
2017-05-26

  • Reviewing deliverable #2

Attending: Eve, JohnW, Kathleen, Tim, Andrew, Scott D, Mark L

Eve shared the experience of presenting to the Cloud, Big Data, and AI legal conference on May 23. She got to try out the elevator pitch for our nascent legal framework and the rest of the work. She'll point to the PDF of her slides when available.

The first key element of this deliverable, as discussed previously, is the conceptual orange/blue chart. Communications are required in an electronic protocol context. The Communication/Autonomy nexus includes Consent(Autonomy/Law), Sharing(Autonomy/Commerce), and Protocols(Autonomy/Communication).

Scott notes: "Consciousness" as part of this might sound "frilly", but as part of law it's actually not – it's a "meeting of the minds", so it's fundamental to contract formation. There are famous cases every law student learns regarding this concept. John comments, channelling Doc regarding contracts of adhesion: How does this play in? The problem of the human mind and questions of human authority are fundamental. We ultimately have to map UMA to law. Eve: Going by the matrix, this looks like Consent (Law/Autonomy), Access Authorization (Law/Reciprocity), License (Law/Objectivity).

Reciprocity supports enforceability of transactions.

How do we get to a grant of access rights? UMA's permission tokens are an anchor. The word "delegation" doesn't quite make sense from a legal perspective. Kathleen observes that DRM is a technology that is literally used to effect access licensing already.

Is it possible to get to the point of breaking the law by accessing some digital resource? Who controls the access relationship? Any requirement for consent is a basis for the authority we are looking to ensconce. So the various regulations that strengthen consent requirements, such as PIPEDA, GDPR, PSD2, and others (such as "patient right of access", which is an "economic clout-oriented" strength, as Kathleen points out), strengthen our ability to make these connections. Eve thinks FIPPs is too "soft power", in that it needs to be operationalized through other regulatory structures.

(Eve reminds us all to focus on the "hard power" we have, which is to develop the framework and toolkits to influence those actually deploying services. Our "soft power" to influence policymakers to make law and regulation is to be done only through the framework level as interesting written material, and through other means. That's why we don't have a Resource Regulator role formally.)

Scott remarks that "consent" is sort of a legacy system that isn't fit for purpose, but is well understood. He also notes that the word "control" is a difficult one; a "co-management regime" over digital resources is a more realistic way of seeing the challenge.

Kathleen points out that consumers have the power to fill their profiles with false information; she calls it discombobulation. Eve points to The Economics of Privacy, which provides evidence that savvy consumers can manipulate businesses/organizations, and that greater data sharing can benefit (e.g.) patients.

Eve agrees about stepping back two steps from "data ownership": from "own", and again from "control", to "management". Also from "data" to "(digital) resource" (because sometimes the data is very transient, e.g. provided through a streaming API). Scott adds that a person's relationship to a thing should really be a relationship to another person vis-à-vis the thing.

Eve wonders if we can publish a Talmudic-style commentary version of deliverable #2 (or turn all the deliverables into eventual WG deliverables, or whatever) for benefit of the wider audience we're going for. Scott notes that the UCC Commentary provides a potential model; it's citable. Mark notes that trade associations are trying to figure out how to develop codes of conduct that are GDPR-conforming.

Eve points to A Typology of Privacy, and specifically its typology of the objects of the rights to privacy, as great additional commentary that could extend our analysis of Communication; it puts "mediated communication" under the "semi-privacy zone" (which came from Westin's work).

John points further to the NIST Privacy Engineering work; see page 17. Similar to the security concept of CIA, it proposes "predictability, manageability, and disassociability".

Regarding the opportunities to combine forces and possibly have a KI-wide Legal WG that at least encompasses the scope of the current UMA Legal and CIS legal-related work: There's consent receipt lifecycles, User Submitted Terms as ready-made licensing terms, a CR version of the orange/blue matrix?, and possibly more. Eve noted that the current UMA Legal mission is very much like a charter.

The French court had said it was a derogation of human rights to give too-broad permission. (And GDPR has now ensconced a requirement to give a specific purpose of use!) So Scott had suggested at the legal conference that maybe it could be possible to delegate to a fiduciary layer some broad ability to manage permissions, and then that layer could give more reliability around this. This was the point at which Eve leaned over and whispered, "Like an authorization server?" (Or the authorization server operator, to be precise.) The theory Eve has had is that a Resource Owner (Grantor as was) and Authorization Server Operator should be able to negotiate the former delegating to the latter the ability not just to execute the former's protection policies, but to set policies on their behalf, e.g. setting default policies. This is a real use case that has come up in HEART, and we have even defined one of the profiles to account for this. Tim says this is where the word "agent" comes in, so it should be covered.

Next steps: Everyone to review the document as sent in email by next week for deliverable #3 purposes.

AI: Eve: Review deliverable #2 for copy-editing/Kantara approval purposes ASAP.

2017-05-12

  • Reviewing draft deliverable #2 – which is now a proposal paper!

Attending: Eve, JimH, Tim, Adrian, JohnW

  • Reviewing draft deliverable #2
  • "Resource Regulator" role