Re: [WG-UMA] Pokemon teaches us why all of us will need our own Authorization Server

older
Notes from UMA telecon 2016-07-14

Adrian Gropper

14 Jul 2016 14 Jul '16

4:49 p.m.

Hi Kazue, Thank you much for turning this up. It's an even stronger example of why we can't trust any authorization server we don't specify (and can change) ourselves. Folks may remember that I recently posted about a similar experience with my Dropbox where I had no recollection of allowing Microsoft Word full access to my entire Dropbox. The mechanism that allowed that to happen may be different than Pokemon's link to Google, but that hardly matters. Frankly, I find it amazing that the UMA group, the HEART group, and even VRM are still treating the user-specified authorization server as a "nice-to-have" MAY instead of a MUST. As far as I'm concerned, the only sustainable path for both OAuth and VRM is to build on top of a user-specified authorization server. I have referred to this as: "There's only one Alice." Standards like UMA, HEART, and VRM that don't take this as a given are unlikely to scale or to drive competition and substitutability that make for an effective standard. Adrian On Thursday, July 14, 2016, Kazue Sako wrote:

...

Hi Andrian and Doc,

This seems to have an interesting point regarding use of OAuth where many people here are familiar with.

A friend of mine showed me an interesting link. http://ericrafaloff.com/pokemon-go-and-google/

As google is using OAuth, the usual flow should show the user a consent screen. Yet this was not the case with Pokemon Go.

...
Meaning authorization servers by big companies acting on persons’ behalf. In this case Nintendo (Pokemon Go parent) and Google.

Actually, Pokemon Go was developed by a company called Niantic which was a part of Google at the time they developed Ingress (according to the link above).

Kazue Sako

________________________________________

...
On Jul 13, 2016, at 9:07 AM, Adrian Gropper javascript:;> wrote:

https://www.buzzfeed.com/josephbernstein/heres-all-the-data-pokemon-go-is-co...

Here’s the link without the tracking cruft:

https://www.buzzfeed.com/josephbernstein/heres-all-the-data-pokemon-go-is-co...

...
This may well have been a case of accidental social engineering but it makes the point that multiple random authorization servers will not scale.

Meaning authorization servers by big companies acting on persons’ behalf. In this case Nintendo (Pokemon Go parent) and Google.

...
If Pokemon wants access to my Google stuff, they need to ask my authorization server and not the one Google helpfully gave to me.

Meaning one you operate personally.

Does one exist? Do we have an example or a prototype among all our developments here? (I’m so snowed under looking at all of it that I confess to being a bit lost?in a good way.)

...
Is there any other alternative? How could Google's ever play both sides as both game developer and privacy protector?

That’s the right question. The answer has to come from our sovereign personal whatever (authorization server is a good term, but it needs to be distinguished from the same operated by giant companies playing both sides).

And the Castle Doctrine needs to apply. http://bit.ly/3stldoc or < http://j.mp/cstl3>

Doc

...
Adrian

--

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/

-- Adrian Gropper MD PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/

Attachments:

attachment.html (text/html — 5.4 KB)

Show replies by date

Doc Searls

14 Jul 14 Jul

5 p.m.

New subject: [projectvrm] Pokemon teaches us why all of us will need our own Authorization Server

...

On Jul 14, 2016, at 4:49 PM, Adrian Gropper wrote:

Hi Kazue,

Thank you much for turning this up. It's an even stronger example of why we can't trust any authorization server we don't specify (and can change) ourselves.

Folks may remember that I recently posted about a similar experience with my Dropbox where I had no recollection of allowing Microsoft Word full access to my entire Dropbox. The mechanism that allowed that to happen may be different than Pokemon's link to Google, but that hardly matters.

Frankly, I find it amazing that the UMA group, the HEART group, and even VRM are still treating the user-specified authorization server as a "nice-to-have" MAY instead of a MUST.

FWIW, I do regard having the individual (not just a user) in control of everything. That said, ProjectVRM is itself a big tent. If I kept it small around my own value system, it wouldn’t work. We need room for lots of approaches, lots of changes in those approaches, lots of trials and errors, and lots of conversations like this one.

...

As far as I'm concerned, the only sustainable path for both OAuth and VRM is to build on top of a user-specified authorization server.

I have referred to this as: "There's only one Alice." Standards like UMA, HEART, and VRM

VRM is just an acronym. It doesn’t have a standard. The purpose of ProjectVRM is to encourage development of tools that make individuals both independent and better able to engage. Also to prove that free customers are more valuable (to themselves and to others in the marketplace) than captive ones. If those tools don’t end up being called VRM, by the way it doesn’t matter. Whatever works is good. Just saying. Doc

...

that don't take this as a given are unlikely to scale or to drive competition and substitutability that make for an effective standard.

Adrian

On Thursday, July 14, 2016, Kazue Sako mailto:k-sako@ab.jp.nec.com> wrote: Hi Andrian and Doc,

This seems to have an interesting point regarding use of OAuth where many people here are familiar with.

A friend of mine showed me an interesting link. http://ericrafaloff.com/pokemon-go-and-google/ http://ericrafaloff.com/pokemon-go-and-google/

As google is using OAuth, the usual flow should show the user a consent screen. Yet this was not the case with Pokemon Go.

...
Meaning authorization servers by big companies acting on persons’ behalf. In this case Nintendo (Pokemon Go parent) and Google.

Actually, Pokemon Go was developed by a company called Niantic which was a part of Google at the time they developed Ingress (according to the link above).

Kazue Sako

________________________________________

...
On Jul 13, 2016, at 9:07 AM, Adrian Gropper javascript:;> wrote:

https://www.buzzfeed.com/josephbernstein/heres-all-the-data-pokemon-go-is-co... https://www.buzzfeed.com/josephbernstein/heres-all-the-data-pokemon-go-is-co...

Here’s the link without the tracking cruft:

https://www.buzzfeed.com/josephbernstein/heres-all-the-data-pokemon-go-is-co... https://www.buzzfeed.com/josephbernstein/heres-all-the-data-pokemon-go-is-co...

...
This may well have been a case of accidental social engineering but it makes the point that multiple random authorization servers will not scale.

Meaning authorization servers by big companies acting on persons’ behalf. In this case Nintendo (Pokemon Go parent) and Google.

...
If Pokemon wants access to my Google stuff, they need to ask my authorization server and not the one Google helpfully gave to me.

Meaning one you operate personally.

Does one exist? Do we have an example or a prototype among all our developments here? (I’m so snowed under looking at all of it that I confess to being a bit lost?in a good way.)

...
Is there any other alternative? How could Google's ever play both sides as both game developer and privacy protector?

That’s the right question. The answer has to come from our sovereign personal whatever (authorization server is a good term, but it needs to be distinguished from the same operated by giant companies playing both sides).

And the Castle Doctrine needs to apply. <http://bit.ly/3stldoc http://bit.ly/3stldoc> or <http://j.mp/cstl3 http://j.mp/cstl3>

Doc

...
Adrian

--

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/ http://patientprivacyrights.org/donate-2/

--

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/ http://patientprivacyrights.org/donate-2/

Justin Richer

5:01 p.m.

New subject: Pokemon teaches us why all of us will need our own Authorization Server

Pokemon Go’s issue wasn’t a problem with the AS, though. It was a problem of the developer asking for too many scopes — more than they needed to run the app. It’s really, really easy to overreach. And when people brought it up as an issue? The developer scaled back almost immediately. Having my own AS wouldn’t have stopped or helped any of that and it’s silly to think otherwise. — Justin

...

On Jul 14, 2016, at 4:49 PM, Adrian Gropper wrote:

Hi Kazue,

Thank you much for turning this up. It's an even stronger example of why we can't trust any authorization server we don't specify (and can change) ourselves.

Folks may remember that I recently posted about a similar experience with my Dropbox where I had no recollection of allowing Microsoft Word full access to my entire Dropbox. The mechanism that allowed that to happen may be different than Pokemon's link to Google, but that hardly matters.

Frankly, I find it amazing that the UMA group, the HEART group, and even VRM are still treating the user-specified authorization server as a "nice-to-have" MAY instead of a MUST. As far as I'm concerned, the only sustainable path for both OAuth and VRM is to build on top of a user-specified authorization server.

I have referred to this as: "There's only one Alice." Standards like UMA, HEART, and VRM that don't take this as a given are unlikely to scale or to drive competition and substitutability that make for an effective standard.

Adrian

On Thursday, July 14, 2016, Kazue Sako mailto:k-sako@ab.jp.nec.com> wrote: Hi Andrian and Doc,

This seems to have an interesting point regarding use of OAuth where many people here are familiar with.

A friend of mine showed me an interesting link. http://ericrafaloff.com/pokemon-go-and-google/ http://ericrafaloff.com/pokemon-go-and-google/

As google is using OAuth, the usual flow should show the user a consent screen. Yet this was not the case with Pokemon Go.

...
Meaning authorization servers by big companies acting on persons’ behalf. In this case Nintendo (Pokemon Go parent) and Google.

Actually, Pokemon Go was developed by a company called Niantic which was a part of Google at the time they developed Ingress (according to the link above).

Kazue Sako

________________________________________

...
On Jul 13, 2016, at 9:07 AM, Adrian Gropper javascript:;> wrote:

https://www.buzzfeed.com/josephbernstein/heres-all-the-data-pokemon-go-is-co... https://www.buzzfeed.com/josephbernstein/heres-all-the-data-pokemon-go-is-co...

Here’s the link without the tracking cruft:

https://www.buzzfeed.com/josephbernstein/heres-all-the-data-pokemon-go-is-co... https://www.buzzfeed.com/josephbernstein/heres-all-the-data-pokemon-go-is-co...

...
This may well have been a case of accidental social engineering but it makes the point that multiple random authorization servers will not scale.

Meaning authorization servers by big companies acting on persons’ behalf. In this case Nintendo (Pokemon Go parent) and Google.

...
If Pokemon wants access to my Google stuff, they need to ask my authorization server and not the one Google helpfully gave to me.

Meaning one you operate personally.

Does one exist? Do we have an example or a prototype among all our developments here? (I’m so snowed under looking at all of it that I confess to being a bit lost?in a good way.)

...
Is there any other alternative? How could Google's ever play both sides as both game developer and privacy protector?

That’s the right question. The answer has to come from our sovereign personal whatever (authorization server is a good term, but it needs to be distinguished from the same operated by giant companies playing both sides).

And the Castle Doctrine needs to apply. <http://bit.ly/3stldoc http://bit.ly/3stldoc> or <http://j.mp/cstl3 http://j.mp/cstl3>

Doc

...
Adrian

--

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/ http://patientprivacyrights.org/donate-2/

--

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/ http://patientprivacyrights.org/donate-2/ _______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma

Doc Searls

5:10 p.m.

New subject: Pokemon teaches us why all of us will need our own Authorization Server

How would you have the individual control what personal data is accessed and how it’s used? I want to reframe this outside Pokemon Go, because it’s too easy to get into what the various BigCos involved could have done right or better, within their current systems — over which our personal control is entirely a grace of what they allow. We’re trying here (in ProjectVRM anyway) to start with the individual, and her controls. How can we build outward from there? Doc

...

On Jul 14, 2016, at 5:01 PM, Justin Richer wrote:

Pokemon Go’s issue wasn’t a problem with the AS, though. It was a problem of the developer asking for too many scopes — more than they needed to run the app. It’s really, really easy to overreach. And when people brought it up as an issue? The developer scaled back almost immediately.

Having my own AS wouldn’t have stopped or helped any of that and it’s silly to think otherwise.

— Justin

...
On Jul 14, 2016, at 4:49 PM, Adrian Gropper mailto:agropper@healthurl.com> wrote:

Hi Kazue,

Thank you much for turning this up. It's an even stronger example of why we can't trust any authorization server we don't specify (and can change) ourselves.

Folks may remember that I recently posted about a similar experience with my Dropbox where I had no recollection of allowing Microsoft Word full access to my entire Dropbox. The mechanism that allowed that to happen may be different than Pokemon's link to Google, but that hardly matters.

