Consumers are often bombarded with opt-in “requests” to share their personal data, losing trust as they assent. In this session, Eve Maler will share insights and lessons learned from active PoCs that require a new generation of privacy and consent. Learn how UMA can be applied to authorization, consent, and delegation scenarios across a wide variety of sectors, and how the ForgeRock Identity Platform is delivering a practical UMA solution today.
Latest evidence:
Spotify last August: simple privacy policy change alarmed customers
Complaints, threats to leave (e.g. new Apple Music)
Lesson: commoditized? low switching costs, lack of sensitivity can hurt you even if the change wasn’t materially negative
Mobile Ecosystem Forum IoT consumer survey: trust issues biggest concern
NEW: On The Dark Web, Medical Records Are A Hot Commodity: Medical records go for US$60 each
NEW: “In January of this year, Melbourne’s largest hospital network was significantly impacted when a computer virus affected the hospitals Windows XP systems disrupting meal delivery and pathology results.”
(See: http://www.dw.com/en/spotify-feels-the-burn-after-privacy-policy-flub/a-18665269)
(See: http://www.fastcompany.com/3061543/on-the-dark-web-medical-records-are-a-hot-commodity)
(See: http://securityaffairs.co/wordpress/49472/data-breach/data-breaches-healthcare-sector.html)
(See: http://www.bizreport.com/2016/04/21-globally-have-concerns-that-iot-machines-will-take-over-t.html)
Image source: https://www.flickr.com/photos/vincrosbie/16301598031/
(See: http://www.pcworld.com/article/3106410/iot-is-now-growing-faster-than-smartphones.html)
End users: Customers, consumers, citizens, patients: They are cynical about data sharing in the post-Snowden era (see: Spotify), but demand a consistent digital experience across all channels.
Your organization: It’s trying to reach “escape velocity” with its strategic innovations, while navigating a cloud and API strategy that makes sense and a budget that never seems to grow.
The regulatory landscape: With GDPR and PSD2 (the revised Payments Services Directive) recognizing both loosely coupled services and the autonomy of individuals, consent to share data has gotten a lot more important. And security and data protection are just the start of the conversation.
The industry landscape: It now includes the Internet of Things, which requires newly constrained user experiences, along with other new technologies that affect user trust models such as blockchain and microservices.
In this familiar scenario, citizens interact with online data services to consent to (authorize or permit) the transfer of some attributes about them elsewhere so that a decision can be made about whether they can be issued a handicap badge.
Since in this UK scenario the citizen is currently responsible for re-applying for eligibility every three years, and eligibility can actually come and go fairly dynamically, it’s desirable for a citizen instead to monitor and control access to their attributes in a more empowered way, so they can just shut off consent whenever they don’t need the badge anymore and don’t want others getting access to that data. To do this, you can add a service that contains no PII itself but specializes in handling consent and delegation on the citizen’s behalf; it can make this monitoring and management over time possible, no matter how many data services are deployed.
It’s not unusual these days to want to build person-to-person data-sharing capabilities into applications. We’re used to it in productivity suites, so why not when doing our taxes?
The problem is that it’s not a core competency for any one company to run authorization services (same as the tax data service), and they’re likely to want to buy this functionality or even outsource it.
Also, sharing with outsiders means that they and their applications, by definition, may be outside our own domain.
It’s useful to address these challenges with an architecture that recognizes these boundaries.
(In the UK, the equivalent to the US’s “W-2 form” would be the “P60 form”.)
If you’re in the business of delivering a Health Cloud, and offer cloud services related to smart devices that you make, then it’s probably clear now why offering a sharing manager independently of your various data services for allowing patients to share data with physicians, caregivers, and others could be attractive for both compliance and your own company’s trustworthiness.
But it’s also possible to allow two-way data flow, so that when providers generate data, patients can store it back in their PHRs in a permissioned fashion.
And because authorized sharing is managed separately from data services, you can forge relationships with partners that make IoT devices and related cloud services.
And patients could finally have a clear way to authorize the donation of their sensitive health data for use in clinical research.
With apologies to John Gilmore’s famous saying about the ‘net and censorship
IT manages hundreds of API-fronted apps in the enterprise (and some outside). Alice is an employee who needs to delegate constrained access to app features/functions to fellow employees and partners within the ecosystem, giving IT – and herself – centralized visibility into the access granted.
Image source:
"John Gilmore Portrait" by Neurosynthetic - Own work. Licensed under CC BY-SA 4.0 via Wikimedia Commons - http://commons.wikimedia.org/wiki/File:John_Gilmore_Portrait.jpg#/media/File:John_Gilmore_Portrait.jpg
Inside the enterprise, the Share button in Google Apps gives us a good way to avoid less-secure patterns like password-sharing.
But even though enterprises may have hundreds of API-fronted services and apps, they probably don’t have Google’s resources to develop a nice delegated access model for them.
Some services are owned by SaaS vendors, some are internal, some are legacy with an API shim.
And sometimes employees need to share access with partners.
…expand…
New regulations are not just codifying current data protection practice
Many are giving user consent a much greater role in the privacy picture
At the same time, more organizations are recognizing that personal data has got to be a shared asset
You need to provide custodianship but also a relationship
(See: https://iapp.org/media/pdf/resource_center/GDPR-final.pdf)