-
Notifications
You must be signed in to change notification settings - Fork 232
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Requirements] Ability to express data sharing requirements in Policy #608
Comments
I have given some thought to putting this information in the Jurisdictions API, but I'm not strongly attached to that. |
See notes from the WG Call today. Some good interest in this concept for the next release.
|
See notes from the WG call this week.
|
We will be discussing this topic at tomorrow's Working Group meeting. |
Notes from the public working group meeting:
See a draft proposal for this from me (@schnuerle). Open for comments here or directly in the document: https://docs.google.com/document/d/1zHhg9YpGhp63mu1T3xUSRxfMmPSk1brn78ER5thTnCI/edit Open Questions (also in the draft document):
|
I've made some additions to the draft document based on some conversations with folks. Notably: Summary of benefits of doing this (any others?): A JSON file that explains all the parts of MDS that an agency would like to see from providers, as well as information about the APIs the agency is serving up, can help:
Addition of an agency id field agency_uuid - Created just like providers.csv, but new agencies.csv, with agency name, website, and Requirements API URL. Would help with discovery of MDS usage by agencies, providers, pubic, etc and could be used in Jurisdictions. Idea of an OMF manifest, and/or hosting of the file Could the OMF host a manifest of Requirements APIs by agency, which can link to an external agency location of the file, or to a file in a GitHub repo maintained by the OMF? The file should not change very much except when permit policy is updated or new MDS versions are adopted. Agencies can open issues or pull requests or just email the OMF for updates. If the OMF hosts the files initially during a testing phase, we can see how it goes and do the heavy lifting to kickstart the project and remove barriers to entry. Also allows for the easy creation of agency IDs. Online generation tool Should an online generator be created where an agency can input via form what they want, and the JSON be generated? It could run in the browser with no backend, and be hosted and maintained by OMF. Might not be needed if OMF hosts and manages the files. |
From our Working Group meeting yesterday.
|
The City and Provider Working Group Steering Committees met last week for the Midway Checkpoint for the 1.2.0 proposed release. The Checkpoint let them review feature proposals, align current work to goals, and ensure the release features and work is on track. For this work, we have created a new rubric to help guide the evaluation, looking at feature utility, stakeholder adoption, implementation simplicity, direction consensus, and work completed as part of the evaluation criteria. The outcomes and actions from these discussions are summarized here:
|
I'd be interested in getting this adopted on the SFMTA side. We'd probably be able to do it in a more timely manner if we had access to a generator tool and OMF hosted it. |
I think this could be valuable, particularly for discovery and comparison of regulations across cities rather than chasing down paper docs to review. With that said, I would like to see an effort to get broad adoption among cities to avoid a complicated mix of some using paper docs, some using Requirements API, some with detail on their GitHub sites, etc...so with that +1 to the need for generator tool and OMF hosting. |
We will be deep diving into how to move this idea forward in this week's Working Group. |
@joshuaandrewjohnson1 even if a city uses it along with other methods of paper doc regulations/permit requirements, wouldn't it be good for this to exist for each city? It seems useful for the city to go through the exercise of creating it (with optional OMF guidance) to be clear on what they are asking for, and once it exists, useful for providers to see what they need to provide (more useful than just "the latest version of MDS") without ambiguity. The way it's proposed you wouldn't to have to build anything to machine read the file if you didn't want to. It's very human readable and could be used by a provider/third party without building a tool to ingest it. |
@alexdemisch I think part of the proposal could be a workshop for cities where the OMF helps them create the file and additionally hosts the file if needed. The OMF could even offer some one on one help to make it. I'm thinking that a generator tool at this stage might be over engineering, since it can be created by hand quite quickly (like I did in the examples in the document draft). |
@schnuerle @alexdemisch LINK / Superpedestrian would be glad to beta test the Requirements API feature, once the spec is developed! |
