[WG-UMA] Notes from UMA legal subgroup telecon 2015-10-16

Eve Maler eve at xmlgrrl.com
Fri Oct 16 11:04:22 CDT 2015

Fri Oct 16 8-9am PT
Voice: Skype: +99051000000481 or US +1-805-309-2350 (international dial-in lines <https://www.turbobridge.com/join.html>), room code 178-2540#
Screen sharing: http://join.me/findthomas <http://join.me/findthomas> - NOTE: IGNORE the join.me <http://join.me/> dial-in line shown here in favor of the dial-in info above (Kantara "line C" and the Skype line)
UMA calendar: http://kantarainitiative.org/confluence/display/uma/Calendar <http://kantarainitiative.org/confluence/display/uma/Calendar>
Report from the APAC-friendly UMA sync discussion <https://groups.google.com/forum/#!topic/kantara-initiative-uma-wg/1vA-frUlovk>
Take a look at the latest CommonAccord artifacts and progress
What are the appropriate next steps and timeline? What artifacts will give concrete assistance to UMA deployers in 2015?
Anything worth retaining/saving from Binding Obs? Should we sunset it?
Attending: Eve, Steve, Ann, Domenico, Andrew, Jon, Tom, Dazza, Jim, Adrian, Tim, Paul, David

David Maisenberg is a nonpracticing attorney who works with startups and law firms - "UMA is the solution" to many things he’s working on.

In discussing some of the challenges of multi-AS environments that are specific to access control propositions (e.g., might Alice want to control whether the RqP is allowed to share her resource further? might the answer want to turn on which AS the RqP has chosen?), Adrian points out that this is related to 42CFR Part 2 regulations. This relates to substance abuse/mental health data. You can ask a patient to consent generically to release; you have to list explicitly who will see it, and come back to the patient if you want to share it beyond that circle. And data must be tagged with that specific type of sensitivity, and be redacted to the point of obscuring whether it ever existed if it wasn’t consented to be shared. What if Alice were in jurisdiction A and Bob were in jurisdiction B?

CommonAccord could handle multi-jurisdiction challenges. We would try to cover as much of the jurisdictional differences as we can ahead of time, but it may be an 80/20 approach. “Lawyers are there for error correction” — could be before or after the fact. Text could be tweaked as further deltas are identified.

Could the rule set text call out to the relevant laws/rules by reference? “These rules are subject to the laws of the state of MD” or whatever. There are limits to this approach.

What would be productive to work on: UMA-specific model text, non-specific text, both? Could be both. If we could throw together some candidate “stacks” (the “legal stack” and “technology stack” concepts of CommonAccord) and try them out, that would be valuable. Jim’s candidate UMA text was just thrown together — don’t take it too seriously!

Model forms would also be hugely useful. GA4GH has a lot of similar problems.

Finally, at a granular level, what would the layers of consents, resource exchange, etc. be? This sounds like it’s about “semantic interop”. Jim sez: it’s “technical emojis”. :-) Each community of interest might have different sets of these.

So, three tasks: stacks, clauses, semantics.

For the stack task, how does the CommonAccord logic work regarding flowing through to different jurisdictions? It appears that once you’ve designed and tested these flows, they can be captured and reused. And you can scope the results, so that (e.g.) the French guys can work on an outline independently when it’s specific to them.

For the clauses task, how do you ensure that (e.g.) the French and English versions mean the same thing? This is metaphysical and cultural. The experts in that field end up having to make a judgment. In Germany, the shape of a consent may be different from in the US. (Eve points to this book <https://en.wikipedia.org/wiki/Le_Ton_beau_de_Marot>!)

For the stack and clauses tasks, are these anticipated to be pairwise, and if so, do we simply focus on the 3-4 pairwise “liability tensions” (meta-use cases) that have been identified as being of most interest so far?

RO-RqP: for example, purpose-of-use or other constraints on further downstream use (as discussed in this chain-link confidentiality paper <http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2045818>); and our question about the relevance of licensing comes up here (IP/real property rights)
RS-AS: traditionally, services have done authorization jobs themselves and now we’re talking about their outsourcing this; they might have security/privacy requirements
RO-AS: would the resource owner feel comfortable trusting, say, a “social” AS to do this job correctly?
AS-(OAuth client): we do have some example agreement text <https://github.com/KantaraInitiative/wg-uma/wiki/UMA-Legal:-Examples-of-Terms-and-Conditions-for-Acquiring-Social-IdP-OAuth-Client-Credentials> for this in the social IdP realm

Jim suggests looking at existing examples and starting from there.

Jon asks: How pairwise or non-pairwise are these, really?

Delving into the distinction between “informed consent” and “authorization” and statutory use, in US healthcare regulations, there are implications regarding whether you have to do Accounting for Disclosures. There are perhaps interesting distinctions between different ways of deploying UMA-enabled applications when it comes to whether something counts as “consented” sharing. If your app (RS) provides a “share” button, is that consent? If your app (RS) hooks up to an AS that has a “share” button? If your AS supports a “pending requests approval” flow? If your app (RS) and client and AS collaborate to simulate a typical OAuth flow that is guaranteed to let you “uncheck scopes”?

Next steps:

AI: Steve, Dazza: Research “meaning of consent” and UMA usage patterns for next week.
AI: Eve: Share links with Steve/Dazza to help in their task.
AI: Jim: Help the rest of us understand how to “build stacks” — a tutorial.

Dazza has announced the FutureCommerce Legal Hackathon! Should there be an UMA track? He’ll send out a link about this!

Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl at gmail.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kantarainitiative.org/pipermail/wg-uma/attachments/20151016/8e088e28/attachment-0001.html>

More information about the WG-UMA mailing list