Many sites across the Web use OAuth-based protocols to share and grant access to users. OAuth, however, doesn’t always provide the granular control over user information that modern privacy requires, which is where the User-Managed Access (UMA) standard comes into the picture. UMA provides a profile for OAuth deployment that can enable more control over user information and access.
Helping to push the UMA standard forward is the Kantara Initiative, which is a multi-stakeholder effort to help advance digital identities. The Kantara Initiative today is launching the UMA Dev Working Group to help build tools and educate the market in an effort to boost UMA adoption.
UMA can enable access to information attached to a user identity for a specific length of time and for certain sites, Joni Brennan, Kantara Initiative executive director, explained. Examples include sharing medical records with specialists when needed and financial records with tax professionals at tax time.
“We know privacy and security are important, but what I love about UMA is it turns the conversation of privacy from one that is about protection and compliance to one that engages with users,” Brennan told eWEEK.
Part of the challenge of modern technology is that lots of data is collected on individuals and used in different ways, Brennan said. Typically, there is little or no control for individual users on how to interact with and control all the data that is collected.
For example, with photo-sharing, a user might just want to have the ability to share with anyone, Brennan explained. If it’s a user’s bank account, the access will be more restricted to financial services professionals. For a medical device, like a pacemaker’s information, users likely shouldn’t have any access to change information, but they might want to have visibility into the data that is being collected.
“Users should have a way to interact with their own data, whether it’s an Internet of things lightbulb or personal data from a device,” Brennan said. “The user should be able to verify and check the data, so UMA will give users a standard approach and a way to make the Internet much more of a two-way street in terms of how data is shared and managed.”
Brennan expects that UMA will also help build more trust between individuals and those organizations that hold their data. What has changed in the technology landscape that is driving the need for UMA adoption is increased awareness of threats from media reports around hacking, as well as the commercial deployment of Internet of things (IoT) devices, she added.
Having the user engaged in the process of identity is a key part of protecting privacy in Brennan’s view. UMA is a foundational core component in helping users control their data in the IoT world, she said.
“IoT changes the game because it changes how we do authentication and authorization,” Brennan said. “I know there is a lot of hype around IoT, but when we think about managing all the data from all the devices, it’s important to understand who has access, so we don’t end up in a dystopian environment.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.