The first-ever technology promising to give consumer and corporate end-users a dashboard to control access to the data they store online will take its first step this month toward standardization.
The User-Managed Access (UMA) protocol is an authorization engine for individuals. It lets users selectively share data, via a set of policies, instead of being at the mercy of social, government or other sites that often have less than complete concern for the data owner's privacy, safety or reputation.
Is this a dagger which I see before me?
For example, an online resume could be protected via a UMA policy that grants access only to a select few employers. In a more real world example, a user could protect their online geolocation information, limiting access to their credit card company so that red flags would not be raised during trips abroad.
UMA could put a dagger in the privacy and usage debates burning around social networking and solve questions of control over more sensitive data stores such as health-care records and government databases.
"Before people can control how information about them is used online we need a protocol to enable that," says Ian Glazer, a research director for identity and privacy strategies at Gartner. "UMA is that kind of work. It is a common language and protocol for expressing people?s desires, preferences and opinions on how information can be used by service providers."
The User-Managed Access working group of the Kantara Initiative recently submitted its UMA protocol to the Internet Engineering Task Force (IETF) as a draft recommendation. The IETF is expected to consider the draft later this month in Quebec City, Canada. UMA's goal is a standard for all online sites and services.
A Growing Need
Issues of privacy and data safety are cropping up all over the globe and advocates are turning to software and governments to try and bring about one-off controls. In February, the Internet Education Foundation released an application that provides tips to users on how to safely use the Internet and Smartphones. The tips included how to protect your identity and information such as financial data.
In June, the Electronic Privacy Information Center (EPIC) filed a complaint with the Federal Trade Commission seeking a ban on Facebook?s facial recognition technology. U.S. Rep. Ed Markey (D-Mass.) commended EPIC and said Facebook's policy should be: "Ask for permission, don't assume it.'" The four Nordic countries submitted 45 questions to Facebook about what personal information is collected by the company, how it is used and how it is transmitted to others.
UMA won't address all these scenarios, but the bottom line is that awareness is growing as to just how high the value of personal data has gone.
Michael Fertik, founder and CEO of privacy vendor Reputation.com, told the San Jose Mercury News earlier this month that concerns about privacy online have created a demand among people to be given control of their data. "We think there is a coming privacy economy," he said.
Reputation systems such as those built by Fertik?s company, privacy tools from vendors such as Connect.Me and big ideas such as vendor relationship management (VRM), a six-year-old project at Harvard?s Berkman Institute, are starting to dominate distributed computing discussions.
UMA wants entry into those discussions.
A Hub Architecture
The protocol's model lays out a hub architecture. The hubs are run by providers who offer an authentication service where users set sharing polices and apply them to groups or specific individuals.
"This is a way that someone who runs a website - social or a repository or personal data locker - can avoid putting in sophisticated access controls," said Eve Maler, who three years ago started the UMA effort. "They can outsource that to some authorization manager. That is a prospect we are holding out for."
From the business angle, the UMA group is exploring small business use cases where employers could control authorization to cloud applications used by contractors or temporary employees.
Maler said UMA could also function as a lightweight RESTful interface for the authorization decision protocol called the Extensible Access Control Markup language (XACML). The protocol is gaining interest from enterprise IT staffs looking for standards-based, centralized authorization.
"With cloud mashups and the 'API economy,' UMA could be helpful to align more and more enterprise authorization mechanisms on simple, OAuthfriendly, concepts," says Maler.
UMA is built on the OAuth protocol, which has emerged as an important IETF standard for authentication not only to mobile and other applications but to application programming interfaces (API).
Maler is hoping that the OAuth authors will streamline UMA into their work.
UMA in ActionThere are already some examples of UMA in action.
The Center for Cybercrime and Computer Security at Newcastle University in the UK is testing UMA and believes it can be used to selectively share data, such as employment history, exam results and health information.
"UMA provides the technology to share such data safely, putting the citizen in control," said Aad van Moorsel, director of the Center. "We strongly believe UMA will be a cornerstone for future eGov services."
The Center plans to publish its implementation of UMA as open source software. NewCastle University used UMA to build its Student-Managed Access to Online Resources project, referred to as SMART. The system?s SMART Authorization Manager integrates with Facebook, leveraging friends as a ready-made access control list to meter sharing with other sets of data (A beta of the system is open for public use: http://smartam.net/).
The UMA working group says the protocol has the same fit with Google Plus Circles, the search giant?s new social sharing site.
"Our Authorization Manager (SMARTAM) allows the individual to immediately see how information is being shared, how it is accessed. The individual can easily change security policies and as such, protects his privacy," said Maciej Machulak, a Ph.D student working on SMART at NewCastle.
"We feel like we have UMA 95% completed," Maler said. And the possibilities for what she called "selective sharing" are important given the explosion in distrusted computing.
"A lot depends on if the rest of the world thinks these problems are important as we do," she said.Ft. Knox photo by Army Arch