Julian,

Thank you for engaging, as you always do.

This is not about my definition of strict or anyone else’s. It’s about the role of standards to enable and empower individuals. 

For example, as I understand it, digi.me has an ontology component and a consent component. The ontology component can and does add value because it has access to the data in the clear. The consent component can and does add value because it can control use of the data without access to the clear text data itself. (It could, in principle, control the flow of data directly from a streaming source to a data processor destination.)

The decision on how to connect the ontology component to the consent component of digi.me is entirely up to digi.me. They could choose to use a standard like UMA internally and also expose that control connection externally. This would empower the individual customer to make separate choice of their ontology or their consent managers. This, in turn, reduces lock-in and promotes competition, both of which can benefit the customer. 

The tradeoff comes when a service provider that builds on separation of concerns, such as our HIE of One Trustee project, cannot find investors to sponsor the added standards work and risk of customer churn. Separation of Concerns is therefore a finance problem more than it is a standards problem.

I’m aware of only a few groups that have chosen to tackle the finance problem and they are quite immature. One is the Digital Life Collective (by Philip Sheldrake) others look more like Decentralized Autonomous Organizations (DAO) and more recently, Decentralized Finance (DeFi). These groups are so busy re-inventing management structures that they can’t be bothered with mundane things like standards process. 

The other group worth mentioning is MyData. They are also immature and have partitioned this Separation of Concerns issue into a MyData Operator discussion (where digi.me is a participant). What MyData does has some impact on immature EU Data Privacy regulations. Our handling of the SoC and standards will be, IMHO, the real test of the MyData model.

(Privacy regulators are the most immature group of all. They are still oblivious to the relationship between standards and competition. The giant platform vendors are desperately hoping to be regulated as giant platforms rather than give innovators the opportunity that comes with Separation of Concerns.)

In other words, customers almost always come second to finance. The sole exception seems to be open source software projects which dispense with finance by design and deal with management as little as possible.

- Adrian

On Sun, Mar 1, 2020 at 10:57 AM Julian Ranger <Julian@jranger.com> wrote:

Adrian,

 

Re “the pushback is that no private business wants to be strictly a data controller and forego access to the data itself as part of their business model”

 

Some businesses, i.e. digi.me, want to be neither a data controller nor have access to the data itself – and that is ultimately the right answer.  Don’t see, touch ro hold the data.  Now whether current implementations (ours included) meet you strict definition of SoC I don’t know, but to me it is clear that the individual’s data stores should only be handled by software that the individual chooses to run and that processing should sit within thinteh inidividual’s domain (until such time as the individual specifically allows data to leave their domain).

 

Jules

 

 

From: Doc Searls <anitadrink@gmail.com>
Sent: 24 February 2020 20:02
To: Adrian Gropper <agropper@healthurl.com>
Cc: Tim Reiniger <tsreiniger@gmail.com>; LaVonne Reimer <lreimer@lumeno.us>; ProjectVRM list <projectvrm@eon.law.harvard.edu>; wg-uma@kantarainitiative.org WG <WG-UMA@kantarainitiative.org>
Subject: Re: [WG-UMA] [projectvrm] A ... not sure what, exactly ... development in India

 

 

On Feb 24, 2020, at 11:49 AM, Adrian Gropper <agropper@healthurl.com> wrote:

 

This is a good thing. There’s some overlap between the Solid folks and those of us working on SSI standards. Although they don’t say it publicly, I’ve been assured that Inrupt will implement and respect what I call Separation of Concerns standards.

 

I saw the same potential synergies.


Separation of Concerns means that the data controller can be specified by the data subject separately form the data storage or other data processors. UMA2 can already do that and it’s likely that the upcoming IETF OAuth3 standards will also support SoC. A pod would then be a special case of a co-located controller and storage.

 

Our HIE of One Trustee project has always done this. We keep separate github repos for the two separate concerns in order to demonstrate the standards that connect them and to highlight gaps in the standards that still need improvement. 

 

Defining agency as requiring SoC seems to be controversial. There’s pushback because the standards are immature. I suspect another, unstated reason for the pushback is that no private business wants to be strictly a data controller and forego access to the data itself as part of their business model.

 

Sounds right.


I’m curious what others on this list think about defining agency in terms of SoC.

 

My own small thought on it (having not thought or known enough about it, so far) is that it makes sense. Given the ease of data spread—with lost personal agency in the midst—it's important to keep ambiguities minimized and separate responsibilities clear.

 

Doc

 

- Adrian 

 

 

 

On Mon, Feb 24, 2020 at 4:26 PM Tim Reiniger <tsreiniger@gmail.com> wrote:

Adrian,

 

Thank you for compiling this great list! If you haven't seen this story, this might become an addition: https://www.schneier.com/blog/archives/2020/02/inrupt_tim_bern.html. See what you think!

