Inrupt’s Solid Announcement

Earlier this year, I announced that I had joined Inrupt, the company commercializing Tim Berners-Lee’s Solid specification:

The idea behind Solid is both simple and extraordinarily powerful. Your data lives in a pod that is controlled by you. Data generated by your things — your computer, your phone, your IoT whatever — is written to your pod. You authorize granular access to that pod to whoever you want for whatever reason you want. Your data is no longer in a bazillion places on the Internet, controlled by you-have-no-idea-who. It’s yours. If you want your insurance company to have access to your fitness data, you grant it through your pod. If you want your friends to have access to your vacation photos, you grant it through your pod. If you want your thermostat to share data with your air conditioner, you give both of them access through your pod.

This week, Inrupt announced the availability of the commercial-grade Enterprise Solid Server, along with a small but impressive list of initial customers of the product and the specification (like the UK National Health Service). This is a significant step forward to realizing Tim’s vision:

The technologies we’re releasing today are a component of a much-needed course correction for the web. It’s exciting to see organizations using Solid to improve the lives of everyday people — through better healthcare, more efficient government services and much more.

These first major deployments of the technology will kick off the network effect necessary to ensure the benefits of Solid will be appreciated on a massive scale. Once users have a Solid Pod, the data there can be extended, linked, and repurposed in valuable new ways. And Solid’s growing community of developers can be rest assured that their apps will benefit from the widespread adoption of reliable Solid Pods, already populated with valuable data that users are empowered to share.

A few news articles. Slashdot thread.

Posted on November 13, 2020 at 2:17 PM28 Comments

Comments

David Rudling November 13, 2020 2:32 PM

It seems to me that a “pod” is a sort of personal cloud to which you entrust ALL your data. As such it becomes a single point of failure in security terms. Hack someone’s pod and you get absolutely everything. I would need to be convinced that security of the pod exceeded anything hitherto available to be willing to entrust everything to it.

Albert ARIBAUD November 13, 2020 2:35 PM

One thing I don’t get is, if I let some third party get data from me once, whar control do I have left on that data once it is out in their hands? I cannot take it back ever, can I?

Ross Snider November 13, 2020 3:00 PM

I would be curious to have Inrupt provide some reasoning about launching for enterprise first (or frankly at all)? At first glance this seems to be at odds with how the pod is described and the vision. Is there an equivalent use case for enterprise pods to protect trade secrets? Unless I’m missing something?

This brings up a question about what “control” actually means. Is a pod only “controlled” by you but not “owned” by you? In which case, how long would something like this last before legal compulsion, marketing value proposition, debugging needs, physical pod access, etc create business incentives for the companies who “own” the pod to also control and have some limited ownership of the data?

And if the model is managed pods by hosting companies – how exactly would this be different from managed data service providers like Google Photos, Picasa, Dropbox, OneDrive, Sharefile, …

Peter Green November 13, 2020 3:17 PM

Sad to see the inrupt website hosted in the U.S. and pulls in 9 javascripts, plus uses google tag manager and analytics…

Mmm, keeping your data in your own pod starts with showing you care about your visitors privacy to my mind.

Header image at 14.5MB! Who built the site?

No thanks, these aren’t good signs.

Timothy Collett November 13, 2020 3:22 PM

I’m unclear on how this is supposed to prevent companies independently gathering personal information on you and storing it outside your “pod” (y’know, the way they do constantly now) unless there’s extremely strong new legislation mandating it…

vas pup November 13, 2020 3:43 PM

@Ross Snider • November 13, 2020 3:00 PM
said:’This brings up a question about what “control” actually means.
==>Is a pod only “controlled” by you but not “owned” by you? In which case, how long would something like this last before legal compulsion,…”

I have the same question and appreciate clarification. Thank you, Bruce!

Kurt Seifried November 13, 2020 4:16 PM

Is the pod an actual physical thing that resides on my premises fully under my control or is it a cloud service blob hosted by the company? It appears to be hosted by the company Inrupt, is this correct? If so how do warrants/etc. get handled? Is the data encrypted so that only I can access it and grant access, or can the provider ultimately view my data as well and serve it if given a valid warrant?

