Skip to content

NymRights StudyDesign

Jump to bottom Edit New page
aestetix edited this page Oct 4, 2013 · 4 revisions

Draft Wiki Page Related to Nym-Friendly Identity Policy

Table of Contents

========

Research Study (V.0.0.1)

I. Introduction:

Nym[1] -Friendly identity services are one of the core projects of the eCitizen Research initiative of the Human Dynamics Group at the MIT Media Lab. This project aims to research and test business, legal and technical dimensions of a postulated multi persona and nym rights supportive identity service provider company. The postulated company is known as omnividual.com. We have provisioned a Google business apps service to enable accounts for use by participants in the research. Use of an OpenID Connect service is also being contemplated as well as use of industry leading identity as a service federation provider.

II. Study Design and Hypothesis[2]

A. Overview of Study and Intended Results of Research
1. Relevance to New Deal on Data (People Own Their Personal Data and Personal Identity is the Core Personal Data Asset)
2. Do original research and development to establish the reality of the current state of use of nyms and the existing policy and technical environment.
3. Create new knowledge and reference implementation of a tested Nym-Friendly Policy and demonstrable experience with suitable operational environments and transactional practices that support and reflect this aspect of personal data rights and expectations.
B. Omnividual Reference Implementation Nym-Friendly Policy and IdP Service
1. Essential Elements of what is being tested for the Nym Policy
a. Give IP rights of data to users: New Deal on Data (see II.A.1)
b. Problems and prospects for individuals and organizations to use a Nym Friendly policy with lots of day-to-day interactions
c. Users operating under Omnividual Nym friendly policy who use their accounts to do several specified functions[3]:
i. Google Hangout
ii. Email
iii. Login Accounts with social media sites and mobile apps
iv. Attribution on posts via Google search results
2. Some higher value transactions:
a. To inventory a range of every day interactions and transactions (most of which are totally not high value or anything) to benchmark and describe the state of affairs for nym friendly accounts "in the wild" (eg study participants are copying relevant policies, and noting their experiences, etc)
b. To select a few relevant good demonstrations illustrating that use of a nym for a higher value or sensitive, etc transaction is valid, useful and beneficial. (e.g. Dazza signing his lease, Dazza selling his consulting and billing clients, etc, etc).
c. The extent to which censorship is an issue in this context
1. Does forcing “legal names” violate First Amendment freedom of expression and association?
2. How does this play into larger topics such as Net neutrality?
3. How do names factor into a “zoning” of the Internet into respective “Facebook”, “Google”, “Twitter” zones
d. Chronicle of the existing context of Nym policies and circumstances
1. Outreach to people who have been suspended. Suspended Nym-Rights Initiative http://nymrights.org/suspended/suspended-wall-of-fame/
2. Exploration of the business legal and technical best practice approaches to lawful access requests and 4th amendment and other third party doctrine or privacy and security policy provisions (Outreach to ISP and App Developers and others (use the Dublin conference in Oct w/WEF to poll people) EG: Nick Merrill of https://www.calyxinstitute.org/
3. Compare and Contrast the EU and US framework for these policies including in the context of data sharing rules for personal data (EU Privacy Directive and corresponding Safe Harbor) and European Court of Human Rights (also, consider ENISA), structure the study so that some users are subject to ECHR.
a. Safe harbor rules will apply to US companies that have opted into the safe harbor in order to ease data trade with EU organizations... (see: http://export.gov/about/index.asp) part of the research will be to have some account holders subject to the nym policy and some of the companies that account holders sign up to login with will also be subject to EU law (because we will ensure that some are)... in this way we can further explore the international dimensions and the role of the ECHR as well. )
III. Organizing Inquiries for Field Survey
A. Trying to establish the current state of affairs for use of nym and policies and practices regarding use of nyms "out there"
B. Analyze the Terms and Conditions of Policies/ToS/Etc Account Users agree to along the way: determine the current practices by IdP's such as Google to notify users of subpoenas
C. Collect and analyze relevant clauses of policies for Omnividual.com upstream terms owed to Google and collected "out there" as part of field survey, with special reference to 3rd party doctrines. We can put the policies in a central place and document how services can demonstrate problematic aspects: how nyms are used, the policies that apply, and the experiences with policies that apply. This can tie back into II.D.1
D. Establish how open different companies might be to either changing their existing “names” policies or adopting one we develop.
IV. Research Methods:
A. A group of direct research participants will be recruited and provisioned Nym-friends accounts to conduct a series of activities and gather direct research for this study.
1. Users must agree to terms of participation, which includes
a. Perform at least the minimum number of actions within their account as defined in II.B
b. Abide by our general nym policy in the event that conflicts or changes to the policy occur during the terms of the study
c. Relinquish rights to their account upon the conclusion of the study, assuming no further plan for funding their account has been made, although they do get to keep any data they generated.
d. Immediately report any issues with their account, such as being suspended for not using a “name-shaped” name, and share any correspondence with Google employees regarding the issues.
e. Any other terms as outlined in our participation document [link]
B. Direct outreach to gather relevant examples and field research.
C. Possibly tools like "focus groups" or in theory a "public briefing" sort of special end of active study (but before publishing results of research) point research weekly hangout or something.
D. Survey tools to further surface issues and options
1. Suspended Nym-Rights Initiative (intake example) http://nymrights.org/suspended/suspended-wall-of-fame/
2. ISP and App Developers and others (use the Dublin conference in Oct w/WEF to poll people) EG: Nick Merrill of https://www.calyxinstitute.org/
3. Any suggestions made by relevant groups, including IDESG
E. Recursive Approach to Using Research Cycles for Feedback and Experience in the field
V. Action Items
A. Start with Draft Site and Policy and Plan and at start of Study Get Intiial Round of Feedback from Participants on relevant aspects (pose "intake" "day-one" questions to them) Get feedback.
B. Gather feedback on this document from recognized experts on use in situations involving government, cryptography, law enforcement, personal privacy
1. I'd like to chat more with Lee Tien and Nate Cardazzo at EFF. Both have expressed some interest in the study design.
C. Pose to participants same and new questions at end of study.
D. Document what further research we discovered is needed.
Appendix 1. Research Plan:

