According to a recent Pew Research study, 91 percent of Americans believe that they have little to no control over the collection of their personal data by third-party entities. ForgeRock wants to turn that on its head by giving Internet users complete control over their own data through the open source User-Managed Access (UMA) protocol. To that end, the company launched the new Kantara Initiative UMA Developer Resources Work Group (UMA Dev WG), which will release open source UMA implementations for Web applications and IoT platforms.
Eve Maler, ForgeRock's vice president of innovation and emerging technology, said, "As organizations collect more and more user information in order to deliver more personalized experiences to consumers, failing to offer those consumers a way to actually manage that personal information themselves is a privacy time-bomb. As a leader in the adoption of open identity standards, ForgeRock believes UMA is the right solution to apply before the problem explodes."
The UMA standard, which is based on the OAuth protocol, allows people to share their data digitally only when they decide to and for as long as they want. For instance, if a school requests a child's healthcare records at the beginning of the year, the parent could allow access to that data for only a short period of time during which the school can verify the records, but not any longer than that.
In the same way, financial information could be shared with tax accountants, or healthcare information could be shared with medical professionals. The data would remain under the user's control at all times, instead of being centralized in another place.
Having a third party store the data not only makes the aggregation of millions of people's data a more appealing target for malicious hackers, but the data may also not be kept under the strictest security standards, leaving it open to data breaches.
ForgeRock has created the new Kantara Initiative Working Group to provide free and open source tools for developers to incorporate the UMA standard into their applications in order to boost its adoption. The software will be offered in languages such as Java, C++ and Python to make it easy to add interoperable authorization, access control, privacy and consent features to application ecosystems.
The company has already managed to get the government of New Zealand and Philips to join the new working group, as they seem interested in deploying such privacy-oriented systems for their citizens and customers, respectively.
"Serving the needs of citizens in New Zealand in an efficient, privacy-preserving way calls for a customer-centric approach to access control and the tools to match. For example, students might want to share authoritative records of achievement with careers advisors and potential employers. We are therefore currently undertaking a proof of concept to explore UMA as a scalable standard that can help citizens interact with government more efficiently and conveniently," said Stuart Wakefield, CIO, Ministry of Education, New Zealand.