Ultimate Realization of User Managed Contract / Terms and Policies Proffered by individuals

From IIW
Jump to: navigation, search

Session Topic: Ultimate Realization of User Managed Contracts

Thursday 3I

Convener: Dazza Greenwood, Doc Searls

Notes-taker(s): Eric Scace

Reporting on work from MIT Media Lab.  Dazza sketched out some of the problems

(UMA binding obligations, for example) which led to investigation of the following.

Suppose that:

• in a profile page (into which people can enter) for an app, the core rights & obligations are located...

• in an OAuth site or equiv one can see all apps that one has granted access to, and the nature of those apps, in a admin panel.

• merge the above with the contract (between user and service provider, e.g., of a personal data store) itself.

Preliminary work:

• top §§: description of parties (individual & e.g., User Managed Access service provider), scope/description of interaction, term.

• §X: particulars of rights (prototype = OAuth scopes of 7 dimensions) granted for each app, dynamically generated according to the snapshot at the requested moment in time (current scenario is the priority at the moment, or scenario as of yyyy mmm dd hh:mm GMT available in a data store... a.k.a. "temporal reconstruction").

– this section now gives the complete dashboard of all contracts in force at the time.  Similar to 'my account' pages.

General discussion followed.

• Simplifying terms of use is a long, difficult slog.

• Mechanism for proposing & agreeing to a change of

• How to solve false repudiation issue.  Could use external service that does joint authentication between the parties that cannot be subsequently repudiated.

• Could get rid of permission ceremony when user has pre-authorized a certain set of tolerated settings for generic use (e.g., certain subset of attributes, relying party must limit use to only current session, cannot retain nor disclose, etc)

• Could include a default setting of parameters for 'any other app' (e.g., 'do not subscribe me to newsletters', 'do not track', &c)... which a browser plug-in, for example, could help convey.


E. Scace, who understands a rather sketchy level of context & thereby notes that the accuracy of the above is subject to validation by the speakers.