PattiM November 13, 2020 4:52 PM

Hmmm… I wonder about this. There have been so many “secure” things come and go since the 1970’s. How could anyone scrub the internet at this point? A few powerful entities control virtually the entire internet now. It seems a little like saying, “We’ll clean up (say) Oregon, and build there, and that will make the planet [better, cleaner, more secure, whatever…]…”

xcv November 13, 2020 5:10 PM

The company’s gunning for an IPO, and the rest of us are not having good luck at the securities markets, either.

Your request (Reference Number: ###########) to transfer $### from Cash NQ-#### to Ally-#### was successfully submitted for processing on 03/16/2020 at XX:XX ET.

Based on the balances in your brokerage account at the time that your pending transfer is processed, the funds may or may not be available for investment immediately. Learn more about funds availability by entering funds availability in the search box.

If you have questions about this transfer, please contact a Financial Services Representative at 1-800-ETRADE-1 (1-800-387-2331) or send us a Secure Message via Customer Service online.

(c) 2020 ETRADE Securities LLC, Member FINRA (http://www.finra.org) /SIPC (http://www.sipc.org). All rights reserved. The information contained in this Smart Alert does not constitute a recommendation by ETRADE Securities, and is subject to the Smart Alerts Terms and Conditions (https://us.etrade.com/e/t/estation/help?id=1209038000) and the E*TRADE Securities Customer Agreement (https://us.etrade.com/e/t/estation/help?id=1209031000). We cannot respond to e-mails sent to this mailbox. If you have questions, please contact us through Customer Service (https://us.etrade.com/e/t/accounts/servicecenterhome).

Where are these people running off with their customers’ and shareholders’ money anyways? Is Wall Street a total scam or what?

Impossibly Stupid November 13, 2020 6:45 PM

@Albert ARIBAUD

The Solid spec doesn’t seem to cover that (based on a quick scan rather than a full audit, I admit), but there are various methods that could be put to use:

Back when the original iPod came out, I had similar ideas of my own to extend it to serve as this kind of true “pod” device to hold all kinds of personal information beyond music. These days, smart phones could essentially fill the same role.

The problem will always be that anything valuable enough is going to be continually attacked until it can be pulled out of whatever “secure enclave” normally protects it. Sometimes the best you can hope for is the ability to digitally sign some piece of data you release into the world, so that your sharing of it can be validated. I even do that sort of thing myself for published blog comments like this one.

Etienne November 13, 2020 9:16 PM

I logged-in, gave myself an account, and it reminded me of the old computer dial-up screens. Maybe AOL like my brother had.

The delete email address threw me for a loop. A little red – sign, click on it, an x shows up and the words “delete” so I click on the x and nothing.

Oh! click on the delete.

So much white space!

Curious November 14, 2020 2:33 AM

“Your data lives in a pod that is controlled by you.”

If anything, this seems like the first thing that would have to be checked. This already seems like too-good-to-be-true.

Imagine if someone said the same about your operating system, nobody would believe it I am sure. I can goof around with my operating system on my computer, but I have ZERO faith in my actually having real control over it.

Also, I can’t help but wonder, that anything that becomes uniquely personal, is bringing people closer to some chip-in-a-brain kind of future, I don’t like that.

Cassandra November 14, 2020 9:59 AM

I think the idea is worthwhile, and I believe we need to explore other choices like this one, that have the potential to improve control over one’s personal information. It would be astonishing if the first implementation of a new idea got everything perfectly right first time, so I’m not going to rush to judgement.

There is an idea/meme/mantra that ‘data wants to be free’, and ignoring the anthropomorphism, it does illustrate that enforcing boundaries on data sharing is a hard problem. The media industries have spent a lot of time and trouble implementing DRM, to prevent people sharing certain kinds of data, and I understand it is not entirely successful. DRM is there to prevent people taking unauthorized copies of data; which is precisely what individuals want to do with their own personal data.

A system that successfully controls access to personal data could be used to control access to an mp3, or a video. Viewed in this light, I think the problem is less technological than legal: laws that made data sharing without consent illegal, with credible and real sanctions for doing so would have a greater effect. The history of DRM shows technological approaches are fraught with difficulty.

Nonetheless, I applaud the effort to think differently, and wish for more of it.

Cassie

JonKnowsNothing November 14, 2020 11:01 AM

@All

re: commercial-grade Enterprise Solid Server

So… rhetorical question…

  * Am I supposed to buy an ENTERPRISE SIZE SERVER???

