13th European Conference on eGovernment – ECEG 2013 1 | Page 159

Giuseppe Ciaccio, Antonio Pastorino and Marina Ribaudo
is expected to provide using that data item. The process of granting authorization is based on unforgeable cryptographic tokens released by a trusted authorization server with which individuals, applications, and resource managers are all registered.
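The authorization model just described (tokens released by a trusted authorization server with which individuals, applications and resource managers are registered), as an added illustration that is not part of the paper: a constructed Python sketch in which the authorization server issues an HMAC-signed token binding one application to one data item and the service it is expected to provide, and a resource manager verifies the token before releasing the item. The registry entries, the shared key and the party names are assumed sample values.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: a key shared between the authorization server and the resource managers
# it serves (constructed demo value; a real deployment would use per-resource keys or signatures).
SECRET = b"constructed-demo-key"

# Parties registered with the authorization server (constructed sample registry)
REGISTERED_USERS = {"alice"}
REGISTERED_APPS = {"energy-advisor"}
REGISTERED_RESOURCES = {"utility-co"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user, app, resource, data_item, service, ttl=3600, now=None):
    """Authorization server: bind one app to one data item and one declared service, for a limited time."""
    if user not in REGISTERED_USERS or app not in REGISTERED_APPS or resource not in REGISTERED_RESOURCES:
        raise PermissionError("unregistered party")
    now = time.time() if now is None else now
    claims = {"sub": user, "app": app, "aud": resource, "item": data_item, "svc": service, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token, resource, data_item, service, now=None):
    """Resource manager: accept only an untampered, unexpired token for exactly this resource, item and service."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return False
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):  # constant-time check of the token's integrity
        return False
    claims = json.loads(_unb64(body))
    now = time.time() if now is None else now
    return (claims["aud"] == resource and claims["item"] == data_item
            and claims["svc"] == service and claims["exp"] > now)
```

A token issued for one service cannot be reused by the same app for another purpose, and the resource manager never needs to contact the authorization server to decide.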
2. Smart disclosure stories
The Department for Business Innovation & Skills in the UK has launched the 'midata' project (www.bis.gov.uk/news/topstories/2011/Nov/midata), which aims to give consumers more control over, and access to, their personal data. The program involves various business sectors including energy, telecommunications, finance and retail. By letting customers access data about their purchasing and consumption habits, and safely add new data and feedback of their own, businesses have the opportunity to create rich, new person-centric applications, while consumers can make better consumption decisions and lifestyle choices.
The next two examples are related to the medical context. In the private sector, Microsoft has proposed HealthVault (www.microsoft.com/en-gb/healthvault/default.aspx) as "a trusted place for people to organize, store, and share health information online". According to the HealthVault website, Microsoft offers an open platform for security-enhanced data sharing amongst health services organizations and citizens. Any information entered into HealthVault can be, with the citizen's permission, re-used across many different apps and supplemented by a growing list of devices.
An interesting success story is the project known as the Blue Button (www.bluebutton.com). Developed in collaboration with the US Department of Veterans Affairs (VA), the project allows veterans to go to the VA website, click a blue button, and download their personal health records. These records can be individually examined or shared, for example with doctors or with third-party applications. The Blue Button download capability can help individuals access their information so they can manage their health care more effectively.
Another successful initiative is the Green Button project (www.greenbuttondata.org), similar to 'midata' and part of the White House's Smart Disclosure Program. Thanks to this program, consumers in the US can access and download their energy usage information provided by their utility or retail energy service provider, take advantage of online services and apps, and manage their energy consumption. From the scarce information we were able to retrieve (Wollman nd), it seems that the service leverages Apache Wink (incubator.apache.org/wink/) for exporting data in a RESTful way via the Atom Publishing Protocol (IETF 2007), plus Spring Social (www.springsource.org/spring-social) as the authorization framework for user-controlled smart disclosure. Spring Social leverages OAuth 2.0 (IETF 2012b), so the overall picture is similar to the one we provide in this paper.
Falcão-Reis and Correia (Falcão-Reis 2010) propose coupling Electronic Health Records (EHRs) with an extended version of OpenID (Recordon 2006) in an effort to implement a user-controlled system of Health Digital Identity for Portuguese citizens. They also propose leveraging OAuth 2.0 as an authorization technology for user-controlled access to EHRs, thus anticipating smart disclosure in the medical care field.
In all these examples, the recurring theme is that the wealth of personal data contained in medical records, telephone or energy usage reports, and other information sources presents a unique opportunity for software developers to build applications that can truly transform how individuals interact with their data: to stay healthy and manage their care, to save energy and therefore money, and in other words to improve several aspects of their everyday life.
3. OAuth 2.0
3.1 Goals and current status
OAuth 2.0 (OAuth Working Group 2010, IETF 2012b, Hammer-Lahav 2010) originated in 2010 from a complete redesign of the previous OAuth 1.0 specification. OAuth 2.0 is too high-level to be defined as a protocol specification. It should be considered as a blueprint of a protocol, within which many implementations are feasible, although possibly not interoperable with one another. The interest around this technology is huge: the IETF OAuth working group includes members like Google, Facebook, Microsoft, Twitter, Deutsche Telekom, and Mozilla (Hammer-Lahav 2010), and OAuth 2.0 has already been adopted by Google (Google Inc. 2012) and Facebook (Facebook 2012), just to cite a few.