I. Weekly Research Briefings (google hangout)

A. Get reports -- Why not create a short survey of questions regarding peoples experiences with the system? And have people revisit the survey every week or two so we can monitor changes.
B Answer any questions, see if there are ways we can improve the nym policy, etc
C Deal with stuff that comes up, whether it be small (forgot password) or big (got suspended)
II. Budget for Study and Funding Plan:
A. Anticipated costs are: $200 for a two month study.
1. If we can get funding beyond that, that would be awesome. I kind of like the "adopt a nym" idea, where benefactors can support people if they can't afford it.
2. Anticipated funding is: I have a funding source, need to check and see if they want to be credited or anonymous. Otherwise, I can foot the initial cost. We could also explore routing funds through ID Commons by way of the NymRights Working Group (ask Kaliya), or collaborate with other ID Commons working groups.
Include "Straw Draft" Policy for Government Entities that Allow Nym Accounts 
 - Leverage the PublicEnterprise project and City of Boston and Kansas SoS NYDB items
 -

Appendix 2. Sample Nym Policy Document and Related Re-Usable Assets

The Nym policy in question: https://github.com/HumanDynamics/FIPS/blob/master/NymPolicy

The survey we could work with to collect data: https://github.com/HumanDynamics/FIPS/wiki/NymRights-survey-questions

Server config info

Appendix 3. Partner Reference Implementations

1. Collaboration cities and states called "PublicEnterprise" to create an open architecture for public sector entities that aligns business, legal and tech policies in a way that promoted and defends 1) individual identity use, 2) user controlled protected data permissions and 3) Open Data / Big Data access and analytics in integrated and standard ways.

