UMA business-legal telecon notes 2019-07-09

(If you want to discuss particular points, please consider starting a new email thread with a different subject line.)

https://kantarainitiative.org/confluence/display/uma/UMA+legal+subgroup+note...

2019-07-09

Attending: Eve, Lisa, Adrian, Domenico, Andi, Thomas, Tim, Colin (regrets: Cigdem, Nancy)

Eve briefly walked through the paper that she and Lisa have submitted to the IEEE ComSoc CfP <https://www.comsoc.org/publications/magazines/ieee-communications-standards-magazine/cfp/dawn-internet-identity-layer-and>. It's called Beyond Consent: A Right-to-Use Licensing Agreement for Mutual Agency. The argument made by the paper is that digital consent and Terms acceptance (perceived as consent) are failing and don't meet a strict definition of consent (Nancy Kim's *Consentability <https://www.amazon.com/Consentability-Consent-Nancy-S-Kim-ebook/dp/B07N45GFR3/ref=sr_1_1?crid=JR0QMFLW30KV&keywords=consentability+consent+and+its+limits&qid=1562688224&s=gateway&sprefix=consentability%2Caps%2C231&sr=8-1>* framework is used), and using a Me2B <https://www.me2b.us/> lens (centering on the user of the digital services) shows that a licensing agreement is more appropriate. A taxonomy for license agreement contents is proposed, and some challenges are discussed. The paper points to the UMA report where a license is already proposed, but starts "earlier" in the personal data usage chain to be more comprehensive.

What about consent receipts? They record the results of consent. Lisa and Eve meant to cite them in the paper and hope to have a chance to add this.

Adrian discusses a link between DIDs and standards such as UMA; the link is what's called the service endpoint. The DTD standards don't talk about what the service endpoint might be. They're trying to put a personal data store there.

Thomas spoke with Microsoft's Ankur Patel (who was with Preeti Rastogi) at Identiverse about the challenge of getting personal data into wallets/personal data stores. There seems to be a lack of recognition of this challenge.

It should be kept in mind that the paper treats personal data permission use cases that go beyond UMA.

Tim recommends removing the "IANAL" disclaimer in the paper! Lisa and Eve have both worked with many lawyers and have sourced ideas from legal experts.

We started to walk through the Right-to-Use License Agreement (Figure 5 in the paper) and analyze which would already be baked into some artifact, such as the RPT, and which might need to be captured separately. For example, the digital asset, grantee (licensee), and actions, would be captured as resource ID, requesting party and client, and scopes. But other information might need to be captured in some other structure, with perhaps a link off to it that is stored in the token. If a requesting party or client received and agreed to such a license, maybe by signing it, the result might be a "receipt". Trunomi has something called a "certificate", which sounds similar, as their consent receipt.

Eve will email a copy of the paper to all interested to review.

*Eve Maler*
Cell or Signal +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl

Nice Notes Eve — Regrets for not being on the call - I wish I could make this call time more often.
On 9 Jul 2019, at 18:11, Eve Maler <eve@xmlgrrl.com> wrote:
> Eve briefly walked through the paper that she and Lisa have submitted to the IEEE ComSoc CfP <https://www.comsoc.org/publications/magazines/ieee-communications-standards-magazine/cfp/dawn-internet-identity-layer-and>. It's called Beyond Consent: A Right-to-Use Licensing Agreement for Mutual Agency. The argument made by the paper is that digital consent and Terms acceptance (perceived as consent) are failing and don't meet a strict definition of consent (Nancy Kim's Consentability <https://www.amazon.com/Consentability-Consent-Nancy-S-Kim-ebook/dp/B07N45GFR3/ref=sr_1_1?crid=JR0QMFLW30KV&keywords=consentability+consent+and+its+limits&qid=1562688224&s=gateway&sprefix=consentability%2Caps%2C231&sr=8-1> framework is used), and using a Me2B <https://www.me2b.us/> lens (centering on the user of the digital services) shows that a licensing agreement is more appropriate. A taxonomy for license agreement contents is proposed, and some challenges are discussed. The paper points to the UMA report where a license is already proposed, but starts "earlier" in the personal data usage chain to be more comprehensive.
This friction of consent - definitely needs to be called out better. Consent as an operational concept needs work to be explained relative to the context of digital identity technologies and protocols. Failing seems a bit strong (or that consent is just misunderstood).

