Sitting down with CBR’s Joao Lima, Eve Maler, VP of innovation and emerging technology from software firm ForgeRock, spoke about why data privacy has become a freedom issue.
Every day, we create 2.5 quintillion bytes of data according to IBM, and as enterprises adopt new IoT models and users connect their devices, this number is forecast to grow alongside concerns surrounding privacy.
"Data privacy is about one phrase that we use, about online data, but it is actually about the freedom we have to choose what happens to us in life. Privacy, over and above data privacy, is about decisional autonomy, meaning that we get to choose."
The VP stressed that discussions around data privacy need to widen their focus, and embrace the "decisional autonomy" that is being given to consumers.
"Privacy now becomes a freedom issue. It is not just a privilege, it is a right."
Maler gave an example of how this decisional autonomy is playing out in the US, where employers are trying to incentivise employees to combine different healthcare choices to help companies reduce health spend within their workforce.
"Employers want to get access to, for example, employees’ fitness wearables, and incentivise healthcare choices employees make."
Employers getting direct access to their workers’ data collides with what we learnt from Stephen Pattison, VP Public Affairs at ARM, last month while attending HyperCat’s IoT summit in London.
Pattison told the industry to "accept consumers own their data and we need to make sure consumers have a good sense that they own their data".
Maler said: "Data ownership is tricky because the multiplicity of stakeholders over data is a challenge. [In this space] OAuth is a really important technology, and in the OAuth architecture the person who is being redirected to log in and consent is called a resource owner."
OAuth is an authentication and authorisation protocol that enables third parties to act on the user’s behalf, for example when Twitter users allow an external application to run on their Twitter account and publish tweets for them.
"The person who logs in to an app, who has the right to controlled access to whatever data that is in that app or API, is a resource owner up to an extent. They get to authorise whoever gets access to the data. With resource ownership I am saying that when users have online data rights, they have a right to their data."
However, as the IoT increases data streams, rights and privacy are facing several international barriers.
"I do not think some countries’ approach to data is viable, when they say you have to use the cloud in our country to manage data.
"For example, Germany would have a higher standard than the EU, and other countries would have a standard that does not map. I do get the sense that a generic safe harbour approach is a really good way for managing liability in order to float up various parties to the standard of other entities and stakeholders.
"It does not seem viable for a vibrant IoT economy to go that way, because packets of data do not notice jurisdictional boundaries."
The VP explained that one solution is to take a "high water mark approach", which is to look for the highest standard intersection of all the answers.
User Managed Access
The need for these standards has led ForgeRock to work on User Managed Access (UMA), which is based on OAuth. UMA is an international standard developed at the Kantara Initiative.
The premise of using UMA is that, with web applications, people have been struggling to control their data and access to the APIs they interact with, and "this is increasing as more IoT devices come online".
"UMA is trying to turn the tables on the consent conversation that we often have about privacy. It is about putting the person in control of that data and giving him or her the opportunity to have Context, Control, Choice and Respect (CCCR)."