Thursday, January 31, 2013

UMA Approach to Protect and Control Online Reputation

Reputation plays an important and crucial role in the today economy. According to the Wikipedia definition, Reputation of a social entity (a person, a group of people, an organization) is an opinion about that entity, typically a result of social evaluation on a set of criteria.

Rachel Botsman delivered an interesting talk at TEDGloab 2012, where she stated that the concept of trust, across multiple platforms, would constitute the currency of a new collaborative economy, asserting that "reputation capital creates a massive positive disruption in who has power, influence and trust."

Nevertheless, Prof. Giovanni Sartor in his article "Privacy, Reputation and Trust: Some Implication for Data Protection", analyzes the privacy versus reputation-based trust, where the privacy, as self-determination over one's own personal data, seems to conflict with reliance based upon reputation.

In order to mitigate and balance the privacy issues, providing a better control on own personal data and encourage a collaborative economy, it is possible formalize a new approach based on UMA protocol.

This approach assumes the support of a legal framework for data sharing and data protection, harmonized with the legal requirements and obligations needed for the proposed model.  More details about Binding Obligation on UMA participant are available here.

UMA Approach

User-Managed Access (UMA) is a profile of OAuth 2.0. UMA defines how resource owners can control protected-resource access by clients operated by arbitrary requesting parties, where the resources reside on any number of resource servers, and where a centralized authorization server governs access based on resource owner policy.

Consider the following scenario:
  • Alice (Resource Owner) is an active user of e-commerce sites: eBaj and e-Selling.
  • Both e-commerce sites (Resource Services) provide a reputation ranking mechanism and the possibility to protect this information with Global Reputation System (Authorization Server) with which Alice maintains the control on her own data.
  • In her e-commerce experience, Alice has had good and bad experiences, so she has an average reputation ranking for both sites equal to 3 of 5.
  • Bob is a buyer (Requesting Party), and he would buy a camera from eBaj site (Client), and he finds that Alice is selling that article.
  • Before adding the article in the shopping cart, Bob want be sure about the seller’s reputation.
The picture below shows an example e-Commerce UI that allows Bob to request and view the Alice's reputation ranking.

Bob adheres to Alice’s term of authorization, showing he’s a registered user at the ecommerce site.

Bob can view Alice’s global reputation ranking according to Sharing Policy controlled by Alice.

Based on UMA approach, the Resource Owner (Alice) is able to control all online reputation info through specific sharing policy or terms of authorization, called connection.
You can find more details about UMA Connection on the study which explores visualization techniques to enhance privacy control user experience for UMA protocol, as part of my work at Newcastle University, contributing on the Smart Project.

The following diagram describes an example of the connection structure applied to protect reputation data.

A Connection includes:
  • Protected resource - this is the ranking info end-point, or an aggregation of them if they are available on multiple e-commerce sites (resource servers). 
  • Requesting party - is the entity who is requesting to view the ranking. It's possible to define anonymous entities, registered users or users which provides specific trusted claims. 
  • Client or App which is allow to request access to the ranking reputation data. 
  • Constraints can be used to limit the access to the info, temporary access based, or based on scopes (i.e read review or see only the ranking points).


UMA approach and the meccanism to centralize the policy decision for sharing reputation data provides three main important benefits:

Firstly, it provides a fundamental alignment with Privacy requirements to determine what information will be revealed to which parties and for what purposes, how trustworthy those parties are and how they will handle the information, and what the consequences of sharing their information will be. More details about this aspect can be found here.

The second benefit, that can be considered an innovative driver for encouraging a collaborative economy is the possibility and the capability to aggregate reputation data from different service provider to provide a more complete and consistent data.

The third benefit is related to the analytic capability which provides the ability to create a graph of the trust relationship among the parties involved on reputation data for a better reputation management. For more details about this topic, please see The Role of Data visualization here.

About UMA

Follow the links below for more info about UMA: