UMA webinar recording now available
User-Managed Access (UMA) lets web application creators easily craft systems that give control of data back to the people. Any web-based data ecosystem can leverage UMA, including eHealth and eGov portals, social networking sites, photo sharing portals, and personal data stores. It offers individuals centralized security, privacy, and control for sharing data with friends and family, business associates, and organizations. And it allows apps to offer sophisticated privacy and sharing options without a lot of software development. One UMA implementation, the SMART system from Newcastle University, leverages Facebook friends for sharing; others could use the new Google+ Circles system, which allows sharing within circles of contacts.
The audio and video recording of the UMA webinar from July 13 is available at http://kantarainitiative.org/confluence/display/uma/Home or http://bit.ly/UMAWebinar110713
“Like” UMA on Facebook at http://www.facebook.com/UserManagedAccess.
Follow the group on Twitter at http://www.twitter.com/umawg and hashtag #UMAWG.
Announcing User-Managed Access: UMA Gives Data-Sharing Power to the People
Kantara Initiative has announced the release of a Draft Recommendation for the User-Managed Access (UMA) protocol. UMA heralds a new era of user-centric access control for web-based applications such as social networking sites, content-sharing portals, and personal clouds.
PISCATAWAY, NJ, USA – July 7, 2011 – As we spend more time online, our data becomes more prolific and widely dispersed across sites. Data privacy and security have become onerous issues. Kantara Initiative’s User-Managed Access Work Group (UMA WG) has published a Draft Recommendation for a user-managed data access protocol and contributed it to the Internet Engineering Task Force (IETF) standards body to solve these problems.
UMA lets web application creators easily craft systems that give control of data back to the people. Any web-based data ecosystem can leverage UMA, including eHealth and eGov portals, social networking sites, photo sharing portals, and personal data stores. It offers individuals centralized security, privacy, and control for sharing data with friends and family, business associates, and organizations. And it allows apps to offer sophisticated privacy and sharing options without a lot of software development. One UMA implementation, the SMART system from Newcastle University, leverages Facebook friends for sharing; others could use the new Google+ Circles system, which allows sharing within circles of contacts.
Aad van Moorsel, Director of the Newcastle University Centre for Cybercrime and Computer Security, says: “The UK government will increasingly offer Internet-based services. The data shared in such services can be sensitive since it may include employment history, exam results or health information. UMA provides the technology to share such data safely, putting the citizen in control. We strongly believe UMA will be a cornerstone for future eGov services, and are working to publish our SMART software as an Open Source UMA implementation.”
Mario Hoffmann, Head of Secure Services & Quality Testing of Fraunhofer AISEC, remarks: “User empowerment serves as a key enabler for trustworthy and trusted service usage on the Internet. UMA supports developers through a security- and privacy-by-design approach. The user-centric concept of UMA is the basis for managing access policies to personal data, claims, and attributes in a unified, balanced and comfortable way.”
Drummond Reed, Founder and Chairman of Connect.Me, comments: “This milestone for UMA could not come at a better time – interest in user-managed data sharing is exploding. Social networks have made people more comfortable with online sharing, and now UMA brings us a standard way for users to share data across many different sites and services without losing control of that information. Connect.Me looks forward to bringing the power of UMA to our users.”
Iain Henderson, Co-Founder of the Mydex Community Interest Company, says: “The publication of the draft specs for UMA is a great step forward in enabling the individual to better realise the value of their personal information. The Mydex team sees this release as of direct relevance to a number of existing initiatives in both public and private sectors, and we look forward to deploying it later in 2011.”
The WG will demonstrate UMA’s benefits in a public webinar on Wednesday, July 13, at 9am Pacific time. All are welcome to attend.
Register and find out more at http://tinyurl.com/umawg.
“Like” UMA on Facebook at http://www.facebook.com/UserManagedAccess.
Follow the group on Twitter at http://www.twitter.com/umawg and hashtag #UMAWG.
About Kantara Initiative
http://kantarainitiative.org/
About the UMA WG
http://tinyurl.com/umawg
###
Media Contact
Dervla O’Reilly
+1-415-731-4487
dervla[at]kantarainitiative[dot]org
June News Round-Up
Catch the round up of recent updates from Kantara Initiative:
- Authorization Standards Workshop at Burton Catalyst San Diego, July 27, 12:30-2:30pm
- Merger of Kantara’s IdP Selection WG into ULX WG
- Kantara Initiative Meeting, Oct. 19-21, Paris, France hosted by Orange-FT
- Kantara Initiative announces the formation of the Federation Interoperability Work Group (FIWG)
- Kantara Initiative Announces Identity Assurance Framework 2.0
- Announcing Yasuhisa Sakamoto & Toshihiro Suzuki as Kantara Initiative’s Japan WG co-chairs
- Kantara Initiative Engages Drummond Group to Manage Global Interoperability Program
- Comparing OAuth and UMA – by Eve Maler
- Kantara speakers featured at Burton Catalyst Prague, June 21-24, 2010
- Kantara Initiative Webcast via BrightTALK: Identity Assurance Frameworks within Federated IAM Systems, May 6 - listen and view the audio of this Webcast
- Catch up on recent activities at industry events: UMA at EIC 2010, IIW X round-up
- What exactly is “open” in Open Identity?
- Industry events – contact Dervla O’Reilly regarding discounted conference rates: pii2010, August 17-19, Seattle, Hacker Halted October 9-15 Miami, WHIT 6.0 Nov. 8-10 Washington D.C., Gartner Identity & Access Management Summit November 15-16 San Diego
Abbie Barbir elected as P3WG Chair
Abbie Barbir (http://www.oasis-open.org/about/distinguished-contributors.php) has just been elected by his peers to Chair the Kantara Initiative Privacy and Public Policy Work Group (http://kantarainitiative.org/confluence/display/p3wg/Home).
According to Abbie, the Kantara Privacy and Public Policy WG (P3WG) plays an important role in identifying the steps that are needed in the community to help ensure better privacy outcomes for users, data custodians and other stakeholders across the Internet and other public domains. The P3WG intends to be actively engaged with other stakeholders such as ISO/IEC JTC1, ITU-T SG 17 and OASIS to ensure that common frameworks, privacy-enabling technology (PET) standards, operational criteria and privacy-enhancing culture, policies and best practices are adopted at the international level. Abbie Barbir invites all interested individuals to participate in this important activity by joining the P3WG today (http://signup.kantarainitiative.org/?selectedGroup=8).
Kaspersky on Internet Anonymity
Noted anti-virus vendor Eugene Kaspersky has weighed extravagantly into the larger security problem, arguing that “anonymity causes security headaches and should be outlawed” (http://blogs.computerworld.com/14940/eugene_kaspersky_wants_no_net_anonymity). So he wants an Internet Passport.
This is surely madness. The social repercussions are obvious, while it’s not at all clear what problem it might solve.
Most cybercrime is actually associated with an *excess* of arbitrary identification, with inadequate safeguards. For the average user, anonymity in reality has become a luxury. The simplest credit card purchase requires an inordinate amount of identifying information to be divulged, to total strangers, who then pass it all onto third party processors no one has ever heard of.
Mainstream authentication is so difficult to use that most users choose the same password for all services. The Federated Identity and Single Sign On movements, typified by OpenID, amount to the same thing. Everything gets linked to everything else. This is hardly the “anonymity” that Kaspersky so dreads.
It’s also likely that, like many before him, he’s underestimated the legal complexity and cost associated with general purpose Internet identities. Who will issue and warrant an Internet passport, vouchsafing the bearer in all contexts? This is what’s stopped authentication broker schemes to date. Some of my own analysis of these issues is presented in brief at http://lockstep.com.au/library/babysteps/babyste13-identity-silos and http://lockstep.com.au/library/babysteps/babystep-15-introducing-ident.
Of course, what would happen is that any real world Internet passport would come with risk-managed warranty limitations. It wouldn’t be good for all conceivable transactions, only ones that the issuer has been able to analyse and circumscribe. For other uses, the holder would need to supplement their passport with other credentials suited to the context … and we’d be back where we started.
Advocates of Internet passports should re-visit how a conventional passport works, and reconsider their metaphor. A passport is not a universal key to cross all borders; many countries require you to obtain a visa, to make sure you meet their security, cultural and political norms. That is, risk profile, appetite and management strategies vary from one country to another (just as they vary in e-business from one segment to another) and there really is no universal passport.
So I say to Kaspersky, an Internet passport is utopian, and proper anonymity would be a blessing! To solve cybercrime, we don’t need any new passport, rather we need to protect the plurality of identities we already have against online theft and abuse.
Posted on behalf of:
Stephen Wilson
Lockstep Group
http://www.lockstep.com.au
EU to legislate on cookies
UK readers will probably remember one of those legal wrangles which make for such easy satire – the protracted argument over whether a Jaffa Cake is a cake or a biscuit (for VAT purposes, of course…)
It looks as though the European Commission is heading towards a similar argument about cookies – though there may not be much discussion, as the Directive in question has apparently already been approved and merely awaits a few signatures and a rubber stamp or two.
This is about amendments to 2002/58/EC; the Directive on Privacy and Electronic Communications. There are amendments to several areas of the original Directive, but the one which is currently exercising an articulate group of higher-education identity federation experts is nicely summarised here, by Struan Robertson of law firm Pinsent Mason. I recommend a read of his blog post; it isn’t often you see a lawyer describe proposed legislation as “breathtakingly stupid”… but I should also point out that he makes that comment off his own bat, so to speak, and not on behalf of his employers.
The amendments in question are apparently intended to regulate the storing and use of cookies on end users’ devices. I say “apparently”, because the further one gets into the practicalities of it, the less clear it is how the legislation could be put into any meaningful practice.
I’ve no doubt the intent of the amendments is both clear and laudable: to improve privacy outcomes for (EU) citizens going about their online life. In practice, though, there are pitfalls which the legislation seems doomed to encounter – several of them probably fatal.
The way the amendment is phrased (it’s a replacement of Article 5.3, for those who like to read that kind of thing – see Struan’s post, or read p.77 of the document here if you prefer the unexpurgated version) makes it fairly clear to me that what they are trying to regulate is access to the end user’s machine. In other words, if you want to put something on my PC, or read something you put there earlier, you will need to be able to show that I gave my consent. As I say, laudable and straightforward. Until you start to go through the permutations:
- What if I’m using my PC outside the EU?
- What if I’m inside the EU, but accessing a cookie-setting site which is outside the EU?
- What about non-EU citizens, in the EU, accessing EU sites?
- Or non-EU citizens accessing EU sites from elsewhere?
- Or non-EU citizens accessing non-EU sites via a mobile device, roaming through an EU telco?
- … and so on and so on…
There are many other aspects one could dive into similarly – such as “what counts as consent?”, or “how on earth will users cope with all those pop-ups” – but we haven’t got all week.
Before long, a yawning gap opens up between what the legislation is capable of saying, and what it would take to describe something implementable. Depressingly, this really should not have come as a surprise either to the legislators or their drafters. After all, this is merely the next evolution of some quite long-standing network-mediated problems:
- the advent of satellite broadcasting introduced us to the problems of whether such services were to be regulated at the “up-link”, the “down-link”, or some combination of both;
- internet e-commerce has given us plenty of opportunities to work out how you establish distance contracts, between parties under different regulatory regimes.
On that basis, there seems to me to be no excuse for this current legislative initiative to be so woefully half-baked.
All of which brings us back, in a way, to the humble Jaffa Cake; and why not? For those who didn’t follow the saga, this went as far as a court case between leading manufacturer McVitie and Her Majesty’s Customs and Excise, as they were at the time. The conclusion was that legally, they are cakes. The court found that a cake is something which starts off soft and goes hard when it gets stale… whereas a biscuit, they found, starts off hard and goes soft as it gets stale. The majesty of the law leaves me awe-struck sometimes, it really does.
This one’s for the Prof…
I recently attended a very engaging lecture at the London School of Economics (LSE) by Prof David Lyon – who spoke about “Identity as Surveillance – Security, Surveillance and Citizenship”.
I do hope he subsequently saw this article from the BBC, on the opening day of the Labour Party Conference: “Lord Mandelson denied entry to conference“, because I’m sure it would give him a good laugh.
Apparently, the Noble Lord, First Secretary of State, Secretary of State for Business, Innovation and Skills, President of the Board of Trade and Lord President of the Council could not, initially, get into the conference because there was a problem with his pass. Maybe they couldn’t fit his title onto it. The press were naturally quick to savour the irony that Peter Mandelson, the man perhaps most identified with New Labour, should be unable to identify himself to the satisfaction of the party’s gatekeepers.
What this has to do with Prof Lyon’s talk is this: one of his themes was the way in which identity systems (particularly national ones) permit, enable and encourage judgements to be made about individuals on the basis of “actuarial criteria”, even if other methods would be more reliable (and more respectful of personal privacy).
An example Prof Lyon gave was this: research work by John Taylor and Miriam Lips (full text of paper available online here) investigated the use of online identity data by the DVLA ([UK] Driver and Vehicle Licensing Agency) when someone applies online for a driving licence. The researchers noted that the DVLA submits the applicant’s details to the credit reference company Experian, which attempts to corroborate the applicant’s identity assertions by matching them against databases of Credit Applications and Addresses. Experian then applies a weighting which assigns a ‘trust score’ to the applicant’s assertions, based on the apparent quality of the applicant’s digital footprint (as revealed by the database enquiries). These actuarial measurements are then used by the DVLA to govern the subsequent processing of the application transaction.
Prof Lyon’s point was that this ‘trust score’ mechanism goes beyond a simple assessment of whether or not the applicant’s address can be corroborated. The score is enhanced more, for instance, if the applicant’s records indicate that they have had a lot of interactions with clearing banks, than if the indication is that the applicant has had a lot of interactions with mail-order companies.
The implication of this is that subsequent processing of the DVLA application is determined not just by past records, but by inferences based on supposed future behaviours of the applicant – whether or not those inferences are in fact accurate.
Basically, this is what starts to happen, the more you architect systems on the basis of actuarial criteria in support of the categorisation of individuals, and the more you remove notions of human judgement and discretion from the process. Admittedly, that’s not always a bad thing – after all, humans are fallible too. But if you design humans into the process rather than out of it, you get fewer embarrassing incidents such as the sight of Labour’s “eminence grise” being locked out of his own conference…
P3WG and Levels of Assurance
As you may know, I’ve recently set up the Privacy and Public Policy Work Group (P3WG) for the Kantara Initiative, and as we start mapping out the areas in which the Group wants to exercise an influence, one topic has generated more discussion than anything else on the mailing list. It goes by the rather uninformative name of “LOA”, or Level of Assurance. Even if you’ve never heard of LOAs, they have played a major part in your life online and off.
I’ve blogged before about what I call the “Chain of Trust” – namely, the sequence of events all of which need to be working if a credential is to work properly when you present it. In other words, for instance, if you apply for a passport in the name of Michael Mouse and the passport office doesn’t bother to check whether there’s any evidence that that is your name, the resulting passport won’t be that reliable as an indicator of your identity (even though people may assume that it is). Similarly, driving licences would not be much use as an indicator of which vehicles you’re entitled to drive, if it was possible for you to alter what the licence says… and if you tell someone the PIN of your ATM card, it is no longer effective as a way to ensure that only you can take money out of your account (in fact, the bank is likely to take it as de facto evidence that you must have been responsible for the transaction, even if it wasn’t you who actually used the card and PIN…).
These are just three examples of the many ways in which the Chain of Trust can fail, at the Registration/Verification phase, over the life of the credential, and at the authentication step, respectively. There are many other points at which the Chain can be compromised and the reliability of the credential (or the assertions made using it) undermined.
LOA is about protecting the first of these – the point at which someone decides whether or not to issue a credential which represents you in some way. In other words, if you can present a relying party with not just a credential, but a ‘score’ which indicates how reliably that credential was issued to you, they can judge whether it’s more likely that you are actually Michael Mouse, or that whoever gave you a passport saying so was not doing their job very well.
That, in turn, will give them useful information about what decisions to make next, particularly if they decide that the answer to your authentication question is “yes”.
The UK and US governments both have relatively simple 4-level LOA models (though, inconveniently, one runs from 0-3 and the other from 1-4…). Omitting the ‘index value’ for a moment, the four levels look remarkably similar. In fact, if I adopt a slightly different scale, just to paper over that difference, we might get something like this:
Rare
UK: no authentication of identity
US: little or no confidence in the asserted identity
Medium rare
UK: basic authentication
US: some confidence in the asserted identity
Medium
UK: greater level of assurance (e.g. credentials based on proof of identity to a third party)
US: high confidence in the asserted identity
Well done
UK: identification beyond reasonable doubt
US: very high confidence in the asserted identity
So far so good. However, when it comes to putting this simple model into practice, and because we’re talking about assurance here (and therefore judgement), a couple of different approaches emerge.
One is to give a technical specification of the kinds of authentication technology which should or must correspond to an implementation claiming to be at a given LOA level.
Another is to relate the LOA levels to levels of risk, and allow the implementer to work out how they think that risk is best mitigated.
You might think that a third, better solution would be to combine the two… define organisational risks in a way which allows them to be assessed against the four-level model, and then have a technical specification list which says: “if you face this level of risk and you want this level of assurance, you need technology such as ‘x’, implemented with the following governance measures”.
Actually, I have a better idea… if you have opinions on this question (better still, if you have a good answer), come and sign up to the Kantara P3WG and join the discussion. We’d love to hear from you.
IP@ = PII v ¬PII?
Apologies for the rather opaque title of this post. In its expanded form, it would read something like this: “IP addresses: are they personally identifiable information within the meaning of the law, or not?”… but that would be a bit long.
The question is prompted by the latest legal ruling on the subject, this time from a US federal judge in Seattle, issuing a written decision in a class-action case between consumers and Microsoft. The judge ruled that they are not: IP addresses identify computers, not people, he concluded, and therefore do not constitute personally identifiable information.
I think there’s a technical and a pragmatic side to any discussion of this conclusion. Technically, the argument could well rumble on; after all, if I tell you the IP address “192.168.1.1”, does that identify anything, let alone a person versus a computer? It is probably recognisable as the default starting point for the IP address range behind the average domestic firewall/router. So, the address “192.168.1.1” doesn’t uniquely identify any computer… but then again, the address the firewall/router exposes to the ISP doesn’t uniquely identify any of the computers it shields, either… so on examination, the judge’s argument doesn’t stand up – as presented, at least.
Does the pragmatic approach fare any better? Well, in some jurisdictions the argument has already moved on. In some EU member states, the current position is closer to this: IP addresses constitute personally identifiable information if the entity processing them can reasonably be considered to have access to data, linkable to the IP address, which would identify an individual. That makes a certain amount of sense, in that ISPs, for instance, need to establish enough of a link between an IP address and an individual to send them a bill. On the other hand, it doesn’t prove that the person responsible for paying the bill has anything to do with the internet traffic terminating at that IP address (for instance, I might pay for my child’s broadband subscription while they are at college). As a little experiment, try visiting Dave Birch’s blog, here. While you’re there, incidentally – check out the content; it’s excellent. Then have a look in the right-hand margin, and see how close Feedjit gets to personally identifying you. In my case, it gets as far as the neighbouring town – about 5 miles away – and therefore lumps me in with a population of over 60,000 people.
In the sense of “IP addresses being sufficient to uniquely identify an individual”, then, the pragmatic approach doesn’t look too healthy either. However, where I think it scores is in its ability, potentially, to make the decision conditional on other factors – such as, in this case, how much other data the IP address can be linked to by any given party who sees it. After all, it’s reasonable to assume that the ISP, in this case, can more easily work out who a given IP address is assigned to than could the man on the proverbial No.38 bus (Victoria to Clapton, via Piccadilly and Angel, incidentally).
In other words, if you are the data controller for both the IP address and the billing data, you would do well to behave as though the IP address was PII. That seems reasonable enough. In some cases, it may mean being able to prove that you have taken steps to prevent one from being linked with the other. That seems reasonable enough, too.
Looking a little further down the line, though, the pragmatic approach will run into some interesting obstacles. The same logic, after all, will mean that in some circumstances the words “Yes” and “No” will need to be treated as personally identifiable information. For example, suppose you are in a position to link the following pieces of data:
- Individual (subscriber, patient, etc)
- Question (Is this individual over 18?)
- Answer (Yes/No).
Good practice (read Dave Birch’s piece on Psychic ID for a great example) is to reduce disclosures of personal attributes to Yes/No answers to closed questions… and that’s both a laudable ambition and a good design objective. It won’t solve the “what is PII?” riddle, though.
Iain Henderson – The Personal Data Eco-System
http://www.rightsideup.net/?p=273
This post is a short(ish) summary of a working session led by Drummond Reed and me at the recent West Coast VRM Workshop, and also an introduction to the Kantara workgroup in which we are going to move this debate forward. It is also part of the thinking that will shortly emerge in a Mydex white paper.
At the VRM workshop, we discussed the need for the concept of the Personal Data Store, what it would do in practice, and what that will ultimately enable.
