Consent vs. Authorization: what’s the diff?


  • 1. Consent vs. Authorization: what’s the diff?

Steve Venema

I was recently considering the differences between the terms Authorization and Consent in our digital data interactions: are these terms really distinct or are they synonymous at some level?

Consent is often used in the context of granting permission to some online entity to collect, use, and/or share data about a user – cookie banners, EULA terms, etc. It is also used in, for example, medical settings, where a patient consents to some treatment or procedure. In short, it seems consent is about giving permission to some entity to perform some digital or physical action that is otherwise prohibited by law, regulation or ethical considerations.

Authorization, on the other hand, is often used in the context of giving permission to some party to access or act on a particular digital resource or interface. For example, we define authorization policies that encode permissions for certain subjects to perform particular actions on particular resources. This allows access decisions to be made consistent with those policies. For example, I may be authorized to read but not modify a particular digital document, or I may be authorized to access my employer’s office building only on weekdays.

Both Consent and Authorization seem to revolve around the concept of permission. So are they in fact really the same thing? I think the answer is a qualified “yes”: under the covers, both require some sort of permission check but the linguistic usage of the two terms is somewhat different. That said, the linguistic usages are inconsistent. For example, I might say, “I consent to medical treatment”. But I could just as validly say that “I authorize medical treatment”. No difference really.

What do you think?


Steve Venema
Distinguished Engineer
ForgeRock


1 Like
  • 2. RE: Consent vs. Authorization: what’s the diff?

Very succinctly put! Well done!


Lori Goldman
ForgeRock


1 Like
  • 3. RE: Consent vs. Authorization: what’s the diff?

Eve Maler

The healthcare example is really good. In that world, there is also the notion of “consent directives”, which remind me of nothing more than authorization policies, since they’re not simple opt-in/opt-outs. 🙂

Once upon a time, I put out a paper that mused on the wider thesaurus-ish space that these words inhabit. “The ordinary word consent has several senses: the capture of fully considered and empowered permission (with a synonym of authorization); or of harmonious approval (agreement); or of passive assent (acquiescence).” So there’s something of an empowerment continuum. More here.

Interestingly, “consent” has a bunch of legal definitions, not all perfectly aligned with each other, because of data protection/data privacy laws and regulations. I don’t know if authorization has any similar legal structures. Anyone?

But there is a common thread running through those definitions. Since we’ve had a book bundle post recently, I’ll flesh this thought out with a book recommendation! Consentability: Consent and Its Limits


Eve Maler
CTO, ForgeRock


1 Like