Can explore collaborating with the legal/policy aspect of PublicEnterprise as an adjacent MIT research initiative - perhaps as another field test of NymPolicy in a different environment - ie with Government organizations as the policy makers for their own systems and covering the situations when a government externally facing system can, should or must permit users to access an app, service, etc with a Nym or with use of an account issued by a Nym-friendly IdP service

a) Kansas 

 Specifically the Kansas NYDB Approach is a good fit to open a door for feedback and potential collaboration: This the counter-balancing account system for users who wish to remain anonymous or "nymonomous" .... this is counter-balancing an account system expecting "CivicID" friendly accounts enabling users to conduct certain types of transactions for which authenticated identity attribute or legal name assertion or verification are required.

b) City of Boston and Multi-Jurisdictional draft Open Gov Compact 

 Also the City of Boston and partner cities are participating in PublicEnterprise and part of this initiative include developing a draft "Open Government Compact" (or might be called "Open Data Compact") for a generic policy umbrella that governments can signup with to be part of an API-based network, enabling individuals, businesses, other governments etc to use the same account to log into common mobile apps, access regional or cross-boundary services (eg 311, business registration, developer networks, etc) acting like a flexible "MOU"

Specifically, it is envisioned that a clause regarding identity policy and use of externally issued identities that requires minimally consistent privacy, security interoperability and NYDB friendly policy in place and compliant systems in order to be eligible to join and enjoy the benefits of the open gov compact. This City of Boston led effort could be a great fit to offer the draft Nym policy for this research Omnividual project and perhaps get good feedback and if successful have a fork that is fit for use by cities who which to reflect an identity policy allowing users for at least some interactions to use nyms.

Explore Situations when even felons or sex offenders may have a right to use nyms, such as: 1. when conducting political leafleting online... 2. "vote according to secret ballot" (why would that not be true?) 3. when their crime had nothing to do with use of a nym 4. etc...

====

Side-Document:

Recruiting Roster of People Who Will Be Participants in Study

Kaliya Hamlin Meredith aestetix Dazza Sai Skud Ms Naughty Thomas Hardhjono Iranian situation guy [ID3] Bryan Warner or someone from Mozilla Persona Tim Reiniger of tim@futurelaw Someone from Milliways Josh Bails (MIT) David Alexander's Crew (MyDex folks) Ray Campbell (Policy wonk) Julia Wolf Phil Wolf Judith Flenor Duncan Friend (State of Kansas) .Mudge

Further information:

Notes: http://piratepad.net/Nk7BLjokVa

Answers to questions: 

 How can we set up the system so people can agree to and/or see the names policy?

We can have a prominent link to the policy from 1) the informed consent opt in for participants, 2) the page of the Omnividual site that stands for the IdP Nymp Frieindly service and 3) at the header/footer in consplicuous fashion of every touch-point between the account useusers and external parties (eg can it pop up during the OAuth 2 handshake? can it be embeddedded at the bottom of every email? can it be touted at all key junctions?) 

 How do we enable new accounts? Maybe we could set up a web facing page on omnividual.com where people can  sign up?

This question will be ansered by developing the "intake" or "signup" or "participation" process for resarch participants to join the study .... it must be all electronic and shoudl include a key moment of "informed consent". Open questions are

1. How many account holders do we need at mim, wish ideally, can possibly support at max? 2. How and WHEN do we create the list of invitees and final participant roster? 3. It takes some set up time, 

 What  happens if someone does get suspended? Do we need to make them  agree  to fight any issues Google brings up? Also, do we need to  explicitly  get their permission for emails/etc regarding a suspension  appeal made  public?

See ln 31 of the other pad (summary: the point of this study is not to do advocacy but rather to study and learn what is happening and to diocument and analyze it. And the mechanism is to have "refereals to advocacy groups if people are unduly suspended and wish to take further action. However, it is not anticipated that anything like that will happen, because this study design has been deliberately and carefully crafted so as to fall well within the stated policy parameters applicable to Google Business Apps accounts, as confirmed during the study inception point by Erich Sachs, of Google, when asked directly about whether this approach of providing nym account to google biz apps account users for this MIT research was in compliance with their policies. In fact his main concern was simply that the business case of spending $5/user was not a savvy financial approach. See ref to other doc for proposed obligations to report relevant happening - in particular suspension due to nym (that is dead center what we want to know about - then discover why and the policy and tech implications to be ebaluated for this research). 

 Do  we want to set explicit timelines for how long we'll let Google  wait  before we pursue a second attempt at appeal? Maybe we could appeal   internally, and then in a week if we've heard nothing, make it public?

Done: This is a responsibility of the advocacy part (NymRights), however any procedures we craft out will be made public and contributed to the results of the study. 