If it is intended that the Requirements API will be used to allow for changes to data sharing requirements during the term of a program without need for a more formal process (i.e. council approval), it should be structured in a way that preserves important policymaking elements. I've listed some considerations/questions for that process below:
Spin is happy to test this as well, we would just want to ensure the policymaking process is not intentionally or unintentionally supplanted, as well as minimize confusion between the various documents/versions of an agency's data sharing requirements. Some of these may also be applicable for the Policy API as well. |
We will be discussing a draft feature branch of this new /requirements endpoint within the MDS Policy API at this week's Working Group meeting. |
Finished a round of updates and adding examples based on last week's WG conversations. Please review and provide additional thoughts of your own and on the comment that are already here. Still needs more outside links with supporting documentation. See the Policy Requirement PR for specific conversations people left about boolean value formats in MDS, SLA latency, mode specification. Another question I have is when to add the |
Glad you called this out, @schnuerle. It has actually been my expectation all along that I think there is tremendous value in listing private endpoints, because it allows cities to be explicit about what they require and what they don't. It also would be confusing to exclude private endpoints for agencies who want to use the required_fields property on private endpoints. From a data-security perspective, I think including private actually makes things more secure because providers could turn off access to endpoints and fields that are not being used by an agency. |
I think when to publish the URL wasn't really clear or defined, and I initially also thought that all of them could be published. But as I put those in the examples docs, I started to doubt the idea and so only put public urls. The big question for me is, for providers, is there any credible risk if their MDS urls are known? The main MDS stubs are known in providers.csv, but not the full URLs once you add cities, versions, APIs, and endpoints to the URL. Eg. is there a difference between knowing "https://web.spin.pm/api/mds/v1" and "https://web.spin.pm/api/mds/v1/louisville/provider/trips". Though arguably that could be guessable, and if you know the format for one city you know them all, and also the URLs are being sent by email now anyway. Some providers have public, shareable, and discoverable API docs too. It would be beneficial to have these URLs listed, for all parties involved, for multiple reasons, I agree, I just want to make sure it's ok with the community first. |
Gosh, I would sure hope not Michael. If a known API url represents a credible security threat for any provider then they have no business dealing with sensitive location data. Edit: hopefully the above didn't come across as just being a snide comment. I truly believe that it's the right thing from a security perspective for all endpoints to be listed. If any vendors are relying (perhaps implicitly) on the "security through obscurity" of their endpoints URLs not be publicly known, making them public would provide a good opportunity for them to clean up their act. It would also make vulnerability scans trivial. |
We will be discussing some of these items and updates to the PR on tomorrow's Working Group call: url security, boolean values, modes, metadata. |
Below is a quick sketch of what came to mind in our conversation today. Conceptually, the object hierarchy is as follows:
|
Thanks @quicklywilliam for advancing this. I like this proposal a lot and want to emphasize our support for making this data public. Some feedback on William's sketch (above)—it would be nice if agencies could optionally define the specific fields they require from each endpoint. For example, if our agency elected to exclude the {
"endpoint_name" : "trips",
"required_fields" : ["provider_id", "device_id", "device_type"]
} This may be an edge case, but I can see it being more useful as the standard continues to designate more optional fields. Edit: derp, I see you covered this use case in the GBFS definition. |
We will be talking about this and recent updates on tomorrow's working group call. |
Great discussion today and some decisions made. See the meeting notes for details. Since the meeting I've taken action and completed the following in the PR spec and examples:
Action items include:
|
Hi all, we will be talking about this proposal and the concept of 'disallowed' endpoints and fields on today's working group call. Example of how disallowed APIs, endpoints, and fields could work in the Requirements endpoint. UPDATE: the WG agreed that the concept of disallowing APIs did not make much sense and should be removed. Disallowing endpoints and how to implement that is up for discussion. Disallowing fields seemed to have agreement. ...
