(I’m going to snip the lower part of this thread to focus on the “data by reference” point. I’m also going to inject UMA technical terms so we can be very clear about our mappings.)

UMA does not inject a new “data by reference” solution where before there was none. So I don’t know if we have a super-duper new set of tools at our disposal. Some concrete examples:

1. Alice sets up a resource server RS1 at home to host her self-asserted personal information (she prefers “aisle”, “nonsmoking”, “room near the elevator”, and nickname “Allie”). RS1 is at alice.com, managed entirely by her, hosted by her ISP. She hooks it up to an authorization server AS1 to control release of this information to her travel agent, requesting party Bob, using client app C1 for making travel arrangements.

Importantly, the client app really does “GET” her data. It may cache or store it for short or long periods of time, possibly depending on her (nontechnically imposed) constraints, and it may refresh what it stored periodically, if her policies allow that.

2. Same, except alice.com is managed by Google.

Meant to highlight the “cloud” aspect of hosting.

3. Alice uploads a photo she took to RS2, Flixr.com. The requesting party is Charlie at the framing shop and the client app is C2 for printing photos on canvas, for mounting. Otherwise the same.

Meant to highlight the “joint data rights ownership” aspect, and that she has nothing to do with the hosting.

4. Alice uses RS3, which hosts her credit score and credit record, to check out her financial picture. The requesting party is financial officer David and the client app is C3 for assessing bank clients’ suitability for personal loans. Otherwise the same.

Meant to highlight that Alice “owns” even fewer aspects of the data, in that she didn’t even contribute anything to the “value” of the data.

5. Alice is a video game community manager, and for work she uses RS4, which is Twitter — a modern Twitter that is UMA-enabled. Its API is very rich, and it allows calls for both GETting and POSTing status updates. The requesting party is her colleague Eric, and he uses a client app C4, a third-party Twitter app that posts status updates to the corporate account she controls. Otherwise the same.

Meant to highlight that clients don’t just receive data, they can insert data into a supposedly “authoritative source” RS.

====

I realize that in today’s pre-UMA environment, there’s a robust understanding of data controllers and data processors (in various jurisdictions), but I’m not sure exactly how the lines are drawn. In an environment with UMA in the picture, does anything change? What roles would the AS, the not-Alice requesting parties, and the resource servers and client applications in play have?

Eve
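As an added illustration of the “the client really does GET her data” point (example code written for this page, not from the thread or from any UMA implementation): a simplified in-memory model of scenario 1, with RS1 at alice.com, AS1, client C1, Alice as resource owner and Bob as requesting party. It follows the UMA 1.0 shape of the grant (the RS refuses the client and registers a permission ticket at the AS, the client redeems the ticket with a claim about the requesting party and receives an RPT, the RS introspects the RPT on each call), but the token formats, the `as_uri` value, the scope names and the in-dict policy store are assumptions, and no HTTP is involved. It shows that once Bob’s client is authorized, a copy of the data leaves the RS and sits in the client; that revoking Alice’s policy stops the next refresh but does nothing to that copy; and that a read-only RPT does not let the client POST (the direction scenario 5 raises).

```python
"""Simplified in-memory model of an UMA 1.0-style grant for scenario 1 of
the thread. Added example, not code from the thread or any UMA product.
Assumed: tickets and RPTs are random opaque strings, policies live in a dict
on the AS, scopes are "read"/"write", and "HTTP" is an integer status code."""
import secrets


class AuthorizationServer:
    """AS1: stores Alice's policies, issues permission tickets and RPTs."""

    def __init__(self):
        self.policies = {}  # (resource_id, scope) -> set of allowed requesting parties
        self.tickets = {}   # ticket -> (resource_id, scope), single use
        self.rpts = {}      # rpt -> (requesting_party, resource_id, scope)

    def set_policy(self, resource_id, scope, parties):
        self.policies[(resource_id, scope)] = set(parties)

    def revoke_policy(self, resource_id, scope):
        """Alice withdraws the policy; every RPT issued under it dies with it."""
        self.policies.pop((resource_id, scope), None)
        self.rpts = {r: v for r, v in self.rpts.items() if v[1:] != (resource_id, scope)}

    def register_permission(self, resource_id, scope):
        """Called by the RS after refusing a client: records the attempted access."""
        ticket = secrets.token_hex(8)
        self.tickets[ticket] = (resource_id, scope)
        return ticket

    def issue_rpt(self, ticket, requesting_party):
        """Client redeems the ticket with a claim about who the requesting party is."""
        target = self.tickets.pop(ticket, None)
        if target is None or requesting_party not in self.policies.get(target, set()):
            return None  # policy denies (a real AS would answer not_authorized / need_info)
        rpt = secrets.token_hex(16)
        self.rpts[rpt] = (requesting_party, *target)
        return rpt

    def introspect(self, rpt, resource_id, scope):
        """RS asks whether this RPT currently covers this resource and scope."""
        entry = self.rpts.get(rpt)
        return entry is not None and entry[1:] == (resource_id, scope)


class ResourceServer:
    """RS1: alice.com, holding Alice's self-asserted travel preferences."""

    SCOPE_FOR = {"GET": "read", "POST": "write"}  # assumed scope names

    def __init__(self, authz):
        self.authz = authz
        self.resources = {
            "travel-prefs": {"seat": "aisle", "room": "nonsmoking, near the elevator",
                             "nickname": "Allie"},
        }

    def request(self, method, resource_id, rpt=None, body=None):
        scope = self.SCOPE_FOR[method]
        if rpt is None or not self.authz.introspect(rpt, resource_id, scope):
            ticket = self.authz.register_permission(resource_id, scope)
            return 403, {"as_uri": "https://as1.example", "ticket": ticket}  # as_uri assumed
        if method == "POST":
            self.resources[resource_id].update(body)
            return 201, None
        return 200, dict(self.resources[resource_id])  # a copy of the data leaves the RS here


class Client:
    """C1: Bob's travel app. It keeps whatever it successfully GETs."""

    def __init__(self, rs, authz, requesting_party):
        self.rs, self.authz, self.party = rs, authz, requesting_party
        self.rpt = None
        self.store = {}  # the client's own copy of Alice's data

    def fetch(self, resource_id):
        status, payload = self.rs.request("GET", resource_id, self.rpt)
        if status == 403:  # no or insufficient RPT: redeem the ticket at the AS, retry once
            self.rpt = self.authz.issue_rpt(payload["ticket"], self.party)
            if self.rpt is None:
                return None
            status, payload = self.rs.request("GET", resource_id, self.rpt)
        if status != 200:
            return None
        self.store[resource_id] = payload
        return payload


def scenario_one():
    """Returns (Bob's first fetch, an unauthorized party's fetch, status of Bob's
    POST attempt, Bob's refresh after revocation, what Bob's client still holds)."""
    as1 = AuthorizationServer()
    rs1 = ResourceServer(as1)
    as1.set_policy("travel-prefs", "read", {"bob"})  # Alice: Bob may read; nobody may write

    c1 = Client(rs1, as1, "bob")
    first = c1.fetch("travel-prefs")
    stranger = Client(rs1, as1, "mallory").fetch("travel-prefs")
    write_status, _ = rs1.request("POST", "travel-prefs", c1.rpt, {"seat": "window"})

    as1.revoke_policy("travel-prefs", "read")  # Alice changes her mind
    refreshed = c1.fetch("travel-prefs")       # the refresh now fails ...
    return first, stranger, write_status, refreshed, c1.store.get("travel-prefs")  # ... but the copy stays


if __name__ == "__main__":
    print(scenario_one())
```

The point the model makes is the one in the message: UMA governs whether C1 may call RS1 and with which scope, and it can stop future calls the moment Alice revokes, but the copy already held by C1 is outside its reach; anything about retention is a policy Alice can state, not something the protocol enforces.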

On 18 Aug 2015, at 10:50 AM, Mark Lizar <mark@smartspecies.com> wrote:

Hi Jeff,

[some comments inline]


I think you are suggesting that there needs to be a scenario in which Alice controls certain data and authorizes specific uses of the data without transferring the data to Bob.  Bob can view or print (as in a label), but cannot electronically save the data.  (Of course, printing the data is a form of saving the data, because the label can be copied or OCRed to recover Alice's address in electronic form.)


Perhaps Bob’s Health Widgets uses a delivery company, which uses a 3rd party trust framework, that is verified and audited by another independent third party to ensure to Alice that her address is not accessed, saved or copied by Bob’s Health Widgets. So the name, the contents of the package and the address are separated so no one party can have all three bits of data?

How do Bob’s Widgets advertise that they have these privacy and security practices, which are different than Dave’s Widget company’s? Is Bob’s Widgets more trustworthy than Dave’s?

In one context, Privacy by Design is a container for a trusting process that Dave’s company asserts when collecting Alice’s consent and data (to effectively control the data rights management). Because Dave’s company holds Alice’s data, Dave’s company is then subject to Data Protection laws, and Privacy by Design certifies that he encrypts Alice’s data and doesn’t leak it.

In the context of Bob’s Health Widgets, he doesn’t need Privacy by Design, and is not liable to data protection, because Bob may never hold Alice’s data.



Notionally, this sounds like a good idea, but enforcement would be tricky.  If Bob is actually Bob's Widget company and Alice orders a widget and provides her address under this scenario, what happens if Alice's widget never arrives?  Bob cannot tell Alice what address the widget shipped to, because he no longer has a record of the address.  

Enforcement can happen in a number of ways:
- fines by law
- breach of contract
- reputation damage
- 3rd party audit for compliance
- trust framework enrolment process or customer software 

and so on. 


The issue that we are running into full speed is that some data does not have a single "owner".  When Alice transacts with Bob, both are parties to the transaction.  Whether or not Bob is an individual or an institution, I would assert that the transaction data is as much his as it is Alice's.  In fact, in many jurisdictions, there are legal reasons (e.g., "Know Your Customer" in the US) for Bob to maintain certain information about Alice.  And when a third-party payment system is involved (e.g., a credit card or PayPal), they would also have a stake in the transaction, giving them a stake in (some of) the data, as well.

This problem has not been solved, yet.  And I don't think that there is anything in UMA that takes on this challenge.  UMA solves several use cases, but does not claim to solve this one.

I think we need to be careful trying to avoid applying UMA to problems that are beyond its scope just because it is such an elegant solution to portions of the problem.

I think what we are exploring here is the transference of liability, through consent, access control, and data control scenarios. If Alice has the freshest copy of her own aggregate data, and she sets a notice that Dave no longer has accurate data, then legally, with the proposed EU laws, I believe Dave will no longer be allowed to process that data.

In this regard I can imagine IoT scenarios where data is only valid when it’s live data. (But that’s just me.)

Best,

Mark 



Jeff



Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com