Yes, well stated, and this is in fact why we have added Legal to the UMA activities -- recognizing a variety of "sources of liability tension", most particularly individual data protection-data transparency-data control requirements (thanks to Mark L for putting together the two ends of that see-saw for me :-) ), and also moving to the general case so that we can build successful ecosystems for all.


Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl


On Tue, Apr 25, 2017 at 8:17 AM, John Wunderlich <john@wunderlich.ca> wrote:
Fair point about the immutable notes.

It seems to me that we achieved consensus that 

  • it's not inherently wrong for a person to engage in activities where there may be direct or indirect commercial uses of their personal data. 
  • nonetheless, some controllers or processors may use personal information in ways that would be found to be offensive (by the user and/or by social norms and/or by regulation)
  • therefore, UMA could consider how to address implementation of constraints
I think that is the point that we got to with the possibility of adding another actor in the UMA cast - the Resource Regulator. This recognises (whether we like it or not) that in some contexts a regulator may put a constraint on what can be authorised by an AS. The simplest case being the one with data localisation regimes that bar citizen data from being transferred across borders.



John Wunderlich, BA, MBA

IAPP Fellow of Information Privacy
CISA, CIPM, CIPP/C, PbD Ambassador
@PrivacyCDN & Privacist

On 25 April 2017 at 10:54, Eve Maler <eve@xmlgrrl.com> wrote:
The notes are now historical, so I don't see a huge point to changing them, but discussing what we mean here is fair game. (The mail archive is a record too.)

The point, I thought, was that some others (influential others, in fact) were opining it may be inherently wrong to enable an individual to take part in a market for personal data because it is potentially antithetical to human rights, and people who work on UMA don't believe it's inherently wrong.

Surely legislating away the ability to engage in such a market would be a drastic course, if the wrongness were taken as absolute? I could also point to the analysis in The Economics of Privacy, which shows a) benefits as well as harms to individuals in data flow and b) ways in which even relatively disempowered individuals can act to gain control at the margin.


Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl


On Tue, Apr 25, 2017 at 7:42 AM, John Wunderlich <john@wunderlich.ca> wrote:
Eve;

WRT the following from the notes:

"Looking at Sec 2.1 of the EDPS opinion on digital content, John points to some commentary on the VRM list where someone was troubled by the "market for personal data". The point they were making was that someone could agree to selling organs (or their body into slavery or whatever), but this shouldn't perhaps be possible with selling data. We in UMA take a different, more empowered/powerful, position."

Can I suggest the following modification: "We in UMA provide a solution that empowers individual users where markets and contexts allow meaningful choices."

I agree that UMA is an empowering solution, but it is the case that the effective empowerment is constrained depending on the context. It seems to me that one useful construct is to think of three axes for information sharing:

X axis (knowledge): 
  • How much information does Alice have about how and with whom her information will be shared?
  • UMA - AS policies

Y axis (control): 
  • How much control does Alice have over who receives information about her and what they do with it?
  • UMA provides control over access but less so over subsequent uses (which are more administrative/legal than UMA access controls).

Z axis (choice):
  • How many choices are there for Alice to share her information with (i.e. is there a market with real competition in which Alice can choose between competing services)?
  • This is out of scope for UMA.







John Wunderlich, BA, MBA

IAPP Fellow of Information Privacy
CISA, CIPM, CIPP/C, PbD Ambassador
@PrivacyCDN & Privacist

On 21 April 2017 at 15:38, Eve Maler <eve@xmlgrrl.com> wrote:
http://kantarainitiative.org/confluence/display/uma/UMA+legal+subgroup+notes#UMAlegalsubgroupnotes-2017-04-21

2017-04-21

  • Reviewing draft deliverable #2

Attending: Eve, Tim, John, Mark

Tim's insight around identifying the "harms" to the parties in the #2 exercise helped guide the development of the draft deliverables we're looking at today. John opines that this view elides the "rights" basis for privacy breaches because it's property-based. Well, this is the question. What can we effectively achieve with our clauses and other tools? If agreements/contracts are the basis for what can be achieved between/among a resource owner and other parties, what are all the choices for legal theories? Tim is proposing a licensing basis. (We discussed this back in 2017-04-15 and seemed to reject this, but what are other alternatives?) There is a governance function and also an economic function.

Looking at Sec 2.1 of the EDPS opinion on digital content, John points to some commentary on the VRM list where someone was troubled by the "market for personal data". The point they were making was that someone could agree to selling organs (or their body into slavery or whatever), but this shouldn't perhaps be possible with selling data. We in UMA take a different, more empowered/powerful, position.

Tim's Chart 1 is more of a windup to chart 2, and he will supply more explanatory text for it. The "Communicative Behavior" column means how the requirements for Value, Meaning, and Information are conveyed/communicated, e.g., trust frameworks, regulations, configuration documents, API documentation, etc.

Both are about the relationships formed, and are explicitly not about "data ownership". Chart 2 is the "money chart". (Eve screenshared them, and Tim will be revising these and making them available to all before next week's meeting.)

So can we state the following?

  • The data subject has rights over the information about them.
    • True as part of the Universal Declaration of Human Rights.
    • Different jurisdictions ensconce this right to different degrees in law/regulation or not.
    • True of information even prior to its being digitized.
  • The data controller and the data processor have property rights related to records containing a data subject's information.
    • The records could be in digital form or not.
  • The formal "interface" (communicative behavior) defined between data controllers, data processors, and data subjects is regulations.
  • UMA has the potential to enable data subjects ("resource subjects") and their proxies (resource owners), or even data subjects on their own, to consent to data ("resource") access by third parties ("requesting parties") in such a way that the third party is a data processor.
    • We believe the regulations are currently blind to:
      • The proxying opportunity in UMA
      • The potential ability for UMA to distinguish between granting access to someone who fills the role of a "data processor" vs. "another data controller"
    • UMA only has soft technical constraints (the "Adrian clause") around jurisdictional nonfunctional requirements for things like data localization.
      • The potential extension for "cascading authorization servers" would provide a potential hard technical solution.
      • We have the potential for providing legal toolkits that give legal solutions that may suffice.

Do we need a Resource Regulator role?

If you're interested, there is a SAMHSA Consent2Share webinar on April 25 at 3:30pm ET. Registration link is here.


Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl


_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma




This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.



