Dark Reading is part of the Informa Tech Division of Informa PLC

11/9/2020
03:45 PM

Data Privacy Gets Solid Upgrade With Early Adopters

The United Kingdom and the regional government of Flanders kick off four pilots of the Solid data-privacy technology from World Wide Web inventor Tim Berners-Lee, which gives users more control of their data.

Solid, a technology aimed at redesigning the way users' data on the Web is accessed and giving users more control of their privacy, passed another hurdle on Nov. 9 when four organizations announced pilot projects with startup infrastructure provider Inrupt.

Designed by Tim Berners-Lee — the inventor of the World Wide Web — and the Massachusetts Institute of Technology, Solid is an open standard that gives users the ability to share their data with websites and companies while retaining control of who can access the information. Based on encryption and granular access controls, Solid allows users to grant or revoke access at any time to the information stored in its data structures, known as personal online data storage or pods.


On Monday, the United Kingdom's British Broadcasting Corporation (BBC), the National Health Service, and UK-based financial house NatWest, as well as Belgium's regional government of Flanders, all announced pilot projects in conjunction with Inrupt, the company said. Berners-Lee and John Bruce, a veteran of the cybersecurity industry and CEO of the firm, founded Inrupt in 2018.

"Until now, we haven't had much to say to people, except watch this space," Bruce says. We now have "an enterprise-grade version of what the open source community has been working on."

The Solid project aims to turn the diaspora of data spread out among proprietary Internet services into a more reliable and reusable — but still distributed — semantic web of linked data controlled by users. An application that needs access to a user's address will be able to access their pod — given prior permission — at any time. For the user, the pod represents their authoritative source of data: If the user's address changes, for example, that person only has to change the data in one place.

For companies, Solid promises to reduce their risk of violating privacy regulations because of breaches that steal sensitive user data by minimizing the data that is in their custody and, thus, part of their responsibility. Companies get the most recent data, and with less worry about leaking the data, but only for as long as the user allows them access, says Bruce Schneier, noted encryption expert and chief security architect for Inrupt.

"The basic idea is that your data is in your pod, under your control," he says. "If you want to do something, for example, that mirrors the data from your fridge with the data from your Fitbit, both of those datasets are both under your control, not under the control of the refrigerator manufacturer and of Fitbit."

While giving up data may be a hard sell to data-centric companies like Facebook — whom Schneier and others have called out for treating people like products and not customers — competitors to Facebook may embrace the technology to gain users, he says.

Berners-Lee has called out the current ecosystem of the Web for allowing deliberate malicious actions, creating perverse incentives that sacrifice its value to the user, and for giving rise to unintended consequences. To partly fix the problem, he worked with MIT to create a distributed data system that included user-controlled access policies. The Solid project took off in 2015, when a $1 million donation from Mastercard funded the research effort at MIT. 

The specification for Solid is open, and a version of the project is hosted on GitHub. Solid uses "vocabularies" — definitions of data that can be standardized so that applications know how to access specific types of data relevant to the application. The developer website describes a number of vocabularies for talking about specific types of data, from social interactions to licenses, and from online meetings to events.

"One of the core ideas behind solid is to make data independent from applications, so that one can be in control of his/her own data and share it with the apps of his/her choice," according to the Solid developer site. "For this to be possible, the same piece of data must be understood consistently from one app to another."

The promise of the Solid specification can be seen in the pilots announced on Nov. 9. The UK National Health Service will use Solid pods as a user-accessible medical record that can be a central location for doctors, in-home nurses, and caretakers to keep details about medical treatment. The BBC intends to create a content-recommendation engine that could allow third parties to access user data, with the user's permission; NatWest will create an app that allows users to cache important data, such as address or current employer, which will allow customers to create a single authoritative source of information about themselves that they control.

The government of Flanders, the northern part of Belgium, aims to go big with its adoption. The government will give every citizen a pod — or Citizen Profile — using Solid to use as a home for their personal data. The profile will be the authoritative source of up-to-date information on the user.

Inrupt is creating enterprise versions of the server and infrastructure needed for companies to create their own Solid applications. 

"I tend to think of this as the Red Hat model," Inrupt's Schneier says. "There is a public standard, and we have a commercial implementation. There is a public server, and then there is the enterprise-grade server and infrastructure that we are creating."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
 
