Decentralized Internet and Privacy

Decentralizing OAuth2.0 in a post-GDPR world for full privacy and portability

Automating, API-fying and Tokenizing GDPR for privacy and portability with open source software
UA2.220 (Guillissen)
Mehdi Medjaoui
Users want their data back and the ability to transfer it the way they want, to the platform they want. This is the user's freedom in a digital world. Today, because of the design of current authorization protocols and frameworks like OAuth2.0, power is concentrated in the identity providers, who decide which applications they allow to access their API, and the user has no say in it. New regulations like GDPR have appeared to enforce this freedom for users by law, but there is not yet tooling for developers to make GDPR data ownership and GDPR data portability happen, useful for users to avoid this. To really decentralize data permissions from platforms' control, put users in control of their privacy and make companies GDPR compliant, you now need to update the OAuth2.0 dance into a stateless flow and tokenize the GDPR authorization and agreements to make them programmable for developers.

In this talk, Mehdi will explain how you can use open source technologies to automate GDPR requests for your users, build APIs on top of GDPR takeouts, export GDPR user 3rd-party data in your system and tokenize your GDPR agreements to make them programmable for compliance using open source technologies.
Making GDPR programmable and adding decentralization of data portability to OAuth2.0

In the classic OAuth 2.0 flows, the authorization server and the resource server are behind the same firewall, giving the Identity Provider (e.g. Facebook, Amazon, Google etc.) full power and control over sharing capabilities. The Identity Provider decides what can be shared with whom via its API, and the user is limited to exporting the data the Identity Provider allows.

Because of new regulations about data portability (GDPR in Europe and CCPA in California), every user is now able to ask for a full export of their data, to be stored anywhere, breaking the Identity Provider's monopoly and control. In that context, users can now fully own a copy of their data and share it with whom they want. They can theoretically become independent from previous Identity Providers, either by becoming their own Identity Provider if they are able to install a server to do so themselves, or by choosing the Identity Provider that delivers the most value for them in managing their personal data and permissions. As we have seen with Bitcoin, a large majority of users will still want to delegate authorizations to a trusted 3rd party to manage permissions, as they do today with banks for their money, or with wallet managers for their Bitcoins/cryptocurrencies. In the Alias protocol ecosystem, users decide where their data is stored (on the server of their choice) and choose the Alias authorization server that will manage their permissions.

Introducing Alias protocol

Alias is a protocol enabling decentralized data export authorizations. When implemented, Alias enables users to share the data they want, with whom they want, without limitations from any centralized Identity Provider, and with fine-grained control.
Technically, Alias is a decentralized protocol based on OAuth 2.0, where each user, identified by a cryptographic alias, can let third parties ("clients") access their data stored on servers ("resource servers"). Access to the data is controlled by an authorization server that manages permissions and scopes. The main innovation of Alias is that the resource server and the authorization server do not need to be behind the same firewall, so users can decide freely, and in full control, who stores their data and who manages permissions, in a decentralized way.
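
The separation described above, where a resource server honours permissions from an authorization server it shares no network or secret with, can be sketched with a signed, self-contained token. This is an added example, not code from the Alias project. The Ed25519 signature, the token layout, the claim names, the host names and the alias modelled as a hash of the user's public key are all assumptions.

```javascript
// Added illustration: token layout and claim names are assumptions, not the Alias wire format.
const crypto = require('crypto');
const b64u = (x) => Buffer.from(x).toString('base64url');
const unb64u = (s) => Buffer.from(s, 'base64url');

// Authorization server key pair; only the public half is given to resource servers.
const authz = crypto.generateKeyPairSync('ed25519');
// The user's "cryptographic alias" is modelled here as a hash of the user's public key.
const user = crypto.generateKeyPairSync('ed25519');
const alias = crypto.createHash('sha256')
  .update(user.publicKey.export({ type: 'spki', format: 'der' })).digest('hex');

// Authorization server: issue a self-contained token (payload + Ed25519 signature).
function issueToken(claims, privateKey) {
  const payload = b64u(JSON.stringify(claims));
  return `${payload}.${b64u(crypto.sign(null, Buffer.from(payload), privateKey))}`;
}

// Resource server: no session store and no shared secret, only the authorization
// server's public key. Claims are parsed only after the signature checks out.
function verifyToken(token, publicKey, { audience, scope, now }) {
  const [payload, sig, extra] = token.split('.');
  if (!payload || !sig || extra !== undefined) return { ok: false, reason: 'malformed' };
  if (!crypto.verify(null, Buffer.from(payload), publicKey, unb64u(sig)))
    return { ok: false, reason: 'bad signature' };
  const claims = JSON.parse(unb64u(payload).toString());
  if (claims.aud !== audience) return { ok: false, reason: 'wrong audience' };
  if (claims.exp <= now) return { ok: false, reason: 'expired' };
  if (!claims.scope.includes(scope)) return { ok: false, reason: 'scope not granted' };
  return { ok: true, alias: claims.sub, client: claims.client };
}

// Constructed sample: host names, scopes and the clock value are placeholders.
const now = 1580601600;
const token = issueToken({ sub: alias, client: 'client.example',
  aud: 'https://storage.example', scope: ['photos:read'], exp: now + 300 }, authz.privateKey);
function demo() {
  const at = { audience: 'https://storage.example', now };
  const [payload, sig] = token.split('.');
  // Widen the scope in the payload but keep the old signature.
  const widened = { ...JSON.parse(unb64u(payload).toString()), scope: ['photos:write'] };
  const forged = `${b64u(JSON.stringify(widened))}.${sig}`;
  return {
    granted: verifyToken(token, authz.publicKey, { ...at, scope: 'photos:read' }),
    notGranted: verifyToken(token, authz.publicKey, { ...at, scope: 'photos:write' }),
    forged: verifyToken(forged, authz.publicKey, { ...at, scope: 'photos:write' }),
    expired: verifyToken(token, authz.publicKey, { ...at, now: now + 301, scope: 'photos:read' }),
  };
}
console.log(demo());
```

Because the token names its audience, a resource server at a different address rejects it even though the signature is valid, which matters once many independent resource servers trust the same authorization server.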

Additional information

Type devroom

More sessions

2/2/20
Decentralized Internet and Privacy
Tim Dittler
UA2.220 (Guillissen)
Today, hard disk encryption only protects users' data when their machine is shut down. "Close lid to encrypt" aims to extend this protection to suspend mode as well.
2/2/20
Decentralized Internet and Privacy
Eyal Ron
UA2.220 (Guillissen)
Almonit is a project for decentralized websites and web services. Decentralized websites and web services are an alternative to the way the web functions today. They combine decentralized storage (like IPFS), decentralized name services (like ENS) and P2P networks in order to replace the server-based model of the web. This lecture describes the Almonit project, its architecture, the technical details of the technology and the ecosphere in which it is created. Come discover the state-of-the-art ...
2/2/20
Decentralized Internet and Privacy
Marcin Czenko
UA2.220 (Guillissen)
Society is becoming increasingly aware of the importance of protecting digital information and it is becoming clear that the current centralized model has come to an end. The future of the Internet is distributed. Unsupervised, unmoderated access, affordable storage, data-replication, and security and privacy built-in are the most important aspects of the Internet of the future. Unfortunately, a global, reliable, decentralized network cannot be built without actual physical nodes, as the ...
2/2/20
Decentralized Internet and Privacy
Friedger Müffke
UA2.220 (Guillissen)
Inspired by the concept of sharing data between apps on Android devices through Content Providers, this talk explains how this can be achieved on the Web today using decentralized identity and storage (identity hubs). This talk has been accepted late to replace "Decentralized object storage An open source decentralized object storage" by Ivan Fraixedes. Due to health issues Ivan's talk had to be cancelled. We wish him a speedy recovery.
2/2/20
Decentralized Internet and Privacy
Brett Sheffield
UA2.220 (Guillissen)
Written in 2001, RFC 3170 states: "IP Multicast will play a prominent role on the Internet in the coming years. It is a requirement, not an option, if the Internet is going to scale. Multicast allows application developers to add more functionality without significantly impacting the network." Nearly two decades later, multicast is still largely ignored and misunderstood. This talk explains why multicast is the missing piece in the decentralization puzzle, how multicast can help the Internet ...
2/2/20
Decentralized Internet and Privacy
Mateusz Kowalski
UA2.220 (Guillissen)
Please note this is a lightning-fast version of our full talk taking place on Saturday at 18:00 in the Main Track. Do you know where your internet traffic flows? Does it go through China even if you don't want it to? SCION is a new internet architecture aimed at solving this problem. We will show how you can easily join the already existing worldwide network.
2/2/20
Decentralized Internet and Privacy
Esther Payne
UA2.220 (Guillissen)
In 1996 Brian E. Carpenter of IAB and Fred Baker of IETF wrote a co-statement on cryptographic technology and the internet. This RFC wasn't a request for a technical standard; it was a statement on their concerns about governments trying to restrict or interfere with cryptography. They felt that there was a need to offer "All Internet Users an adequate degree of privacy". Since that time successive governments around the world have sought to build back doors into encrypted apps and services to ...