A big differentiator that seems obvious here is if a person is the one requesting or starting the 'sharing flow' (of whatever type of resource) then in the starting protocol - the UMA context - there is no need for the awareness notice - policy - friction part of consent - as the person is aware and defining the terms and presumably the license is the artefact.

Consent legally appears to be wielded when people need to be made aware of what the sharing is all about, the risks and their obligations. UMA is great because the duty of making the person aware in the framework from which they are sharing is pushed to the awareness of the identity protocol framework implementation and its client technology, which the person controls for user managed sharing (obviously).

What a great thread (chat)

Questions: With Mutual Agency in the title, is this licensing method specific to a peer to peer (person to person) or person to anyone/anything?

- Mark

Hi Mark, I’ll share the paper with you as well. Thanks for the comments. More below.

Eve Maler (sent from my iPad) | cell +1 425 345 6756
On Jul 9, 2019, at 2:14 PM, Mark @ OC <mark@openconsent.com> wrote:
> Nice Notes Eve — Regrets for not being on the call - I wish I could make this call time more often.
> On 9 Jul 2019, at 18:11, Eve Maler <eve@xmlgrrl.com> wrote:
> > Eve briefly walked through the paper that she and Lisa have submitted to the IEEE ComSoc CfP. It's called Beyond Consent: A Right-to-Use Licensing Agreement for Mutual Agency. The argument made by the paper is that digital consent and Terms acceptance (perceived as consent) are failing and don't meet a strict definition of consent (Nancy Kim's Consentability framework is used), and using a Me2B lens (centering on the user of the digital services) shows that a licensing agreement is more appropriate. A taxonomy for license agreement contents is proposed, and some challenges are discussed. The paper points to the UMA report where a license is already proposed, but starts "earlier" in the personal data usage chain to be more comprehensive.
> This friction of consent - definitely needs to be called out better. Consent as an operational concept needs work to be explained relative to the context of digital identity technologies and protocols. Failing seems a bit strong (or that consent is just misunderstood).
We do take a pretty strong (provocatively so?) stance in the paper, in order to kickstart a conversation towards alternatives. But surely it’s not the first such argument? Kim’s definition in her book makes what we experience as consent in digital contexts truly seem like the farthest thing from meeting the definition, particularly the closer you get to the beginning of a service provider-user relationship.
> A big differentiator that seems obvious here is if a person is the one requesting or starting the 'sharing flow' (of whatever type of resource) then in the starting protocol - the UMA context - there is no need for the awareness notice - policy - friction part of consent - as the person is aware and defining the terms and presumably the license is the artefact.
Yes, good point. UMA has this awareness generally built in (though we need to be conscious that “policy setting UX” is not dictated by the protocol). But UMA use cases are only a subset of all sharing use cases. The paper elucidates those.
> Consent legally appears to be wielded when people need to be made aware of what the sharing is all about, the risks and their obligations. UMA is great because, the duty of making the person aware in the framework from which they are sharing is pushed to the awareness of the identity protocol framework implementation and its client technology, which the person controls for user managed sharing (obviously).
> What a great thread (chat) Questions: With Mutual Agency in the title, is this licensing method specific to a peer to peer (person to person) or person to anyone/anything?
Most definitely person to anyone/anything, with service providers (and their affiliates beyond them) being a particular target because the power imbalance is most keenly felt there.
> - Mark

Ah, thanks for the clarification.
On 9 Jul 2019, at 21:40, Eve Maler <eve@xmlgrrl.com> wrote:
> We do take a pretty strong (provocatively so?) stance in the paper, in order to kickstart a conversation towards alternatives. But surely it’s not the first such argument? Kim’s definition in her book makes what we experience as consent in digital contexts truly seem like the farthest thing from meeting the definition, particularly the closer you get to the beginning of a service provider-user relationship.
I need to go read Kim’s stuff. But that definitely makes sense, calling digital things consent - with no transparency, awareness or notice, is not the social, legal or even human understanding of consent. In this way the law for consent may be behind the times, or, it could be misuse of the term. I associate the concept with autonomy and choice in how my personal data is treated by traditional infrastructure and systems. Perhaps the digital consent being alluded to needs a better distinction than consent? It does seem pretty clear - privacy law does not manage digital identity gaps very well.

Looking forward to the paper.

Mark