Why we need such things – because individuals have a complex need to manage personal information over a lifetime, and the tools they have at their disposal today to do so are inadequate. Existing tools include the brain (which is good but does not have enough RAM, onboard storage, or an ethernet socket……thankfully), stand alone data stores (paper, spreadsheets, phones, which are good but not connected in secure ways that enable user-driven data aggregation and sharing), and supplier based data stores (which can be tactically good but are run under the supplier provided terms and conditions). NB Our current perception of ‘personal data stores’ is shaped by the good ones that are out there (e.g. my online bank, my online health vault); what we need is all of that functionality, and more – but working FOR ME.
What they will do/ enable – the term Personal Data Store is not an ideal term to describe a complex set of functions, but it is what it is until we get a better one (the analogy I’d use in more ways than one is the term ‘data warehouse’ – again a simplistic term that masks a lot of complex activity). A Personal Data Store can take two basic forms:
Operational Data Stores – that get things done, and only need store sufficient breadth and depth of data to fulfill the operation they are built for (e.g. pay a credit card bill, book a doctor’s appointment, order my groceries).
Analytical Data Stores – that underpin and enable decision making, and which typically need a more tightly defined, but much deeper data-set that includes data from a range of aspects of life rather than just that from one specific operation (e.g. plan a home move, buy a car, organise an overseas trip).
A sub-set of the individual’s overall data requirement will lie in both of the above, this being the data that then integrates decision-making and doing.
In both cases, the functionality required is to source, gather, manage, enhance and selectively disclose data (to presentation layers, interfaces or applications).
We also discussed ‘who has what data on you’ and introduced the following diagrams to explain current state and target state (post deployment of Volunteered Personal Information (VPI) tech and standards).
The key terms that require explanation are:
My Data – is the data that is undeniably within, and only within, the domain of an individual. Its defining characteristic is that it has demonstrably not been made available to any other party under a signed, binding agreement. This space has been increasingly encroached upon by technology and organisations in recent history (e.g. behavioural tracking tools like Phorm) and this encroachment will continue. Indeed a general comment can be made that ‘my data’ equates to privacy in the context of personal data; so the rise of the surveillance society and state is a direct assault on ‘My Data’. Management of ‘My Data’ can be run by the individual themselves, or outsourced to a ‘fourth party service’.
Your Data – is the data that is undeniably within the domain of an organisation; either private, public or third sector. Proxy views of this data may exist elsewhere but are only that. This data would include, for example, the organisation’s own master records of their product/ service range, their pricing, their costs, their sales outlets and channels. Customer-facing views of much of Your Data are made available for reproduction in the ‘Our Data’ intersect.
Our Data – is the data that is jointly accessible to both buyer and seller/ service provider, and also potentially to any other parties to an interaction, transaction or relationship. It is the data that is generated through engaging in interactions and transactions in and around a customer/ supplier relationship. Despite being ‘our’ data, it is probably technically owned, or at least provided under terms of service designed by the seller/ service provider; in practical terms this also means that the seller/ service provider dictates the formats in which this data exists/ is made available.
Their Data – is the data built/ owned/ sold by third party data aggregators, e.g. credit bureaux, marketing data providers in all their forms. Its defining characteristic is that it is only available/ accessible by buying/ licensing it from the owner.
Everybody’s Data – is the public domain data, typically developed/ run by large, public sector(ish) entities including local government (electoral roll), Post Offices (postal address files), mapping bureau (GIS). Typically this data is accessible under contract, but the barriers to accessing these contracts are set low – although often not low enough that an individual can engage with them easily.
The Basic Identifier Set/ Bit in the Middle – this is the core personal identity data which, like it or not, exists largely in the public domain – most typically (but not exclusively) as a result of electoral rolls being made available publicly, and specifically to service providers who wish to build things from them. This characteristic is that which enables the whole personal eco-system and its impact on data privacy to exist, with the individual as the un-knowing ‘point of integration’ for data about them.

The ovals in the Venn diagram represent the static state, i.e. where data lives at a point in time. The flow arrows show where data flows to and from in this eco-system; I use red to signify data flowing under terms and conditions NOT controlled by the individual data subject.
Flow 1 (My Data to Your Data, and My Data to Our Data) – Individuals provide data to organisations under terms and conditions set by the organisation, the individual being offered a ‘take it or leave it’ set of options. Some granularity is often offered around choices for onward data sharing and use, i.e. the ‘tick boxes’ we all know and which are one of the main bits of legacy CRM that VRM will fix.