Hardly…

Unfortunately like many startups and grand ideas I’ve had to deal with in my career, this is like most of them

  * You want the Big Dogs and the Big Money

The problem and solution is not there…

The solution is at the bottom of the heap with the little folks. They don’t need a Big Enterprise Server to save their data from exploit. They need a own-controlled-data-filter-stripper to starve the the system.

But that’s not profitable enough. Selling a $10 device to 5Billion people or even 350,000 people (pop of USA) doesn’t make the cut.

Still perhaps Google will buy one. They are harvesting 260MB of data per month off their Android phones using a person’s Cellular Data Plan. Much easier to buy an Enterprise Level Solid Pod Server to get it direct.

Color Me Skeptical but Hopeful.

ht tps://www.theregister.com/2020/11/14/google_android_data_allowance/

Why do Android phones mysteriously exchange 260MB a month with Google via cellular data when they’re not even in use?

(url fractured to prevent autorun)

Jeff November 15, 2020 6:22 AM

What David Rudling said is accurate, in fact I wouldn’t use it at all, I don’t think it can be secured.

Rj November 15, 2020 7:56 AM

The “little guy” has little knowledge how to install, secure, or even operate most computer and networking equipment. They just want their facebook, netflix, games, news, etc. so they can be like all their friends. I have a nephew who loves video games. If something isn’t working the way he thinks it should, he calls me and says “uncle, fix it!” When I suggest that he hang around and learn how to do it himself, he runs outside and plays basket ball. He has no interest in how it works, just as long as it does work. Because way too many people are like this, we have the mess we see today.

Frank Wilhoit November 15, 2020 8:45 AM

“…If you want your insurance company to have access to your fitness data, you grant it through your pod….”

First of all, thanks for choosing such a crisply absurd example to start with.

So now your insurance company has A COPY OF your data. And while they were the ones who asked for it, they are not the ones who are curious about it. No, that is their new business partner, some kind of three-person garage shop who sold them on some kind of vaporware “analytics”. So now they get A COPY OF your data. And who knows where they found the cheapest hosting; and who knows what else they outsource, or to whom; and who knows what is in their contracts with their investors — do I need to go on?

Easton November 15, 2020 11:10 AM

I understand the concept, but the current implementations seem to have authorization scopes so broad that most users would run away. For example:

Authorize https://noeldemartin.github.io to access your Pod?
Solid allows you to precisely choose what other people and apps can read and write in a Pod. This version of the authorization user interface (node-solid-server V5.1) only supports the toggle of global access permissions to all of the data in your Pod.

If you don’t want to set these permissions at a global level, uncheck all of the boxes below, then click authorize. This will add the application origin to your authorization list, without granting it permission to any of your data yet. You will then need to manage those permissions yourself by setting them explicitly in the places you want this application to access.

By clicking Authorize, any app from https://noeldemartin.github.io will be able to:

[*] Read all documents in the Pod
[*] Add data to existing documents, and create new documents
[*] Modify and delete data in existing documents, and delete documents
[ ] Give other people and apps access to the Pod, or revoke their (and your) access

This server (node-solid-server V5.1) only implements a limited subset of OpenID Connect, and doesn’t yet support token issuance for applications. OIDC Token Issuance and fine-grained management through this authorization user interface is currently in the development backlog for node-solid-server

And if you opt not the grant global permissions, the application just doesn’t work. It seems the road to usable implementations in a long on.

DangerMouse November 15, 2020 9:55 PM

All my data from all IOTs and phones and computers written to one convenient location for Law Enforcement, Courts, and anyone suing me to access with nothing but a decision by any judge. Extremely Insecure.

And it will turn out just like the Windows 10 feature of constantly asking for authorization, or Apps asking for permission to access various types of data, you automatically say OK or you turn off the function that asks for permission. There’s no security in a pod will ALL your data from throughout your day in great detail. That’s a security nightmare.

RK November 16, 2020 11:06 AM

Always remember that Berners-Lee not only gave the world HTTP and HTML, he also thinks that your browser should include DRM. Not exactly a paragon of users being in control.

