Versions Compared

Old Version 95

changes.mady.by.user Eve Maler

Saved on

compared with

New Version 96

changes.mady.by.user Eve Maler

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

2017-04-21

  • Reviewing draft deliverable #2

Attending: Eve, Tim, John, Mark

Tim's insight around identifying the "harms" to the parties in the #2 exercise helped guide the development of the draft deliverables we're looking at today. John opines that this view elides the "rights" basis for privacy breaches because it's property-based. Well, this is the question. What can we effectively achieve with our clauses and other tools? If agreements/contracts are the basis for what can be achieved between/among a resource owner and other parties, what are all the choices for legal theories? Tim is proposing a licensing basis. (We discussed this back in 2017-04-15 and seemed to reject this, but what are other alternatives?) There is a governance function and also an economic function.

Looking at Sec 2.1 of the EDPS opinion on digital content, John points to some commentary on the VRM list where someone was troubled by the "market for personal data". The point they were making was that someone could agree to selling organs (or their body into slavery or whatever), but this shouldn't perhaps be possible with selling data. We in UMA take a different, more empowered/powerful, position.

Tim's Chart 1 is more of a windup to chart 2, and he will supply more explanatory text for it. The "Communicative Behavior" column means how the requirements for Value, Meaning, and Information are conveyed/communicated, e.g., trust frameworks, regulations, configuration documents, API documentation, etc.

Both are about the relationships formed, and are explicitly not about "data ownership". Chart 2 is the "money chart".

So can we state the following?

  • The data subject has rights over the information about them.
    • True as part of the Universal Declaration of Human Rights.
    • Different jurisdictions ensconce this right to different degrees in law/regulation or not.
    • True of information even prior to its being digitized.
  • The data controller and the data processor have property rights related to records containing a data subject's information.
    • The records could be in digital form or not.
  • The formal "interface" (communicative behavior) defined between data controllers, data processors, and data subjects is regulations.
  • UMA has the potential to enable data subjects ("resource subjects") and their proxies (resource owners), or even data subjects on their own, to consent to data ("resource") access by third parties ("requesting parties") in such a way that the third party is a data processor.
    • We believe the regulations are currently blind to:
      • The proxying opportunity in UMA
      • The potential ability for UMA to distinguish between granting access to someone who fills the role of a "data processor" vs. "another data controller"
    • UMA only has soft technical constraints (the "Adrian clause") around jurisdictional nonfunctional requirements for things like data localization.
      • The potential extension for "cascading authorization servers" would provide a potential hard technical solution.
      • We have the potential for providing legal toolkits that give legal solutions that may suffice.

Do we need a Resource Regulator role?

If you're interested, there is a SAMHSA Consent2Share webinar on April 25 at 3:30pm ET. Registration link is here.

2017-03-24

...