 I  assume we'll be changing the nym policy over time. Aside from  letting  someone agree to the most recent commit, how can we manage users   agreeing to an older version? Maybe we could just release updates to   the policy on a semi-monthly basis, and allow users to leave the  service  if they want to?

Done: Don't want it to ruin the science if it changes too drastically. Maybe have a short test period (two months) and re-evaluate the study at the end. Should be mentioned in the consent form. 

 Could  get reach out to a sponsor to fund X Google accounts for a  year? What  happens if someone has an account and wants to use it beyond  the year?  Or could we "hire" them for a "contract" period and allow them  to  "renew" their "contract" when the time runs out? Or are we going to   view them as customers? I'm not entirely clear on the Google Apps   relationship of business to user accounts.

See Appendix 1 as current plan 

 Do  we need to make it clear that because both MIT and Google are in  the  US, people are held to US laws? What happens if someone uses our   service and breaks the law in another country?  (these questions are Google centric, but I think it could follow for any company that does name based suspensions).

That is right 




The applicable jurisdiction should be clear (ie in study informed consent context, it would be state of mass and an MIT standard form customized for this study and done online.. (in a way better way that we do). and this means also that for the intentionally European set of a) users and b) sites that users go to the jurisdiction would be explicitly EU and the applicable country in those cases (and we should be sure that is part of the study desigt)




Sent Updated Project Notes on current state and next steps to collabrators on this research study.  See below (was not able to use the "Edit Message" to contain the content - apparently the edit notes are not a good place to communicate that sort of content):  


Note to Collaboration Team: 



"I've just slightly tightened up the bit about reaching out to the identity policy and prototype projects at City of Boston and state of Kansas, and corrected some info for the people who should be invited to participate as participants in the research study.  



Would like to tighten up the research plan (at the wiki https://github.com/HumanDynamics/FIPS/wiki/NymRights-StudyDesign) and aim for a launch of study by start of Oct.  We are thinking a two month study period would suit, and about 20 "users" of accounts issued by the created "Nym-friendly" IdP and operating under the initial draft policy would be the right size/timing.  Also we are noting some field research as part of the study, basically to get feedback from experts and others on the draft policy and to gather relevant use cases and experiences of individuals and organizations using, being prevented from using or otherwise related to offering or accepting Nyms online.  The idea will be to have each of the participant users (the 20 people wh "sign up") to use their Nym account to create accounts on some apps and services and to note the policies and any relevant observations (eg "I clicked this thing, screen shot 3, that seems to say I am not allowed to use a Nym for this app", or "I noticed that the service automatically combined by Nym account and my personal account without my consent" or  "I got this note saying my account was suspended because I am using a non legal name" or whatever else seems relevant).  At min, we will ask that a copy of the ToS, Privacy Policy and account set up related screens be compiled and shared through the research site (we will create an easy as possible form or some type or other ways to submit easy as possible).  We should also have a running list of the apps and services people have signed up for, to ensure we get a wide enough spread and also to check if some experiences of participants are somehow different on the same apps or services.  Also, we intend (as written in the Wiki research plan doc) to ensure at least some users and apps/services are European, so as to have a basis for compare/contrast to EU law and practice and the intersection between US and EU (safe harbor, FIPS approaches, etc).  



Your feedback is solicited on content and also to please help fill out the list of who we can reach out to to invite to be study participants.  We have 20 names (more or less) right now.  We need about 20 solid users to be active for the whole 2 months, so we may need to invite three times that many to find the right participants I assume.  



Thanks,



 - Dazza"





    

  1. 
^  "Nym” is usually short for “pseudo-nym”
    2. 

  2. 
^  Notes on II.A and II.B: What are we trying to prove with these accounts? Hypothesis: People can use nyms for a wide variety of lawful commercial, and educational transactions, including some for which more than negligible value is at stake and the need to use so-called "legal names" is overblown and in fact against public policy and efficient, security and resilient systems.
    3. 

  3. 
^  Avoiding the phrase “active users” here because Google itself does not seem to define what makes a G+ user active.
    4. 


              


              

                
                   Add a custom footer
              

          



  
          

            

              

                
                   Add a custom sidebar
              


            
Clone this wiki locally