Let’s pick a few choice quotes from the “Solid specification”, particularly their FAQ:

Are Solid users expected to setup their own servers and self-host?
No. Self-hosting means that your data would sit at home on your own physical hard drive or server. Self-hosting is possible but not essential when using Solid […]

So, “providers” strongly encouraged, eh?

When I want to leave a Pod provider, can I take my data with me?
Yes, unless the Pod provider doesn’t allow you to. […]

ROFL

When using Solid, how is data stored?
It depends on the Pod Provider. From a user point of view, how the data is stored is not as important as how it is accessed and controlled.

So, trusting the provider all the way, hm? Not even mentioning any kind of client-side encryption to ensure the provider does not get access. check.

Does Solid mean we won’t need so many passwords?
Yes. When you use Solid, you only need to login to your Identity Provider. […]

facepalm

Is data in my Pod safe? Is the Pod encrypted while it is stored on a provider’s system?
It depends on the Pod Provider. Pod providers can be Solid compliant without encrypting the data stored […]

Hey, at least they’re transparent about it.

If all my data is in one place, does it not become a vulnerable target for hackers?
All of your data will not necessarily be in one place, since you can store pieces of data across several Pods. When it comes to malicious cyber attacks, an attack on a single source of many people’s data is generally more likely than on an individual level.

No shit, those providers look mighty juicy to me.

Can Solid prevent 3rd parties from replicating data they have legitimate access to ?
No. […]

So, how is the user “in control” again?

I’ve not bothered to read the actual spec, their FAQs seem honest enough…

Bruce, you are peddling snake oil and I don’t like the smell of that.

KJN November 16, 2020 6:47 PM

There is a security/privacy issue for which the pod appears to be a worse solution than a data silo such as Facebook.

It concerns the privacy of the individual consumers of your data. When you post something on Facebook, you cannot tell who has read it, except those who leave a comment or a “reaction” (a “like”, etc).

If you control your pod, and therefore the authentication for each data access, then you can find out who has accessed your data – and who has not. You discover that your funny pictures of your cat, your children’s glorious wedding photos, and your acute political observations are read by – nobody. You may also discover that an old friend from High School has an unhealthy level of interest in your swimsuit photos.

There is no escape from this issue if your pod is provided by a third party. Commercial providers of pods will compete on features, and this will make it hard for them not to offer everything of which the technology is capable.

RK November 17, 2020 12:54 AM

@KJN:

If you control your pod, and therefore the authentication for each data access, then you can find out who has accessed your data – and who has not

Only that this statement is patently false after the very first access. Because that access can be used to store a copy of the data which can then be distributed and used however the accessing party likes.

Pods provide a convenient way to keep different “social media”, etc. systems up to date, by providing a central repository to pull from. Security- and Privacy-wise they are a dumb and dangerous idea.

Jerel Crosland November 18, 2020 8:50 PM

Reading this just makes me sad. Either I’ve lost my security mojo or Bruce has. Either way makes me sad. I’ve read all of the comments, and not a single one says, “Hey! Great idea!” so I’m leaning towards thinking I’m not crazy.
There are so many holes in the idea of this being a “good idea” that I don’t even know where to start. Thankfully everyone posting before me has done a pretty good job. Here are a couple of key points.
1) Once granted access there is nothing preventing retention and unauthorized reuse of the retrieved information.
2) The “pods” have to be hosted somewhere that is not under my full control.
3) Reading the “Security Considerations” of the Solid spec are terrifying. There are a LOT of “…MUST…” and “…MUST NOT…” statements, but the whole thing starts off with “Some of the normative references with this specification point to documents with a Living Standard or Draft status, meaning their contents can still change over time. It is advised to monitor these documents, as such changes might have security implications.”
4) What is the impetus for companies to pay for this service? I’m assuming it’s not free. Why should they bother with all this when everyone is simply willing to “Login with your Facebook Account for 50 free coins!”?

Sad. Just… sad.

TRX November 21, 2020 3:45 PM

Sooo… what they’re selling is just an interface to ordinary OS filesystem permissions, applied to cloud storage? Dropbox with granular access? And I assume some kind of user-end GUI to make it easier?

So the user still has to know what his files are and where to put them, and manage file access. Corporate users have this done for them already, and grandma and Uncle Fred aren’t sure what files are or where they live anyway.

Any salesman that came to my office pitching that, I’d be reaching for the flyswatter.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.