[WG-UMA] UMA Legal Sub group Notes - Mon May 12
mark at smartspecies.com
Wed Jul 14 18:23:54 EDT 2010
Only two of us were on the call: Aaron Titus and myself.
A great discussion between Aaron and myself emerged and I was happy to
have a chance to talk to Aaron about UMA. Here are some notes that
were captured; there were a lot of good points that didn't make the notes.
Aaron asked me to explain a bit more about UMA; I gave a brief intro
of an authorising user, access manager and host that works with the
OAuth 2.0. I
I brought up the idea of user driven policy and User Managed Access.
The idea that individuals will have a say in setting the access policy
Aaron talked about the disconnect between what privacy policies cover
and what the user wants from a policy.
E.g. what type of an impact is this policy going to have on my
ability to make purchases, reputation?
(Note: Interesting to discuss metrics users may want to see for making
policy decisions around access)
Discussed how it is unclear what the future impact of information
sharing is; we are all still waiting to see what access management
issues occur. E.g. how will policies change when your Mom joins
I asked Aaron if he thought user driven policy would need to constantly
Aaron explained some of what he has learned from his experience with
readable version, (corporations do have a lot to deal with), on the
other hand policy needs to be easy to use. (example of telephone as
an easy to use complex network) Which is why Aaron supports the
Creative Commons approach to policy.
Aaron explained that the Creative Commons approach is useful and may
be relevant in this context.
I explained my interest in policy for User Managed Access and the use
of a Standard Agreement with use of UMA.
Aaron explains that he went down the path of a standard agreement and
ran into some roadblocks and that standard agreements were of limited
He spent a lot of time on this with Privacy Commons and has never seen
a standard agreement that actually works.
This he says is due to every business being unique and taking into
consideration the needs of a corporation for every transaction or
industry may be extremely difficult.
Although there may be standard activities which he has also spent some
- privacy consideration by industries e.g. health
We discussed enforcement of user driven policy. Aaron mentions the
recent FTC roundtables and the FTC favouring the angle that unfair and
deceptive practices (TOSA, PP), along with plain old contract law is an
effective enforcement perspective and perhaps the most appropriate
explained that it's better looked at as the perceived least worst
Aaron explained that regulation may not be addressing what users want
to know when giving access to information.
Discussed transaction costs to user and the cost of tailored policy to
the enterprise. Discussed the issues and transaction costs of
negotiating and renegotiating consent, e.g. when information was paper
based there was a high transaction cost to disturbing privacy. Today
this is significantly lower and agrees that we need a low transaction
cost solution for these issues. Negotiating consent online has a high
transaction cost online.
Discussed transaction costs and risks in the UMA legal scenario with
TripIt to iCal to Flickr sharing scenario.
This inspired Aaron to bring up the CFC on a Draft White House
strategy for an identity ecosystem. National Strategy for Trusted
Identities in Cyberspace which may be of interest to some people on
the list. I do think it is relevant to UMA, especially the Summary of
Identity Ecosystem Characteristics section.
In the end I think it was a great UMA discussion :-)