The first-ever technology promising to give consumer and corporate
end-users a dashboard to control access to the data they store
online will take its first step this month toward standardization.
The User-Managed Access (UMA) protocol is an authorization
engine for individuals. It lets users selectively share data, via a set
of policies, instead of being at the mercy of social, government or other
sites that often have less than complete concern for the data owner’s privacy, safety
or reputation.
John Fontana (@JohnFontana) is the
Identity Evangelist for Ping
Identity and editor of the PingTalk Blog.
Prior to joining Ping, he spent 11 years as a senior editor at Network
World.
Is this a dagger which I see before me?
For example, an online resume could be protected via a UMA policy that
grants access only to a select few employers. In a more real world example, a user could protect their online geolocation information, limiting access to their credit card company so
that red flags would not be raised during trips abroad.
UMA could put a dagger in the privacy and usage debates burning around
social networking and solve questions of control over more sensitive
data stores such as health-care records and government databases.
“Before people can control how information about them is used online
we need a protocol to enable that,” says Ian Glazer, a research director
for identity and privacy strategies at Gartner. “UMA is that kind of
work. It is a common language and protocol for expressing people?s
desires, preferences and opinions on how information can be used by
service providers.”
The User-Managed Access working group of the Kantara Initiative
recently submitted its UMA protocol to the Internet Engineering Task
Force (IETF) as a draft recommendation. The IETF is expected to consider
the draft later this month in Quebec City, Canada. UMA’s goal is a standard for all online sites and
services.
A Growing Need
Issues of privacy and data safety are cropping up all over the globe
and advocates are turning to software and governments to try and bring
about one-off controls.
In February, the Internet Education Foundation released an application
that provides tips to users on how to safely use the Internet and
Smartphones. The tips included how to protect your identity and
information such as financial data.
UMA won’t address all these scenarios, but the bottom line is that
awareness is growing as to just how high the value of personal data has
gone.
In June, the Electronic Privacy Information Center (EPIC) filed a
complaint with the Federal Trade Commission seeking a ban on Facebook?s
facial recognition technology. U.S. Rep. Ed Markey (D-Mass.) commended
EPIC and said Facebook’s policy should be: “Ask for permission, don’t
assume it.'” The four Nordic countries
submitted 45 questions to Facebook about
what personal information is collected by the company, how it is used and
how it is transmitted to others.
UMA won’t address all these scenarios, but the bottom line is that
awareness is growing as to just how high the value of personal data has
gone.
Michael Fertik, founder and CEO of privacy vendor Reputation.com, told
the San Jose Mercury News earlier this month that concerns about privacy
online have created a demand among people to be given control of their
data. “We think there is a coming privacy economy,” he said.
Reputation systems such as those built by Fertik?s company, privacy
tools from vendors such as Connect.Me and big ideas such as vendor
relationship management (VRM), a six-year-old project at Harvard?s
Berkman Institute, are starting to dominate distributed computing
discussions.
UMA wants entry into those discussions.
A Hub Architecture
The protocol’s model lays out a hub architecture. The hubs are run by
providers who offer an authentication service where users set sharing
polices and apply them to groups or specific individuals.
“This is a way that someone who runs a website – social or a
repository or personal data locker – can avoid putting in sophisticated
access controls,” said Eve Maler, who three years ago started the UMA
effort. “They can outsource that to some authorization manager. That is a
prospect we are holding out for.”
From the business angle, the UMA group is exploring small business use
cases where employers could control authorization to cloud applications
used by contractors or temporary employees.
“With cloud mashups and the ‘API economy,’ UMA could be helpful to
align more and more enterprise authorization mechanisms on simple, OAuthfriendly,
concepts,” says Maler.
Maler said UMA could also function as a lightweight RESTful interface
for the authorization decision protocol called the Extensible Access
Control Markup language (XACML). The protocol is gaining interest from
enterprise IT staffs looking for standards-based, centralized
authorization.
“With cloud mashups and the ‘API economy,’ UMA could be helpful to
align more and more enterprise authorization mechanisms on simple, OAuthfriendly,
concepts,” says Maler.
UMA is built on the OAuth protocol, which has emerged as an important
IETF standard for authentication not only to mobile and other
applications but to application programming interfaces (API).
Maler is hoping that the OAuth authors will streamline UMA into their
work.
There are already some examples of UMA in action.
UMA in Action
The Center for Cybercrime and Computer Security at Newcastle
University in the UK is testing UMA and believes it can be used to
selectively share data, such as employment history, exam results and
health information.
“UMA provides the technology to share such data safely, putting the
citizen in control,” said Aad van Moorsel, director of the Center. “We
strongly believe UMA will be a cornerstone for future eGov services.”
The Center plans to publish its implementation of UMA as open source
software.
NewCastle University used UMA to build its Student-Managed Access to
Online Resources project, referred to as SMART. The system?s SMART
Authorization Manager integrates with Facebook, leveraging friends as a
ready-made access control list to meter sharing with other sets of data
(A beta of the system is open for public use: http://smartam.net/).
The UMA working group says the protocol has the same fit with Google Plus
Circles, the search giant?s new social sharing site.
“Our Authorization Manager (SMARTAM) allows the individual to
immediately see how information is being shared, how it is accessed. The
individual can easily change security policies and as such, protects his
privacy,” said Maciej Machulak, a Ph.D student working on SMART at
NewCastle.
“We feel like we have UMA 95% completed,” Maler said. And the
possibilities for what she called “selective sharing” are important given
the explosion in distrusted computing.
“A lot depends on if the rest of the world thinks these problems are
important as we do,” she said.
Ft. Knox photo by Army Arch