[WG-UMA] Notes from UMA legal subgroup telecon 2015-10-02

Eve Maler eve at xmlgrrl.com
Fri Oct 2 11:04:07 CDT 2015

Check on AI status:
- [DONE <https://github.com/KantaraInitiative/wg-uma/wiki/UMA-Legal:-Business-Models>] Business model wiki page
- [DONE <https://github.com/KantaraInitiative/wg-uma/wiki/UMA-Legal:-Examples-of-Terms-and-Conditions-for-Acquiring-Social-IdP-OAuth-Client-Credentials>] Collection of sources of contract terms for getting OAuth client credentials
Jon: Thoughts on IoT liability tensions
Determine roughly what our outputs should look like
Develop a list of unknowns without which we can’t finish our work
- How to prioritize the rest of the work?
- Gather which unknowns? Who?
- Examine/analyze OAuth contract terms? Who?
- Examine/analyze existing Binding Obligations? Who?
What are our key milestones in the final three months?
Attending: Eve, Jon, Jeff, Adrian, Steve, Jim, Thomas, Scott, Dazza

Steve Greenberg is a new UMAnitarian. He was in the technical game long ago, an LDAPer, an AOL employee, then into consent management (most recently at Privo doing delegated consent for parents — COPPA stuff).

Jim notes that “A legal document - whether policy, consent or otherwise - is always ‘ours’ in the sense that it belongs to and binds both parties. The problem is friction means that in practice it is more or less owned by one party. Goal should be to reduce and eliminate friction - which is to say to start a process of transparency.” So, in talking about Alice choosing “her own AS”, we should be aware that, while technically she does choose, in practice some business models disempower her more than others. Famously, most people don’t read the privacy policy, even though they’re bound by it. There are often clauses in a contract that are there because you’re afraid to take them out. (There are 1M lawyers in the US!)

Real standards have the advantage of eliminating much of the friction and imbalance. This is where our work can come in. Jim advocates modularity here, in the model of open-source with forking and agile methods and iteration and so on. It’s how you can “get to something like yes” on exceedingly complex matters efficiently and quickly. Committees (people!) don’t help. An operating document that works today, for now, is what’s needed. This sounds like a “good enough for now” principle, with versioning to allow change later. In law, the "operative thing” would be, say, a privacy policy; that’s the “object” that has to be tracked and versioned.

Jon speaks in favor of giving the parties on both sides “something to work with”, which speeds the process. It’s not just about machine readability. And it’s not even just about “empowering Alice”. Adrian brings up Bitcoin as an example of how to enable dynamicism in a “free love” way. Scott speaks in favor of modularity as a cause and an engine. The commodities market runs on it; so we could coax a market into being and stabilization. Business people who don’t care about code will find these examples resonating. Steve mentions Creative Commons as well.

With lots of unknowns in this data market, let’s stabilize it.

For a long time, Eve has talked about Alice’s disempowerment in terms of human-vs-company and client-vs-browser — and also “contract of adhesion”. But apparently the latter is too strong a statement in legal terms. It’s more like she’s just following the crowd and that’s a constraint and compulsion. We’re seeing that business model #2 starts to be one end of a continuum that ends in #3, if we can more fully empower Alice to “choose her AS” through contract and enable more dynamic business relationships through our work here.

In notice and consent, there has always been a feeling of “take it or leave it”. Eve’s hope in the original Binding Obs work was to turn Alice’s enforceable service terms in using a website and sharing her PII with it into Bob’s enforceable service terms for accessing her stuff. Jim notes: Pragmatically, a good way to get the dynamic of codification going would be to list the kinds of documents that are currently used, find a couple of examples of each, do outlines for each of them, and begin to populate. Scott advocates leveraging selfish interest.

RO-RqP: The use cases tend to be “delegation”, “share”, “give access to”, “purpose of use”, “meaningful use”… (Scott warns to be careful to distinguish “assignment of rights in the delegation of duties” / “assignment of rights and duties”).

RS-AS: Jim: From the perspective of the merchant, regulatory compliance is a concern. A modular approach to text can take much of the burden off of them, because it can be shared and scrutinized in a general context instead of them having to wing it. This is where a lot of regulations seem to come in - healthcare, merchant, etc., where modularity could help - an IoT hardware vendor may insist on “owning” the data and where it goes (?) - maybe also just web apps, as in Ashley Madison (RTBF)? Example terms: http://my.commonaccord.org/index.php?action=source&file=D/Fridge/MyFridge_GerryGrape_NDA.md

Jon notes that connected cars are most difficult, but with wearables, there are questions about communications between devices and the (e.g.) “house fog” (a house cloud — this is a Cisco term: http://www.cisco.com/web/solutions/trends/iot/fog-computing.html). Would the controls over it be UMA controls? Adrian has a great example <https://dl.dropboxusercontent.com/u/8909568/MMS%20May%207%20AG.pdf> of ICD data communications using the “house fog” model.

Dazza observes that there’s a localization of control — there’s still a question of who owns and controls the systems, all the way up. Buying a disconnected fridge and taking it home means you can do whatever you want to it. But in Europe, there are “moral rights” that still connect the creator of the thing to the thing — the shoemaker to the shoes, the painter to the painting (“preference for restraint on alienation” <https://en.wikipedia.org/wiki/Restraint_on_alienation>, or something like that?). With IoT, it’s thus like inviting hackers into one’s living room because of the net connection!

RO-AS: What contract terms might be relevant here?

Jim: Could we make a list of docs that we think Alice is confronted with in the course of a year or two of banging around in this field?

If UMA is about the human being at the center, and we’re focusing on zones that are private (looking at Anglo-American law), and the body, home, and car are places that are particularly relevant for privacy, and there is real market demand for privacy…

Scott: In the US, the Fourth Amendment protects one on one’s home. Bringing a sensor into the home is inviting an intruder into “information space”/cyberspace/Internet space, which is a new important kind of space alongside physical space. We don’t yet have rules for this; UMA enables having rules for that new space. He recommends treating this as privatized space: like putting a sign up that says “This is the private property of X”.

Next steps: Everyone please contribute “mile-wide, inch-deep” examples of contract terms across all three meta-use cases — at least one of each kind — for next week.

Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl at gmail.com
