[WG-UMA] Notes from UMA legal subgroup telecon 2015-09-11

Eve Maler eve at xmlgrrl.com
Fri Sep 11 13:33:04 CDT 2015

Attending: Eve, Jon, Jim, Adrian, Dazza, Jeff, Domenico, Paul Laurent

Our meeting setup:

For this call, let us take the following “negative use case”, growing out of the agency and “RS risk” discussion we’ve been having:

“I, a US hospital, have an online service that exposed a FHIR API for electronic medical records. Alice set up policies at her consumer-grade AS, and I accepted outsourcing authorization there. The token from the AS told me that it was okay to give client MobileApp and requesting party Bob access, so I did. But then Alice sued me/complained/reported me/(something else bad)”. (Adrian can comment on real-life examples somewhat analogous to this, with breaches and such.)

Dazza has offered to facilitate a discussion of the following points:
What are the key legal issues presented by this scenario? 
What legal role(s) and corresponding rules apply to the actions and data of the parties in this scenario?  
What are the potential or probable outcomes if things go wrong (eg: result of enforcement actions, allocation of loss or other dispute resolutions)? 
What advice or other resources for parties seeking to adopt UMA could help them manage legal risks and/or structure legal affairs to expand or create new value? 
And I will scribe. :-)

To prepare for tomorrow's agenda, here is the composite list of real-life examples of negatives. Please read these in the context of a Resource Server holding records for 4.5 Million Alices and accessible to some 10,000 Bobs:
Was it really Bob that accessed the resource or someone that Bob shared credentials with in his office?
Why is it that the Resource Server did not implement a Bob authentication means that would mitigate sharing of credentials by Bob?
Why was it that Bob's staff member, who is not an employee of the Resource Server institution, could get access even though they were not trained in security practices by the institution?
Why didn't the Resource Server system notice that Bob had no prior relationship with this particular patient and kick the request out for enhanced audit?
Why doesn't the Resource Server notify Alice of significant events such as a new Bob in a remote location getting access to her resource?
Why does the Resource Server depend on an honor code and whistle blowers to detect breaches?
Why does it take 6 months and 4.5 Million records breached to detect a breach had taken place?
Why did it take a month for the Resource Server to investigate and respond to Alice's complaint (this escalates the cost of the damages caused by the breach.)
Was the Resource Server following typical industry practice in managing the security of their system? - The jury said yes :-(

Today we are working to apply law, specifically agency law, to facts. Dazza has enhanced the relevant GitHub wiki page <https://github.com/KantaraInitiative/wg-uma/wiki/UMA-Legal:-Mapping-Between-UMA-and-Agency-Law>.

Eve has provided a “negative use case”, where something has gone wrong. Lawyers call this “another day at the office”.

Adrian’s list of negatives is not comprehensive and fairly straightforward. The liability goes in a few different directions: is Alice at fault? is Bob at fault? is the institution (the resource server operator) at fault?

Our mappings are in a new wiki page <https://github.com/KantaraInitiative/wg-uma/wiki/Legal-Analysis-of-Hypothetical-Agency-Fact-Patterns>.

We could have two different use cases: One where the hospital itself hosts the client app and Bob works for the hospital, and one where Bob and the client are outside (e.g. in a separate practice).

Commentary: Jon: Dr. Bob is acting in the capacity of an agent, but we haven’t broken out a “sub-Bob”, with whom Bob shared credentials inappropriately. He acts outside the scope of his authority in some of his actions. Adrian: There are several agency subtleties around Bob. … Sub-Bob is an agent of Bob, but neither is an agent of Alice.

We’ve started to collect an outline of a brushed-up set of facts, so the use case has gotten a little more specific. We still need to enhance it with more details. We’re now mapping the parties to UMA roles, legal roles, and privacy roles.

Homework for next week: Can everyone (who’s able and interested) please comment on the details still missing from the use case that will help answer the remaining questions we might have that would be necessary to create a “case squib”? You can send email, or edit in GitHub if you like. Thanks!

Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl at gmail.com <mailto:xmlgrrl at gmail.com>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kantarainitiative.org/pipermail/wg-uma/attachments/20150911/b3417b4b/attachment.html>

More information about the WG-UMA mailing list