User-Managed Access: A new tool for privacy, consent, and building trusted digital relationships

The news: ForgeRock’s new Identity Platform is out, and I couldn’t be more thrilled that our conforming implementation of the User-Managed Access (UMA) standard is a part of this release. The ForgeRock Identity Platform is the first identity management platform to support UMA for consumer consent and data sharing -- scenarios that are near and dear to my heart.

What is UMA about? Before talking about UMA, let me muse on the complex topic of privacy for a moment. The following Venn diagram represents key elements that contribute to privacy.

There is aspirational language in Fair Information Practice Principles, Privacy by Design about “transparency” and “control” and such; this is what the autonomy aspects of privacy are about. Individuals have the right to be left alone, to make decisions unmolested by pressure, to make health decisions with a full set of data at their command, and so on.

However, most businesses and most regulations have -- understandably -- focused on data protection (what privacy is generally called in Europe!), and on risk mitigation. In other words, privacy compliance has largely been about “ensuring that data doesn’t get out.” As a result, tools for consent have been limited.

But new forces are coming into play. Consumers have become more skeptical and cynical; the regulatory landscape is now shifting, as we have seen with Safe Harbor and the emerging EU General Data Protection Regulation regime; the Internet of Things is pushing data volumes and sources to new heights; and in the face of all this, businesses are keen to build trusted digital relationships with their customers.

UMA’s design center can be expressed simply: It’s an OAuth-based protocol designed to give an individual a unified control point for authorizing who and what can get access to their digital data, content, and services, no matter where all those things live. The resulting architecture makes UMA a strong basis for tools and solutions for building trusted digital relationships, both from the perspective of addressing externally imposed consent requirements and from the perspective of demonstrating trustworthiness to customers.


What ForgeRock has been up to: Our amazing product teams have built impressive support for the hardest UMA scenarios: those serving consumers and citizens. Our out-of-the-box user interface for the central sharing management console (the “UMA authorization server”) offers value-add features such as: 1) Share buttons so that end-users can choose to delegate selective access to IoT devices, online identity data, and other digital resources, and 2) pending-request pages so that end-users can selectively approve access requests made to those resources. Additionally, API endpoints let developers customize interfaces, flows, and policy conditions as required for business needs.You can also UMA-protect your services with our gateway component. Further, some of our partners have been gaining experience building POCs for a variety of use cases.

Memory lane: My work on the protocol goes back to early 2008, before there was an UMA, so I have a lot of history with this work. I worked with colleagues at Sun Microsystems on a predecessor called “ProtectServe,” and then gathered with like-minded people at the Internet Identity Workshop series of events (whose 22nd meeting ForgeRock will be sponsoring again in April!) to begin planning a proper standardization effort. Ultimately we took the project to the Kantara Initiative; the Version 1.0 specifications were approved in March 2015 and Version 1.0.1 just last month.

Final thoughts and thanks: As founder and chair of the UMA Work Group, as well as in my role driving privacy and consent innovation for ForgeRock, I have been and continue to be blessed to work with an amazing bunch of UMAnitarians inside and outside the company. Up next: Deployments in various verticals.

Here’s to more “context, control, choice, and respect” for users’ data in 2016!

Eve can be found on Twitter at @xmlgrrl