[WG-UMA] UMA Legal Sub group Notes - Mon May 12

Mark Lizar mark at smartspecies.com
Wed Jul 14 18:23:54 EDT 2010

Only two of us were on the call: Aaron Titus and myself.

A great discussion between Aaron and myself emerged and I was happy to  
have a chance to talk to Aaron about UMA.   Here are some notes that  
were captured; there were a lot of good points that didn't make the notes.


Aaron asked me to explain a bit more about UMA, I gave a brief intro  
of an authorising user, access manager and host that works with the  
OAuth 2.0.   I

I brought up the idea of user driven policy and User Managed Access.  
The idea that individuals will have a say in setting the access policy  
to information.

Aaron talked about the disconnect between what privacy policies cover  
and what the user wants from a policy.
E.g.  what type of an impact is this policy going to have on my  
ability to make purchases, reputation?

(Note: Interesting to discuss metrics users may want to see for making  
policy decisions around access)

Discussed how it is unclear what the future impact of information  
sharing is, we are all still waiting to see what access management  
issues  occur. E.g. how will policies change when your Mom joins  

I ask Aaron if he thought User driven Policy would need to constantly  

Aaron explained some of what he has learned from his experience with  

Explaining that Privacy Policy must be complex, you do need a lawyer  
readable version, (corporations do have a lot to deal with), on the  
other hand, policy needs to be easy to use (example of telephone as  
an easy to use complex network), which is why Aaron supports the  
Creative Commons approach to policy.

Aaron explained that the creative commons approach is useful and may  
be relevant in this context.

I explained my interest in policy for User Managed Access and the use  
of a Standard Agreement with use of UMA.

Aaron explains that he went down the path of a standard agreement and  
ran into some roadblocks and that standard agreements were of limited  

He spent a lot of time on this with Privacy Commons and has never seen  
a standard agreement that actually works.
This he says is due to every business being unique and taking into  
consideration the needs of a corporation for every transaction or  
industry may be extremely difficult.

Although there may be standard activities which he has also spent some  
time reviewing
- privacy consideration by industries e.g. health

We discussed enforcement of user driven policy.  Aaron mentions the  
recent FTC roundtables and the FTC favouring the angle that unfair and  
deceptive practices (TOSA, PP), along with plain old contract law, is an  
effective enforcement perspective and perhaps the most appropriate  
legal regime for privacy policy and enforcement in the US.  Aaron  
explained that it's better looked at as the perceived least worst  

Aaron explained that  regulation may not be addressing what users want  
to know when giving access to information.

Discussed transaction costs to user and the cost of tailored policy to  
the enterprise.  Discussed the issues and transaction costs of  
negotiating and renegotiating consent. e.g. when information was paper  
based there was a high transaction cost to disturbing privacy.  Today  
this is significantly lower and agrees that we need a low transaction  
cost solution for these issues.  Negotiating consent online has a high  
transaction cost online.

Discussed transaction costs and risks in the UMA legal scenario with  
TripIt to iCal to Flickr sharing scenario.

This inspired Aaron to bring up the CFC on a draft White House  
strategy for an identity ecosystem:   National Strategy for Trusted  
Identities in Cyberspace which may be of interest to some people on  
the list. I do think it is relevant to UMA. Especially the Summary of  
Identity Ecosystem Characteristics section.

In the end I think it was a great UMA discussion :-)

- Mark
