Gluu Blog


Walls

Michael Schwartz June 10, 2012


In the 1921 novel We by Yevgeny Zamyatin, citizens live in a glass city where there is literally no privacy. Kaliya Hamlin wrote in her recent newsletter on personal data that Zamyatin’s novel is a “nightmarish vision of total repression.” In light of the myriad pieces of personal data being collected on a daily basis, and the pervasive movement of personal data to the cloud, has that nightmarish vision become a reality? Kaliya’s description of We made me think of the paintings of Jennifer Presant, one of which is shown here, which are serene and yet somehow unsettling. Jennifer is an insanely talented painter who attended my alma mater, Washington University, and currently resides in Chicago. If interior and exterior spaces cannot be separated, we are vulnerable to elements we were not designed to withstand. This is a parallel to the opportunity and challenge of the Internet: you may see some great sunsets, but watch out when it rains.

One might wonder whether reservations about an Internet without walls are behind the recent European legislation proposed to give individuals the right to data portability and the right to be forgotten. But even if I can get my data, and erase it from the databases of certain organizations, those laws do not seem likely to provide the Internet “walls” that people want.

A “walled” area on steroids is a vault. Fourteen years ago, I founded a company called ID-Vault. Although that start-up failed (too early!), the idea of personal data vaults is reaching fruition. I am greatly encouraged by services such as Personal and Qiy, which are trying to consolidate many important streams of personal data. Consolidation saves time and money. But the reality is that complete consolidation is not possible. Despite our innate discomfort with organizations holding data about us, it is necessary. In fact, organizations “super-empower” us as individuals, to use Thomas Friedman’s jargon. I don’t have to go further than my bank for an example: the fact that my bank says I have money to spend enables me to participate in the global economy.

So we want a vault for its strong walls, but the problem is that we have not one vault but a network of personal data vaults, some of which we control and others which are controlled by organizations. Here is the challenge: if all my data is locked up, it doesn’t do me any good. Getting your data is part of the challenge, but after you get it, the more difficult challenge is how to share it. How do I share data that is controlled by an organization? Is there an Internet standard I can use to accomplish this? OAuth? XACML? UMA? XDI?

We can quickly rule out OAuth, which assumes you already know what content you want to share. XACML seems to fit the bill at first glance; however, while XACML provides a mechanism to express the rules under which someone has access to content, it does not provide a way to organize and reference that content. UMA? If OAuth doesn’t solve the problem, a centralized OAuth service would not solve the problem either. XDI offers a vision, but one wonders if a standard will ever emerge from this slow-moving OASIS technical committee.

How can I model the complex relationships that define me as a person: my family, and the organizations which empower me? And how can we design an Internet security model on top of that? For example, how can I specify who has access to what information, under what conditions?

The truth is that we need something between no walls and vaults… and to get there, we need standards.


Mike Schwartz

Mike has been an entrepreneur and identity specialist for more than two decades. He is the technical and business visionary behind Gluu. Mike is an application security expert and has been a featured speaker at RSA Conference, Gartner Catalyst, Cloud Identity Summit (now "Identiverse") and many other security conferences around the world.
