- How do we identify the relevant policies to reason over?
- We can provide a list of policies that we want to check for
- We can allow the reasoner to find "relevant" policies from a policy
registry. Relevant policies are identified because their patterns
match the transactions under consideration
- It should be possible to override the expected policies with
different ones at run-time (e.g., to risk model a possible court
decision or proposed change in law or contract)
- How do we identify relevant entries from a transaction log?
- assuming that we have a centralized log
- assuming that we have a distributed log
- How should we handle changes in the text of law/policy?
- How will we know when the change occurs?
- How will we know which version of the rule to run
- For audit, recognize the date of the transaction and the
effective date of the rule?
- For current accountability, always use the current effective
version (watch out for enacted but not yet effective)?
- Can we come up with an example in which a combination of transactions
cause a violation?
- Relevant literature on modeling legal reasoning in logic
- User interface should allow user to ask queries such as
- How many violations are there in a given set of transaction
- How many violations are due to policy X
- Which policies do a set of transactions violate
- What-if analysis: If I change rule A, how many more/fewer
violations would have occured in a given set of transactions
- What problems do we uncover when we handle many transactions instead of
- Can we create a proof of concept with 50 rules and 1000
transactions and allow anyone to change a piece of a rule or a
transaction and show that TAMI consistently and correctly produces
the correct compliant/non-compliant result?
- Can we determine if the inference a party draws from data (or data
mining) is reasonable?
- Can we use data purpose algebra to determine if the nth sequential
recipient of data is using it within the narrowed allowed purposes caused
by the sequential passing?
- How can we reason if the nth sequential party to receive data is using
it in a manner "compatible with" the reason for which it was collected?
(Example: a law enforcement agency saved a letter alleging illegal drug
activity of one of its employees and later used the letter for a criminal
investigation of the letter's author. In our current system, both uses
would be for criminal law enforcement, but in the real case the second
use was determined to be impermissible. Additional
- How can we store and reuse input that addresses a
can't-decide-compliance result (e.g., that for TSA, the purpose "secure
planes" includes "counterterrorism")?
- How do we decide among rules created by case law, which rule applies or
- Recognize the geo-location of the person using the data and match
it to the proper Courts (Example: System able to recognize that the
person using the data is geo-located in California, so 9th Circuit
- Recognize the hierarchical structure of courts and apply lower
court rules only where higher court rules don't exist. (Note: the
ability to decide between branches of rules will likely come up in
- Do we want to extend into reasoning based upon weighting of different
rules or variables?
- What special challenges are there when the party is data mining the
- How can we address conflict-of-law or seeming conflict of law
- Preemption: How will we handle rules which state that one rule
should be used instead of another if a particular set of
- In this scenario, the required determination is to find which
rule is most restrictive.
- Exceptions: Have we handled enough different types of exceptions to
be confident that our method of handling is sufficient?
- In this scenario, there are automatic exemptions to preemption
and "manual" exemptions (ones that must be requested and approved
before they can be triggered)
- Can we use data purpose algebra to produce the scope information
needed to compare the restrictiveness of two rules?
- How can we address situations in which the category of data changes
- How can we recognize change in category caused by aggregation
(e.g., anonymized data is aggregated with other data and the persons
can now be identified ... which should trigger rules for handling
Personally Identifiable Information)?
- How can we recognize change in category caused by an event external
to the system (e.g., a foreign national becomes a legal permanent
resident ... which should trigger rules with additional protections
for that person's information)?
- How can we recognize change in category caused by the authorized
purpose of the recipient (e.g., personal telecom records become
health information when CDC collects them to investigate spread of TB
or financial records become criminal case investigation records when
collected by law enforcement during a case)?
- How/when should we be able to reasonably infer leakage?
- How could we recognize that a person (or a person's organization)
accessed information and then, afterwards, that person apparently
used that same information elsewhere (without a transfer of the
- How would we recognize screen-scraping?
- In a distributed environment, how should we obtain value(s) we need to
reason over, if they are not in the same system or under the same
control? (In this example, the FBI system can't decide whether to
release/transfer information until it knows what the Florida system will
do. It needs to be able to ask the Florida system what rules it is going
to follow. This problem is not limited to being able to access other
parties' rules. In other examples, it may be that in order to know which
rule to fire, TAMI will need to know how another system categorizes the
$Revision: 24872 $ of
$Author: lkagal & kkw$