Legal Use Case - User Managed vs. Controlled Access
Pushing the penny forward an inch.

As a follow up to the MVCR, there are, it seems, some legal considerations that surround the application of policy in terms of what takes precedence, the privacy policy or the terms of use policies. As well, liability around who owns, controls and manages the data is also critical and needs to be clear.

A simple way to start putting this all together is to look at applying the MVCR roles (that are anchored in ISO 29100 "roles") as an overlay to Adrian's (and any other) UMA use cases to address the legal questions and topics that arise.

To get things going, here are a couple of items and their flows for the legal eagles.

A. Data Rights Ownership; User Managed Access vs. User Controlled Access. (see use case below)

B. Are T&Cs subject to a Privacy Policy? Does the legal chain of authority that leads to the provisioning of roles and privileges, for access to personal attributes, start with the privacy policy for enrolment, then the terms and conditions?

For example:

1. In the MVCR there is an undiscussed assumption that the privacy policy which provides the consent is counted as the primary contract for the use of personal information, so the service provider may then use the personal information. At which point, the service provider uses the PI provided with the consent and then enrols the service user with a secondary policy, the terms and conditions, which Alice needs to contractually abide by to use the service. As the requirement for a privacy policy and consent is legal infrastructure, and the T&Cs are organisation specific, the T&Cs are subject to the privacy policy, i.e. legal requirements trump the business requirements in a court of law.

2. In regards to the above Issue 2. What are the legal connotations? I.e. if a user blocks access to a PII resource (using EU law), the terms for that service might be that the service is stopped. But the user may be required by the contract to keep paying for that service according to the contract and licence agreed to, and the service may be legally required to keep the user data while still charging for the service. (Of course this is oversimplified.) I.e. the org indemnifies itself by giving users the functionality to manage the access to a copy of the user data the org controls, but in a very privacy-by-design way.

The point being, this would appear to be a different UMA Legal Flow than the user (in control of her own data) licensing access to the use of an attribute using UMA, which seems to me like a different legal flavour of UMA altogether (closer to the UMA Health Flow), i.e. Alice can turn on and off access to all or just a single attribute at any time in any scoped context.

3. Legal Flow/Use Case: User Managed Access vs. User Controlled Access.

- UMA profile that is of two flavours:
- Flavour A. Alice controls access to her own PII, authorises access using UMA to her personal profile.
- Flavour B. Alice manages access to her own PII, using UMA installed behind a company silo (the company's own copy of PII that the user maintains) that runs UMA so users can have more functionality through this silo.
- Note: this is the difference between the user being the data controller or the user being the data subject.
- Who controls and owns the data rights?
- If the service user is also the data controller, then data protection and privacy laws are affected in that the liability and policy for protecting the data lie with the service user, and the liability or contract/licence for the usage of the data lies with the company.
- This would be a different policy structure, with a consent directive and UMA, for orgs to agree to. Like a Personal Privacy Policy (PPP) to cover the different liability.
- The liability of being a data controller no longer applies the same way, as data protection liability is moved (reduced, or changed into another form) if the data subject is owner/controller of the data and its access.

For Example:

- A good example here is in health care, where consent directives and laws and frameworks are mature (i.e. consent and access controls are being bound together already).
- With Flavour A, Alice owns and manages PII, and gets to see how many times her personal data (medical records) were accessed, when and by whom.
- With Flavour B, Alice gives away PII that is already under the T&Cs of service, and owned by the company or institution.
- In the second circumstance she does not get to see how many times her data was accessed, or even what the live status is of her active consents and medical data usage, unless she pays a fee to the Experian-like company that owns them.
- With the MVCR-based authorisation log, Alice knows that her permission and access to her data should line up with the purpose of the sharing, the permission to access data, and the specified purpose of the active consent the company now maintains for her.
- This would be a very helpful tool for Alice to quickly understand medical sharing policies.
- Without clarity between UMA Flavour A & B, does UMA have the opportunity to be:
  - incredibly good (the good guys), because Alice is in full control of her own data
  - incredibly bad, because Alice thinks she has control of a copy of her data, or that another service provider, that she is forced to trust, has her best interests at heart.
- Should there be a different flavour of UMA (in terms of legal considerations) that designates between A & B?
- Can there be a flavour of UMA that is both A & B?

The MVCR - Binding A & B Together

- A consent receipt is being developed as a tool that will help bind consent and legal requirements to access roles and policy rules for sharing data.
- The MVCR is designed to make explicit the policies and notice requirements to make binding these together legitimate and understandable, i.e. this can be used to tie the role of data subject to the liability of access controls and vice versa.
- For example, the various frameworks that are used in the space of consent and access control can be added to a receipt.
- In this scenario, we would see:
  - Alice is at a hospital in the US.
  - Alice consents to provide PII to the hospital for medical treatment.
  - Alice gets a consent receipt.
  - On the receipt is a UMA icon and a HIPAA icon linked to legal requirements, or maybe just a field for a URI that links directly to the PPP, which has all the links and info needed for Alice's medical records and consent directives (from her AS).
  - Every test or comment can then be linked to her PPP and available for the next health data context.
  - This receipt under info sharing would have the PPP icon, the HIPAA TrustMark icon, and the UMA icon all linked to the audit, enforcement and complaint processes that all of these frameworks require.

In parallel to the US health system:

- The UK's health care system is the reverse and has the same problems but for different reasons. It is a universal health care system, where it costs the infrastructure money to provide medical services (as opposed to the US, where the infrastructure makes money by providing medical services).
- In the UK you (the patient) are unable to see if you have consented to sharing PII, with whom you have shared, or what medical records you have, with sensitive medical data spread on computers ranging from Win 95 and up.
- A UMA-enabled doctor's office in the UK should be able to receive consent, use the medical data from the US and provide seamless service.
- So how would a consent receipt look if it was used to bind this?
- A Consent Receipt extends the MVCR by:
  - Adding UMA Framework
  - Adding PPP (Personal Privacy Policy: like a Consent Directive) policy requirements
  - Adding HIPAA
  - Add UK Jurisdiction profile and Medical PII profile to the consent requirements; add these processes at point of consent or enrolment at UK health care centre.
- These might all appear as icons of the above listed on the receipt, managed by 3rd parties operating the trust frameworks for the above elements.

Mark
On 10 Aug 2015, at 18:36, Dazza Greenwood <dazza@civics.com> wrote:

Ok Eve, I'm on it. Looking forward to seeing the negative cases.
Hi Mark, do you have any additional use cases to consider?
Thanks, - Dazza
_ _ _ _ _ _ _ _ _ _ _ _ _ _
| Dazza Greenwood, JD | CIVICS.com, Founder & Principal | MIT Media Lab, Visiting Scientist | Vmail: 617.500.3644 | Email: dazza@CIVICS.com | Biz: http://CIVICS.com | MIT: https://law.MIT.edu | Me: DazzaGreenwood.com | Twitter: @DazzaGreenwood | Google+: google.com/+DazzaGreenwood | LinkedIn: linkedin.com/in/DazzaGreenwood | GitHub: github.com/DazzaGreenwood/Interface | Postal: P.O. Box 425845 Cambridge, MA 02142 |
_ _ _ _ _ _ _ _ _ _ _ _ _ _
On Mon, Aug 10, 2015 at 3:44 PM, Eve Maler <eve@xmlgrrl.com> wrote:

Hi Dazza— Please feel free to send links and updates to the list. I have an action item to work on additional use cases ("negative" ones), and health use case patterns definitely aren't the only ones we want to consider (nor am I positive that Adrian has captured all of those). Mark may want to contribute some too. And we probably want to spend more than one week on reviewing and understanding them. :-)

Eve
On 10 Aug 2015, at 12:12 PM, Dazza Greenwood <dazza@civics.com> wrote:

Update - As promised, I put the draft mission, use cases and other background materials on the current GitHub wiki and am UMA-customizing a basic "how to use GitHub issues and wiki pages - for lawyers" FAQ.

Are the use cases from Adrian solid enough to work on, and do they reflect the business case(s) you need to focus on? Also, do these use cases correctly and completely highlight the UMA functions and flows, or is anything off base, incomplete, etc.?
Anything else needed before next meeting? Should probably send links and ask people to contribute or think about something. Minimally, I'd suggest maintaining some focus on the use cases for now, to ensure an apples to apples anchor for legal conversation and to provide a double check basis for mapping stuff people say from legal to tech and vice versa.
Thanks, - Dazza
On Aug 10, 2015, at 2:59 PM, Eve Maler <eve@xmlgrrl.com> wrote:

I created a (really huge) swimlane and a pro/con list, and a bit more... I ended up writing a recommendation. You can find the whole thing linked from here:

https://docs.google.com/document/d/1OsIqPbVNx66vypnCzjxoFjX0AHCD_rEmgP8Q-5hn...
Eve
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com
_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma
Mark,

I've read this twice, and I don't follow the distinction you're making. I can't think of any reason that Alice would want to have a separate server for her consent receipts and her data sharing authorizations. Both of these require a set of standards acceptable to the various other actors.

The major difference I see between consent and authorization is that consent seems to focus on the registration of a relationship while authorization seems to focus on the info sharing pursuant to that relationship.

My sense is that, from a legal perspective, the registration and sharing are inseparable and we would do well to merge consent and authorization lest we confuse the standards and our message.

Adrian

On Friday, August 14, 2015, Mark Lizar wrote:
--
Adrian Gropper MD
RESTORE Health Privacy! HELP us fight for the right to control personal health data.
DONATE: http://patientprivacyrights.org/donate-2/
Hi Adrian,
On 16 Aug 2015, at 10:58, Adrian Gropper wrote:

Mark,
I've read this twice, and I don't follow the distinction you're making. I can't think of any reason that Alice would want to have a separate server for her consent receipts and her data sharing authorizations. Both of these require a set of standards acceptable to the various other actors.
I agree with you; in a UMA deployment I cannot think of a reason why these would be separate.
The major difference I see between consent and authorization is that consent seems to focus on the registration of a relationship while authorization seems to focus on the info sharing pursuant to that relationship.
My sense is that, from a legal perspective, the registration and sharing are inseparable and we would do well to merge consent and authorization lest we confuse the standards and our message.
This might be a good idea. I have been unclear about how a consent record will be maintained, and if a consent provides authority for a range of practices that happen long after the point of consent, whether this is called something else, i.e. an authorisation. In this case, are there other types of 'authorisation' records that deal with privilege management? I have wondered how these might relate or be chained together.
Adrian
On Friday, August 14, 2015, Mark Lizar mailto:mark@smartspecies.com> wrote: Pushing the penny forward an inch.
As a follow up to the MVCR, there are it seems, some legal considerations that surround the application of policy in terms of what takes precedent, the privacy policy, the terms of use policies. As well, liability around who owns, controls and manages the data is also critical and needs to be clear. T
A simple way to start putting this all together is to look at applying the MVCR roles ( that are anchored in ISO 29100 “roles") as an overlay to Adrian's (and any other) UMA use cases to address the legal questions and topics that arrise.
To get things going here are a couple of items and their flows for the legal eagles. .
A. Data Rights Ownership; User Managed Access Vs. User Controlled Access. (see use case below)
B. Are T&C’s subjected to a Privacy Policy? Does the legal chain of authority that leads to the provisioning of roles and privileges, for access to personal attributes, start with the privacy policy for enrolment, then the terms and conditions?
For example: 1. In the MVCR their is an undiscussed assumption that the privacy policy which provides the consent is counted as the primary contract for the use of personal information so the service provider may then use the personal information. At which point, The service provider uses the PI provided with the consent and then enrols the service user with a secondary policy, the terms and conditions, which Alice needs to contractually abide by, to use the service. As the requirement for a privacy policy and consent is legal infrastructure, and the T&C’s is organisation specific, the T&C’s are subjected to the privacy policy. i.e. legal requirements trump the business requirements in a court of law.
2. In regards to the above Issue 2 . What are the legal connotations - I.e. If a user blocks access to a PII resources (using EU law), the terms for that service might be that the service is stopped. But, the user may be required by the contract to keep paying for that service according to the contract and licence agreed too, and the service may be legally required to keep the user data while still charging for the service. (of course this is over simplified) i.e. the org indemnifies themself by give the functionality to users to manage the access to a copy of the user data the org controls. But in a very privacy by design way.
The point being, this would appear to be different UMA Legal Flows than the user (in control of her own data) licensing access to the use of an attribute using UMA, which seems to me, like a different legal flavour of UMA all together. (closer to the UMA Health Flow) I.e.. Alice can turn on and off access to all or just a single attribute at any time in any scoped context.
3. Legal Flow/Use Case: User Managed Access Vs. User Controlled Access. UMA profile that is of two flavours Flavour A. Alice controls access to her own PII, authorises access using UMA to personal profile Flavour B. Alice Manages Access to her own PII . Using UMA installed behind a company siloed (and own Company copy of PII that the user maintains) that runs UMA so users can have more functionality through this silo. Note: this is the difference between the user being the data controller or the user being the data subject.
Who controls and owns the data rights? if the service user is also the data controller, then data protection and privacy laws are effected in that the liability and policy for protecting the data lies with the service user, and the liability or contract/license for the usage of the data lies with the company. - this would be a different policy structure, with a consent directive and UMA, for orgs to agree too. Like a Personal Privacy Policy (PPP) to cover the different liability. liability of being a data controller no longer applies the same way as data protection liability is moved (reduced, or changed into another form) if the data subject is owner/controller of the data and its access.
For Example: A good example here is in health care where consent directives and laws and frameworks are mature. (i.e. consent and access controls are being bound together already)
With Flavour A, Alice owns and manages PII, and gets to see how many times her personal data (medical records) were accessed, when and by whom.

With Flavour B, Alice gives away PII that is already under the T&C’s of the service and owned by the company or institution. In the second circumstance she does not get to see how many times her data was accessed, or even what the live status is of her active consents and medical data usage, unless she pays a fee to the Experian-like company that owns them.

With the MVCR-based authorisation log Alice knows that her permission and access to her data should line up to the purpose of the sharing, the permission to access data, and the specified purpose of the active consent the company now maintains for her. This would be a very helpful tool for Alice to quickly understand medical sharing policies.

Without clarity between UMA Flavour A & B, does UMA have the opportunity to be:
incredibly good (the good guys), because Alice is in full control of her own data;
incredibly bad, because Alice thinks she has control of a copy of her data, or that another service provider, that she is forced to trust, has her best interests at heart.

Should there be a different flavour of UMA (in terms of legal considerations) that designates between A & B? Can there be a flavour of UMA that is both A & B?

The MVCR - Binding A & B Together

A consent receipt is being developed as a tool that will help bind consent and legal requirements to access roles and policy rules for sharing data. The MVCR is designed to make explicit the policies and notice requirements to make binding these together legitimate and understandable, i.e. this can be used to tie the role of data subject to the liability of access controls and vice versa. For example, the various frameworks that are used in the space of consent and access control can be added to a receipt.

In this scenario, we would see:
Alice is at a hospital in the US.
Alice consents to provide PII to the hospital for medical treatment.
Alice gets a consent receipt.
On the receipt is a UMA icon and a HIPAA icon linked to legal requirements, or maybe just a field for a URI that links directly to the PPP, which has all the links and info needed for Alice’s medical records and consent directives (from her AS).
Every test or comment can then be linked to her PPP and be available for the next health data context.
This receipt under info sharing would have the PPP icon, the HIPAA TrustMark icon, and the UMA icon all linked to the audit, enforcement and complaint processes that all of these frameworks require.

In parallel to the US health system, the UK’s health care system is the reverse and has the same problems but for different reasons: it is a universal health care system, where it costs the infrastructure money to provide medical services (as opposed to the US, where the infrastructure makes money by providing medical services). In the UK you (the patient) are unable to see if you have consented to sharing PII, with whom you have shared, or what medical records you have, with sensitive medical data spread on computers ranging from Win 95 and up. A UMA-enabled doctor’s office in the UK should be able to receive consent, use the medical data from the US and provide seamless service.

So how would a consent receipt look if it was used to bind this? A consent receipt extends the MVCR by:
Adding the UMA framework
Adding PPP (Personal Privacy Policy, like a consent directive) policy requirements
Adding HIPAA
Adding a UK jurisdiction profile and a medical PII profile to the consent requirements, and adding these processes at the point of consent or enrollment at a UK health care centre.
These might all appear as icons for the above listed items on the receipt, managed by 3rd parties operating the trust frameworks for the above elements.
Mark
On 10 Aug 2015, at 18:36, Dazza Greenwood wrote:
Ok Eve, I'm on it. Looking forward to seeing the negative cases.
Hi Mark, do you have any additional use cases to consider?
Thanks, - Dazza
Dazza Greenwood, JD | CIVICS.com, Founder & Principal | MIT Media Lab, Visiting Scientist | Vmail: 617.500.3644 | Email: dazza@CIVICS.com | Biz: http://CIVICS.com | MIT: https://law.MIT.edu | Me: DazzaGreenwood.com | Twitter: @DazzaGreenwood | Google+: google.com/+DazzaGreenwood | LinkedIn: linkedin.com/in/DazzaGreenwood | GitHub: github.com/DazzaGreenwood/Interface | Postal: P.O. Box 425845 Cambridge, MA 02142
On Mon, Aug 10, 2015 at 3:44 PM, Eve Maler wrote:
Hi Dazza— Please feel free to send links and updates to the list. I have an action item to work on additional use cases (“negative” ones), and health use case patterns definitely aren’t the only ones we want to consider (nor am I positive that Adrian has captured all of those). Mark may want to contribute some too. And we probably want to spend more than one week on reviewing and understanding them. :-)
Eve
On 10 Aug 2015, at 12:12 PM, Dazza Greenwood wrote:
Update - As promised, I put the draft mission, use cases and other background materials on the current GitHub wiki and am UMA-customizing a basic "how to use GitHub issues and wiki pages - for lawyers" FAQ.
Are the use cases from Adrian solid enough to work on, and do they reflect the business case(s) you need to focus on? Also, do these use cases correctly and completely highlight the UMA functions and flows, or is anything off base, incomplete, etc.?
Anything else needed before next meeting? Should probably send links and ask people to contribute or think about something. Minimally, I'd suggest maintaining some focus on the use cases for now, to ensure an apples to apples anchor for legal conversation and to provide a double check basis for mapping stuff people say from legal to tech and vice versa.
Thanks, - Dazza
Sent from my iPhone | Please Forgive Typos | Dazza Greenwood, JD | CIVICS.com, Founder & Principal | MIT Media Lab, Visiting Scientist | Vmail: 617.500.3644 | Email: dazza@CIVICS.com | Biz: http://CIVICS.com | MIT: https://law.MIT.edu | Me: DazzaGreenwood.com | Twitter: @DazzaGreenwood | Google+: google.com/+DazzaGreenwood | LinkedIn: linkedin.com/in/DazzaGreenwood | GitHub: github.com/DazzaGreenwood/Interface
On Aug 10, 2015, at 2:59 PM, Eve Maler wrote:
I created a (really huge) swimlane and a pro/con list, and a bit more... I ended up writing a recommendation. You can find the whole thing linked from here:
https://docs.google.com/document/d/1OsIqPbVNx66vypnCzjxoFjX0AHCD_rEmgP8Q-5hn...
Eve
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com
WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com
--
Adrian Gropper MD
RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/
Mark, I’m not sure I’m following the distinction you were making with user-managed vs. user-controlled either, but I didn’t think it was a separation of consent receipt vs. authorization (policy?) storage. I thought it was more in the direction — perhaps — of data that is self-asserted (Alice is literally in control of saying whether she prefers aisle vs. window) vs. data that is about her but that she can’t control the value of (Alice can manage access to her credit score, but there’s no way she can control its content).

Is that the distinction? If so, is the first one “controlled” and the second one “managed”? And if so, where does Alice-as-data-controller in law come in?

If that’s not the distinction, could you provide an example that highlights more sharply what it is?

Eve
On 16 Aug 2015, at 7:12 PM, Mark Lizar wrote:
Hi Adrian,
On 16 Aug 2015, at 10:58, Adrian Gropper wrote:
Mark,
I've read this twice, and I don't follow the distinction you're making. I can't think of any reason that Alice would want to have a separate server for her consent receipts and her data sharing authorizations. Both of these require a set of standards acceptable to the various other actors.
I agree with you; in a UMA deployment I cannot think of a reason why these would be separate.
The major difference I see between consent and authorization is that consent seems to focus on the registration of a relationship while authorization seems to focus on the info sharing pursuant to that relationship.
My sense is that, from a legal perspective, the registration and sharing are inseparable and we would do well to merge consent and authorization lest we confuse the standards and our message.
This might be a good idea. I have been unclear about how a consent record will be maintained and, if a consent provides authority for a range of practices that happen long after the point of consent, whether this is called something else, i.e. an authorisation. In this case, are there other types of ‘authorisation’ records that deal with privilege management? I have wondered how these might relate or be chained together.
Adrian
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com
Ah yes, I see the confusion. I thought these were two separate issues: 1. comparing the terms Consent and Authorisation, and 2. liability and data rights management.

The 2nd issue: A. User Controlled vs. B. User Managed -> the data rights ownership issue.

A: Refers to the data subject (Alice) who is in control of and owns her own profile of her own personal information, independently from a service provider, as opposed to B: filling personal information (PI) into forms presented by a company so as to create a copy of her PI and give it to a company to own and keep.

This issue is specifically related to: who owns the data the user is managing access to? This is also very similar to the design principle of: always knowing who to sue. I think this also could be considered a part of the liability, ownership and data control discussion we have been having.

What I am specifically interested in is whether data protection regulation is relevant in the context of A, when a user controls their own data. Would the liability (or legal requirements) for data protection be on the data subject themselves? Is the liability for attribute access and use-only permission the same as for taking a copy of all personal information?

If B, when the personal data is controlled and a copy owned by a company, then the liability (for its protection and use) is with the organisation, and hypothetically the user needs to trust the organisation more than in scenario A, where the user controls their own copy of their data and can turn access on and off. (Sort of like turning on and off automatic monthly payments to a service provider at the bank.)

For example: Company A only gets to see Alice’s address when they print a label, and Alice's AS gives Company A access to print only a label from Alice’s personal resource server; then Alice can block access to her address at any time.

If Company A gets Alice to give over Alice’s address, then they can access Alice’s address at any time and don’t need to ask Alice for permission to use it, etc. One scenario requires much more trust from Alice than the other. In A, Alice controls her data; in B, Alice manages her data that another company owns and keeps for her. Does this make any sense?

- Mark
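The two scenarios Mark contrasts (Alice's AS granting Company A only a "print a label" scope against her own resource server, revocable at any time, versus Company A holding its own copy of her address) together with the MVCR-based authorisation log from his earlier message, as an added Python model. This is example code written for this page, not code from the thread, from the Kantara MVCR work or from any UMA implementation; the class names, the `print_label` and `marketing` scopes, the receipt field names and the `example.invalid` URIs are constructed for illustration.

```python
# Added example: a toy model of "user controlled" (Flavour A) vs. "user managed"
# (Flavour B) access. Names, scopes, receipt fields and URIs are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ConsentReceipt:
    """Stand-in for an MVCR-style receipt binding a purpose and permitted scopes to
    the frameworks governing the sharing. Field names are assumptions, not the spec's."""
    receipt_id: str
    pii_principal: str            # data subject
    pii_controller: str           # party that controls the data under this receipt
    purpose: str
    scopes: frozenset             # scopes the receipt authorises
    frameworks: dict = field(default_factory=dict)  # framework -> URI of its audit process


@dataclass
class LogEntry:
    client: str
    attribute: str
    scope: str
    allowed: bool


class PersonalResourceServer:
    """Flavour A: Alice's own resource server. Access is scoped, revocable at any
    time, and every attempt is logged where the data subject can read it."""

    def __init__(self, owner, attributes):
        self.owner = owner
        self._attributes = dict(attributes)
        self._permissions = {}    # (client, attribute) -> (receipt, set of scopes)
        self._log = []

    def grant(self, receipt, client, attribute, scopes):
        # A grant may never exceed what the consent receipt covers.
        if not set(scopes) <= receipt.scopes:
            raise ValueError("scope not covered by the consent receipt")
        self._permissions[(client, attribute)] = (receipt, set(scopes))

    def revoke(self, client, attribute):
        self._permissions.pop((client, attribute), None)

    def access(self, client, attribute, scope):
        granted = self._permissions.get((client, attribute))
        allowed = granted is not None and scope in granted[1]
        self._log.append(LogEntry(client, attribute, scope, allowed))
        return self._attributes[attribute] if allowed else None

    def access_log(self, requester):
        # Only the data subject sees who accessed what, under which scope, and whether it succeeded.
        if requester != self.owner:
            raise PermissionError("only the data subject may read the access log")
        return list(self._log)


class CompanyCopy:
    """Flavour B: the company keeps its own copy under its T&Cs. Nothing is scoped,
    nothing can be revoked after the fact, and no log reaches Alice."""

    def __init__(self, controller, copied_attributes):
        self.controller = controller
        self._copy = dict(copied_attributes)

    def access(self, attribute):
        return self._copy[attribute]

    def access_log(self, requester):
        raise PermissionError(f"no access log is exposed to {requester}")


def audit_against_receipt(log, receipt, client):
    """Log entries for `client` whose scope the receipt never authorised, i.e.
    attempts that do not line up with the purpose of the sharing."""
    return [e for e in log if e.client == client and e.scope not in receipt.scopes]


def flavour_a_walkthrough():
    receipt = ConsentReceipt(
        receipt_id="receipt-0001", pii_principal="alice", pii_controller="alice",
        purpose="print a shipping label", scopes=frozenset({"print_label"}),
        frameworks={"UMA": "https://example.invalid/uma", "PPP": "https://example.invalid/alice-ppp"},
    )
    rs = PersonalResourceServer("alice", {"address": "1 Example Street"})
    rs.grant(receipt, "company_a", "address", {"print_label"})
    first = rs.access("company_a", "address", "print_label")   # in scope: allowed
    over = rs.access("company_a", "address", "marketing")      # outside scope: denied
    rs.revoke("company_a", "address")
    after = rs.access("company_a", "address", "print_label")   # revoked: denied
    log = rs.access_log("alice")
    return first, over, after, log, audit_against_receipt(log, receipt, "company_a")


def flavour_b_walkthrough():
    copy = CompanyCopy("company_a", {"address": "1 Example Street"})
    value = copy.access("address")        # always succeeds: no scope, no revocation
    try:
        copy.access_log("alice")
        visible = True
    except PermissionError:
        visible = False
    return value, visible
```

`audit_against_receipt` is the check an MVCR-based authorisation log would let Alice run: every logged attempt is compared with the scopes the receipt actually authorised, so an out-of-purpose request shows up even when the resource server already refused it. In Flavour B there is no equivalent check to run, because neither the scope nor the log exists on Alice's side.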
On 18 Aug 2015, at 00:00, Eve Maler
wrote: Mark, I’m not sure I’m following the distinction you were making with user-managed vs. user-controlled either, but I didn’t think it was a separation of consent receipt vs. authorization (policy?) storage. I thought it was more in the direction — perhaps — of data that is self-asserted (Alice is literally in control of saying whether she prefers aisle vs. window) vs. data that is about her but that she can’t control the value of (Alice can manage access to her credit score, but there’s no way she can control its content).
Is that the distinction? If so, is the first one “controlled” and the second one “managed”? And if so, where does Alice-as-data-controller in law come in?
If that’s not the distinction, could you provide an example that highlights more sharply what it is?
Eve
On 16 Aug 2015, at 7:12 PM, Mark Lizar mailto:mark@smartspecies.com> wrote:
Hi Adrian,
On 16 Aug 2015, at 10:58, Adrian Gropper
mailto:agropper@healthurl.com> wrote: Mark,
I've read this twice, and I don't follow the distinction you're making. I can't think of any reason that Alice would want to have a separate server for her consent receipts and her data sharing authorizations. Both of these require a set of standards acceptable to the various other actors.
I agree with you, in an UMA deployment I can not think of a reason why these would be separate.
The major difference I see between consent and authorization is that consent seems to focus on the registration of a relationship while authorization seems to focus on the info sharing pursuant to that relationship.
My sense is that, from a legal perspective, the registration and sharing are inseparable and we would do well to merge consent and authorization lest we confuse the standards and our message.
This might be a good idea, I have been unclear about how a consent record will be maintained and if a consents provides authority for a range of practices that happens long after the point of consent, if this is called something else, i.e. an authorisation. In this case are their other types of ‘authorisation’ records that deals with privilege management and I have wondered how these might relate or be chained together.
Adrian
On Friday, August 14, 2015, Mark Lizar mailto:mark@smartspecies.com> wrote: Pushing the penny forward an inch.
As a follow up to the MVCR, there are it seems, some legal considerations that surround the application of policy in terms of what takes precedent, the privacy policy, the terms of use policies. As well, liability around who owns, controls and manages the data is also critical and needs to be clear. T
A simple way to start putting this all together is to look at applying the MVCR roles ( that are anchored in ISO 29100 “roles") as an overlay to Adrian's (and any other) UMA use cases to address the legal questions and topics that arrise.
To get things going here are a couple of items and their flows for the legal eagles. .
A. Data Rights Ownership; User Managed Access Vs. User Controlled Access. (see use case below)
B. Are T&C’s subjected to a Privacy Policy? Does the legal chain of authority that leads to the provisioning of roles and privileges, for access to personal attributes, start with the privacy policy for enrolment, then the terms and conditions?
For example: 1. In the MVCR their is an undiscussed assumption that the privacy policy which provides the consent is counted as the primary contract for the use of personal information so the service provider may then use the personal information. At which point, The service provider uses the PI provided with the consent and then enrols the service user with a secondary policy, the terms and conditions, which Alice needs to contractually abide by, to use the service. As the requirement for a privacy policy and consent is legal infrastructure, and the T&C’s is organisation specific, the T&C’s are subjected to the privacy policy. i.e. legal requirements trump the business requirements in a court of law.
2. In regards to the above Issue 2 . What are the legal connotations - I.e. If a user blocks access to a PII resources (using EU law), the terms for that service might be that the service is stopped. But, the user may be required by the contract to keep paying for that service according to the contract and licence agreed too, and the service may be legally required to keep the user data while still charging for the service. (of course this is over simplified) i.e. the org indemnifies themself by give the functionality to users to manage the access to a copy of the user data the org controls. But in a very privacy by design way.
The point being, this would appear to be different UMA Legal Flows than the user (in control of her own data) licensing access to the use of an attribute using UMA, which seems to me, like a different legal flavour of UMA all together. (closer to the UMA Health Flow) I.e.. Alice can turn on and off access to all or just a single attribute at any time in any scoped context.
3. Legal Flow/Use Case: User Managed Access Vs. User Controlled Access. UMA profile that is of two flavours Flavour A. Alice controls access to her own PII, authorises access using UMA to personal profile Flavour B. Alice Manages Access to her own PII . Using UMA installed behind a company siloed (and own Company copy of PII that the user maintains) that runs UMA so users can have more functionality through this silo. Note: this is the difference between the user being the data controller or the user being the data subject.
Who controls and owns the data rights? if the service user is also the data controller, then data protection and privacy laws are effected in that the liability and policy for protecting the data lies with the service user, and the liability or contract/license for the usage of the data lies with the company. - this would be a different policy structure, with a consent directive and UMA, for orgs to agree too. Like a Personal Privacy Policy (PPP) to cover the different liability. liability of being a data controller no longer applies the same way as data protection liability is moved (reduced, or changed into another form) if the data subject is owner/controller of the data and its access.
For Example: A good example here is in health care where consent directives and laws and frameworks are mature. (i.e. consent and access controls are being bound together already)
With Flavour A, Alice Owns and Manages PII, gets to see how many times her personal data (medical records) were accessed, when and by whom Flavour B, Alice, gives away PII - that is already under the T&C’s of service, and owed by the company or institution. in the second circumstance she does not get to see how many times her data was accessed or even what the live status is of her active consents and medical data usage, unless she pays a fee to the Experian like company that owns them. With the MVCR based authorisation log Alice knows that her permission and access to her data should line up to the purpose of the sharing, the permission to access data, and the specified purpose of the active consent the company now maintains for her This would be a very helpful tool for alice to quickly understand medical sharing policies Without clarity between UMA Flavour A & B, does UMA have the opportunity to be : incredibly good (the good guys), because Alice is in full control of their own data incredibly bad, because Alice thinks she has control of a copy of their data. Or that another service provider, that she is forced to trust, has her best interests at hear. should their be a different flavour of UMA (in terms of legal considerations) that designates between A & B? Can their be a flavour of UMA that is both A&B? The MVCR - Binding A & B Together A consent receipt is being developed as a tool that will help bind consent and legal requirements to access roles and policy rules for sharing data. The MVCR is designed to make explicit the policies and notice requirements to make binding these together legitimate and understandable - i.e. this can be used to tie the role of data subject to the liability of access controls and vice versa For example the various frameworks that are used in the space of consent and access control can be added to a receipt. 
In this scenario, we would see Alice is at a hospital in the US Alice consents to provide PII to hospital for medical treatment Alice gets a consent receipt On receipt is UMA Icon and a HIPPA icon linked to legal requirements, or maybe just a field for a URI that links directly to the PPP, which has all the links and info needed for Alice’s medical records and consent directives (from her AS) Every test or comment can be then linked to her PPP and available for the next health data context This receipt under info sharing would have the PPP Icon, the HIPPA TrustMark icon, and the UMA icon all linked to the audit, enforcement and complaint processes that all of these frameworks require.
In parallel to the US health System The UK’s heath care system is the reverse and has the same problems but for different reasons it is a universl health care system, where it costs the infrastructure money to provide medical services. (as oppose to the US) where the infrastructure makes money by providing medical services. In the UK you (the patient) are unable to see if you have consented to sharing PII, with whom you have shared, what medical records you have with Sensitive Medical Data spread on computers ranging from win 95 and up. An UMA enabled doctors office in the UK should be able to receive consent, use the medical data from the US and provide seamless service. So how would a consent receipt look like if it was used to bind ths A Consent Receipt extend the MVCR by: Adding UMA Framework Adding PPP (Personal Privacy Policy: Like a Consent Directive) police requirements Adding HIPPA: Add UK Jurisdiction profile and Medical PII profile to the consent requirements, add these processes at point of consent or enrollment at UK health care centre. These might all appear as ICONS of the above listed to the receipt and managed by 3rd parties operating the trust frameworks for the above elements.
Mark
On 10 Aug 2015, at 18:36, Dazza Greenwood wrote:
Ok Eve, I'm on it. Looking forward to seeing the negative cases.
Hi Mark, do you have any additional use cases to consider?
Thanks, - Dazza
Dazza Greenwood, JD | CIVICS.com http://civics.com/, Founder & Principal | MIT Media Lab, Visiting Scientist | Vmail: 617.500.3644 | Email: dazza@CIVICS.com | MIT: https://law.mit.edu/ | Me: http://dazzagreenwood.com/ | Twitter: @DazzaGreenwood | Google+: http://google.com/+DazzaGreenwood | LinkedIn: http://linkedin.com/in/DazzaGreenwood | GitHub: http://github.com/DazzaGreenwood/Interface | Postal: P.O. Box 425845 Cambridge, MA 02142
On Mon, Aug 10, 2015 at 3:44 PM, Eve Maler wrote:
Hi Dazza— Please feel free to send links and updates to the list. I have an action item to work on additional use cases (“negative” ones), and health use case patterns definitely aren’t the only ones we want to consider (nor am I positive that Adrian has captured all of those). Mark may want to contribute some too. And we probably want to spend more than one week on reviewing and understanding them. :-)
Eve
On 10 Aug 2015, at 12:12 PM, Dazza Greenwood wrote:
Update - As promised, I put the draft mission, use cases and other background materials on the current GitHub wiki and am UMA-customizing a basic "how to use GitHub issues and wiki pages - for lawyers" FAQ.
Are the use cases from Adrian solid enough to work on, and do they reflect the business case(s) you need to focus on? Also, do these use cases correctly and completely highlight the UMA functions and flows, or is anything off base, incomplete, etc.?
Anything else needed before next meeting? Should probably send links and ask people to contribute or think about something. Minimally, I'd suggest maintaining some focus on the use cases for now, to ensure an apples to apples anchor for legal conversation and to provide a double check basis for mapping stuff people say from legal to tech and vice versa.
Thanks, - Dazza
On Aug 10, 2015, at 2:59 PM, Eve Maler wrote:
I created a (really huge) swimlane and a pro/con list, and a bit more... I ended up writing a recommendation. You can find the whole thing linked from here:
https://docs.google.com/document/d/1OsIqPbVNx66vypnCzjxoFjX0AHCD_rEmgP8Q-5hn...
Eve
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com
WG-UMA mailing list | WG-UMA@kantarainitiative.org | http://kantarainitiative.org/mailman/listinfo/wg-uma
--
Adrian Gropper MD
RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/
Mark,
You seem to be saying that the Institution has less liability when accessing Alice's attribute "by Reference" rather than "by Value". I agree. Less risk of breach. Less risk of using stale data. Less liability to provide Alice with a verification and correction mechanism.
I would agree, and out UMA as enabling access "by Reference" in more use-cases.
Adrian
On Tuesday, August 18, 2015, Mark Lizar wrote:
Ah yes,
I see the confusion. I thought these two issues were separate: 1. comparing the terms Consent and Authorisation, and 2. liability and data rights management.
The 2nd issue:
A. User controlled vs. B. User managed —> the data rights ownership issue.
A: refers to the data subject (Alice) who is in control of and owns her own profile of her own personal information, independently from a service provider, as opposed to B: filling personal information (PI) into forms presented by a company so as to create a copy of her PI and give it to a company to own and keep.
This issue is specifically related to: Who owns the data the User is managing access to?
This is also very similar to the design principle of: always knowing who to sue. I think this could also be considered a part of the liability, ownership and data control discussion we have been having.
What I am specifically interested in is whether data protection regulation is relevant in the context of A: when a user controls their own data. Would the liability (or legal requirements) for data protection be on the data subject themselves? Is the liability for an attribute access-and-use-only permission the same as for taking a copy of all Personal Information?
If B - when the personal data is controlled and a copy owned by a company, then the liability (for its protection and use) is with the organisation and hypothetically the user needs to trust the organisation more than in scenario A: where the User controls their own copy of their data and can turn on and off access. (Sort of like turning on and off automatic monthly payments to a service provider at the bank.)
For example: company A only gets to see Alice’s address when they print a label, and Alice's AS gives Company A access to print only a label from Alice’s personal resource server; then Alice can block access to her address at any time.
If company A gets Alice to give over Alice’s address, then they can access Alice’s address at any time and don’t need to ask Alice for permission to use it, etc. One scenario requires much more trust from Alice than the other.
In A, Alice controls her data; in B, Alice manages her data that another company owns and keeps for her.
Does this make any sense?
- Mark
On 18 Aug 2015, at 00:00, Eve Maler wrote:
Mark, I’m not sure I’m following the distinction you were making with user-managed vs. user-controlled either, but I didn’t think it was a separation of consent receipt vs. authorization (policy?) storage. I thought it was more in the direction — perhaps — of data that is self-asserted (Alice is literally in control of saying whether she prefers aisle vs. window) vs. data that is about her but that she can’t control the value of (Alice can manage access to her credit score, but there’s no way she can control its content).
Is that the distinction? If so, is the first one “controlled” and the second one “managed”? And if so, where does Alice-as-data-controller in law come in?
If that’s not the distinction, could you provide an example that highlights more sharply what it is?
Eve
On 16 Aug 2015, at 7:12 PM, Mark Lizar wrote:
Hi Adrian,
On 16 Aug 2015, at 10:58, Adrian Gropper wrote:
Mark,
I've read this twice, and I don't follow the distinction you're making. I can't think of any reason that Alice would want to have a separate server for her consent receipts and her data sharing authorizations. Both of these require a set of standards acceptable to the various other actors.
I agree with you; in a UMA deployment I cannot think of a reason why these would be separate.
The major difference I see between consent and authorization is that consent seems to focus on the registration of a relationship while authorization seems to focus on the info sharing pursuant to that relationship.
My sense is that, from a legal perspective, the registration and sharing are inseparable and we would do well to merge consent and authorization lest we confuse the standards and our message.
This might be a good idea. I have been unclear about how a consent record will be maintained and, if a consent provides authority for a range of practices that happen long after the point of consent, whether this is called something else, i.e. an authorisation. In this case, are there other types of ‘authorisation’ records that deal with privilege management? I have wondered how these might relate or be chained together.
Adrian
On Friday, August 14, 2015, Mark Lizar wrote:
Pushing the penny forward an inch.
As a follow up to the MVCR, there are, it seems, some legal considerations that surround the application of policy in terms of what takes precedence: the privacy policy or the terms of use policies. As well, liability around who owns, controls and manages the data is also critical and needs to be clear.
A simple way to start putting this all together is to look at applying the MVCR roles (that are anchored in ISO 29100 “roles") as an overlay to Adrian's (and any other) UMA use cases to address the legal questions and topics that arise.
To get things going, here are a couple of items and their flows for the legal eagles.
A. Data Rights Ownership; User Managed Access vs. User Controlled Access. (see use case below)
B. Are T&Cs subjected to a Privacy Policy? Does the legal chain of authority that leads to the provisioning of roles and privileges, for access to personal attributes, start with the privacy policy for enrolment, then the terms and conditions?
For example: 1. In the MVCR there is an undiscussed assumption that the privacy policy which provides the consent is counted as the primary contract for the use of personal information, so the service provider may then use the personal information. At which point, the service provider uses the PI provided with the consent and then enrols the service user with a secondary policy, the terms and conditions, which Alice needs to contractually abide by to use the service. As the requirement for a privacy policy and consent is legal infrastructure, and the T&Cs are organisation specific, the T&Cs are subjected to the privacy policy, i.e. legal requirements trump the business requirements in a court of law.
2. In regards to the above Issue 2: what are the legal connotations? I.e. if a user blocks access to PII resources (using EU law), the terms for that service might be that the service is stopped. But the user may be required by the contract to keep paying for that service according to the contract and licence agreed to, and the service may be legally required to keep the user data while still charging for the service. (Of course this is over-simplified.) I.e. the org indemnifies themselves by giving the functionality to users to manage the access to a copy of the user data the org controls, but in a very privacy-by-design way.
The point being, this would appear to be a different UMA legal flow than the user (in control of her own data) licensing access to the use of an attribute using UMA, which seems to me like a different legal flavour of UMA altogether (closer to the UMA Health Flow), i.e. Alice can turn on and off access to all or just a single attribute at any time in any scoped context.
3. Legal Flow/Use Case: User Managed Access vs. User Controlled Access.
- A UMA profile that is of two flavours:
  - Flavour A. Alice controls access to her own PII, and authorises access to her personal profile using UMA.
  - Flavour B. Alice manages access to her own PII, using UMA installed behind a company silo (with the company's own copy of the PII that the user maintains) that runs UMA so users can have more functionality through this silo.
  - Note: this is the difference between the user being the data controller or the user being the data subject.
- Who controls and owns the data rights?
  - If the service user is also the data controller, then data protection and privacy laws are affected in that the liability and policy for protecting the data lies with the service user, and the liability or contract/license for the usage of the data lies with the company.
  - This would be a different policy structure, with a consent directive and UMA, for orgs to agree to. Like a Personal Privacy Policy (PPP) to cover the different liability.
  - The liability of being a data controller no longer applies the same way, as data protection liability is moved (reduced, or changed into another form) if the data subject is owner/controller of the data and its access.
For example:
- A good example here is in health care, where consent directives and laws and frameworks are mature (i.e. consent and access controls are being bound together already).
- With Flavour A, Alice owns and manages PII, and gets to see how many times her personal data (medical records) were accessed, when and by whom.
- With Flavour B, Alice gives away PII that is already under the T&Cs of service, and owned by the company or institution.
- In the second circumstance she does not get to see how many times her data was accessed, or even what the live status is of her active consents and medical data usage, unless she pays a fee to the Experian-like company that owns them.
- With the MVCR-based authorisation log, Alice knows that her permission and access to her data should line up with the purpose of the sharing, the permission to access data, and the specified purpose of the active consent the company now maintains for her.
- This would be a very helpful tool for Alice to quickly understand medical sharing policies.
- Without clarity between UMA Flavour A & B, does UMA have the opportunity to be:
  - incredibly good (the good guys), because Alice is in full control of her own data;
  - incredibly bad, because Alice thinks she has control of a copy of her data, or that another service provider, that she is forced to trust, has her best interests at heart.
- Should there be a different flavour of UMA (in terms of legal considerations) that designates between A & B?
- Can there be a flavour of UMA that is both A & B?
- The MVCR - Binding A & B Together:
  - A consent receipt is being developed as a tool that will help bind consent and legal requirements to access roles and policy rules for sharing data.
  - The MVCR is designed to make explicit the policies and notice requirements to make binding these together legitimate and understandable, i.e. this can be used to tie the role of data subject to the liability of access controls and vice versa.
  - For example, the various frameworks that are used in the space of consent and access control can be added to a receipt.
- In this scenario, we would see:
  - Alice is at a hospital in the US.
  - Alice consents to provide PII to the hospital for medical treatment.
  - Alice gets a consent receipt.
  - On the receipt is a UMA icon and a HIPAA icon linked to legal requirements, or maybe just a field for a URI that links directly to the PPP, which has all the links and info needed for Alice’s medical records and consent directives (from her AS).
  - Every test or comment can then be linked to her PPP and available for the next health data context.
  - This receipt under info sharing would have the PPP icon, the HIPAA TrustMark icon, and the UMA icon all linked to the audit, enforcement and complaint processes that all of these frameworks require.
In parallel to the US health system:
- The UK’s health care system is the reverse and has the same problems but for different reasons: it is a universal health care system, where it costs the infrastructure money to provide medical services (as opposed to the US, where the infrastructure makes money by providing medical services).
- In the UK you (the patient) are unable to see if you have consented to sharing PII, with whom you have shared, or what medical records you have, with sensitive medical data spread on computers ranging from Win 95 and up.
- A UMA-enabled doctor's office in the UK should be able to receive consent, use the medical data from the US and provide seamless service.
- So what would a consent receipt look like if it was used to bind this? A consent receipt extends the MVCR by:
  - adding the UMA framework;
  - adding PPP (Personal Privacy Policy, like a consent directive) policy requirements;
  - adding HIPAA;
  - adding a UK jurisdiction profile and medical PII profile to the consent requirements, and adding these processes at the point of consent or enrollment at a UK health care centre.
- These might all appear as icons for the above elements on the receipt, managed by third parties operating the trust frameworks for those elements.
Mark
Mark,

I think you are suggesting that there needs to be a scenario in which Alice controls certain data and authorizes specific uses of the data without transferring the data to Bob. Bob can view or print (as in a label), but cannot electronically save the data. (Of course, printing the data is a form of saving the data, because the label can be copied or OCRed to recover Alice's address in electronic form.)

Notionally, this sounds like a good idea, but enforcement would be tricky. If Bob is actually Bob's Widget company and Alice orders a widget and provides her address under this scenario, what happens if Alice's widget never arrives? Bob cannot tell Alice what address the widget shipped to, because he no longer has a record of the address.

The issue that we are running into full speed is that some data does not have a single "owner". When Alice transacts with Bob, both are parties to the transaction. Whether or not Bob is an individual or an institution, I would assert that the transaction data is as much his as it is Alice's. In fact, in many jurisdictions, there are legal reasons (e.g., "Know Your Customer" in the US) for Bob to maintain certain information about Alice. And when a third-party payment system is involved (e.g., a credit card or PayPal), they would also have a stake in the transaction, giving them a stake in (some of) the data, as well.

This problem has not been solved, yet. And I don't think that there is anything in UMA that takes on this challenge. UMA solves several use cases, but does not claim to solve this one.

I think we need to be careful trying to avoid applying UMA to problems that are beyond its scope just because it is such an elegant solution to portions of the problem.

Jeff

---------------------------------
Jeff Stollman | stollman.j@gmail.com | 1 202.683.8699
"Truth never triumphs — its opponents just die out. Science advances one funeral at a time." - Max Planck
On Tue, Aug 18, 2015 at 6:40 AM, Adrian Gropper
Mark,
You seem to be saying that the Institution has less liability when accessing Alice's attribute "by Reference" rather than "by Value". I agree. Less risk of breach. Less risk of using stale data. Less liability to provide Alice with a verification and correction mechanism.
I would agree, and out UMA as enabling access "by Reference" in more use-cases.
Adrian
On Tuesday, August 18, 2015, Mark Lizar wrote:
Ah yes,
I see the confusion. I thought these were two issues were separate. 1. Comparing the terms Consent and Authorisation and 2. liability and data rights management
The 2nd issue:
A. User controlled vs. B. User Managed. —> The data rights ownership issue,
A: Refers to the data subject (Alice) who is in control and owns her own profile of her own personal information, independently from a service provider, as opposed to B. filing in personal information (PI) into forms presented by a company as to create a copy of her (PI) and to give it to a company to owns and keep.
This issue is specifically related to: Who owns the data the User is managing access to?
This is also very similar to the design principle of: Always knowing who to sue. I think this also could be considered apart of the liability, ownership and data control discussion we have been having.
What I am specifically interested in, is if, data protection regulation is relevant in the context of A: When a user controls their own data. Would the liability (or legal requirements) for data protection be on the data subject themselves? Is the liability for attribute access and use only permission the same as take a copy of all Personal Information.
If B - when the personal data is controlled and a copy owned by a company, then the liability (for its protection and use) is with the organisation and hypothetically the user needs to trust the organisation more than in scenario A: where the User controls their own copy of their data and can turn on and off access. (Sort of like turning on and off automatic monthly payments to a service provider at the bank.)
For Example: company A, only gets to see Alice’s Address when they print a label and Alice's AS give Company A Access to print only a label from Alice’s personal resource server, then Alice can block access to her address at any time.
IF company A, gets alice to give over Alice’s address, then they can access Alice’s address at any time and don’t need to ask alice for permission to use it etc. One scenario requires much more trust from Alice than the other.
In A - Alice controls her data, in B- Alice Manages her data another company owns and keeps for her.
Does this make any sense?
- Mark
On 18 Aug 2015, at 00:00, Eve Maler
wrote: Mark, I’m not sure I’m following the distinction you were making with user-managed vs. user-controlled either, but I didn’t think it was a separation of consent receipt vs. authorization (policy?) storage. I thought it was more in the direction — perhaps — of data that is self-asserted (Alice is literally in control of saying whether she prefers aisle vs. window) vs. data that is about her but that she can’t control the value of (Alice can manage access to her credit score, but there’s no way she can control its content).
Is that the distinction? If so, is the first one “controlled” and the second one “managed”? And if so, where does Alice-as-data-controller in law come in?
If that’s not the distinction, could you provide an example that highlights more sharply what it is?
Eve
On 16 Aug 2015, at 7:12 PM, Mark Lizar wrote:
Hi Adrian,
On 16 Aug 2015, at 10:58, Adrian Gropper
wrote: Mark,
I've read this twice, and I don't follow the distinction you're making. I can't think of any reason that Alice would want to have a separate server for her consent receipts and her data sharing authorizations. Both of these require a set of standards acceptable to the various other actors.
I agree with you, in an UMA deployment I can not think of a reason why these would be separate.
The major difference I see between consent and authorization is that consent seems to focus on the registration of a relationship while authorization seems to focus on the info sharing pursuant to that relationship.
My sense is that, from a legal perspective, the registration and sharing are inseparable and we would do well to merge consent and authorization lest we confuse the standards and our message.
This might be a good idea, I have been unclear about how a consent record will be maintained and if a consents provides authority for a range of practices that happens long after the point of consent, if this is called something else, i.e. an authorisation. In this case are their other types of ‘authorisation’ records that deals with privilege management and I have wondered how these might relate or be chained together.
Adrian
On Friday, August 14, 2015, Mark Lizar wrote:
Pushing the penny forward an inch.
As a follow up to the MVCR, there are it seems, some legal considerations that surround the application of policy in terms of what takes precedent, the privacy policy, the terms of use policies. As well, liability around who owns, controls and manages the data is also critical and needs to be clear. T
A simple way to start putting this all together is to look at applying the MVCR roles ( that are anchored in ISO 29100 “roles") as an overlay to Adrian's (and any other) UMA use cases to address the legal questions and topics that arrise.
To get things going here are a couple of items and their flows for the legal eagles. .
A. Data Rights Ownership; User Managed Access Vs. User Controlled Access. (see use case below)
B. Are T&C’s subjected to a Privacy Policy? Does the legal chain of authority that leads to the provisioning of roles and privileges, for access to personal attributes, start with the privacy policy for enrolment, then the terms and conditions?
For example: 1. In the MVCR their is an undiscussed assumption that the privacy policy which provides the consent is counted as the primary contract for the use of personal information so the service provider may then use the personal information. At which point, The service provider uses the PI provided with the consent and then enrols the service user with a secondary policy, the terms and conditions, which Alice needs to contractually abide by, to use the service. As the requirement for a privacy policy and consent is legal infrastructure, and the T&C’s is organisation specific, the T&C’s are subjected to the privacy policy. i.e. legal requirements trump the business requirements in a court of law.
2. In regards to the above Issue 2 . What are the legal connotations - I.e. If a user blocks access to a PII resources (using EU law), the terms for that service might be that the service is stopped. But, the user may be required by the contract to keep paying for that service according to the contract and licence agreed too, and the service may be legally required to keep the user data while still charging for the service. (of course this is over simplified) i.e. the org indemnifies themself by give the functionality to users to manage the access to a copy of the user data the org controls. But in a very privacy by design way.
The point being, this would appear to be different UMA Legal Flows than the user (in control of her own data) licensing access to the use of an attribute using UMA, which seems to me, like a different legal flavour of UMA all together. (closer to the UMA Health Flow) I.e.. Alice can turn on and off access to all or just a single attribute at any time in any scoped context.
3. Legal Flow/Use Case: User Managed Access vs. User Controlled Access.
- UMA profile that is of two flavours:
- Flavour A. Alice controls access to her own PII, and authorises access using UMA to her personal profile.
- Flavour B. Alice manages access to her own PII, using UMA installed behind a company silo (and the company's own copy of PII that the user maintains) that runs UMA so users can have more functionality through this silo.
- Note: this is the difference between the user being the data controller or the user being the data subject.
- Who controls and owns the data rights?
- If the service user is also the data controller, then data protection and privacy laws are affected in that the liability and policy for protecting the data lie with the service user, and the liability or contract/licence for the usage of the data lies with the company.
- This would be a different policy structure, with a consent directive and UMA, for orgs to agree to. Like a Personal Privacy Policy (PPP) to cover the different liability.
- The liability of being a data controller no longer applies the same way, as data protection liability is moved (reduced, or changed into another form) if the data subject is owner/controller of the data and its access.
For Example:
- A good example here is in health care, where consent directives and laws and frameworks are mature (i.e. consent and access controls are being bound together already).
- With Flavour A, Alice owns and manages PII, and gets to see how many times her personal data (medical records) were accessed, when and by whom.
- With Flavour B, Alice gives away PII that is already under the T&C’s of service, and owned by the company or institution.
- In the second circumstance she does not get to see how many times her data was accessed, or even what the live status is of her active consents and medical data usage, unless she pays a fee to the Experian-like company that owns them.
- With the MVCR-based authorisation log, Alice knows that her permission and access to her data should line up with the purpose of the sharing, the permission to access data, and the specified purpose of the active consent the company now maintains for her.
- This would be a very helpful tool for Alice to quickly understand medical sharing policies.
- Without clarity between UMA Flavour A & B, does UMA have the opportunity to be:
- incredibly good (the good guys), because Alice is in full control of her own data
- incredibly bad, because Alice thinks she has control of a copy of her data, or that another service provider, that she is forced to trust, has her best interests at heart.
- Should there be a different flavour of UMA (in terms of legal considerations) that designates between A & B?
- Can there be a flavour of UMA that is both A & B?
- The MVCR: Binding A & B Together
- A consent receipt is being developed as a tool that will help bind consent and legal requirements to access roles and policy rules for sharing data.
- The MVCR is designed to make explicit the policies and notice requirements to make binding these together legitimate and understandable, i.e. this can be used to tie the role of data subject to the liability of access controls and vice versa.
- For example, the various frameworks that are used in the space of consent and access control can be added to a receipt.
- In this scenario, we would see:
- Alice is at a hospital in the US
- Alice consents to provide PII to the hospital for medical treatment
- Alice gets a consent receipt
- On the receipt is a UMA icon and a HIPAA icon linked to legal requirements, or maybe just a field for a URI that links directly to the PPP, which has all the links and info needed for Alice’s medical records and consent directives (from her AS)
- Every test or comment can then be linked to her PPP and be available for the next health data context
- This receipt, under info sharing, would have the PPP icon, the HIPAA TrustMark icon, and the UMA icon all linked to the audit, enforcement and complaint processes that all of these frameworks require.
In parallel to the US health system
- The UK’s health care system is the reverse and has the same problems but for different reasons: it is a universal health care system, where it costs the infrastructure money to provide medical services, as opposed to the US, where the infrastructure makes money by providing medical services.
- In the UK you (the patient) are unable to see if you have consented to sharing PII, with whom you have shared, or what medical records you have, with sensitive medical data spread on computers ranging from Win 95 and up.
- A UMA-enabled doctor's office in the UK should be able to receive consent, use the medical data from the US and provide seamless service.
- So what would a consent receipt look like if it was used to bind this?
- A consent receipt extends the MVCR by:
- Adding the UMA framework
- Adding PPP (Personal Privacy Policy: like a consent directive) policy requirements
- Adding HIPAA
- Adding a UK jurisdiction profile and a medical PII profile to the consent requirements; add these processes at point of consent or enrolment at a UK health care centre.
- These might all appear as icons of the above listed on the receipt, and be managed by 3rd parties operating the trust frameworks for the above elements.
Mark
On 10 Aug 2015, at 18:36, Dazza Greenwood
wrote: Ok Eve, I'm on it. Looking forward to seeing the negative cases.
Hi Mark, do you have any additional use cases to consider?
Thanks, - Dazza
_ _ _ _ _ _ _ _ _ _ _ _ _ _ | Dazza Greenwood, JD | CIVICS.com http://civics.com/, Founder & Principal | MIT Media Lab, Visiting Scientist | Vmail: 617.500.3644 | Email: dazza@CIVICS.com | Biz: http://CIVICS.com http://civics.com/ | MIT: https://law.MIT.edu https://law.mit.edu/ | Me: DazzaGreenwood.com http://dazzagreenwood.com/ | Twitter: @DazzaGreenwood | Google+: google.com/+DazzaGreenwood | LinkedIn: linkedin.com/in/DazzaGreenwood | GitHub: github.com/DazzaGreenwood/Interface | Postal: P.O. Box 425845 Cambridge, MA 02142 | _ _ _ _ _ _ _ _ _ _ _ _ _ _
On Mon, Aug 10, 2015 at 3:44 PM, Eve Maler
wrote: Hi Dazza— Please feel free to send links and updates to the list. I have an action item to work on additional use cases (“negative” ones), and health use case patterns definitely aren’t the only ones we want to consider (nor am I positive that Adrian has captured all of those). Mark may want to contribute some too. And we probably want to spend more than one week on reviewing and understanding them. :-)
Eve
On 10 Aug 2015, at 12:12 PM, Dazza Greenwood
wrote: Update - As promised, I put the draft mission, use cases and other background materials on the current GitHub wiki and am UMA-customizing a basic "how to use GitHub issues and wiki pages - for lawyers" faq.
Are the use cases from Adrian solid enough to work on and reflect the business case(s) you need to focus on? Also, do these use cases correctly and completely highlight the UMA functions and flows, or is anything off base, incomplete etc.?
Anything else needed before next meeting? Should probably send links and ask people to contribute or think about something. Minimally, I'd suggest maintaining some focus on the use cases for now, to ensure an apples to apples anchor for legal conversation and to provide a double check basis for mapping stuff people say from legal to tech and vice versa.
Thanks, - Dazza
On Aug 10, 2015, at 2:59 PM, Eve Maler
wrote: I created a (really huge) swimlane and a pro/con list, and a bit more... I ended up writing a recommendation. You can find the whole thing linked from here:
https://docs.google.com/document/d/1OsIqPbVNx66vypnCzjxoFjX0AHCD_rEmgP8Q-5hn...
Eve
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
--
Adrian Gropper MD
RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/
Jeff,
The problem you describe is very important in healthcare, where malpractice suits and claims audits require the provider to produce documentation. Having to keep this documentation also exposes the provider to a cost and a risk of breach. Personal information kept as documentation, including logs, is not the same as information kept for routine processing. It can be less accessible, encrypted with multiple keys, or even in escrow with another party.
UMA can play a role in facilitating more access to data by reference, and it can certainly facilitate accounting for disclosures.
On Tuesday, August 18, 2015, j stollman
Mark,
I think you are suggesting that there needs to be a scenario in which Alice controls certain data and authorizes specific uses of the data without transferring the data to Bob. Bob can view or print (as in a label), but cannot electronically save the data. (Of course, printing the data is a form of saving the data, because the label can be copied or OCRed to recover Alice's address in electronic form.)
Notionally, this sounds like a good idea, but enforcement would be tricky. If Bob is actually Bob's Widget company and Alice orders a widget and provides her address under this scenario, what happens if Alice's widget never arrives? Bob cannot tell Alice what address the widget shipped to, because he no longer has a record of the address.
The issue that we are running into full speed is that some data does not have a single "owner". When Alice transacts with Bob, both are parties to the transaction. Whether or not Bob is an individual or an institution, I would assert that the transaction data is as much his as it is Alice's. In fact, in many jurisdictions, there are legal reasons (e.g., "Know Your Customer" in the US) for Bob to maintain certain information about Alice. And when a third-party payment system is involved (e.g., a credit card or PayPal), they would also have a stake in the transaction, giving them a stake in (some of) the data, as well.
This problem has not been solved, yet. And I don't think that there is anything in UMA that takes on this challenge. UMA solves several use cases, but does not claim to solve this one.
I think we need to be careful trying to avoid applying UMA to problems that are beyond its scope just because it is such an elegant solution to portions of the problem.
Jeff
--------------------------------- Jeff Stollman stollman.j@gmail.com 1 202.683.8699
Truth never triumphs — its opponents just die out. Science advances one funeral at a time. Max Planck
On Tue, Aug 18, 2015 at 6:40 AM, Adrian Gropper wrote: Mark,
You seem to be saying that the Institution has less liability when accessing Alice's attribute "by Reference" rather than "by Value". I agree. Less risk of breach. Less risk of using stale data. Less liability to provide Alice with a verification and correction mechanism.
I would agree, and out UMA as enabling access "by Reference" in more use-cases.
Adrian
On Tuesday, August 18, 2015, Mark Lizar wrote:
Ah yes,
I see the confusion. I thought these two issues were separate: 1. comparing the terms Consent and Authorisation, and 2. liability and data rights management.
The 2nd issue:
A. User controlled vs. B. User Managed —> The data rights ownership issue.
A refers to the data subject (Alice) who is in control of and owns her own profile of her own personal information, independently from a service provider, as opposed to B, filling personal information (PI) into forms presented by a company so as to create a copy of her PI and give it to a company to own and keep.
This issue is specifically related to: Who owns the data the User is managing access to?
This is also very similar to the design principle of: Always knowing who to sue. I think this could also be considered a part of the liability, ownership and data control discussion we have been having.
What I am specifically interested in is whether data protection regulation is relevant in the context of A, when a user controls their own data. Would the liability (or legal requirements) for data protection be on the data subject themselves? Is the liability for an attribute access-and-use-only permission the same as for taking a copy of all personal information?
If B, when the personal data is controlled and a copy owned by a company, then the liability (for its protection and use) is with the organisation, and hypothetically the user needs to trust the organisation more than in scenario A, where the user controls their own copy of their data and can turn access on and off. (Sort of like turning on and off automatic monthly payments to a service provider at the bank.)
For example: Company A only gets to see Alice’s address when they print a label, and Alice's AS gives Company A access to print only a label from Alice’s personal resource server; then Alice can block access to her address at any time.
If Company A gets Alice to give over her address, then they can access Alice’s address at any time and don’t need to ask Alice for permission to use it, etc. One scenario requires much more trust from Alice than the other.
In A, Alice controls her data; in B, Alice manages her data that another company owns and keeps for her.
Does this make any sense?
- Mark
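The two situations Mark sets out above (Company A reaching Alice's address "by reference" through her AS and personal resource server with a print-only permission, versus Company A holding its own copy "by value"), modelled as an added toy example. This is code written for this page, not code from the thread, from the UMA specification or from any UMA implementation. It assumes that AS and RS run in one process, that tokens are opaque strings checked by direct introspection at the AS, and that UMA's permission tickets, claims gathering and RPT issuance are collapsed into a single grant() call; the names (Alice, Company A), the scope names and the sample address are this example's own constructions. Note that the rendered label still carries the address, so "print only" constrains the API surface, not what the recipient does with the paper.

```python
"""Toy model of access "by reference" (Flavour A) vs. "by value" (Flavour B).
Added example for this page; not code from the thread or any UMA product.
Assumptions: single-process AS and RS, opaque tokens checked by introspection,
UMA ticket/claims/RPT steps collapsed into grant()."""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Permission:
    client: str          # requesting party / client identifier
    resource_id: str
    scopes: frozenset    # scopes Alice granted for this resource
    active: bool = True  # set False when Alice revokes


class AuthorizationServer:
    """Alice's AS: holds her policy decisions, checks tokens, logs every check."""

    def __init__(self):
        self.permissions = {}  # token -> Permission
        self.access_log = []   # (time, client, resource_id, scope, outcome)

    def grant(self, client, resource_id, scopes):
        token = secrets.token_urlsafe(16)
        self.permissions[token] = Permission(client, resource_id, frozenset(scopes))
        return token

    def revoke(self, client, resource_id=None):
        """Alice turns access off; takes effect at the next introspection."""
        for perm in self.permissions.values():
            if perm.client == client and resource_id in (None, perm.resource_id):
                perm.active = False

    def introspect(self, token, resource_id, scope):
        perm = self.permissions.get(token)
        ok = (perm is not None and perm.active
              and perm.resource_id == resource_id and scope in perm.scopes)
        client = perm.client if perm else "unknown"
        self.access_log.append((time.time(), client, resource_id, scope,
                                "granted" if ok else "denied"))
        return ok

    def disclosures(self, resource_id):
        """Accounting of disclosures Alice can inspect: when, who, which scope."""
        return [e for e in self.access_log if e[2] == resource_id and e[4] == "granted"]


class ResourceServer:
    """Alice's personal RS. Every request is checked against the AS first."""

    def __init__(self, authz, resources):
        self.authz = authz
        self.resources = resources

    def read(self, token, resource_id):
        if not self.authz.introspect(token, resource_id, "read"):
            raise PermissionError("read denied")
        return dict(self.resources[resource_id])

    def print_label(self, token, resource_id):
        # Returns a rendered label only; the structured record is never returned.
        if not self.authz.introspect(token, resource_id, "print_label"):
            raise PermissionError("print_label denied")
        r = self.resources[resource_id]
        return f"{r['name']}\n{r['street']}\n{r['city']} {r['postcode']}"


def run_scenario():
    authz = AuthorizationServer()
    # Constructed sample data for the example.
    address = {"name": "Alice", "street": "1 Example Row",
               "city": "Anytown", "postcode": "AB1 2CD"}
    rs = ResourceServer(authz, {"address": address})

    # Flavour A: print-only permission, by reference.
    token = authz.grant("company-a", "address", ["print_label"])
    label = rs.print_label(token, "address")
    try:
        rs.read(token, "address")          # scope not granted -> denied
        raw_read = "granted"
    except PermissionError:
        raw_read = "denied"

    # Flavour B: the same address handed over by value at enrolment.
    company_copy = dict(address)

    # Alice turns access off. The reference stops working; the copy does not.
    authz.revoke("company-a", "address")
    try:
        rs.print_label(token, "address")
        after_revoke = "granted"
    except PermissionError:
        after_revoke = "denied"

    return {
        "label": label,
        "raw_read": raw_read,
        "after_revoke": after_revoke,
        "disclosures_seen_by_alice": len(authz.disclosures("address")),
        "copy_still_readable": company_copy["street"] == address["street"],
    }


if __name__ == "__main__":
    print(run_scenario())
```

The AS log is what gives Alice the "how many times, when and by whom" view discussed in the health example; the denied read shows scope narrowing, and the post-revocation denial is the property that distinguishes reference from copy. The company's copy is untouched by revocation, which is exactly the trust gap between the two flavours.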
On 18 Aug 2015, at 00:00, Eve Maler
wrote: Mark, I’m not sure I’m following the distinction you were making with user-managed vs. user-controlled either, but I didn’t think it was a separation of consent receipt vs. authorization (policy?) storage. I thought it was more in the direction — perhaps — of data that is self-asserted (Alice is literally in control of saying whether she prefers aisle vs. window) vs. data that is about her but that she can’t control the value of (Alice can manage access to her credit score, but there’s no way she can control its content).
Is that the distinction? If so, is the first one “controlled” and the second one “managed”? And if so, where does Alice-as-data-controller in law come in?
If that’s not the distinction, could you provide an example that highlights more sharply what it is?
Eve
On 16 Aug 2015, at 7:12 PM, Mark Lizar wrote:
Hi Adrian,
On 16 Aug 2015, at 10:58, Adrian Gropper
wrote: Mark,
I've read this twice, and I don't follow the distinction you're making. I can't think of any reason that Alice would want to have a separate server for her consent receipts and her data sharing authorizations. Both of these require a set of standards acceptable to the various other actors.
I agree with you; in a UMA deployment I cannot think of a reason why these would be separate.
The major difference I see between consent and authorization is that consent seems to focus on the registration of a relationship while authorization seems to focus on the info sharing pursuant to that relationship.
My sense is that, from a legal perspective, the registration and sharing are inseparable and we would do well to merge consent and authorization lest we confuse the standards and our message.
This might be a good idea. I have been unclear about how a consent record will be maintained, and, if a consent provides authority for a range of practices that happen long after the point of consent, whether this is called something else, i.e. an authorisation. In this case, are there other types of ‘authorisation’ records that deal with privilege management? I have wondered how these might relate or be chained together.
Adrian
-- Adrian Gropper MD RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/
Hi Jeff, [some comments inline]
I think you are suggesting that there needs to be a scenario in which Alice controls certain data and authorizes specific uses of the data without transferring the data to Bob. Bob can view or print (as in a label), but cannot electronically save the data. (Of course, printing the data is a form of saving the data, because the label can be copied or OCRed to recover Alice's address in electronic form.)
Perhaps Bob’s Health Widgets uses a delivery company, which uses a 3rd party trust framework, that is verified and audited by another independent third party to ensure to Alice that her address is not accessed, saved or copied by Bob’s Health Widgets. So the name, the contents of the package and the address are separated so no one party can have all three bits of data? How does Bob’s Widgets advertise that they have these privacy and security practices, which are different than Dave’s Widget company? Is Bob’s Widgets more trustworthy than Dave’s? In one context, Privacy by Design is a container for trusting the process that Dave’s company asserts when collecting Alice’s consent and data (to effectively control the data rights management). Because Dave’s company holds Alice’s data, Dave’s company is then subject to data protection laws, and Privacy by Design certifies that he encrypts Alice's data and doesn’t leak it. In the context of Bob’s Health Widgets, he doesn’t need Privacy by Design, and is not liable to data protection, because Bob may never hold Alice’s data.
Notionally, this sounds like a good idea, but enforcement would be tricky. If Bob is actually Bob's Widget company and Alice orders a widget and provides her address under this scenario, what happens if Alice's widget never arrives? Bob cannot tell Alice what address the widget shipped to, because he no longer has a record of the address.
Enforcement can happen in a number of ways:
- fines by law
- breach of contract
- reputation damage
- 3rd party audit for compliance
- trust framework enrolment process or customer software
- and so on.
The issue that we are running into full speed is that some data does not have a single "owner". When Alice transacts with Bob, both are parties to the transaction. Whether or not Bob is an individual or an institution, I would assert that the transaction data is as much his as it is Alice's. In fact, in many jurisdictions, there are legal reasons (e.g., "Know Your Customer" in the US) for Bob to maintain certain information about Alice. And when a third-party payment system is involved (e.g., a credit card or PayPal), they would also have a stake in the transaction, giving them a stake in (some of) the data, as well.
This problem has not been solved, yet. And I don't think that there is anything in UMA that takes on this challenge. UMA solves several use cases, but does not claim to solve this one.
I think we need to be careful trying to avoid applying UMA to problems that are beyond its scope just because it is such an elegant solution to portions of the problem.
I think what we are exploring here is the transference of liability, through consent, access control, and data control scenarios. If Alice has the freshest copy of her own aggregate data, and she sets a notice that Dave no longer has accurate data, then legally, with the proposed EU laws I believe Dave will no longer be allowed to process that data.

In this regard I can imagine IoT scenarios where data is only valid when it's live data. (but that's just me)

Best,
Mark
Jeff
---------------------------------
Jeff Stollman
stollman.j@gmail.com
1 202.683.8699
Truth never triumphs — its opponents just die out. Science advances one funeral at a time. Max Planck
On Tue, Aug 18, 2015 at 6:40 AM, Adrian Gropper wrote:
Mark, You seem to be saying that the Institution has less liability when accessing Alice's attribute "by Reference" rather than "by Value". I agree. Less risk of breach. Less risk of using stale data. Less liability to provide Alice with a verification and correction mechanism.
I would agree, and out UMA as enabling access "by Reference" in more use-cases.
Adrian
On Tuesday, August 18, 2015, Mark Lizar wrote:
Ah yes,
I see the confusion. I thought these two issues were separate: 1. comparing the terms Consent and Authorisation, and 2. liability and data rights management.
The 2nd issue:
A. User controlled vs. B. User Managed. —> The data rights ownership issue,
A: Refers to the data subject (Alice) who is in control and owns her own profile of her own personal information, independently from a service provider, as opposed to B: filling in personal information (PI) into forms presented by a company so as to create a copy of her (PI) and to give it to a company to own and keep.
This issue is specifically related to: Who owns the data the User is managing access to?
This is also very similar to the design principle of: Always knowing who to sue. I think this also could be considered a part of the liability, ownership and data control discussion we have been having.
What I am specifically interested in is if data protection regulation is relevant in the context of A: when a user controls their own data. Would the liability (or legal requirements) for data protection be on the data subject themselves? Is the liability for attribute access and use-only permission the same as taking a copy of all Personal Information?
If B - when the personal data is controlled and a copy owned by a company, then the liability (for its protection and use) is with the organisation and hypothetically the user needs to trust the organisation more than in scenario A: where the User controls their own copy of their data and can turn on and off access. (Sort of like turning on and off automatic monthly payments to a service provider at the bank.)
For example: company A only gets to see Alice's address when they print a label and Alice's AS gives Company A access to print only a label from Alice's personal resource server; then Alice can block access to her address at any time.
If company A gets Alice to give over Alice's address, then they can access Alice's address at any time and don't need to ask Alice for permission to use it etc. One scenario requires much more trust from Alice than the other.
In A - Alice controls her data, in B- Alice Manages her data another company owns and keeps for her.
Does this make any sense?
- Mark
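An added example, not code from this thread or from any UMA implementation, that makes the A/B distinction in the message above concrete in Python. It models a toy authorization server (AS) and resource server (RS) for Alice's address; Company A either prints a label by reference under a narrow, revocable permission (Flavour A) or takes a by-value copy at enrolment (Flavour B). The class names, the scope names ("print-label", "read") and the sample address are all constructed for the example. It also keeps the access log that, in Flavour A, lets Alice see how often her data was touched and which attempts were refused.

```python
# Toy model (added illustration, not code from the WG-UMA thread) of the two
# flavours of access to Alice's address. Names, scopes and the sample address
# are all constructed for this example.
import secrets


class AuthorizationServer:
    """Alice's AS: issues scoped permissions and lets Alice revoke them."""
    def __init__(self):
        self._perms = {}  # token -> {"resource", "scopes", "revoked"}

    def grant(self, resource_id, scopes):
        token = secrets.token_hex(8)  # opaque handle, never the data itself
        self._perms[token] = {"resource": resource_id, "scopes": set(scopes), "revoked": False}
        return token

    def revoke(self, token):
        self._perms[token]["revoked"] = True  # Alice turns access off

    def is_permitted(self, token, resource_id, scope):
        """True only if the token is live and covers this resource and scope."""
        p = self._perms.get(token)
        return bool(p) and not p["revoked"] and p["resource"] == resource_id and scope in p["scopes"]


class ResourceServer:
    """Holds Alice's attributes and releases nothing without a live permission."""
    def __init__(self, authz):
        self._authz = authz
        self._resources = {}
        self.access_log = []  # (resource, scope, allowed): what Alice gets to see

    def register(self, resource_id, value):
        self._resources[resource_id] = value

    def access(self, token, resource_id, scope):
        allowed = self._authz.is_permitted(token, resource_id, scope)
        self.access_log.append((resource_id, scope, allowed))
        if not allowed:
            raise PermissionError(f"{scope} on {resource_id} denied")
        return self._resources[resource_id]


class CompanyA:
    def __init__(self):
        self.copied = {}

    def print_label(self, rs, token):
        # Flavour A: fetch by reference on every use; nothing is retained.
        return f"SHIP TO: {rs.access(token, 'address', 'print-label')}"

    def enrol_by_value(self, rs, token):
        # Flavour B: take a copy once; from here on the company holds it.
        self.copied["address"] = rs.access(token, "address", "read")

    def print_label_from_copy(self):
        return f"SHIP TO: {self.copied['address']}"


def _blocked(action):
    # Run an access attempt and report whether the RS refused it.
    try:
        action()
        return False
    except PermissionError:
        return True


def run_scenarios():
    """Drive both flavours and report what Alice can and cannot stop."""
    alice_as = AuthorizationServer()
    alice_rs = ResourceServer(alice_as)
    alice_rs.register("address", "1 Example Street, Exampletown")  # constructed
    company = CompanyA()

    # Flavour A: permission scoped to printing a label and nothing else.
    label_token = alice_as.grant("address", {"print-label"})
    first_label = company.print_label(alice_rs, label_token)
    over_scope_blocked = _blocked(lambda: alice_rs.access(label_token, "address", "read"))
    alice_as.revoke(label_token)
    after_revoke_blocked = _blocked(lambda: company.print_label(alice_rs, label_token))

    # Flavour B: Alice hands over a copy; revoking later cannot reach it.
    copy_token = alice_as.grant("address", {"read"})
    company.enrol_by_value(alice_rs, copy_token)
    alice_as.revoke(copy_token)
    copy_still_usable = company.print_label_from_copy() == first_label

    return {
        "first_label": first_label,
        "over_scope_blocked": over_scope_blocked,
        "after_revoke_blocked": after_revoke_blocked,
        "copy_still_usable": copy_still_usable,
        "accesses_alice_can_see": len(alice_rs.access_log),
        "denied_attempts_logged": sum(1 for _, _, ok in alice_rs.access_log if not ok),
    }
```

Calling `run_scenarios()` shows the asymmetry the message describes: under Flavour A the scope check stops the company reading the raw value and the revocation stops further label printing, and every attempt (allowed or refused) lands in a log Alice can inspect; under Flavour B the one permitted read is also logged, but once the copy exists Alice's revocation changes nothing, so her protection now rests on the company's own practices and the law that binds it.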
On 18 Aug 2015, at 00:00, Eve Maler wrote:
Mark, I’m not sure I’m following the distinction you were making with user-managed vs. user-controlled either, but I didn’t think it was a separation of consent receipt vs. authorization (policy?) storage. I thought it was more in the direction — perhaps — of data that is self-asserted (Alice is literally in control of saying whether she prefers aisle vs. window) vs. data that is about her but that she can’t control the value of (Alice can manage access to her credit score, but there’s no way she can control its content).
Is that the distinction? If so, is the first one “controlled” and the second one “managed”? And if so, where does Alice-as-data-controller in law come in?
If that’s not the distinction, could you provide an example that highlights more sharply what it is?
Eve
On 16 Aug 2015, at 7:12 PM, Mark Lizar wrote:
Hi Adrian,
On 16 Aug 2015, at 10:58, Adrian Gropper wrote:
Mark,
I've read this twice, and I don't follow the distinction you're making. I can't think of any reason that Alice would want to have a separate server for her consent receipts and her data sharing authorizations. Both of these require a set of standards acceptable to the various other actors.
I agree with you; in a UMA deployment I cannot think of a reason why these would be separate.
The major difference I see between consent and authorization is that consent seems to focus on the registration of a relationship while authorization seems to focus on the info sharing pursuant to that relationship.
My sense is that, from a legal perspective, the registration and sharing are inseparable and we would do well to merge consent and authorization lest we confuse the standards and our message.
This might be a good idea. I have been unclear about how a consent record will be maintained and if a consent provides authority for a range of practices that happen long after the point of consent, and if this is called something else, i.e. an authorisation. In this case are there other types of ‘authorisation’ records that deal with privilege management, and I have wondered how these might relate or be chained together.
Adrian
On Friday, August 14, 2015, Mark Lizar wrote:
Pushing the penny forward an inch.
As a follow up to the MVCR, there are, it seems, some legal considerations that surround the application of policy in terms of what takes precedence: the privacy policy, the terms of use policies. As well, liability around who owns, controls and manages the data is also critical and needs to be clear.
A simple way to start putting this all together is to look at applying the MVCR roles (that are anchored in ISO 29100 “roles”) as an overlay to Adrian's (and any other) UMA use cases to address the legal questions and topics that arise.
To get things going here are a couple of items and their flows for the legal eagles.
A. Data Rights Ownership; User Managed Access Vs. User Controlled Access. (see use case below)
B. Are T&C’s subjected to a Privacy Policy? Does the legal chain of authority that leads to the provisioning of roles and privileges, for access to personal attributes, start with the privacy policy for enrolment, then the terms and conditions?
For example:

1. In the MVCR there is an undiscussed assumption that the privacy policy which provides the consent is counted as the primary contract for the use of personal information so the service provider may then use the personal information. At which point, the service provider uses the PI provided with the consent and then enrols the service user with a secondary policy, the terms and conditions, which Alice needs to contractually abide by, to use the service. As the requirement for a privacy policy and consent is legal infrastructure, and the T&C’s is organisation specific, the T&C’s are subjected to the privacy policy. i.e. legal requirements trump the business requirements in a court of law.

2. In regards to the above Issue 2. What are the legal connotations - i.e. if a user blocks access to a PII resource (using EU law), the terms for that service might be that the service is stopped. But, the user may be required by the contract to keep paying for that service according to the contract and licence agreed to, and the service may be legally required to keep the user data while still charging for the service. (of course this is over simplified) i.e. the org indemnifies themselves by giving the functionality to users to manage the access to a copy of the user data the org controls. But in a very privacy by design way.

The point being, this would appear to be different UMA Legal Flows than the user (in control of her own data) licensing access to the use of an attribute using UMA, which seems to me like a different legal flavour of UMA altogether (closer to the UMA Health Flow), i.e. Alice can turn on and off access to all or just a single attribute at any time in any scoped context.

3. Legal Flow/Use Case: User Managed Access Vs. User Controlled Access. UMA profile that is of two flavours:
Flavour A. Alice controls access to her own PII, authorises access using UMA to personal profile.
Flavour B. Alice manages access to her own PII, using UMA installed behind a company silo (and the company's own copy of PII that the user maintains) that runs UMA so users can have more functionality through this silo.
Note: this is the difference between the user being the data controller or the user being the data subject.

Who controls and owns the data rights? If the service user is also the data controller, then data protection and privacy laws are affected in that the liability and policy for protecting the data lies with the service user, and the liability or contract/license for the usage of the data lies with the company. This would be a different policy structure, with a consent directive and UMA, for orgs to agree to. Like a Personal Privacy Policy (PPP) to cover the different liability. The liability of being a data controller no longer applies the same way, as data protection liability is moved (reduced, or changed into another form) if the data subject is owner/controller of the data and its access.
For Example: A good example here is in health care where consent directives and laws and frameworks are mature. (i.e. consent and access controls are being bound together already)
With Flavour A, Alice owns and manages PII, gets to see how many times her personal data (medical records) were accessed, when and by whom.

With Flavour B, Alice gives away PII - that is already under the T&C’s of service, and owned by the company or institution. In the second circumstance she does not get to see how many times her data was accessed or even what the live status is of her active consents and medical data usage, unless she pays a fee to the Experian-like company that owns them.

With the MVCR based authorisation log Alice knows that her permission and access to her data should line up to the purpose of the sharing, the permission to access data, and the specified purpose of the active consent the company now maintains for her. This would be a very helpful tool for Alice to quickly understand medical sharing policies.

Without clarity between UMA Flavour A & B, does UMA have the opportunity to be:
- incredibly good (the good guys), because Alice is in full control of her own data
- incredibly bad, because Alice thinks she has control of a copy of her data. Or that another service provider, that she is forced to trust, has her best interests at heart.

Should there be a different flavour of UMA (in terms of legal considerations) that designates between A & B? Can there be a flavour of UMA that is both A & B?

The MVCR - Binding A & B Together

A consent receipt is being developed as a tool that will help bind consent and legal requirements to access roles and policy rules for sharing data. The MVCR is designed to make explicit the policies and notice requirements to make binding these together legitimate and understandable - i.e. this can be used to tie the role of data subject to the liability of access controls and vice versa. For example the various frameworks that are used in the space of consent and access control can be added to a receipt.

In this scenario, we would see:
- Alice is at a hospital in the US
- Alice consents to provide PII to hospital for medical treatment
- Alice gets a consent receipt
- On receipt is UMA Icon and a HIPAA icon linked to legal requirements, or maybe just a field for a URI that links directly to the PPP, which has all the links and info needed for Alice’s medical records and consent directives (from her AS)
- Every test or comment can be then linked to her PPP and available for the next health data context
This receipt under info sharing would have the PPP Icon, the HIPAA TrustMark icon, and the UMA icon all linked to the audit, enforcement and complaint processes that all of these frameworks require.

In parallel to the US health system, the UK’s health care system is the reverse and has the same problems but for different reasons: it is a universal health care system, where it costs the infrastructure money to provide medical services (as opposed to the US, where the infrastructure makes money by providing medical services). In the UK you (the patient) are unable to see if you have consented to sharing PII, with whom you have shared, what medical records you have, with Sensitive Medical Data spread on computers ranging from Win 95 and up. A UMA enabled doctor's office in the UK should be able to receive consent, use the medical data from the US and provide seamless service.

So how would a consent receipt look if it was used to bind this? A Consent Receipt extends the MVCR by:
- Adding UMA Framework
- Adding PPP (Personal Privacy Policy: like a Consent Directive) policy requirements
- Adding HIPAA: add UK Jurisdiction profile and Medical PII profile to the consent requirements, add these processes at point of consent or enrollment at UK health care centre.
These might all appear as ICONS of the above listed on the receipt and be managed by 3rd parties operating the trust frameworks for the above elements.
Mark
On 10 Aug 2015, at 18:36, Dazza Greenwood wrote:
Ok Eve, I'm on it. Looking forward to seeing the negative cases.
Hi Mark, do you have any additional use cases to consider?
Thanks, - Dazza
_ _ _ _ _ _ _ _ _ _ _ _ _ _
| Dazza Greenwood, JD
| CIVICS.com, Founder & Principal
| MIT Media Lab, Visiting Scientist
| Vmail: 617.500.3644
| Email: dazza@CIVICS.com
| Biz: http://CIVICS.com
| MIT: https://law.MIT.edu
| Me: DazzaGreenwood.com
| Twitter: @DazzaGreenwood
| Google+: google.com/+DazzaGreenwood
| LinkedIn: linkedin.com/in/DazzaGreenwood
| GitHub: github.com/DazzaGreenwood/Interface
| Postal: P.O. Box 425845 Cambridge, MA 02142
_ _ _ _ _ _ _ _ _ _ _ _ _ _
On Mon, Aug 10, 2015 at 3:44 PM, Eve Maler wrote:
Hi Dazza— Please feel free to send links and updates to the list. I have an action item to work on additional use cases (“negative” ones), and health use case patterns definitely aren’t the only ones we want to consider (nor am I positive that Adrian has captured all of those). Mark may want to contribute some too. And we probably want to spend more than one week on reviewing and understanding them. :-)
Eve
On 10 Aug 2015, at 12:12 PM, Dazza Greenwood wrote:
Update - As promised, I put the draft mission, use cases and other background materials on the current GitHub wiki and am UMA-customizing a basic "how to use GitHub issues and wiki pages - for lawyers" FAQ.
Are the use cases from Adrian solid enough to work on and reflect the business case(s) you need to focus on? Also, do these use cases correctly and completely highlight the UMA functions and flows, or is anything off base, incomplete etc?
Anything else needed before next meeting? Should probably send links and ask people to contribute or think about something. Minimally, I'd suggest maintaining some focus on the use cases for now, to ensure an apples to apples anchor for legal conversation and to provide a double check basis for mapping stuff people say from legal to tech and vice versa.
Thanks, - Dazza
On Aug 10, 2015, at 2:59 PM, Eve Maler wrote:
> I created a (really huge) swimlane and a pro/con list, and a bit more... I ended up writing a recommendation. You can find the whole thing linked from here:
>
> https://docs.google.com/document/d/1OsIqPbVNx66vypnCzjxoFjX0AHCD_rEmgP8Q-5hn...
>
> Eve
>
> Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com
>
> _______________________________________________
> WG-UMA mailing list
> WG-UMA@kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-uma
--
Adrian Gropper MD
RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/ http://patientprivacyrights.org/donate-2/ _______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org <> http://kantarainitiative.org/mailman/listinfo/wg-uma http://kantarainitiative.org/mailman/listinfo/wg-uma
(I’m going to snip the lower part of this thread to focus on the “data by reference” point. I’m also going to inject UMA technical terms so we can be very clear about our mappings.)

UMA does not inject a new “data by reference” solution where before there was none. So I don’t know if we have a super-duper new set of tools at our disposal. Some concrete examples:

1. Alice sets up a resource server RS1 at home to host her self-asserted personal information (she prefers “aisle”, “nonsmoking”, “room near the elevator”, and nickname “Allie”). RS1 is at alice.com, managed entirely by her, hosted by her ISP. She hooks it up to an authorization server AS1 to control release of this information to her travel agent, requesting party Bob, using client app C1 for making travel arrangements.

Importantly, the client app really does “GET” her data. It may cache or store it for short or long periods of time, possibly depending on her (nontechnically imposed) constraints, and it may refresh what it stored periodically, if her policies allow that.

2. Same, except alice.com is managed by Google. Meant to highlight the “cloud” aspect of hosting.

3. Alice uploads a photo she took to RS2, Flixr.com. The requesting party is Charlie at the framing shop and the client app is C2 for printing photos on canvas, for mounting. Otherwise the same. Meant to highlight the “joint data rights ownership” aspect, and that she has nothing to do with the hosting.

4. Alice uses RS3, which hosts her credit score and credit record, to check out her financial picture. The requesting party is financial officer David and the client app is C3 for assessing bank clients’ suitability for personal loans. Otherwise the same. Meant to highlight that Alice “owns” even fewer aspects of the data, in that she didn’t even contribute anything to the “value” of the data.

5. Alice is a video game community manager, and for work she uses RS4, which is Twitter — a modern Twitter that is UMA-enabled. Its API is very rich, and it allows calls for both GETting and POSTing status updates. The requesting party is her colleague Eric, and he uses a client app C4, a third-party Twitter app that posts status updates to the corporate account she controls. Otherwise the same. Meant to highlight that clients don’t just receive data, they can insert data into a supposedly “authoritative source” RS.

====

I realize that in today’s pre-UMA environment, there’s a robust understanding of data controllers and data processors (in various jurisdictions), but I’m not sure exactly how the lines are drawn. In an environment with UMA in the picture, does anything change? What roles would the AS, the not-Alice requesting parties, and the resource servers and client applications in play have?

Eve
On 18 Aug 2015, at 10:50 AM, Mark Lizar wrote:
HI Jeff,
[some comments inline]
I think you are suggesting that there needs to be a scenario in which Alice controls certain data and authorizes specific uses of the data without transferring the data to Bob. Bob can view or print (as in a label), but cannot electronically save the data. (Of course, printing the data is a form of saving the data, because the label can be copied or OCRed to recover Alice's address in electronic form.)
Perhaps Bob's Health Widget uses a delivery company, which uses a 3rd party trust framework, that is verified and audited by another independent third party to ensure to Alice that her address is not accessed, saved or copied by Bob's Health Widgets. So the name, the contents of the package and the address are separated so no one party can have all three bits of data?
How does Bob's Widgets advertise that they have these privacy and security practices, which are different than Dave's Widget company? Is Bob's Widgets more trustworthy than Dave's?
In one context, Privacy by Design is a container for trusting process that Dave's company asserts when collecting Alice's consent and data (to effectively control the data rights management). Because Dave's company holds Alice's data, Dave's company is subject then to Data Protection laws and Privacy by Design certifies that he encrypts Alice's data and doesn't leak it.
In the context of Bob's Health Widgets, he doesn't need privacy by design, and is not liable to data protection, because Bob may never hold Alice's Data.
Notionally, this sounds like a good idea, but enforcement would be tricky. If Bob is actually Bob's Widget company and Alice orders a widget and provides her address under this scenario, what happens if Alice's widget never arrives? Bob cannot tell Alice what address the widget shipped to, because he no longer has a record of the address.
Enforcement can happen in a number of ways:
- fines by law
- breach of contract
- reputation damage
- 3rd party audit for compliance
- trust framework enrolment process or customer software
and so on.
The issue that we are running into full speed is that some data does not have a single "owner". When Alice transacts with Bob, both are parties to the transaction. Whether or not Bob is an individual or an institution, I would assert that the transaction data is as much his as it is Alice's. In fact, in many jurisdictions, there are legal reasons (e.g., "Know Your Customer" in the US) for Bob to maintain certain information about Alice. And when a third-party payment system is involved (e.g., a credit card or PayPal), they would also have a stake in the transaction, giving them a stake in (some of) the data, as well.
This problem has not been solved, yet. And I don't think that there is anything in UMA that takes on this challenge. UMA solves several use cases, but does not claim to solve this one.
I think we need to be careful trying to avoid applying UMA to problems that are beyond its scope just because it is such an elegant solution to portions of the problem.
I think what we are exploring here is the transference of liability, through consent, access control, and data control scenarios. If Alice has the freshest copy of her own aggregate data, and she sets a notice that Dave no longer has accurate data, then legally, with the proposed EU laws I believe Dave will no longer be allowed to process that data.
In this regard I can imagine IoT scenarios where data is only valid when it's live data. (but that's just me)
Best,
Mark
Jeff
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com
Eve,
You may be right that UMA does not inject a new "data by reference" solution but your use-cases are completely different from mine and I reach a very different conclusion.

In my use-cases, Alice owns her AS vs. all of yours where she owns the RS. The situation in healthcare has shown little value for Alice owning her RS or outsourcing it. We call Alice's RS a Personal Health Record (PHR). PHRs have failed spectacularly in the marketplace (I'm responsible for $4.2 M and 7 years of that failed market myself) because processing data from the PHR is very expensive for the recipient client. The data has lost provenance (because digital signatures are still uncommon) and it's always stale. Worst of all, the "scope" problem is practically insoluble. The vast majority of data has been munged through two scope filters: first when it was grabbed from the source RS to the PHR and second when it goes from the PHR to the client. The lack of a consistent data model for the PHR as intermediary RS doesn't help either. The result of this scope problem is twofold. First, because the in and out scopes don't match in the temporal sense, the PHR has a lot of redundancy and lacks the authority (such as a professional license) to eliminate the redundancy. Second, and much more expensive, the client that gets data from the PHR receives a lot of abnormal results that it did not order and now has the liability of dealing or not dealing with these abnormalities. No doctor is paid to deal with this kind of thing and no patient or payer wants to have repeat follow-up for things that have already been addressed in a prior context.

The reason UMA is going to take over healthcare is because it solves all of the problems of PHRs as intermediaries.

Why UMA and not health information exchanges (HIE)? States and the feds have spent more than a decade and many $Billions trying to map the interoperability problem onto a "trusted" intermediary called a HIE. Some of these HIEs act as an RS, transacting the data by value and have most of the same issues as the PHR above. Many HIEs however have adopted the "by reference" model and only manage consent to participate, discovery, and authorization for access. This maps into the AS role in UMA with the AS operated by a "trusted" institution, the HIE, as part of a federation with RSs and clients.

The problem with the institutional HIE as AS is different from the PHR or HIE "by value" approach and it's _governance_. When it comes to data about human beings, the governance of the AS intermediary may be impossible. The reason is that society is not well equipped to govern activities related to unlicensed actors. Patients are unlicensed actors. This governance problem first shows up as difficulty deciding whether to use an "opt-in" or an "opt-out" consent model for participation in the HIE. Then it shows up in trying to federate access to the HIE over broad ranges of clients ranging from federal facilities (the VA, Medicare), state facilities, multi-$Billion hospitals, solo MDs in another state, nursing homes, pharmacies, home health aides, .... All of these are potential clients of the HIE and federations of such strange bedfellows are difficult to govern. It gets worse when you add IoT.

My thesis is that the only solution is to enable Alice to build, run, or outsource her AS. This avoids the PHR scopes problem and much of the HIE governance problem. The federations, be they authentication or authorization federations, still add significant value, but they have to compete with Alice building or running her own AS and that keeps the federated system honest, market-based, and potentially governable.

As I see it, the problem for UMA and HEART is relatively obvious: ensure that the RS is implemented in a way that makes the AS substitutable. This is what I'm hoping HEART will figure out and it's something a couple of us are building around the MITREid Connect implementation - with very limited resources.

It's not clear to those of us working on this whether this prospect of millions of potential ASs is compatible with UMA 1.0. Apparently this is related to the #154 issue which I'm still trying to understand.
Adrian
On Tue, Aug 18, 2015 at 7:59 PM, Eve Maler
(I’m going to snip the lower part of this thread to focus on the “data by reference” point. I’m also going to inject UMA technical terms so we can be very clear about our mappings.)
UMA does not inject a new “data by reference” solution where before there was none. So I don’t know if we have a super-duper new set of tools at our disposal. Some concrete examples:
1. Alice sets up a resource server RS1 at home to host her self-asserted personal information (she prefers “aisle”, “nonsmoking”, “room near the elevator”, and nickname “Allie”). RS1 is at alice.com, managed entirely by here, hosted by her ISP. She hooks it up to an authorization server AS1 to control release of this information to her travel agent, requesting party Bob, using client app C1 for making travel arrangements.
Importantly, the client app really does “GET” her data. It may cache or store it for short or long periods of time, possibly depending on her (nontechnically imposed) constraints, and it may refresh what it stored periodically, if her policies allow that.
2. Same, except alice.com is managed by Google.
Meant to highlight the “cloud” aspect of hosting.
3. Alice uploads a photo she took to RS2, Flixr.com. The requesting party is Charlie at the framing shop and the client app is C2 for printing photos on canvas, for mounting. Otherwise the same.
Meant to highlight the “joint data rights ownership” aspect, and that she has nothing to do with the hosting.
4. Alice uses RS3, which hosts her credit score and credit record, to check out her financial picture. The requesting party is financial officer David and the client app is C3 for assessing bank clients’ suitability for personal loans. Otherwise the same.
Meant to highlight that Alice “owns” even fewer aspects of the data, in that she didn’t even contribute anything to the “value” of the data.
5. Alice is a video game community manager, and for work she uses RS4, which is Twitter — a modern Twitter that is UMA-enabled. Its API is very rich, and it allows calls for both GETting and POSTing status updates. The requesting party is her colleague Eric, and he uses a client app C4, a third-party Twitter app that posts status updates to the corporate account she controls. Otherwise the same.
Meant to highlight that clients don’t just receive data, they can insert data into a supposedly “authoritative source” RS.
====
I realize that in today’s pre-UMA environment, there’s a robust understanding of data controllers and data processors (in various jurisdictions), but I’m not sure exactly how the lines are drawn. In an environment with UMA in the picture, does anything change? What roles would the AS, the not-Alice requesting parties, and the resource servers and client applications in play have?
Eve
On 18 Aug 2015, at 10:50 AM, Mark Lizar wrote:
Hi Jeff,
[some comments inline]
I think you are suggesting that there needs to be a scenario in which Alice controls certain data and authorizes specific uses of the data without transferring the data to Bob. Bob can view or print (as in a label), but cannot electronically save the data. (Of course, printing the data is a form of saving the data, because the label can be copied or OCRed to recover Alice's address in electronic form.)
Perhaps Bob’s Health Widget uses a delivery company, which uses a 3rd party trust framework, that is verified and audited by another independent third party to ensure to Alice that her address is not accessed, saved or copied by Bob’s Health Widgets. So the name, the contents of the package and the address are separated so no one party can have all three bits of data?
How do Bob’s Widgets advertise that they have these privacy and security practices, which are different than Dave’s Widget company? Is Bob’s Widgets more trustworthy than Dave’s?
In one context, Privacy by Design is a container for trusting process that Dave’s company asserts when collecting Alice’s consent and data (to effectively control the data rights management). Because Dave’s company holds Alice’s data, Dave’s company is subject then to Data Protection laws and Privacy by Design certifies that he encrypts Alice’s data and doesn’t leak it.
In the context of Bob’s Health Widgets, he doesn’t need privacy by design, and is not liable to data protection, because Bob may never hold Alice’s Data.
Notionally, this sounds like a good idea, but enforcement would be tricky. If Bob is actually Bob's Widget company and Alice orders a widget and provides her address under this scenario, what happens if Alice's widget never arrives? Bob cannot tell Alice what address the widget shipped to, because he no longer has a record of the address.
Enforcement can happen in a number of ways:
- fines by law
- breach of contract
- reputation damage
- 3rd party audit for compliance
- trust framework enrolment process or customer software
and so on.
The issue that we are running into full speed is that some data does not have a single "owner". When Alice transacts with Bob, both are parties to the transaction. Whether or not Bob is an individual or an institution, I would assert that the transaction data is as much his as it is Alice's. In fact, in many jurisdictions, there are legal reasons (e.g., "Know Your Customer" in the US) for Bob to maintain certain information about Alice. And when a third-party payment system is involved (e.g., a credit card or PayPal), they would also have a stake in the transaction, giving them a stake in (some of) the data, as well.
This problem has not been solved, yet. And I don't think that there is anything in UMA that takes on this challenge. UMA solves several use cases, but does not claim to solve this one.
I think we need to be careful trying to avoid applying UMA to problems that are beyond its scope just because it is such an elegant solution to portions of the problem.
I think what we are exploring here is the transference of liability, through consent, access control, and data control scenarios. If Alice has the freshest copy of her own aggregate data, and she sets a notice that Dave no longer has accurate data, then legally, with the proposed EU laws I believe Dave will no longer be allowed to process that data.
In this regard I can imagine IoT scenarios where data is only valid when it’s live data. (but that’s just me)
Best,
Mark
Jeff
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com
-- Adrian Gropper MD RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/
I hear where you’re coming from, Adrian, but I don’t want to leave the RS use case variants just yet. For our legal subgroup purposes, I think they:
- Demonstrate that data provenance can be usefully known by the recipient, without expensive digital signature solutions, by virtue of the data (or APIs, anyway, for POST operations by the client) residing authoritatively at some original resource server. This has always been touted as a benefit of UMA; see this university e-transcript case study https://smartjisc.files.wordpress.com/2012/10/smart_hears_draft012.pdf from Maciej.
- Demonstrate that Alice mostly doesn’t own the resource server; she has an account on a resource server that someone else operates. It’s really rare for an individual to run one, though nothing is stopping Alice from doing it in cases where the data is self-asserted. Most of my examples involve third-party-operated RS’s. This can help us align the needs of (what the Binding Obligations draft called) the Authorizing Party and Resource Server Operator roles (and possibly others).
- May help us explore “data controller/processor” regulations wrt UMA (though I’m guessing about this).
Now, when it comes to authorization servers, which is your particular concern here, we could equally explore similar use case variants, keeping the RS and client elements constant. E.g.:
What happens to the other parties’ adoption willingness, liability, etc. when Alice:
- Chooses her own outsourced (e.g., “social”) AS?
- Runs her own AS in a cloud?
- Builds her own AS and runs it at home, hosted by her ISP?
- Something else?…
Eve
On 18 Aug 2015, at 7:46 PM, Adrian Gropper
wrote: Eve,
You may be right that UMA does not inject a new "data by reference" solution but your use-cases are completely different from mine and I reach a very different conclusion.
In my use-cases, Alice owns her AS vs. all of yours where she owns the RS.
The situation in healthcare has shown little value for Alice owning her RS or outsourcing it. We call Alice's RS a Personal Health Record (PHR). PHRs have failed spectacularly in the marketplace (I'm responsible for $4.2 M and 7 years of that failed market myself) because processing data from the PHR is very expensive for the recipient client. The data has lost provenance (because digital signatures are still uncommon) and it's always stale. Worst of all, the "scope" problem is practically insoluble. The vast majority of data has been munged through two scope filters: first when it was grabbed from the source RS to the PHR and second when it goes from the PHR to the client. The lack of a consistent data model for the PHR as intermediary RS doesn't help either. The result of this scope problem is twofold. First, because the in and out scopes don't match in the temporal sense, the PHR has a lot of redundancy and lacks the authority (such as a professional license) to eliminate the redundancy. Second, and much more expensive, the client that gets data from the PHR receives a lot of abnormal results that it did not order and now has the liability of dealing or not dealing with these abnormalities. No doctor is paid to deal with this kind of thing and no patient or payer wants to have repeat follow-up for things that have already been addressed in a prior context.
The reason UMA is going to take over healthcare is because it solves all of the problems of PHRs as intermediaries.
Why UMA and not health information exchanges (HIE)? States and the feds have spent more than a decade and many $Billions trying to map the interoperability problem onto a "trusted" intermediary called a HIE. Some of these HIEs act as an RS, transacting the data by value and have most of the same issues as the PHR above. Many HIEs however have adopted the "by reference" model and only manage consent to participate, discovery, and authorization for access. This maps into the AS role in UMA with the AS operated by a "trusted" institution, the HIE, as part of a federation with RSs and clients.
The problem with the institutional HIE as AS is different from the PHR or HIE "by value" approach and it's _governance_. When it comes to data about human beings, the governance of the AS intermediary may be impossible. The reason is that society is not well equipped to govern activities related to unlicensed actors. Patients are unlicensed actors. This governance problem first shows up as difficulty deciding whether to use an "opt-in" or an "opt-out" consent model for participation in the HIE. Then it shows up in trying to federate access to the HIE over broad ranges of clients ranging from federal facilities (the VA, Medicare), state facilities, multi-$Billion hospitals, solo MDs in another state, nursing homes, pharmacies, home health aides, .... All of these are potential clients of the HIE and federations of such strange bedfellows are difficult to govern. It gets worse when you add IoT.
My thesis is that the only solution is to enable Alice to build, run, or outsource her AS. This avoids the PHR scopes problem and much of the HIE governance problem. The federations, be they authentication or authorization federations, still add significant value, but they have to compete with Alice building or running her own AS and that keeps the federated system honest, market-based, and potentially governable.
As I see it, the problem for UMA and HEART is relatively obvious: ensure that the RS is implemented in a way that makes the AS substitutable. This is what I'm hoping HEART will figure out and it's something a couple of us are building around the MITREid Connect implementation - with very limited resources.
It's not clear to those of us who are working on this whether this prospect of millions of potential ASs is compatible with UMA 1.0. Apparently this is related to the #154 issue which I'm still trying to understand.
Adrian
On Tue, Aug 18, 2015 at 7:59 PM, Eve Maler wrote:
(I’m going to snip the lower part of this thread to focus on the “data by reference” point. I’m also going to inject UMA technical terms so we can be very clear about our mappings.)
Eve,
I really don't see how to introduce UMA in healthcare or anywhere else if the use-case is as in the university e-transcript case study. That model is unrealistic, at least in healthcare:
- Presumes adoption of shared data models and scopes (the HEAR in the demo) to a practical extent for authorization management. FHIR is moving in that direction and promises standardization for interchange purposes but authorization is a higher bar because it presumes that Alice's comprehension, state, and federal data protection mandates (42CFR) will align with the interchange standards. There is no reason to believe this alignment will happen. FHIR is governed by a group of industry peers for their interchange purposes. Authorization is not necessarily on their agenda. My example is healthcare specific, but I suspect it applies to most other verticals, probably even education.
- Presumes adoption of identity and other federations. There are absolutely no ID federations in healthcare and none are even on the horizon. Healthcare may be a more extreme case but we see similar behavior in many other industries that serve consumers. In finance, consumer ID federation is limited to small transactions at ATMs. Education is a misleading outlier because the participants are peer higher education institutions. ID federation will happen sooner or later but the path is far from clear and UMA should not wait if we want real-world adoption for IoT and selected verticals.
- The outsourced model for general purpose authorization management is currently the Apple App Store and they have no reason to adopt standards in the near term. We see the Apple authorization domain moving from the regular apps, to HealthKit apps, to payment, and now to HomeKit. UMA will enter the market as the standard for businesses that want to compete with Apple's strong privacy protections. Substitutability of the Authorization Server will be essential to competing with Apple and other walled gardens of authorization.
I'm not as close to other verticals as I am to healthcare but it seems to me that the evidence points in the direction of dynamic registration of the UMA Authorization Server first, followed by dynamic registration of the client second. Although I'd like to see every implementation of UMA include OIDC by default, like MITRE ID Connect does, the more we rely on federation of identity and standard authorization data models, the less likely we are to succeed.
Adrian
On Wed, Aug 19, 2015 at 12:18 AM, Eve Maler wrote:
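Adrian’s point that the RS has to be implemented so that the AS is substitutable, and Eve’s AS variants (Alice chooses an outsourced AS, runs one in a cloud, or runs one at home), both come down to one property of the resource server: which AS protects a resource is a per-owner binding, not a deployment constant. The Python below is an added illustration written for this page; it is not code from the thread, from HEART, or from any UMA implementation. The MockAS class, the issuer URIs, the token strings and the introspection dictionary are constructed stand-ins, not the UMA 1.0 wire protocol. It registers each of Alice’s and Bob’s resources against the AS its owner named, and on every access asks only that AS about the presented token, so a token issued by one AS is useless at a resource another AS protects, and a token for one resource is useless at another.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class MockAS:
    """Constructed stand-in for an authorization server (not a real UMA AS):
    it remembers the requesting-party tokens it issued and answers
    introspection queries about them."""
    issuer: str
    issued: dict = field(default_factory=dict)

    def issue(self, token, resource_id, scopes):
        self.issued[token] = {"resource_id": resource_id, "scopes": set(scopes)}

    def introspect(self, token):
        grant = self.issued.get(token)
        if grant is None:
            return {"active": False}
        return {"active": True, "iss": self.issuer, **grant}


def valid_issuer(uri):
    """Hygiene on an owner-supplied AS location: https, a host, no query or fragment."""
    p = urlparse(uri)
    return p.scheme == "https" and bool(p.netloc) and not p.query and not p.fragment


class ResourceServer:
    """A resource server with no hard-coded AS: each registered resource
    carries the issuer URI of the AS its owner chose (assumed design)."""

    def __init__(self, reachable_as):
        # A live RS would fetch each AS's configuration document; here the
        # AS is looked up by issuer in a dict (assumption for the example).
        self.as_by_issuer = {a.issuer: a for a in reachable_as}
        self.resources = {}

    def register(self, resource_id, owner, issuer, scopes):
        if not valid_issuer(issuer):
            raise ValueError(f"refusing AS location {issuer!r}")
        if issuer not in self.as_by_issuer:
            raise LookupError(f"no AS reachable at {issuer}")
        self.resources[resource_id] = {
            "owner": owner, "issuer": issuer, "scopes": set(scopes)}

    def access(self, resource_id, token, scope):
        """Return (allowed, reason) for one client request."""
        res = self.resources.get(resource_id)
        if res is None:
            return (False, "unknown resource")
        if scope not in res["scopes"]:
            return (False, "scope not offered")
        # Ask only the AS bound to this resource, never one the client names.
        info = self.as_by_issuer[res["issuer"]].introspect(token)
        if not info.get("active"):
            return (False, "inactive token")
        if info["iss"] != res["issuer"] or info["resource_id"] != resource_id:
            return (False, "token bound to a different AS or resource")
        if scope not in info["scopes"]:
            return (False, "scope not granted")
        return (True, f"{scope} on {resource_id} for {res['owner']}")


def demo():
    """Alice runs her own AS; Bob uses the RS operator's. Same RS, two ASs."""
    alice_as = MockAS("https://as.alice.example")      # constructed issuer
    shared_as = MockAS("https://as.provider.example")  # constructed issuer
    rs = ResourceServer([alice_as, shared_as])
    rs.register("alice-prefs", "alice", alice_as.issuer, {"read"})
    rs.register("alice-photos", "alice", alice_as.issuer, {"read", "print"})
    rs.register("bob-prefs", "bob", shared_as.issuer, {"read", "write"})

    # Constructed tokens: travel agent, framing shop, Bob's colleague.
    alice_as.issue("rpt-travel-agent", "alice-prefs", {"read"})
    alice_as.issue("rpt-framing-shop", "alice-photos", {"print"})
    shared_as.issue("rpt-bob-colleague", "bob-prefs", {"read"})

    return {
        "agent_reads_prefs": rs.access("alice-prefs", "rpt-travel-agent", "read"),
        "agent_writes_prefs": rs.access("alice-prefs", "rpt-travel-agent", "write"),
        "shop_prints_photos": rs.access("alice-photos", "rpt-framing-shop", "print"),
        "shop_token_on_prefs": rs.access("alice-prefs", "rpt-framing-shop", "read"),
        "agent_token_on_bob": rs.access("bob-prefs", "rpt-travel-agent", "read"),
        "colleague_reads_bob": rs.access("bob-prefs", "rpt-bob-colleague", "read"),
        "colleague_writes_bob": rs.access("bob-prefs", "rpt-bob-colleague", "write"),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:22s} {'ALLOW' if ok else 'DENY '} {why}")
```

Two checks carry the weight: the RS validates the owner-supplied AS location before binding to it, and it compares the issuer and resource in the introspection result against that binding rather than trusting whichever AS a client might name. Those are the checks that keep “millions of potential ASs” from turning into a confused-deputy problem at the RS.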
participants (4)
- Adrian Gropper
- Eve Maler
- j stollman
- Mark Lizar