Frankly, I find it amazing that the UMA group, the HEART group, and even VRM are still treating the user-specified authorization server as a "nice-to-have" MAY instead of a MUST. As far as I'm concerned, the only sustainable path for both OAuth and VRM is to build on top of a user-specified authorization server.

I have referred to this as: "There's only one Alice." Standards like UMA, HEART, and VRM that don't take this as a given are unlikely to scale or to drive competition and substitutability that make for an effective standard.

Adrian

On Thursday, July 14, 2016, Kazue Sako mailto:k-sako@ab.jp.nec.com> wrote: Hi Andrian and Doc,

This seems to have an interesting point regarding use of OAuth where many people here are familiar with.

A friend of mine showed me an interesting link. http://ericrafaloff.com/pokemon-go-and-google/ http://ericrafaloff.com/pokemon-go-and-google/

As google is using OAuth, the usual flow should show the user a consent screen. Yet this was not the case with Pokemon Go.

...
Meaning authorization servers by big companies acting on persons’ behalf. In this case Nintendo (Pokemon Go parent) and Google.

Actually, Pokemon Go was developed by a company called Niantic which was a part of Google at the time they developed Ingress (according to the link above).

Kazue Sako

________________________________________

...
On Jul 13, 2016, at 9:07 AM, Adrian Gropper javascript:;> wrote:

https://www.buzzfeed.com/josephbernstein/heres-all-the-data-pokemon-go-is-co... https://www.buzzfeed.com/josephbernstein/heres-all-the-data-pokemon-go-is-co...

Here’s the link without the tracking cruft:

https://www.buzzfeed.com/josephbernstein/heres-all-the-data-pokemon-go-is-co... https://www.buzzfeed.com/josephbernstein/heres-all-the-data-pokemon-go-is-co...

...
This may well have been a case of accidental social engineering but it makes the point that multiple random authorization servers will not scale.

Meaning authorization servers by big companies acting on persons’ behalf. In this case Nintendo (Pokemon Go parent) and Google.

...
If Pokemon wants access to my Google stuff, they need to ask my authorization server and not the one Google helpfully gave to me.

Meaning one you operate personally.

Does one exist? Do we have an example or a prototype among all our developments here? (I’m so snowed under looking at all of it that I confess to being a bit lost?in a good way.)

...
Is there any other alternative? How could Google's ever play both sides as both game developer and privacy protector?

That’s the right question. The answer has to come from our sovereign personal whatever (authorization server is a good term, but it needs to be distinguished from the same operated by giant companies playing both sides).

And the Castle Doctrine needs to apply. <http://bit.ly/3stldoc http://bit.ly/3stldoc> or <http://j.mp/cstl3 http://j.mp/cstl3>

Doc

...
Adrian

--

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/ http://patientprivacyrights.org/donate-2/

--

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/ http://patientprivacyrights.org/donate-2/ _______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org mailto:WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma

_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma

Adrian Gropper

7:08 p.m.

New subject: Pokemon teaches us why all of us will need our own Authorization Server

Doc, my bad in referring to VRM as a standard. I know it's a big tent but my point is that VRM is nothing if not about agency. So let me restate the point that Justin finds "silly" in terms of agency. I want UMA, HEART, and VRM to stand for my agency as an individual to participate in every transaction that is about me. When I agree to anything more than an anonymous Relationship with a Vendor, I want to be able to specify something I control that will be consulted every time my information is accessed in a new way. This is my interpretation of Management in VRM and Managed in UMA. For example, let's look at Do Not Track. If my relationship with a site is anonymous, then clearly there's nothing to track. If however, there's something longitudinal about my relationship then I claim that providing an email address or other pseudonym as part of "prior consent" is a weak and unsustainable definition of VRM because "prior consent" is not "management" in my book. Management is active and requires me to provide an agent capable of acting on my behalf. If the agent misbehaves and gives Pokemon Go access to all my Google account, then I need to be able to fix or replace my agent. Is there a meaningful difference between the Management in VRM and Managed in UMA? Is it silly for me to equate UMA and VRM with the ability to specify a Manager of my choice? Does it narrow the big tent too much? Adrian On Thu, Jul 14, 2016 at 5:10 PM, Doc Searls wrote:

...