Flow 2 (Your Data to Your Data, including Our Data) – Organisations share data with other organisations, usually through a back-channel, i.e. the details of the sharing relationship are typically not known to the data subject.
Flow 3 (Your Data, including Our Data to Their Data) – Organisations share data with a specific type of other organisation, data aggregators, under terms and conditions that enable onward sale. Typically the sharer is paid for this data/ has a stake in the re-sale value.
Flow 4 (Everybody’s Data to Their Data) – Data Aggregators use public domain data sources to initiate and extend their commercial data assets.
The target state is shown below, a different scenario altogether – and one which I believe will unfold incrementally over the next ten years or so… data attribute by data attribute, customer/ supplier management process by customer/ supplier management process, industry sector by industry sector. In this scenario, the individual and ‘My Data’ becomes the dominant source of many valuable data types (e.g. buying intentions, verified changes of circumstance), and in doing so eliminates vast amounts of guesswork and waste from existing customer/ citizen management processes.
The key new capabilities required to enable this to happen are those being worked on in the User Driven and Volunteered Personal Information work groups at Kantara (one tech group, one policy/ commerce one), and elsewhere within and around Project VRM. The new capabilities will consist of:
- personal data store(s), both operational and analytical
- data and technical standards around the sharing of volunteered personal information
- volunteered personal information sharing agreements (i.e. contracts driven by the individual perspective, creative commons-like icons for VPI sharing scenarios)
- audit and compliance mechanics
Around those capabilities, we will need to build a compelling story that clearly articulates, in a shared lexicon (thanks to Craig Burton for reminding us of the importance of this – watch this space), the benefits of the approach – for both individuals and organisations.
The target state that will emerge once these capabilities begin to impact will include the 4 additional individual-driven information flows over and above the current ones. The defining characteristic of these new flows is that they can only be initiated by the data subject themselves, and most will only occur when the receiving entity has ‘signed’ the terms and conditions asserted by the individual/ data subject. The new flows are:
Flow 5 (My Data to Your Data (inc Our Data)) – Individuals will share more high value, volunteered information with their existing and potential suppliers, eliminating guesswork and waste from many customer management processes. In turn, organisations will share their own expertise/ data with individuals, adding value to the relationship.
Flow 6 (Everybody’s Data to My Data) – With their new, more sophisticated personal information management tools, individuals will be able to take direct feeds from public domain sources for use on their own mashups and applications (e.g. crime maps covering where I live/ travel).
Flow 7 (My Data to (someone else’s) My Data) – An enhanced version of ‘peer to peer’ information sharing.
Flow 8 (My Data to Their Data) – The (currently) unlikely concept of the individual making their volunteered information available to/ through the data aggregators. Indeed we are already starting to see the plumbing for this new flow being put in place with the launch of the Acxiom Identity Card.

The implications of the above are enormous, my projection being that over time some 80% of customer management processes will be driven from ‘My Data’. I’m pretty confident about that, a) because we are already seeing the beginning of the change in the current rush for ‘user generated content’ (VPI without the contract), and b) because the economics will stack up. Organisations need data to run their operations – they don’t really mind where it comes from. So, if a new source emerges that is richer, deeper, more accurate, less toxic – and all at lower cost than existing sources; then organisations will use this source.
It won’t happen overnight obviously; as mentioned above specific tools, processes and commercial approaches need to emerge before this information begins to flow – and even then the shift will be slow but steady, probably beginning with Buying Intention data as it is the most obvious entry point with enough impact to trigger the change. That said, the Mydex social enterprise already has a working proof of concept up and running showing much of the above working. A technical write up of the proof of concept build can be found here. And the market implications of this are explored in more detail in new research on the market value of VPI shortly to be published by Alan Mitchell at Ctrl-Shift.
The two hour session at the VRM workshop was barely enough to scratch the surface of the above issues, so the plan is to continue the dialogue and begin specifying the capabilities required in detail in the User Driven and Volunteered Personal Information (technology) workgroup at The Kantara Initiative. The workgroup charter can be found here. A parallel workgroup focused on business and policy aspects will also be launched in the next few weeks. Anyone wishing to get involved in the workgroup can sign up to the mailing list here and we’ll get started with the work in the next couple of weeks.