Dark Reading is part of the Informa Tech Division of Informa PLC


11/9/2020
03:45 PM

Data Privacy Gets Solid Upgrade With Early Adopters

The United Kingdom and the regional government of Flanders kick off four pilots of the Solid data-privacy technology from World Wide Web inventor Tim Berners-Lee, which gives users more control of their data.

Solid, a technology aimed at redesigning the way users' data on the Web is accessed and giving users more control of their privacy, passed another hurdle on Nov. 9 when four organizations announced pilot projects with startup infrastructure provider Inrupt.

Designed by Tim Berners-Lee — the inventor of the World Wide Web — and the Massachusetts Institute of Technology, Solid is an open standard that gives users the ability to share their data with websites and companies while retaining control of who can access the information. Based on encryption and granular access controls, Solid allows users to grant or revoke access at any time to the information stored in its data structures, known as personal online data storage or pods.


On Monday, the United Kingdom's British Broadcasting Corporation (BBC), the National Health Service, and UK-based financial house NatWest, as well as Belgium's regional government of Flanders, all announced pilot projects in conjunction with Inrupt, the company said. Berners-Lee and John Bruce, a veteran of the cybersecurity industry and CEO of the firm, founded Inrupt in 2018.

"Until now, we haven't had much to say to people, except watch this space," Bruce says. We now have "an enterprise-grade version of what the open source community has been working on."

The Solid project aims to turn the diaspora of data spread out among proprietary Internet services into a more reliable and reusable — but still distributed — semantic web of linked data controlled by users. An application that needs access to a user's address will be able to access their pod — given prior permission — at any time. For the user, the pod represents their authoritative source of data: If the user's address changes, for example, that person only has to change the data in one place.

For companies, Solid promises to reduce their risk of violating privacy regulations because of breaches that steal sensitive user data by minimizing the data that is in their custody and, thus, part of their responsibility. Companies get the most recent data, and with less worry about leaking the data, but only for as long as the user allows them access, says Bruce Schneier, noted encryption expert and chief security architect for Inrupt.

"The basic idea is that your data is in your pod, under your control," he says. "If you want to do something, for example, that mirrors the data from your fridge with the data from your Fitbit, both of those datasets are both under your control, not under the control of the refrigerator manufacturer and of Fitbit."

While giving up data may be a hard sell to data-centric companies like Facebook — whom Schneier and others have called out for treating people like products and not customers — competitors to Facebook may embrace the technology to gain users, he says.

Berners-Lee has called out the current ecosystem of the Web for allowing deliberate malicious actions, creating perverse incentives that sacrifice its value to the user, and for giving rise to unintended consequences. To partly fix the problem, he worked with MIT to create a distributed data system that included user-controlled access policies. The Solid project took off in 2015, when a $1 million donation from Mastercard funded the research effort at MIT. 

The specification for Solid is open, and a version of the project is hosted on GitHub. Solid uses "vocabularies" — definitions of data that can be standardized so that applications know how to access specific types of data relevant to the application. The developer website describes a number of vocabularies for talking about specific types of data, from social interactions to licenses, and from online meetings to events.

"One of the core ideas behind solid is to make data independent from applications, so that one can be in control of his/her own data and share it with the apps of his/her choice," according to the Solid developer site. "For this to be possible, the same piece of data must be understood consistently from one app to another."

The promise of the Solid specification can be seen in the pilots announced on Nov. 9. The UK National Health Service will use Solid pods as a user-accessible medical record that can be a central location for doctors, in-home nurses, and caretakers to keep details about medical treatment. The BBC intends to create a content-recommendation engine that could allow third parties to access user data, with the user's permission; NatWest will create an app that allows users to cache important data, such as address or current employer, which will allow customers to create a single authoritative source of information about themselves that they control.

The government of Flanders, the northern part of Belgium, aims to go big with its adoption. The government will give every citizen a pod — or Citizen Profile — using Solid to use as a home for their personal data. The profile will be the authoritative source of up-to-date information on the user.

Inrupt is creating enterprise versions of the server and infrastructure needed for companies to create their own Solid applications. 

"I tend to think of this as the Red Hat model," Inrupt's Schneier says. "There is a public standard, and we have a commercial implementation. There is a public server, and then there is the enterprise-grade server and infrastructure that we are creating."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...