The nominations for Legal Subgroup deliverables so far (just in the order received):

* Recommendations for how to make audit logs usable tools for legal compliance/enforcement 
* Some example legal provisions one would expect to see at key moments
* Mapping between UMA and Agency Law 

The Agency Law mapping could serve to achieve all three, because the process necessarily includes reference to the contractual terms, if any, applicable among the parties and also surfaces how evidence is created and preserved and will highlight what evidence is most relevant (hence we will hit the issues/options for priority log data and other business records).  

We should take care to avoid advocating the interests of parties responsible for Resource Servers above other parties in other roles.  We can and should identify the need for prioritizing adoptability by parties responsible for Resource Servers and also identify and address the needs of the other key parties.  A more neutral multi-vantage-point Agency Law analysis can provide voice to deep expectations and motivations of UMA-using parties in relationships with each other.   Humans are social animals and we should use agency to see how UMA can enhance existing (or create new) mutually beneficial key relationships, fueled by the proposition of greater economic and other value for all key players.  I suggest sustained adoption could be better served by taking a generally neutral stance and affording due priority and respect for the interests/needs of all players, including OAuth 2 Client and Authorization Server providers, definitely the Principal Individuals and also Resource Server providers. 

Thanks,
 - Dazza 


   _ _ _ _ _ _ _ _ _ _ _ _ _ _
   |   Dazza Greenwood, JD
   |   CIVICS.com, Founder & Principal
   |   MIT Media Lab, Visiting Scientist
   |     Vmail: 617.500.3644
   |     Email: dazza@CIVICS.com
   |     Biz: http://CIVICS.com
   |     MIT: https://law.MIT.edu
   |     Me: DazzaGreenwood.com
   |     Twitter: @DazzaGreenwood
   |     Google+: google.com/+DazzaGreenwood
   |     LinkedIn: linkedin.com/in/DazzaGreenwood
   |     GitHub: github.com/DazzaGreenwood/Interface
   |     Postal: P.O. Box 425845 Cambridge, MA  02142
   | _ _ _ _ _ _ _ _ _ _ _ _ _ _

On Wed, Sep 2, 2015 at 2:04 PM, Adrian Gropper <agropper@healthurl.com> wrote:
I think the most important deliverable is a clear explanation and demonstration of how implementing UMA will provide the Resource Server institution increased cybersecurity and a safe harbor for exposing an interface to the public Internet. Although many of us are mostly motivated by other goals including consumer protection and the hope of selling software to the operators of authorization servers, these will not drive adoption of UMA without new laws and regulations. Let's see how far we can get with the current laws.

To this end, Dazza has provided a wonderful document about Restatement of Agency Law.

I've tried to map the essential elements of Agency: Principal, Agent, and Third Party into a very simple document https://docs.google.com/document/d/1N6tocmA0KaBE6v3u-cZSyw0N52lG_LdWHAaPybS_vM0/edit that is open for discussion and editing.

Eve and I had a very long session trying to understand the gaps between the Agency Law and UMA. These gaps are represented in the table toward the end of the Gdocument.

I think that mapping UMA to Agency Law is more important and easier than standardizing or formalizing Terms of Use and Privacy Policies. To the extent that we can map UMA to Agency Law without introducing any specific profiling for healthcare, education, or any other vertical domain, we will be doing the best job of promoting adoption of UMA for the benefit of the RSs, the ROs, and the AS business.

Adrian

On Wed, Sep 2, 2015 at 1:11 PM, Dazza Greenwood <notifications@github.com> wrote:

In conversations during the Legal subgroup meetings, some people have suggested including example, sample or "standard" legal wording for ToS and other legal instruments for use with UMA deployments. Not yet sure what those would say, but it would be a sign of success to get to the point of recommending such terms. If the subgroup deliverables include both recommended terms and an approach to audit logs for legal compliance or enforceability, we would have a strong set of deliverables.






--

Adrian Gropper MD

RESTORE Health Privacy!
HELP us fight for the right to control personal health data.

DONATE: http://patientprivacyrights.org/donate-2/