Privacy and User Managed Access – an interview with Eve Maler, ForgeRock’s VP of Innovation & Emerging Technology

Eve Maler, ForgeRock VP of Innovation & Emerging Technology

Eve Maler @xmlgrrl

A recent report published by Pew Research (titled: Public Perceptions of Privacy and Security in the Post-Snowden Era) has people coming to the conclusion that the status quo is pretty dire, and asking if UMA (User-Managed Access) is a solution that might begin to put the power back into individuals’ hands.

I asked Eve Maler, our VP of Innovation & Emerging Technology (not to mention our resident UMA expert), some questions relating to privacy, UMA and what she thinks will happen next.

Eve, first can you give us your thoughts on the report and what you think this means for the future?

Privacy practitioners have been remarking for some time that the “notice and consent” paradigm that has reigned over the privacy conversation has been failing us. Just pressing the Agree button on websites as if we’re rats at a feeder bar hasn’t protected us — and of course, people have noticed this (no pun intended).


We’re starting to see a welcome broadening of digital privacy’s practical application among those who deliver online services. I think it’s moving from a compliance phase to one where we can begin exploring it as craft. For example, look at the Privacy by Design and Privacy Engineering efforts.

What do you mean about broadening digital privacy? Do you mean redefining it?

In essence, yes. In recent times, privacy has often been treated as a very thin notion that looks like “We apps would like to install a large pipeline between us to transmit data about you, so we can bother you later with ads. Are you okay with that?” Storing a “yes” answer became “privacy” management. Really?!? In the work we’ve done on the UMA standards group, by contrast, we’ve tried to turn this thinking on its head: What personal data would a person choose to share if she were comfortable that she wouldn’t have to share everything with everybody? We called this vision “selective sharing”.


Interestingly, the UMA architecture turns out not to discriminate when it comes to who’s doing the (selective) sharing and who’s doing the receiving. A person can share data — say, a medical record — with a family member, or with a doctor, or with a research institution. An organization can selectively share data — say, an RFP — with a consulting attorney, or a bidding contractor, or a government auditor. A broad vision of privacy for people starts to look like a broad vision of access control for loosely coupled organizations in the “API economy” too.


We’re only beginning to plumb the depths of meaningful privacy in all its dimensions. Fatemeh Khatibloo, a Forrester analyst who advises customer insights pros, has had her finger on these issues for a long time; she observed last week while at the Privacy Identity Innovation conference:


Once a user’s data is out there in the wild, hasn’t it escaped for good?

Unfortunately, yes; the Pew survey respondents, like all of us, are sadder but wiser now!

To the extent that personal data is volatile, it reinvents itself often enough to let us apply new approaches to sharing it and throttling access to it. I bet you’re sorry every time you laboriously write out an email telling someone what times you’re free, because your calendar changes soon after; it’s easier to share a calendar “feed”. Same with most other data that changes.


On the other hand, for data that’s unchanging, we really do have a problem. One way the US HIPAA health privacy law is trying to tackle this challenge is to capture “accounting of disclosures” even in the case of regulated public-health disclosures that a person can’t prevent. Imagine displaying disclosures of data on a “digital footprint dashboard” so that people could be more aware of what data has been sent around.

What the heck is a “digital footprint dashboard”?

You know like in the movie Minority Report where Tom Cruise swipes displays around with his hands? No? Okay, try this: It’s an app where you can easily, conveniently, cleanly manage who gets access to all the data and content you manage at a dozen or a hundred different online services, all for your own benefit. If you don’t see benefit in sharing, you can stop it immediately.


This isn’t just for change-of-address scenarios for extended warranties on slow cookers. In the Internet of Things household automation era, it may include how you manage which of your kids have access to which of your cars!

Thanks Eve. For those interested in discussing this further, visit our ongoing forum discussion around this topic, called “The light is dawning for respondents to the new Pew survey on personal data”.

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?