Open Standards for Collecting of Data


Navarr Barnier

Jan 18, 2008, 9:24:07 PM
to DataPortability Google Group

I myself couldn't find anything on this, so I'm posting this.

I started work on an idea to create a site that would allow people to manage their online identities using DataPortability Workgroup Standards and Associations, but when looking at Privacy (as noted in other posts) I came across a problem.

A person would be able to manage and maintain separate informative profiles about themselves to share with the website, and I wanted these users to be able to say "yes, this website can access this data" or "no, this website may not access any data"; however, there are currently no standards listed here or in the blueprint addressing how websites are supposed to access that data so that users may request permission.

Are websites and social networks supposed to use something like "wget" to grab the XML and parse it all on its own? Or is there another way that they should do this and talk with the server so that the user can either grant or deny permission for the site to access his/her data?

-Navarr Barnier

http://tech.gtaero.net/

Stephen Adkins (spadkins)

Jan 19, 2008, 12:46:44 PM
to DataPortability.Public.General
Hi,

I think what is needed is a Free Software implementation of all the
proposed/agreed standards.
This and more is what the SharedUniverse Project
(http://www.shareduniverse.net) is organizing to do.
It was as I was organizing the SharedUniverse Project that I came to
be aware of dataportability.org.
SharedUniverse also intends to host whatever services are developed
for the community's benefit at no charge.
Anyone who wishes to help implement actual code that implements these
standards is invited to collaborate through SharedUniverse.

Stephen Adkins

Navarr Barnier

Jan 20, 2008, 12:37:09 PM
to dataportabi...@googlegroups.com
This is pretty much the same idea as what I have been attempting to
implement. However, with an ever expanding web, there will be several
services like this.

However, my problem has not yet been addressed.

The fact is that users who will be "porting" their data around the net will
want to have a layer of privacy over it. They will have a single common URL
(their OpenID) to plug into websites, who will relocate to the server and
verify them and such. However, what if that website wants to check their
FOAF file? We can't just leave all of the user's FOAF data out for the
world to see. A website he is using for business might pull information
about his personal life, his girlfriends, his "sexual habits" and display
them on a business website. That's no good. There needs to be some way for
the user to verify that a site is allowed to access his FOAF file, and what
type of data in it they are allowed to access (using a server-side script to
only display that information in the actual FOAF file).

Do you see my drift? However, current discovery methods with OpenID and
XRDS do not address this.

Is there any currently implemented solution to this problem?

I just came up with an idea, but before I write about it, I want to make
sure that there are no current methods to achieve this.

-Navarr Barnier
http://tech.gtaero.net/

Josh Patterson

Jan 20, 2008, 1:28:33 PM
to DataPortability.Public.General
One of the earlier efforts of the initial dp.org group was kicking
around an idea called "WRFS" to do, well, basically this at runtime.

Basically WRFS treats the web as a single db / FS, and allows say a
3rd party app to runtime "Discover" all of your images, videos, social
graph, and be able to use that (securely). An openID-like indexing
service allows only certain parties to see certain data (think FOAF,
but with controls, and security, probably rendered as XRDS, but
possibly RDF, OWL, or FOAF render options). Lots and lots of
applications could be built on top of this stack.

Originally the private work group was around 25 members, and it was a
little thing, so we were looking at different things for our
respective projects and startups. After the scoble thing, it became,
well, just way too big and I spun WRFS off so there was no confusion.

The WRFS group is at:
http://groups.google.com/group/wrfs

Early sketches:
http://cowbell.floe.tv/WRFS_11_20_2007.html

Current prototype (non-draft, non-spec, just a working document for the
WRFS group):
http://wrfs.googlecode.com/svn/trunk/Docs/Draft1/WRFS_Spec_MDraft_v0_1.xml
(run that xml ball through: http://xml.resource.org/ to convert it to
a html document)

We're currently quietly working on an early prototype, and a lot of
early dp.org workgroup members cross pollinate the groups. If you are
interested in *writing code* and working on the prototype, then you
are more than welcome to join the group.


Josh Patterson


Navarr Barnier

Jan 20, 2008, 2:18:46 PM
to dataportabi...@googlegroups.com

Again, another similar idea, but it does not address the problem. So far, all that's been posted here are projects that are doing the same thing. The question here, and I will post it again, is how that information is discovered securely. This question is not covered in the WRFS early sketch or "prototype"; it just says it will do it securely. It doesn't explain HOW the user grants that site access to his/her data. In fact, after reading the WRFS sketch, it seems more like that data isn't protected at all, and that the site auto-discovers it. Now, this is okay for a desktop or web application that lets users handle their data and doesn't read it, but what I'm inquiring about is the protocol that would allow users to say at login "Okay, this website can access my Business FOAF and any photos marked in the category business", and when the site sends a request for the user's FOAF, the site holding the data goes "Okay, here is the user's FOAF" and sends a FOAF that contains only the information marked with a business "tag", per se.

So far, all I've seen are other projects that want to do the same thing, but I have not seen the method which gives the user that ability. Am I missing something? Am I accidentally skipping something in the sketches?

-Navarr Barnier

Paul Jones

Jan 20, 2008, 2:45:31 PM
to dataportabi...@googlegroups.com
The primary intended security mechanism behind many of these ideas is OAuth. Whilst the URL is freely discoverable via the appropriate mechanism, and perhaps the format of the information is too, to actually access the content a valid OAuth token needs to be held. This will require explicit user authorisation.

Many sites have already developed their own security mechanisms. The intent of WRFS is to work with these (and not necessarily require them to re-implement their security mechanisms). The purpose of WRFS is definitely not to remove security restrictions.

Paul
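
The flow Paul describes above, and the "server-side script that only emits the business-tagged part of the FOAF file" that Navarr asked for, put together as an added example. This is not code from the DataPortability, WRFS or SharedUniverse projects: the identity host URL, the consumer key/secret, the token, its granted "business" tag and the profile entries are all constructed for illustration. The relying site signs its request with OAuth 1.0a HMAC-SHA1 (RFC 5849); the identity host checks consumer, token binding, timestamp, nonce and signature, then renders only the FOAF properties whose tags the user granted to that token.

```python
"""Added example: OAuth 1.0a-protected FOAF endpoint that returns only the
slice of a profile the user authorised for the presenting token.
Constructed data throughout; not project code."""
import base64
import hashlib
import hmac
import html
import time
import urllib.parse
import uuid

def pct(s) -> str:
    # RFC 5849 s3.6 percent-encoding: only unreserved characters stay bare.
    return urllib.parse.quote(str(s), safe="-._~")

def base_string(method, url, params) -> str:
    # METHOD & encoded(base URL) & encoded(params sorted by encoded key, value)
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret) -> str:
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

# --- relying site (the "business website") ---------------------------------
def client_request(url, consumer_key, consumer_secret, token, token_secret):
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,  # issued earlier, after the user approved this site
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time())),
        "oauth_nonce": uuid.uuid4().hex,
    }
    params["oauth_signature"] = sign("GET", url, params, consumer_secret, token_secret)
    return {"method": "GET", "url": url, "params": params}

# --- identity host holding the user's FOAF (constructed data) ---------------
CONSUMERS = {"biz-site-key": "biz-site-secret"}
TOKENS = {  # token -> (token_secret, consumer it was issued to, tags the user granted)
    "tok-biz": ("tok-biz-secret", "biz-site-key", {"business"}),
}
PROFILE = [  # (FOAF property, value, tags the owner attached)
    ("foaf:name", "Navarr Barnier", {"business", "personal"}),
    ("foaf:workplaceHomepage", "http://tech.gtaero.net/", {"business"}),
    ("foaf:interest", "online identity", {"business"}),
    ("foaf:knows", "someone from his personal life", {"personal"}),
]
SEEN_NONCES = set()
MAX_SKEW = 300  # seconds a timestamp may differ from server time

class AuthError(Exception):
    pass

def serve_foaf(req, now=None) -> str:
    """Verify the signed request, then render only the granted triples."""
    now = time.time() if now is None else now
    p = dict(req["params"])
    sig = p.pop("oauth_signature", None)
    consumer_secret = CONSUMERS.get(p.get("oauth_consumer_key"))
    tok = TOKENS.get(p.get("oauth_token"))
    if sig is None or consumer_secret is None or tok is None:
        raise AuthError("missing signature or unknown consumer/token")
    token_secret, bound_consumer, granted = tok
    if bound_consumer != p["oauth_consumer_key"]:
        raise AuthError("token was not issued to this consumer")
    try:
        ts = int(p.get("oauth_timestamp", ""))
    except ValueError:
        raise AuthError("bad timestamp")
    if abs(now - ts) > MAX_SKEW:
        raise AuthError("stale timestamp")
    nonce_key = (p["oauth_consumer_key"], ts, p.get("oauth_nonce"))
    if nonce_key in SEEN_NONCES:
        raise AuthError("replayed nonce")  # cheap checks first, HMAC last
    expected = sign(req["method"], req["url"], p, consumer_secret, token_secret)
    if not hmac.compare_digest(expected, sig):
        raise AuthError("bad signature")
    SEEN_NONCES.add(nonce_key)
    return render_foaf([(prop, val) for prop, val, tags in PROFILE if tags & granted])

def render_foaf(triples) -> str:
    lines = ['<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"',
             '         xmlns:foaf="http://xmlns.com/foaf/0.1/">', "  <foaf:Person>"]
    lines += [f"    <{prop}>{html.escape(val)}</{prop}>" for prop, val in triples]
    return "\n".join(lines + ["  </foaf:Person>", "</rdf:RDF>"])

def demo() -> dict:
    url = "http://id.example/navarr/foaf"  # hypothetical identity host URL
    req = client_request(url, "biz-site-key", "biz-site-secret", "tok-biz", "tok-biz-secret")
    doc = serve_foaf(req)
    out = {"business_visible": "foaf:workplaceHomepage" in doc,
           "personal_hidden": "foaf:knows" not in doc}
    forged = client_request(url, "biz-site-key", "guessed-secret", "tok-biz", "tok-biz-secret")
    for name, bad in (("replay", req), ("forgery", forged)):
        try:
            serve_foaf(bad)
            out[name + "_rejected"] = False
        except AuthError:
            out[name + "_rejected"] = True
    return out
```

`demo()` shows the three properties that matter here: the site holding the business token sees `foaf:workplaceHomepage` but never `foaf:knows`, a re-sent request is rejected on its nonce, and a request signed without the consumer secret fails the signature check. The tag filter runs after authentication, so the FOAF document itself is never exposed unfiltered; a real deployment would persist nonces with an expiry instead of an in-memory set.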

MScri...@gmail.com

Jan 21, 2008, 1:22:50 PM
to DataPortability.Public.General
Navarr,

I think you are hitting on an interesting and important area. I am
considering data portability from the perspective of the Health Care
industry. I see the Personal Health Record (PHR) as an incredible
opportunity for the data portability movement. The PHR should be
exactly that - PERSONAL and not a resource owned or controlled by your
Health Care Insurer. The PHR is bigger than any one company. As our
PHR moves on line it becomes far more complicated. The PHR is
something very private but at the same time it is an aggregate record
that is compiled from multiple sources. We also will want to share
parts, or almost all, of our PHR with medical specialists.

I am coming to the view that solving the challenges for the PHR in a
way that preserves privacy but enables easy, fine-grained disclosure
to approved people and entities.

- Mark Scrimshire
http://ekive.blogspot.com


Paul Madsen

Jan 21, 2008, 2:35:43 PM
to dataportabi...@googlegroups.com
Hi Navarr, Liberty Alliance ID-WSF [1] defines a Discovery Service for just this use case.

Whenever a user chooses some provider to host/serve some slice of their identity (or chooses to host it locally), that provider registers this fact at the user's Discovery Service. If and when some site desires a particular slice of the user's identity, that site queries the user's Discovery Service for the location of those attributes.

All of the above happens (if deployed so) securely & privately.

regards

Paul

[1] = http://www.projectliberty.org/resource_center/specifications/liberty_alliance_id_wsf_2_0_specifications_including_errata_v1_0_updates