"required_data_specs": [
{
"data_spec_name": "MDS",
"version": "1.1.0",
"required_apis": [
{
"api_name": "provider",
"required_endpoints": [
{
"endpoint_name": "status_changes",
"required_fields": [
"associated_ticket"
]
},
{
"endpoint_name": "trips",
"required_fields": [
"parking_verification_url"
],
"disallowed_fields": [ // field level example
"vehicle_id",
"route"
],
}
]
}
],
"disallowed_endpoints": [ // endpoint level example
{
"api_name": "events"
}
]
}
],
"disallowed_apis": [ // is API level needed?
{
"api_name": "agency"
}
]
... |
See the action items and discussion from yesterday's public call and meeting. There is a new discussion area to dig deeper into some of the topics discussed including disallowed endpoint implementation, and feedback from providers on the burden of disallowed fields. |
Thanks Michael! It looks like you took care of my action item for me, but
just wanted to confirm that there wasn't something else I need to do that I
missed?
—
William Henderson[image: 🙋♂️] he/him
ceo [image: 🚲] Ride Report [image: 🛴] ridereport.com
…On Fri, Jul 30, 2021 at 9:43 AM, Michael Schnuerle ***@***.*** > wrote:
See the action items and discussion
<https://github.com/openmobilityfoundation/mobility-data-specification/wiki/Web-conference-notes,-2021.07.29-(Joint-Working-Group)#minutes>
from yesterday's public call and meeting.
There is a new discussion area
<#675>
to dig deeper into some of the topics discussed including disallowed
endpoint implementation, and feedback from providers on the burden of
disallowed fields.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#608 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAAQPIDQQXA7PXCFTPIVJLT2LJCLANCNFSM4U5ID6YQ>
.
|
@quicklywilliam I think this item "William H to start a discussion in the repo about getting trip start/end point data" is a different discussion about how we can solve, in a future release, for the question of how to get parts of the route points (eg the start and end) through /trips in a way that could be specified in the Req endpoint, to satisfy the problem Alex brought up of not having to use trip_id to connect to status_changes/events to get start/end points if they don't want route at all. My idea on the call was "Could add properties to the route GeoJSON that describe a point (start, on trip, end) so start and end could only be returned and specified via Req endpoint", but there may be better solutions to discuss. |
Per our working group meeting, I've updated the PR with the following:
|
Adding a note here that organizations like Transit @gcamp may be interested in this feature, and could update their guidance to include using the public Requirements endpoint in regulations, like in this example. Note that @mplsmitch from MobilityData (GBFS) has already been following along and could update their guidance. |
To wrap up some discussions on supporting other data specs in this MDS feature, in the area where the
So for this first release we specify how MDS and GBFS can be used explicitly, leave it open for people to use any others they want to try, and provide a way to leave feedback for official incorporation in future releases. |
I really like where this is going. Having the flexibility for cities to clearly define what's required and disallowed will support some of our existing use cases, (e.g., SFMTA's e-moped program where we do not collect trip routing data). I think Requirements will become even more useful as MDS starts to incorporate additional modes and nuances of mobility programs/permit requirements. |
Completed with #646! Thanks to everyone for the great work on this feature! |
Is your feature request related to a problem? Please describe.
It has come up in a number of contexts that it would be useful to allow agencies to express data sharing requirements in MDS. I'm probably forgetting a few use cases, but here are some I have heard:
Describe the solution you'd like
I think of MDS Policy as the digital representation of a City's mobility program policies – we are digitalizing their program PDF, in a sense. Data sharing requirements, including the requirement to provide MDS, are common in nearly any such policy. Hence, I think this belongs in MDS and in Policy specifically. One possibility that might meet some of the uses cases above would be adding a new rule type or set of rule types within the Policy endpoint that describe a city data sharing need.
Is this a breaking change
I think this could probably be done in a non-breaking way.
Impacted Spec
Policy.
Describe alternatives you've considered
There has also been discussion of this living in a new endpoint. I'm open to that, but I like the simplicity of having a single (public!) endpoint return everything about a city's policy. In addition, there are often direct relationships between rules and data sharing needs (cities need data to assess compliance with a rule). I think these relationships might be made more clear and explicit through a carefully considered augmentation of MDS Policy.
The text was updated successfully, but these errors were encountered: