. Farmers consent to share their information maintained by one org to another to get a service they find useful

  2. Some percentage of farmers avail the service and find it beneficial

  3. Farmers are able to understand the value of their data and are willing to participate even more in future

  4. Org maintaining data and providing service see value with improved farmer satisfaction

What are possible solutions?

There are two broad ways to solve this problem:

  1. Each application provider publishes the data back to the farmers who maintain the data in some data wallet and share it at their own convenience

  2. Today most of the applications ask permissions to capture information of the farmers at the time of onboarding. The farmers, in the same way can give consent to share the data captured to avail some services beyond what is provided by the application. The consent can be a token that is collected against the user. The data itself is not maintained by the farmers but in stead they control with whom and for what it is shared.

Validation

Policy level signals/ insights:

  1. Globally, GDPR is being seen as a reference document and GDPR focuses heavily on consent and restricting purpose, time, storage etc.

  2. Government of India has already come up with a consent framework, here are some resources:

    1. Presentation: Data Empowerment & Protection Architecture (DEPA)

    2. They are already working on integrating a confidential compute with the consent framework

    3. Agriculture and Healthcare are the focus area with adoption in banking sector already setting precedence

    4. A pilot is being proposed in the state of Karnataka that takes consents from the farmers

Do farmers want it?

  1. Farmers are sensitive about some information: here is one news report and DG has seen that the farmers are sensitive about landholding size/ earning as opposed to crop grown.

  2. Farmers need to see tangible benefit. Data is as good as the benefit it can create for farmers - privacy takes backseat.

  3. Farmers like most users are not aware of how their data is being used and don’t like connecting to service that is irrelevant

Further questions

  1. User side:

    1. How do we get informed consent? - possibly use visual cues to explain not the terms but purpose

    2. Do we need to raise awareness for enforcing control over data? - not initially, rather we capture how willing are farmers to control their data

    3. How do the farmers and/or organisations get value ? - please see the use cases here

  2. Backend tech:

    1. What does consent look like? - we use consent artefact as defined in DEPA architecture adopted by Government of India, it defines issuer, collector, requester and signature.

    2. How does consent relate to usage control? consent is a token in DEPA used primarily for verifying issuer, collector, data provider and consumer. It also has a section called purpose and access type. The purpose is just a text now which can become the application hash or a list of orgs where it can be shared. If the farmer details are in a row, each row will refer to a consent and the data transfer will happen as per the consent provided.

    3. Is the usage control imposed on provider or consumer or both? - stage 1: enforce on provider to whom and how data can be shared, stage 2: enforce on provider what part of data can be shared and stage 3: enforce on provider what part of data can be shared to whom and what the consumer can do.

Further reading

Consent use case

Requirement formulation

Additional resources

Depa book:

 

 

Related pages