Kantara Initiative is out with a new version of its user data access specs
The newest guidelines for software makers update ways for sharing personal data between individuals and through Internet of Things devices.
While the upcoming General Data Protection Regulation (GDPR) is the largest and best-known effort to guard personal data, it’s not the first.
Founded in 2009 and based in Wakefield, Massachusetts, the Kantara Initiative is one of the other efforts. It’s a non-profit global consortium of about 70 companies that is designed to improve the trustworthy use of identity and personal data through specifications for software makers.
Toward that aim, the Initiative has recently released version 2.0 of its User-Managed Access (UMA) tech specs, replacing the 1.0 version approved in 2013. UMA is intended to provide a protocol for how an individual’s personal data can be accessed, wherever it lives.
Executive Director Colin Wallis told me that the new version simplifies the previous protocol and aligns it more closely with OAuth than version 1.0 did. OAuth, or Open Authorization, is an open standard for authorizing access to personal data, such as granting a website access to the list of your friends on Facebook without you having to enter your login credentials.
Version 2.0 also makes it easier for individuals to share their personal data — such as personal attributes, device data or a document — with multiple parties, without having to immediately consent to other uses. And it provides ways to authorize the sharing of personal data across Internet of Things devices without having a continual connection to an authorization server.
While GDPR is a European Union governmental regulation, Wallis noted, UMA 2.0 is a spec for building software products. Although Kantara’s protocols conform to GDPR, they relate to only some of that regulation’s envisioned scenarios.
Among other protocols, the group has also released a Consent Receipt spec that indicates what kind of confirmation a user might receive to show they have actually given consent for the use of their personal data. The Initiative has also started a working group for ways to bring best practices to the management of consent, and it has an Identity Assurance Trust Framework Provider program for accrediting credential service providers.