How would you have the individual control what personal data is accessed and how it’s used?

I want to reframe this outside Pokemon Go, because it’s too easy to get into what the various BigCos involved could have done right or better, within their current systems — over which our personal control is entirely a grace of what they allow.

We’re trying here (in ProjectVRM anyway) to start with the individual, and her controls. How can we build outward from there?

Doc

On Jul 14, 2016, at 5:01 PM, Justin Richer wrote:

Pokemon Go’s issue wasn’t a problem with the AS, though. It was a problem of the developer asking for too many scopes — more than they needed to run the app. It’s really, really easy to overreach. And when people brought it up as an issue? The developer scaled back almost immediately.

Having my own AS wouldn’t have stopped or helped any of that and it’s silly to think otherwise.

— Justin

On Jul 14, 2016, at 4:49 PM, Adrian Gropper wrote:

Hi Kazue,

Thank you much for turning this up. It's an even stronger example of why we can't trust any authorization server we don't specify (and can change) ourselves.

Folks may remember that I recently posted about a similar experience with my Dropbox where I had no recollection of allowing Microsoft Word full access to my entire Dropbox. The mechanism that allowed that to happen may be different than Pokemon's link to Google, but that hardly matters.

Frankly, I find it amazing that the UMA group, the HEART group, and even VRM are still treating the user-specified authorization server as a "nice-to-have" MAY instead of a MUST. As far as I'm concerned, the only sustainable path for both OAuth and VRM is to build on top of a user-specified authorization server.

I have referred to this as: "There's only one Alice." Standards like UMA, HEART, and VRM that don't take this as a given are unlikely to scale or to drive competition and substitutability that make for an effective standard.

Adrian

On Thursday, July 14, 2016, Kazue Sako wrote:

...
Hi Andrian and Doc,

This seems to have an interesting point regarding use of OAuth where many people here are familiar with.

A friend of mine showed me an interesting link. http://ericrafaloff.com/pokemon-go-and-google/

As google is using OAuth, the usual flow should show the user a consent screen. Yet this was not the case with Pokemon Go.

...
Meaning authorization servers by big companies acting on persons’ behalf. In this case Nintendo (Pokemon Go parent) and Google.

Actually, Pokemon Go was developed by a company called Niantic which was a part of Google at the time they developed Ingress (according to the link above).

Kazue Sako

________________________________________

...
On Jul 13, 2016, at 9:07 AM, Adrian Gropper wrote:

https://www.buzzfeed.com/josephbernstein/heres-all-the-data-pokemon-go-is-co...

Here’s the link without the tracking cruft:

https://www.buzzfeed.com/josephbernstein/heres-all-the-data-pokemon-go-is-co...

...
This may well have been a case of accidental social engineering but it makes the point that multiple random authorization servers will not scale.

Meaning authorization servers by big companies acting on persons’ behalf. In this case Nintendo (Pokemon Go parent) and Google.

...
If Pokemon wants access to my Google stuff, they need to ask my authorization server and not the one Google helpfully gave to me.

Meaning one you operate personally.

Does one exist? Do we have an example or a prototype among all our developments here? (I’m so snowed under looking at all of it that I confess to being a bit lost?in a good way.)

...
Is there any other alternative? How could Google's ever play both sides as both game developer and privacy protector?

That’s the right question. The answer has to come from our sovereign personal whatever (authorization server is a good term, but it needs to be distinguished from the same operated by giant companies playing both sides).

And the Castle Doctrine needs to apply. http://bit.ly/3stldoc or < http://j.mp/cstl3>

Doc

...
Adrian

--

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/

--

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/

_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma

_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma

-- Adrian Gropper MD PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/

2989

Age (days ago)

2989

Last active (days ago)

List overview

Download

4 comments

3 participants

participants (3)

Adrian Gropper
Doc Searls
Justin Richer