Home New Standards Effort Targets for Privacy, Data Control

New Standards Effort Targets for Privacy, Data Control

The first-ever technology promising to give consumer and corporate
end-users a dashboard to control access to the data they store
online will take its first step this month toward standardization.

The User-Managed Access (UMA) protocol is an authorization
engine for individuals. It lets users selectively share data, via a set
of policies, instead of being at the mercy of social, government or other
sites that often have less than complete concern for the data owner’s privacy, safety
or reputation.

John Fontana (@JohnFontana) is the
Identity Evangelist for Ping
and editor of the PingTalk Blog.
Prior to joining Ping, he spent 11 years as a senior editor at Network

Is this a dagger which I see before me?

For example, an online resume could be protected via a UMA policy that
grants access only to a select few employers. In a more real world example, a user could protect their online geolocation information, limiting access to their credit card company so
that red flags would not be raised during trips abroad.

UMA could put a dagger in the privacy and usage debates burning around
social networking and solve questions of control over more sensitive
data stores such as health-care records and government databases.

“Before people can control how information about them is used online
we need a protocol to enable that,” says Ian Glazer, a research director
for identity and privacy strategies at Gartner. “UMA is that kind of
work. It is a common language and protocol for expressing people?s
desires, preferences and opinions on how information can be used by
service providers.”

The User-Managed Access working group of the Kantara Initiative
recently submitted its UMA protocol to the Internet Engineering Task
Force (IETF) as a draft recommendation. The IETF is expected to consider
the draft later this month in Quebec City, Canada. UMA’s goal is a standard for all online sites and

A Growing Need

Issues of privacy and data safety are cropping up all over the globe
and advocates are turning to software and governments to try and bring
about one-off controls.
In February, the Internet Education Foundation released an application
that provides tips to users on how to safely use the Internet and
Smartphones. The tips included how to protect your identity and
information such as financial data.

UMA won’t address all these scenarios, but the bottom line is that
awareness is growing as to just how high the value of personal data has

In June, the Electronic Privacy Information Center (EPIC) filed a
complaint with the Federal Trade Commission seeking a ban on Facebook?s
facial recognition technology. U.S. Rep. Ed Markey (D-Mass.) commended
EPIC and said Facebook’s policy should be: “Ask for permission, don’t
assume it.'” The four Nordic countries
submitted 45 questions to Facebook about
what personal information is collected by the company, how it is used and
how it is transmitted to others.

UMA won’t address all these scenarios, but the bottom line is that
awareness is growing as to just how high the value of personal data has

Michael Fertik, founder and CEO of privacy vendor Reputation.com, told
the San Jose Mercury News earlier this month that concerns about privacy
online have created a demand among people to be given control of their
data. “We think there is a coming privacy economy,” he said.

Reputation systems such as those built by Fertik?s company, privacy
tools from vendors such as Connect.Me and big ideas such as vendor
relationship management (VRM), a six-year-old project at Harvard?s
Berkman Institute, are starting to dominate distributed computing

UMA wants entry into those discussions.

A Hub Architecture

The protocol’s model lays out a hub architecture. The hubs are run by
providers who offer an authentication service where users set sharing
polices and apply them to groups or specific individuals.

“This is a way that someone who runs a website – social or a
repository or personal data locker – can avoid putting in sophisticated
access controls,” said Eve Maler, who three years ago started the UMA
effort. “They can outsource that to some authorization manager. That is a
prospect we are holding out for.”

From the business angle, the UMA group is exploring small business use
cases where employers could control authorization to cloud applications
used by contractors or temporary employees.

“With cloud mashups and the ‘API economy,’ UMA could be helpful to
align more and more enterprise authorization mechanisms on simple, OAuthfriendly,
concepts,” says Maler.

Maler said UMA could also function as a lightweight RESTful interface
for the authorization decision protocol called the Extensible Access
Control Markup language (XACML). The protocol is gaining interest from
enterprise IT staffs looking for standards-based, centralized

“With cloud mashups and the ‘API economy,’ UMA could be helpful to
align more and more enterprise authorization mechanisms on simple, OAuthfriendly,
concepts,” says Maler.

UMA is built on the OAuth protocol, which has emerged as an important
IETF standard for authentication not only to mobile and other
applications but to application programming interfaces (API).

Maler is hoping that the OAuth authors will streamline UMA into their

There are already some examples of UMA in action.

UMA in Action

The Center for Cybercrime and Computer Security at Newcastle
University in the UK is testing UMA and believes it can be used to
selectively share data, such as employment history, exam results and
health information.

“UMA provides the technology to share such data safely, putting the
citizen in control,” said Aad van Moorsel, director of the Center. “We
strongly believe UMA will be a cornerstone for future eGov services.”

The Center plans to publish its implementation of UMA as open source
NewCastle University used UMA to build its Student-Managed Access to
Online Resources project, referred to as SMART. The system?s SMART
Authorization Manager integrates with Facebook, leveraging friends as a
ready-made access control list to meter sharing with other sets of data
(A beta of the system is open for public use: http://smartam.net/).

The UMA working group says the protocol has the same fit with Google Plus
Circles, the search giant?s new social sharing site.

“Our Authorization Manager (SMARTAM) allows the individual to
immediately see how information is being shared, how it is accessed. The
individual can easily change security policies and as such, protects his
privacy,” said Maciej Machulak, a Ph.D student working on SMART at

“We feel like we have UMA 95% completed,” Maler said. And the
possibilities for what she called “selective sharing” are important given
the explosion in distrusted computing.

“A lot depends on if the rest of the world thinks these problems are
important as we do,” she said.

Ft. Knox photo by Army Arch

About ReadWrite’s Editorial Process

The ReadWrite Editorial policy involves closely monitoring the tech industry for major developments, new product launches, AI breakthroughs, video game releases and other newsworthy events. Editors assign relevant stories to staff writers or freelance contributors with expertise in each particular topic area. Before publication, articles go through a rigorous round of editing for accuracy, clarity, and to ensure adherence to ReadWrite's style guidelines.

Get the biggest tech headlines of the day delivered to your inbox

    By signing up, you agree to our Terms and Privacy Policy. Unsubscribe anytime.

    Tech News

    Explore the latest in tech with our Tech News. We cut through the noise for concise, relevant updates, keeping you informed about the rapidly evolving tech landscape with curated content that separates signal from noise.

    In-Depth Tech Stories

    Explore tech impact in In-Depth Stories. Narrative data journalism offers comprehensive analyses, revealing stories behind data. Understand industry trends for a deeper perspective on tech's intricate relationships with society.

    Expert Reviews

    Empower decisions with Expert Reviews, merging industry expertise and insightful analysis. Delve into tech intricacies, get the best deals, and stay ahead with our trustworthy guide to navigating the ever-changing tech market.