Thursday, March 7, 2013

A theoretical approach to the Right to be forgotten

Imagine a world where individuals can share personal information online while retaining control over where that information is stored, tracking every copy derived from it, exercising the right to request its removal, and having every exact or derived copy actually erased. This is what the "right to be forgotten" refers to.

The right to be forgotten is included in the proposed regulation on data protection published by the European Commission in January 2012.

Despite the debate on this topic, in particular the observation that in an open system like the Internet the right to be forgotten cannot be enforced by technical means alone (see the ENISA report on the right to be forgotten), I would like to describe a theoretical model that addresses this regulation.
The model is inspired by the "chain-link confidentiality" approach, which can realistically be applied to the User-Managed Access (UMA) protocol.

A chain-link confidentiality regime would contractually link the disclosure of personal information to obligations to protect that information as the information moves downstream. The system would focus on the relationships not only between the discloser of information and the initial recipient, but also between the initial recipient and subsequent recipients.

UMA defines how resource owners (individuals) can control access to protected resources (personal information) by clients operated by arbitrary requesting parties (the recipients), where the resources reside on any number of resource servers (the providers of the personal information), and where a centralized authorization server governs access based on resource owner policy.

Applying the chain-link confidentiality approach to UMA means requiring the requester (client) to be itself a protected resource: any personal information the client derives from the initial recipient (resource server) is in turn exposed by the client as a UMA-protected resource, so the client becomes a resource server for the derived data, creating a chain of protection.
The assumption here is that the personal information at each node of the chain is exposed as a web resource governed by the individual's authorization server.

As a result, an individual can control where information is stored at the initial recipient and, by following the chain of protection, track every copy derived from it.
Through the UMA authorization server, the individual can exercise the right to have data removed from the resource servers in the chain and revoke any relationship with them.

The diagram below shows how the proposed model represents the relationships and the individual's control over personal information distributed among different initial and subsequent recipients. The example shows (in dotted lines) a chain of protection in which the Bank (resource server) is the initial recipient of bank account information, and the Employer and the Loan Service are requesting parties that, as subsequent recipients, become protected resources themselves.
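The chain of protection described above, as an added example that is not part of the original post nor of any UMA implementation. It models the authorization server as a registry in which every node that receives personal data re-registers its derived copy, recording which resource it was derived from; the server can then enumerate every copy and propagate an erasure request downstream. The node names (Bank, Employer, LoanService) follow the diagram; the CreditBureau node, the resource identifiers and the method names are this example's assumptions:

```python
"""Chain-link confidentiality over UMA: one authorization server (AS) keeps the
derivation graph of every copy of a resource owner's data.

Added example, not code from the original post.  Hosts other than Bank, Employer
and LoanService, the resource ids and the method names are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class ProtectedResource:
    resource_id: str
    owner: str                    # the individual (resource owner)
    host: str                     # resource server currently holding this copy
    derived_from: Optional[str]   # parent in the chain; None at the initial recipient
    erased: bool = False


class AuthorizationServer:
    """The resource owner's single point of control over every copy in the chain."""

    def __init__(self) -> None:
        self._resources: Dict[str, ProtectedResource] = {}
        self._children: Dict[str, List[str]] = {}

    def register(self, resource_id: str, owner: str, host: str,
                 derived_from: Optional[str] = None) -> ProtectedResource:
        if derived_from is not None:
            parent = self._resources.get(derived_from)
            if parent is None:
                raise ValueError(f"unknown parent resource {derived_from}")
            if parent.owner != owner:
                raise ValueError("a derived copy must keep the original owner")
            if parent.erased:
                raise ValueError("cannot derive a copy from an erased resource")
        res = ProtectedResource(resource_id, owner, host, derived_from)
        self._resources[resource_id] = res
        self._children.setdefault(resource_id, [])
        if derived_from is not None:
            self._children[derived_from].append(resource_id)
        return res

    def share(self, source_id: str, recipient_host: str, new_id: str) -> ProtectedResource:
        """A requesting party receives data from `source_id` and, as the chain-link
        approach requires, becomes a resource server for the derived copy."""
        src = self._resources[source_id]
        return self.register(new_id, src.owner, recipient_host, derived_from=source_id)

    def copies_of(self, resource_id: str) -> List[ProtectedResource]:
        """Every live copy reachable downstream from `resource_id`, itself included."""
        out: List[ProtectedResource] = []
        seen: Set[str] = set()
        stack = [resource_id]
        while stack:
            rid = stack.pop()
            if rid in seen:
                continue
            seen.add(rid)
            res = self._resources[rid]
            if not res.erased:
                out.append(res)
            stack.extend(self._children.get(rid, []))
        return out

    def hosts_holding(self, resource_id: str) -> Set[str]:
        return {r.host for r in self.copies_of(resource_id)}

    def erase(self, resource_id: str) -> List[str]:
        """Right to be forgotten: mark the resource and every derived copy as erased
        and return the hosts that must carry out the deletion."""
        affected = self.copies_of(resource_id)
        for r in affected:
            r.erased = True
        return [r.host for r in affected]


def demo() -> dict:
    """The post's diagram: Bank is the initial recipient, Employer and Loan
    Service subsequent recipients; a fourth hop (CreditBureau) is constructed."""
    as_ = AuthorizationServer()
    as_.register("acct-1", owner="alice", host="Bank")
    as_.share("acct-1", "Employer", "acct-1@employer")
    as_.share("acct-1", "LoanService", "acct-1@loan")
    as_.share("acct-1@loan", "CreditBureau", "acct-1@bureau")
    before = as_.hosts_holding("acct-1")
    # Alice revokes only the Loan Service branch; the Employer's copy survives.
    notified = as_.erase("acct-1@loan")
    after = as_.hosts_holding("acct-1")
    return {"before": before, "notified": sorted(notified), "after": after}
```

The registry records the derivation, not the data: erasure is a list of hosts that are contractually bound to delete, which is exactly the gap the ENISA report points out, since nothing here can force a host outside the chain to comply.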


Thursday, January 31, 2013

UMA Approach to Protect and Control Online Reputation

Reputation plays a crucial role in today's economy. According to the Wikipedia definition, the reputation of a social entity (a person, a group of people, an organization) is an opinion about that entity, typically the result of social evaluation against a set of criteria.

Rachel Botsman delivered an interesting talk at TEDGlobal 2012, where she stated that the concept of trust, across multiple platforms, would constitute the currency of a new collaborative economy, asserting that "reputation capital creates a massive positive disruption in who has power, influence and trust."

Nevertheless, Prof. Giovanni Sartor, in his article "Privacy, Reputation and Trust: Some Implications for Data Protection", analyzes the tension between privacy and reputation-based trust: privacy, understood as self-determination over one's own personal data, seems to conflict with reliance based upon reputation.

In order to mitigate and balance these privacy issues, giving individuals better control over their own personal data while encouraging a collaborative economy, it is possible to formalize a new approach based on the UMA protocol.

This approach assumes the support of a legal framework for data sharing and data protection, harmonized with the legal requirements and obligations needed for the proposed model. More details about the binding obligations on UMA participants are available here.

UMA Approach

User-Managed Access (UMA) is a profile of OAuth 2.0. UMA defines how resource owners can control protected-resource access by clients operated by arbitrary requesting parties, where the resources reside on any number of resource servers, and where a centralized authorization server governs access based on resource owner policy.

Consider the following scenario:
  • Alice (Resource Owner) is an active user of two e-commerce sites: eBaj and e-Selling.
  • Both e-commerce sites (Resource Servers) provide a reputation ranking mechanism and the possibility of protecting this information with the Global Reputation System (Authorization Server), through which Alice keeps control of her own data.
  • In her e-commerce experience Alice has had good and bad experiences, so her average reputation ranking on both sites is 3 out of 5.
  • Bob is a buyer (Requesting Party) who wants to buy a camera on the eBaj site (Client), and he finds that Alice is selling that item.
  • Before adding the item to his shopping cart, Bob wants to be sure about the seller's reputation.
The picture below shows an example e-commerce UI that allows Bob to request and view Alice's reputation ranking.

Bob adheres to Alice's terms of authorization by showing that he is a registered user of the e-commerce site.


Bob can view Alice's global reputation ranking according to the sharing policy controlled by Alice.


Based on the UMA approach, the Resource Owner (Alice) can control all her online reputation information through a specific sharing policy, or terms of authorization, called a connection.
You can find more details about UMA connections in the study that explores visualization techniques to enhance the privacy-control user experience for the UMA protocol, part of my work at Newcastle University contributing to the SMART project.

The following diagram describes an example of the connection structure applied to protect reputation data.

A Connection includes:
  • Protected resource - the ranking information endpoint, or an aggregation of such endpoints if they are available on multiple e-commerce sites (resource servers).
  • Requesting party - the entity requesting to view the ranking. It can be defined as anonymous, as a registered user, or as a user who provides specific trusted claims.
  • Client, or app, which is allowed to request access to the reputation ranking data on the requesting party's behalf.
  • Constraints, which limit access to the information: for example time-limited access, or access restricted to scopes (e.g. read reviews, or see only the ranking score).
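The connection structure above, as an added example that is not part of the original post nor of any UMA implementation. It encodes the four parts of a connection (protected resource, requesting party, client, constraints) and evaluates access requests against them, including the aggregation across both resource servers mentioned later under the benefits. The requesting-party kinds, the claim names, the scope names, the client identifiers and the clock values are this example's assumptions; Alice, eBaj, e-Selling and the 3-out-of-5 score follow the scenario:

```python
"""Evaluation of a UMA 'connection' (Alice's sharing policy) for reputation data.

Added example, not code from the original post or from any UMA implementation.
Requesting-party kinds, claim names, scope names, client ids and the clock
values EXAMPLE_NOW / EXAMPLE_LATER are assumptions made for the demo."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class RequestingPartyRule:
    """Who may request: 'anonymous', 'registered', or 'claims' (specific trusted claims)."""
    kind: str
    required_claims: Dict[str, object] = field(default_factory=dict)

    def admits(self, claims: Dict[str, object]) -> bool:
        if self.kind == "anonymous":
            return True
        if self.kind == "registered":
            return bool(claims.get("registered_user"))
        if self.kind == "claims":
            return all(claims.get(k) == v for k, v in self.required_claims.items())
        raise ValueError(f"unknown requesting-party kind {self.kind!r}")


@dataclass(frozen=True)
class Connection:
    resources: FrozenSet[str]             # ranking endpoints on one or more resource servers
    requesting_party: RequestingPartyRule
    allowed_clients: FrozenSet[str]       # apps allowed to ask on the requesting party's behalf
    scopes: FrozenSet[str]                # e.g. "view_score", "read_reviews"
    not_after: Optional[datetime] = None  # temporary access; None means no expiry


def evaluate(conn: Connection, *, resource: str, client_id: str,
             claims: Dict[str, object], scope: str, now: datetime) -> Tuple[bool, str]:
    """Authorization-server decision for one resource: (granted, reason)."""
    if resource not in conn.resources:
        return False, "resource not covered by this connection"
    if conn.not_after is not None and now > conn.not_after:
        return False, "connection expired"
    if client_id not in conn.allowed_clients:
        return False, "client not allowed"
    if not conn.requesting_party.admits(claims):
        return False, "requesting party does not satisfy policy"
    if scope not in conn.scopes:
        return False, f"scope '{scope}' not granted"
    return True, "granted"


# Constructed sample data: Alice's (score, maximum) on each resource server.
RANKINGS: Dict[str, Tuple[int, int]] = {
    "ebaj/rank/alice": (3, 5),
    "e-selling/rank/alice": (3, 5),
}
EXAMPLE_NOW = datetime(2013, 1, 31, tzinfo=timezone.utc)   # constructed clock
EXAMPLE_LATER = EXAMPLE_NOW + timedelta(days=31)           # past the 30-day window


def alice_policy(now: datetime) -> Connection:
    """Alice's connection: registered users, via the shops' own apps, score only, 30 days."""
    return Connection(
        resources=frozenset(RANKINGS),
        requesting_party=RequestingPartyRule("registered"),
        allowed_clients=frozenset({"ebaj-web", "e-selling-web"}),
        scopes=frozenset({"view_score"}),     # her reviews stay private
        not_after=now + timedelta(days=30),
    )


def request_reputation(conn: Connection, *, client_id: str, claims: Dict[str, object],
                       scope: str, now: datetime) -> Tuple[List[str], Optional[float]]:
    """What Bob's app gets back: the resources the connection released and the
    aggregated score (normalized to 0..1) across those resource servers, or None."""
    granted = sorted(r for r in conn.resources
                     if evaluate(conn, resource=r, client_id=client_id, claims=claims,
                                 scope=scope, now=now)[0])
    scores = [RANKINGS[r][0] / RANKINGS[r][1] for r in granted]
    return granted, (sum(scores) / len(scores) if scores else None)
```

The checks are ordered so that the reason returned names the first failing constraint; in a deployment the resource owner, not the requester, would see that reason, since telling an unauthorized requester which check failed leaks policy.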

Benefits

The UMA approach, with its mechanism for centralizing the policy decision on sharing reputation data, provides three main benefits:

Firstly, it aligns with the fundamental privacy requirement that individuals be able to determine what information will be revealed to which parties and for what purposes, how trustworthy those parties are and how they will handle the information, and what the consequences of sharing their information will be. More details about this aspect can be found here.

The second benefit, which can be considered an innovative driver for a collaborative economy, is the capability to aggregate reputation data from different service providers into a more complete and consistent picture.

The third benefit is the analytic capability: a graph of the trust relationships among the parties involved in the reputation data, which supports better reputation management. For more details on this topic, please see The Role of Data Visualization here.

About UMA

Follow the links below for more info about UMA:

Friday, October 12, 2012

User-Managed Access for Higher Education

If you are interested in the security and privacy challenges of data sharing, don't miss the next UMA Work Group webinar.
Next week, on the 17th of October (8am PT), the UMA Work Group will hold a free public webinar to discuss and provide live demonstrations of UMA's benefits for the higher education community and other communities where data sharing presents security and privacy challenges.

It will include an extensive demo of how students can manage access by a variety of prospective employers to distributed, trusted information about their educational achievements.

One UMA implementation, the SMART system developed at Newcastle University, is working to help students control the sharing of Transcripts of Records and other personal data hosted on University systems with future employers. Recently, the system was integrated with the UK Federation to provide these benefits to other British universities.

Join us!

Find webex information at http://tinyurl.com/umawg. 
Follow the group on Twitter at @UMAWG, hashtag #UMAedu for news.

Tuesday, June 26, 2012

UMA at Oracle Community for Security

Last week I had the opportunity to spread the word about User-Managed Access (UMA) at the Oracle Community for Security in Italy.
The Oracle Community for Security is an Italian community of qualified Oracle partners whose goal is to raise technical and business awareness among enterprises and the market. In recent years they have contributed interesting studies (in Italian) on "Return on Security Investments", "Healthcare Record Management" and "Privacy on Cloud and Mobile".
Since the community shares an interest in privacy and personal data protection, I explained UMA's concepts and benefits in this field, starting from today's challenges:
  • Privacy in social networks,
  • The emergence of the personal cloud and the personal data store (PDS),
  • Participatory personal data.
All these phenomena, along with mobile and pervasive computing, are the main drivers of personal data collection, processing and sharing, with a significant impact on the privacy of individuals.
This brief presentation (see slideshow below) describes these scenarios and how UMA helps users manage their personal data and sharing decisions.

Take Control of your Personal Data

Thursday, June 7, 2012

Securing Internet Payment Systems

Recently, the European Central Bank (ECB) released a report with a set of recommendations to improve the security of internet payments. The recommendations include:
  • General control and security environment.
  • Specific control and security measures for Internet Payments.
  • Customer awareness, education and communication.
The specific security measures for internet payments include:
  • Customer identification
  • Strong customer authentication
  • Enrollment for and provision of strong authentication 
  • Log-in attempts, session time-out, validity of authentication
  • Transaction monitoring and authorization
  • Protection of sensitive payment data
The following presentation, which I gave at the Security Summit 2012 (Rome), shows the Oracle approach to securing internet payment systems according to the ECB recommendations. In particular, it shows an intelligent model to prevent online fraud based on Oracle Adaptive Access Manager (OAAM), a context-aware risk analysis system. It also includes a brief introduction to the Managed Fraud Reduction (MFR) solution based on Oracle and British Telecom experience.

Sunday, April 15, 2012

Introduction to UMA. Part I

This is the first of a series of posts that aims to illustrate the User-Managed Access (UMA) protocol and the main needs it intends to address.

What is UMA
UMA is a protocol designed to give a web user (Authorizing User) a unified point of control for authorizing who and what can gain access to their personal data online, such as identity attributes, content (such as photos) and services (such as viewing and creating/updating a status), no matter where on the web all this information resides.


UMA allows the user to verify the suitability of the requesting party (Requesting Party) that receives authorization to access the personal data. The checks can include requests for information (for example "Who are you?" or "Are you over 18?") and promises (for example "Do you agree to the terms of disclosure of this information?" or "Can you confirm that your privacy and data portability policies meet my requirements?").

The following figure illustrates the high-level architectural model and the main actors involved in the authorization process of the UMA protocol.


How does UMA address the user's privacy and data-usage control requirements?
The suitability checks that the user may want to perform on the requester cannot be resolved by cryptography and web protocols alone; it is necessary to rely on agreements and on the accountability of the parties.

UMA does not adopt techniques such as DRM (Digital Rights Management), which uses cryptographic mechanisms to restrict access to the data before the data is sent.
More simply, and more conveniently for the end user (and for ease of adoption), UMA focuses on the user's visibility into, and control over, third-party access to the data.

UMA aims at a reasonable minimum level of enforcement of the authorization agreements, such that if the requesting party acts against the promises it accepted at access time, the data subject can seek legal recourse.


Thursday, March 8, 2012

Take Control of your Personal Data: An UMA perspective

Recently, the European Commission reviewed the EU Data Protection Directive, introducing new rules for the protection of personal data in a data-sharing context. The reason is straightforward: the scale of data sharing and collection has increased spectacularly. Online services are multiplying, and individuals are encouraged to make personal information available publicly and globally.

Privacy is a complex problem with many facets (think of Google's new privacy policy, which provides for combining personal data across different services, and the concerns about its compliance with European data protection legislation), and there is no easy way to address these problems without a legal framework and respect for the individual.

Nevertheless, state-of-the-art technology can help individuals reduce the risk of losing control of their personal data, empowering users to control personal data distributed among service providers through a centralized authorization service.

At the Kantara User-Managed Access (UMA) Work Group, headed by Eve Maler, we are developing specs that let an individual control the authorization of data sharing and service access made between online services on the individual's behalf.

UMA is designed with privacy in mind, with the goal of addressing the concept of Privacy by Design. UMA is inspired by this principle:
"The goal of a flexible, user-centric identity management infrastructure must be to allow the user to quickly determine what information will be revealed to which parties and for what purposes, how trustworthy those parties are and how they will handle the information, and what the consequences of sharing their information will be" - Ann Cavoukian, Information and Privacy Commissioner of Ontario (Privacy in the Clouds).

This approach significantly reduces the difficulty individuals face in staying in control of their personal data.
A typical scenario is online registration with a website in order to access its service. The scenario involves a host, where the individual stores the personal data, a requester, which is the website that provides the service, and an Authorization Manager, which makes the authorization decision on behalf of the individual.

Let me explain how this scenario matches the privacy principle from the UMA perspective:

What data will be revealed
Individuals can control what data will be revealed because they are involved in the protocol. First, the subject registers the resource that holds the personal data with a centralized Authorization Manager. This gives the individual a centralized view of what data is being collected.

UMA goes beyond just informing people of what will happen if something is shared; it lets them actively control sharing.

For what purpose
Individuals take an active part in defining how personal information is handled in the data-sharing process. With UMA's centralized Authorization Manager, the subject can define a sharing policy (a connection) stating for what purposes the personal data is shared (or collected), and retains control over it, including the possibility of cancelling or disabling the connection with a service provider (requester) at any time.

With which parties
Any attempt by any party (requester) to access personal data is intercepted by a policy enforcement point at the local service provider (the host), which refers the request to the Authorization Manager; the Authorization Manager is in charge of making the authorization decision. In this specific scenario, the Authorization Manager interacts with the subject to request consent before granting access to the personal data.
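The interception described above, together with the claims and promises a requesting party has to satisfy before the Authorization Manager issues a token (the "who are you?" and "do you agree to the terms?" checks from the UMA introduction, and Bob showing he is a registered user to meet Alice's terms in the reputation post), as an added example that is not part of the original post nor of any UMA implementation. The steps follow UMA (the host registers the attempted access and hands the requester a ticket and the AM's location; the requester trades the ticket plus its claims for a token; the host checks the token with the AM before releasing data), but the dict-based message formats, the claim names, the URIs and the consent callback are this example's assumptions:

```python
"""UMA-style exchange between a host (resource server whose get() is the policy
enforcement point), a requester (client) and the Authorization Manager (AM).

Added example, not the UMA Work Group's code nor any real implementation: the
dict message formats, the claim names 'registered_user' / 'accepted_terms' and
the consent callback are assumptions; tokens are random and kept in memory."""
import secrets
from typing import Callable, Dict, List, Optional


class AuthorizationManager:
    def __init__(self, consent: Callable[[str, str, Dict[str, object]], bool]) -> None:
        self._resources: Dict[str, dict] = {}   # resource_id -> {owner, host, scopes}
        self._tickets: Dict[str, dict] = {}     # permission ticket -> {resource_id, scopes}
        self._rpts: Dict[str, dict] = {}        # requesting party token -> permission
        self._consent = consent                 # asks the subject (owner); True grants

    def register_resource(self, owner: str, host: str, scopes: List[str]) -> str:
        """Step 1: the subject has the host register the resource with the AM."""
        rid = "res-" + secrets.token_hex(4)
        self._resources[rid] = {"owner": owner, "host": host, "scopes": set(scopes)}
        return rid

    def register_permission(self, host: str, resource_id: str, scopes: List[str]) -> str:
        """Step 2: the host's PEP reports an intercepted access and receives a ticket."""
        res = self._resources[resource_id]
        if res["host"] != host or not set(scopes) <= res["scopes"]:
            raise PermissionError("host or scopes not registered for this resource")
        ticket = secrets.token_urlsafe(16)
        self._tickets[ticket] = {"resource_id": resource_id, "scopes": set(scopes)}
        return ticket

    def token(self, ticket: str, claims: Dict[str, object]) -> dict:
        """Step 3: the requester trades the ticket plus claims and promises for an RPT."""
        perm = self._tickets.pop(ticket, None)   # tickets are single-use
        if perm is None:
            return {"error": "invalid_ticket"}
        missing = [c for c in ("registered_user", "accepted_terms") if not claims.get(c)]
        if missing:   # claims gathering: "who are you?", "do you agree to the terms?"
            return {"error": "need_info", "required_claims": missing}
        owner = self._resources[perm["resource_id"]]["owner"]
        if not self._consent(owner, perm["resource_id"], claims):
            return {"error": "access_denied"}
        rpt = secrets.token_urlsafe(24)
        self._rpts[rpt] = {**perm, "party": claims.get("sub")}
        return {"rpt": rpt}

    def introspect(self, rpt: str) -> dict:
        """Step 4: the host asks what the presented RPT permits."""
        perm = self._rpts.get(rpt)
        if perm is None:
            return {"active": False}
        return {"active": True, "resource_id": perm["resource_id"],
                "scopes": sorted(perm["scopes"])}


class Host:
    """Resource server holding the subject's data; get() is its policy enforcement point."""

    def __init__(self, name: str, am: AuthorizationManager, as_uri: str) -> None:
        self.name, self.am, self.as_uri = name, am, as_uri
        self._data: Dict[str, Dict[str, object]] = {}   # resource_id -> {scope: value}

    def protect(self, owner: str, data: Dict[str, object]) -> str:
        rid = self.am.register_resource(owner, self.name, list(data))
        self._data[rid] = dict(data)
        return rid

    def get(self, resource_id: str, scope: str, rpt: Optional[str] = None) -> dict:
        if scope not in self._data.get(resource_id, {}):
            return {"status": 404}
        if rpt is not None:
            info = self.am.introspect(rpt)
            if info["active"] and info["resource_id"] == resource_id and scope in info["scopes"]:
                return {"status": 200, "body": self._data[resource_id][scope]}
        # No token, or one that does not cover this resource and scope: intercept,
        # register the attempt with the AM and send the requester there.
        ticket = self.am.register_permission(self.name, resource_id, [scope])
        return {"status": 401, "as_uri": self.as_uri, "ticket": ticket}


def requester_flow(host: Host, resource_id: str, scope: str,
                   claims: Dict[str, object]) -> dict:
    """The website (requester) reading the subject's data end to end."""
    first = host.get(resource_id, scope)
    if first["status"] != 401:
        return first
    tok = host.am.token(first["ticket"], claims)
    if "rpt" not in tok:
        return {"status": 403, "detail": tok}
    return host.get(resource_id, scope, rpt=tok["rpt"])
```

Two details matter for the security of the exchange: the ticket is single-use, so a requester cannot replay it to obtain a second token after the owner has been asked once, and the RPT is bound to one resource and scope set by the AM, so a token obtained for one attribute is rejected by the host for another.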

The following picture shows an online consent request to the individual, based on the UMA user-experience study, applied to a mobile context.


The Role of data Visualization
Visualization plays a fundamental role in creating an abstraction layer for controlling distributed personal data. Last summer I had the opportunity to visit Newcastle University for four weeks to work on the SmartAM project, which is implementing the UMA spec, with the goal of studying and contributing to its human-interface aspects.

As a result of this study, we introduced two main concepts to enhance control over personal data. The first is the connection, which defines the context of a data-sharing policy: a visualization technique that helps the individual define and determine what data will be revealed and for what purpose, within an appropriate context. The second is an analytics feature that helps the individual keep track of the information that has been revealed.

The picture below shows an example of how the individual would see all the connections for their own personal data. In the middle of the example, "Personal Data" is shown in different contexts (e.g. Professional, University, Collab), and each context includes the requesters (Myself, Person, Groups, etc.) that have access to the data and the applications that have access on behalf of those requesters.


Building Trust
One of the most important and complex aspects, both for economic development and for encouraging individuals to adopt a distributed authorization system, is building a trusted ecosystem among individuals, service providers and requester services. The UMA WG is also defining a trust model in order to provide baselines for building technical and business trust. At this link you can read a blog post that gives a brief introduction to the model.