 

Regards,

 

Tim

 

On Thu, Feb 13, 2020 at 1:02 PM Adrian Gropper <agropper@healthurl.com> wrote:

This is an important development in the global context of giving agency to individuals. Here is my current  list of related initiatives. Note that all of these are works-in-progress.  In no particular order:

 

 

The common thread across all of these is an authorization server acting on behalf of a data subject. This is a very different model from GDPR, HIPAA, CCPA, the proposed India Personal Data Protection Bill or the other 9 privacy bills being considered in Washington.

 

- Adrian

 

 

 

 

On Tue, Feb 11, 2020 at 2:07 PM LaVonne Reimer <lreimer@lumeno.us> wrote:

Thanks for bringing this to our attention.

 

This is squarely my area (by way of Descant). I'm a bit crunched at the moment so not able to provide a thorough analysis relative to VRM but if you think back to everything I've said in past VRM days as well as on these threads, it claims to provide a data facilitator platform congruent with all that working code I've been sitting on for much too long!

 

First, thoughts on the article. Then below that, a reference to the Equifax announcement yesterday.

 

A couple characteristics that fit the VRM way, and that are at least implied in the article:

  • It revisits the flows of data for credit analysis "through the eyes of" the subjects of the data. It's always important to question the extent of this agency when it's banks rolling out the solution but the spirit of subject-driven data flows seems to be present.
  • It addresses a gap in data pipeline management on a narrower basis than will be necessary to scale and than we offer via Descant. See the specific reference to an India-specific requirement that financial data be reported in a standard, machine-readable format. More on this below.
  • It suggests consents will be easier to understand because data subjects can choose to share portions of data. This is a very big challenge and one we've largely solved by enabling UI/UX that spreads out consents across touchpoints. Easier to provide for context-based consent in that manner. It's not clear that India is thinking in these terms. Indeed the intent seems to be that fintech startups will build apps on top of the platform. Unless there are constraints on the spirit and intent of such apps, they could be heading back to opacity with little opportunity to pull it back. Also, more on this below.

Data pipeline management:

Of all the big data challenges addressed over the past decade, pipeline management has only recently popped up as a significant area. I have only seen developments (and patent filings) for pipelines within enterprises. The essence is that applying transformation, processing, and governance to data while in motion streamlines its path to insights. As the category implies, it's a more fluid approach to data management for sure as compared to the old ETL model and arguably data lakes.

 

A facilitator platform that replaces credit bureaus will need to management multiple pipelines, each potentially presenting different levels of privacy-sensitivity and latency concerns. The solution announced by this article is a reasonable start but not as extensive as would be needed to truly replace an Equifax. I didn't see a plan to, say, open source the system so extensions for additional data pipelines could emerge.

 

Note that this data challenge is not obviously about privacy but it is critical if the goal is to replace intermediated data solutions. This is a good a place as any to include a link to an opinion in yesterday's NYT about the indictment of Chinese hackers for the Equifax breach. Author makes the point that the whole model underlying Equifax and data brokers is the problem. And that is a more complicated data pipeline problem than consents.

 

 

Context-based consent etc:

Just adding a short note that I've been studying recent efforts to add language to open source licenses that encompasses privacy, data rights, and/or human dignity. As far as I can see, this is all new territory. In the "humanitarian license," the author combines language from the MIT open source license with language out of the UN's declaration of human rights. So far OSI seems poised to reject it as a "blessed" open source license. NYU School of Law also has some similar projects underway.

 

I care about this because when I think about open sourcing the data-sharing platform of Descant, I worry much more about extensions in conflict with the ethos of people in charge of their own data than specific uses of the source code. This goes to my concern that opening up for fintech startups would be problematic if there's no way to police data usage.

 

Again, this is all off the top of my head. The title is correct that it is better than the US but then we are a dark and surveilled country headed for very bad days unless we can get a grip.

 

Let me know of any questions/afterthoughts.

 

Thanks again Doc!!

 

LaVonne

503-720-0690

 

On Tue, Feb 11, 2020 at 1:31 PM Doc Searls <anitadrink@gmail.com> wrote:

Headlines:

 

India’s About to Hand People Data Americans Can Only Dream Of
By Saritha Rai
January 12, 2020, 11:01 PM EST

•  New system aims to protect data and unlock the credit market

•  India joins a growing movement to give consumers data control

 

<https://www.bloomberg.com/news/articles/2020-01-13/india-s-about-to-hand-people-data-americans-can-only-dream-of>

 

Anybody familiar with this want to lay it out in VRM terms (good, bad or otherwise)?

 

Doc



--

LaVonne Reimer, Founder
Lumenous
503-720-0690 (cell)
lavonnereimer (skype)

www.lumenous.net

 

_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
https://kantarainitiative.org/mailman/listinfo/wg-uma