
‘Solid’ privacy pods: Can Tim Berners-Lee keep his dream alive?

Richi Jennings Your humble blogwatcher, dba RJA

The so-called “inventor” of the web has had yet another neat idea. His startup, Inrupt, has been working on a system where people can control their own data. Sounds clever.

Called Solid, it’s now ready for enterprise pilots, he says. But is it any good? Or is it, as one wag describes it, mere “nerd drivel”?

Reaction has so far been extremely mixed, to put it mildly. In this week’s Security Blogwatch, we wonder if Sir Tim is still relevant, 30 years on.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: deepfake lipsync.

TBL talks the talk

What’s the craic? Ron Miller reports—Inrupt releases Solid privacy platform for enterprises:

Berners-Lee has always believed that the web should be free and open, but large organizations have grown up over the last 20 years that make their money using our data. He wanted to put people back in charge of their data, and the Solid open source project, developed at MIT, was the first step in that process.

The core idea … is that users control their data in online storage entities called Personal Online Data Stores (or Pods). … The enterprise version consists of Solid Server to manage the Pods, and developers can build applications using an SDK to take advantage of the Pods and access the data they need to do a particular job like pay taxes or interact with a healthcare provider.

To give you a sense of how this works, the [UK] National Health Service has been building an application for patients … who, using Solid, can control their health data. “Patients will be able to permit doctors, family or at-home caregivers to read certain data from their Solid Pods, and add caretaking notes or observations that doctors can then read in order to improve patient care,” the company explained. … It is up to the user who can access this information: the application owner has to ask the user for permission, and the user has to explicitly grant it, and under what conditions.

Who’s involved? Our old chum Robert Lemos lists the perps—Data Privacy Gets Solid Upgrade:

Berners-Lee and John Bruce, a veteran of the cybersecurity industry and CEO of the firm, founded Inrupt in 2018. … For companies, Solid promises to reduce their risk of violating privacy regulations because of breaches that steal sensitive user data by minimizing the data that is in their custody and, thus, part of their responsibility.

Companies get the most recent data, and with less worry about leaking the data, but only for as long as the user allows them access, says Bruce Schneier, noted encryption expert and chief security architect for Inrupt. … "The basic idea is that your data is in your pod, under your control," he says. "If you want to do something, for example, that mirrors the data from your fridge with the data from your Fitbit, both of those datasets are both under your control, not under the control of the refrigerator manufacturer and of Fitbit." … "Think of this as the Red Hat model. … There is a public standard, and we have a commercial implementation. There is a public server, and then there is the enterprise-grade server and infrastructure that we are creating."

Solid uses "vocabularies" — definitions of data that can be standardized so that applications know how to access specific types of data relevant to the application. … Based on encryption and granular access controls, Solid allows users to grant or revoke access at any time to the information stored in its … pods.

For example? Aunty Beeb’s Rory Cellan-Jones is a fellow hyphenated-surname chap—NHS data: Can web creator Sir Tim Berners-Lee fix it?:

It is one of the biggest challenges for the NHS: how to give people some control of their medical data while making sure it can be shared with all of the doctors and other healthcare workers who need it. … The NHS pilot project is happening in Greater Manchester, where it is hoped that it could improve the lives of people suffering from dementia.

Some [patients] may want to take control, even wishing to store the pod on a hard drive at home and only giving short-term access to doctors when necessary. Others will just see it as a way of cutting through the bureaucracy and not having to start from zero every time they see another doctor.

As someone who has relatively frequent interactions with the health service and is sometimes frustrated by the lack of communication between different parts of it, I can see the attractions of this idea.

In the mood for some hyperbole? Sir Tim Berners-Lee hails A New Era of Innovation and Trust in Data:

Today marks a huge milestone. … I’m thrilled. … It’s the fruit of two years of work by our outstanding team.

These technologies will fundamentally change how organizations connect people with their data. … It’s going to drive groundbreaking new opportunities.

Organizations worldwide can take the first step towards building a trusted web where innovation flourishes, and everyone – businesses, developers, and web users – share the benefits. We hope you’ll join us on this exciting journey.

Interesting? 0laf thinks so, but isn’t hopeful for success:

This sounds more like a national utility service. Nations could invest in the infrastructure where the business case is weak protecting citizens' data, while empowering safe and responsible data sharing.

Although that would require nations to do this altruistically and not try to corrupt the process for their own means. **** all chance of that, I suppose.

So it looks like Tim & Co. have an uphill battle on their hands. Many geeks are dead against it—geeks such as specialist:

Solid is a non-starter for medical records. … How does a patient grant access (consent) if they are incapacitated? Like during an ER visit? How does a patient manage that consent for all the other care providers? Can a patient ever retract the consent?

[I] implemented 5 regional healthcare medical records exchanges in the mid-aughts. My teammates handled the web portal for accessing same data. The "break the glass" edge use case, where care providers bypassed the consent, was ~80% of daily usage. Because that's the reality of healthcare.

I'm not optimistic that Solid & PODs bring anything new or practical to the table.
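The two positions above (Inrupt's "the user grants access, under conditions, and can revoke it" and specialist's "break the glass was ~80% of daily usage") are easier to weigh with a concrete model in hand. The Python below is an added illustration, not code from Inrupt, Solid or any of the quoted commenters, and it is not Solid's actual access-control mechanism (which is the Web Access Control specification); it is a simplified pod whose owner grants scoped, time-limited, revocable access, plus an emergency override that bypasses consent but cannot bypass the audit trail. All agent identifiers, resource paths and timestamps are constructed for the example.

```python
"""Toy pod consent model (constructed example, not Solid/Inrupt code).

Shows three things the article's quotes argue about:
  * consent is scoped (modes), time-limited (ttl) and revocable;
  * an absent or expired grant denies access;
  * a 'break the glass' override exists for emergencies, but it requires a
    justification and is always recorded so the owner/compliance can review it.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Grant:
    """One consent the pod owner has given: who, which resource, which modes, until when."""
    agent: str
    resource: str
    modes: frozenset
    expires_at: Optional[datetime] = None


@dataclass(frozen=True)
class AuditEvent:
    """Every access decision, allowed or not, lands in the pod's audit trail."""
    at: datetime
    agent: str
    resource: str
    mode: str
    allowed: bool
    reason: str


class Pod:
    def __init__(self, owner: str):
        self.owner = owner
        self._grants = []   # list of Grant
        self.audit = []     # list of AuditEvent

    def grant(self, agent, resource, modes, ttl=None, now=None):
        """Owner grants `modes` on `resource` to `agent`, optionally expiring after `ttl`."""
        now = now or datetime.now(timezone.utc)
        self.revoke(agent, resource)  # a new grant replaces any earlier one for the pair
        expires = now + ttl if ttl else None
        self._grants.append(Grant(agent, resource, frozenset(modes), expires))

    def revoke(self, agent, resource):
        """Owner withdraws consent; takes effect on the next check."""
        self._grants = [g for g in self._grants
                        if not (g.agent == agent and g.resource == resource)]

    def _log(self, now, agent, resource, mode, allowed, reason):
        self.audit.append(AuditEvent(now, agent, resource, mode, allowed, reason))
        return allowed

    def check(self, agent, resource, mode, now=None) -> bool:
        """Normal path: owner always allowed; everyone else needs a live grant with that mode."""
        now = now or datetime.now(timezone.utc)
        if agent == self.owner:
            return self._log(now, agent, resource, mode, True, "owner")
        for g in self._grants:
            if g.agent == agent and g.resource == resource:
                if g.expires_at is not None and now >= g.expires_at:
                    return self._log(now, agent, resource, mode, False, "expired")
                if mode in g.modes:
                    return self._log(now, agent, resource, mode, True, "grant")
                return self._log(now, agent, resource, mode, False, "mode-not-granted")
        return self._log(now, agent, resource, mode, False, "no-grant")

    def break_glass(self, agent, resource, mode, justification, now=None) -> bool:
        """Emergency path: bypasses consent, never bypasses the audit trail.
        A blank justification is rejected; a non-blank one is allowed and tagged
        'break-glass:' so these events can be pulled out for review afterwards."""
        now = now or datetime.now(timezone.utc)
        if not justification.strip():
            return self._log(now, agent, resource, mode, False, "break-glass-rejected")
        return self._log(now, agent, resource, mode, True, "break-glass: " + justification.strip())

    def break_glass_events(self):
        return [e for e in self.audit if e.reason.startswith("break-glass:")]


def demo():
    """Walks through grant, scope, expiry, revocation and break-glass; returns the decisions."""
    t0 = datetime(2020, 11, 10, 9, 0, tzinfo=timezone.utc)          # constructed timestamp
    pod = Pod(owner="https://pod.example/alice/profile#me")          # constructed WebID-style id
    rec = "/health/care-plan"                                        # constructed resource path
    gp = "https://pod.example/dr-gp#me"
    pod.grant(gp, rec, {"read", "append"}, ttl=timedelta(days=30), now=t0)
    results = {
        "gp_reads": pod.check(gp, rec, "read", now=t0 + timedelta(days=1)),
        "gp_writes": pod.check(gp, rec, "write", now=t0 + timedelta(days=1)),
        "gp_after_expiry": pod.check(gp, rec, "read", now=t0 + timedelta(days=31)),
    }
    carer = "https://pod.example/bob#me"
    pod.grant(carer, rec, {"read"}, now=t0)
    pod.revoke(carer, rec)
    results["carer_after_revoke"] = pod.check(carer, rec, "read", now=t0)
    er = "https://hospital.example/er-team#me"
    results["er_without_consent"] = pod.check(er, rec, "read", now=t0)
    results["er_blank_justification"] = pod.break_glass(er, rec, "read", "   ", now=t0)
    results["er_break_glass"] = pod.break_glass(er, rec, "read", "unresponsive patient, ER triage", now=t0)
    results["break_glass_count"] = len(pod.break_glass_events())
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design choice worth noticing is that the override is a separate, narrower entry point rather than a flag on `check`: it cannot be reached by accident, it demands a reason, and the owner can list every use of it. That is the mitigation for specialist's objection. If the emergency path is the common path, the value of a pod lies less in blocking access than in making every bypass visible and reviewable after the fact.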

And geeks like theshowmecanuck:

[This] is typical "I don't want to understand the real world" nerd drivel. [It] means someone else is hosting your data. So now there is a single point of failure that all hackers can target.

Not really any advantage. … How dire.

And geeks like StrangerHereMyself, who calls it a “Stupid idea”:

There's simply no market for the product TBL is selling at the moment. … Tim may be the inventor of the Web as we know it, but he's merely coasting on his illustrious past to grab VC monies to start one silly enterprise after the other.

Whatever happened to the Semantic Web, which he was pushing for well over a decade? Why don't I hear him promoting HORNET (High Speed Onion Routing Network; a Tor-like network with the speed of the regular internet)?

But Angostura’s not bitter: [You’re fired—Ed.]

The thing about TBL is he isn't a glory-hound. My sense of him is he gets involved in interesting problems that he thinks have serious benefits and gets stuck in.
He's been thinking and working on this current problem for quite a while, takes it seriously and it is very close to the domain that he has been involved in for decades now. The name may generate some buzz, but I suspect the project may have intrinsic value in its own right.

Perhaps it’s more of a PR problem? Theo Priestley—@tprstly—suggestifies thuswise:

You're going to need better marketing and messaging around why people, not businesses, should care. Everything is enterprise and developer focused but there's no critical "so what" for the general public.

You need the weight of public/consumer adoption as well as enterprise use cases. So far, not seeing anything because it's aimed at peers who aren't the audience you need to win over.

Meanwhile, this Anonymous Coward cuts to the chase:

Privacy lol. … Nobody gives a **** about privacy. Proof: # of users for Google, Facebook, Twitter, etc.

The moral of the story?

Definitely one to watch, but beware getting sucked into something that’s going nowhere.

And finally

Lipsync shallowfakes


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE. 30.

This week’s zomgsauce: Jarle Naustvik (cc:by)
