The Legal Forum

From IIW

Session Topic: The Legal Forum

Wednesday 4F

Convener: Dazza Greenwood

Notes-taker(s): Nora Draper

Tags for the session - technology discussed/ideas considered:

Legal Issues, MODIS, Terms of Authorization, User-Centric

(note: session taped – see Doc Searls for the document)

  • Goal: To reassert the legal portion of the IIW Commons. Re-inaugural wake-up call to see who wants to leave. Also to bring forward from case studies in the user-centric economy using what we know about the B2B end.
  • Building on a conversation that has happened with Doc Searls over the last few IIWs that looks to invert the Terms of Service that feel that it is something that happens to you with something that appears in your apps that tells you all the various parties that have rights and obligations around you and your data. Killing the ToS and replace with the ToA.
  • We start with an apps page and add more clauses as we add more parties. To get this, we need Business to Business contracts.

(introduction of participants and participant interests)

(Broad ideas that came out in the introductions: Interest articulated in terms and solutions that can be implemented in the near term. Interest in security and privacy. Lots of representation from Customer Commons. Interest in understanding the Terms of Authorization and how that relates to participant platforms. Interested in what our Freedom of Contracts should be.)

Dazza speaking – unless otherwise noted

This is a dynamic part of the transition to the digital economy where technology, law, economic and relationships are all happening apace. This is a place where innovation happens.

Start with an overview of what’s been happening at the media lab and how that could be useful for everyone around the table.

Sandy Pentlen (spelling?) (from Media Lab) is happy to do constructive listening and sharing.

Two things we’ve done:

First – B2B part: to try and express in a more machine readable format the types of structures that governments and businesses have when they are using individual data (and other information). There is a lot to learn from B2B to understand how things might operate in a user-centric world. Started by taking multilateral agreements for financial clearing houses and identity federations and, through a combination of creating and analyzing, found common elements and looked at how those could be better suited to existing conditions. What we have is a template (go get it, use it, update) from creative commons: business and legal structures for identity commons. A few design patterns culminated with MODIS (MIT Open Data and Implementation Systems) – moving from proof of concepts to an open model. Purposes of this system is a design pattern, for whatever system you have, you can see how a system could align with the specifications that users provide. Right now, to integrate those meaningfully across systems is really difficult because of different standards. You can get more predicable outcomes for user preferences and privacy using this MODIS model.

Second – from the PoV of indivduals. Want to see ourselves as an autonomous human with some freedom. Even before getting to constitutional analysis, using widely configured technologies (like OAuth2), turns out that we have been given a legacy of sufficient pieces that can be architected together to give expression to autonomous people. One is Terms of Authorization: starts with the idea that there is an account dashboard related to a human who “owns” the account.

Doc: Account makes an assumption that there is a second party.

Dazza: Maybe that isn’t the right word – account may have baggage with it – but we have an idea that the user can use federated authentication to log into the account.

Mark: Who is the identity provider?

Dazza: Hold that. What a human does when they log into the system, they can log into an admin or root page (or account page), what they see is a dynamic page that is the legal part of their relationships including the party providing this. Terms of authorization written in the first person: “I license you as service provider…” (called iAuth). The terms should be as little as possible (but no less). The Dashboard, is not reflected in the legal documents. Want to indicate the obligations and rights with respect to the resources (e.g. give service right to access photos and put in dropbox). May be able to revoke (possibly at a granular level) with a baseline that cannot be revoked. Once revoke, that agreement is remove (although you can see still see it in another section). But what you are shown is always the parties you currently have an agreement with. Dynamic expression of terms of authorization.

Dazza: Goal is a human speech, machine readable content that reflects the business deal. Some business arrangement in the beginning that allows for the granting and accepting of Scopes.

Need resource, scopes and identity

o Can add how long the access is, etc. but these are the key components

In terms of creating the forensic data to show what the terms were, this is a good model

The goal is to kill the terms of service with extreme prejudice and then embrace terms of authorization that allows for the ability to support a user ecosystem

Doc: if we look at tracking as authorization does Do Not Track map on this

Dazza: In principle/theory, it may map

Doc: I’m talking more about taking that concern of an individual where they go to a site and are proscribing in a way they could act. One of the guys on our side, Chris Savage (DC Attorney), what he says is that you don’t visit a website, it is a request for a file (Dazza: or resource…)

Phil: That’s the 1995 version, now it’s a discussion

Doc: There is a ceremony about how this works. Let’s say you visit Google, there are terms of service that come to you in a file. What if, in the same way, Google says by accepting this, you are accepting our terms. That is flipped.

Mark: We need to solve identity, data and permissions, which is what you’ve done. Just to clarify, this is an aggregate view across contexts. This is not the agreement that binds both parties – where is the agreement that binds the service provider? This is a one-way IDA.

Dazza: One of the design requirements that would be most useful is to have an implementation that must map to existing business relationships, that do not include the full inversion. The subset of use cases this works for is when you have a system (the “s” in MODIS). It assumes that you have, in some way, some kind of platform, services, apps where there is an identity, platform, apps, services where we know all the parties that have agreed to be in bound by these agreement conditions. Could describe the business, legal and technical terms of the system – by implementing this system, you agree to a minimum set of terms.

Mark: can you see the other party’s terms?

Dazza: There is a link where you have to have a link to the terms of the party. There is a tangle between the existing commercial terms and other terms. But there is a section in the legal and technical where you can link to existing terms and rank them. I am anticipating that someone else would do that, because I’m not sure what the assumptions are. This is more primitive than that.

Mark: Is there transparency?

Joyce: Is there a place to put the terms?

Dazza: There is a place in the personal data store in the MODIS system where this information gets dumped in a very unstructured way.

Question: Who should we expect to implement this?

Dazza: Three that we have: Technical University of Denmark, MIT and a hospital, Kansas Secretary of State’s Office. Looking forward: e-commerce and NSTIC