Transforming the web into a HTTPA 'database'

Transforming the web into a HTTPA 'database'

Summary: Researchers under Tim Berners-Lee at MIT develop a new HTTP, dubbed HTTPA, a web protocol with accountability.

SHARE:

Researchers at MIT's Decentralized Information Group (DIG) are developing a new protocol they call "HTTP with Accountability,” or HTTPA, designed to fight the "inadvertent misuse" of data by people authorized to access it. 

oshani-seneviratne
Tim Berners-Lee, Oshani Seneviratne, and Lalana Kaga. Photo: Bryce Vickmark.

Believing the solution to data misuse or leakage may be more transparency rather than increased obscurity, HTTPA will automatically monitor the transmission of private data and allow the data owner to examine how it’s being used.

The traditional response of placing tighter restrictions on access could undermine useful data sharing, the researchers, under Web founder Tim Berners-Lee, say. Instead of adding restrictions, HTTPA will automatically monitor the transmission of private data and allow the data owner to examine how it’s being used.

Oshani Seneviratne, an MIT graduate student in electrical engineering and computer science, and Lalana Kagal, a principal research scientist at CSAIL, will present a paper at the IEEE’s Conference on Privacy, Security and Trust in July giving an overview of HTTPA with sample application such as an experimental health-care records system.

With HTTPA, each item of private data would be assigned its own uniform resource identifier (URI), a component of the Semantic Web that, researchers say, would convert the Web from a collection of searchable text files into a giant database.

Every time the server transmitted a piece of sensitive data, it would also send a description of the restrictions on the data’s use. And it would also log the transaction, using the URI, in a network of encrypted servers.

“It’s not that difficult to transform an existing website into an HTTPA-aware website,” Seneviratne says. “On every HTTP request, the server should say, ‘OK, here are the usage restrictions for this resource,’ and log the transaction in the network of special-purpose servers.”

Data owner can then request an audit, identifying all the people who have accessed the data, and what they’ve done with it.

Audit servers could be maintained by a grassroots network, much like the servers that host BitTorrent files or log Bitcoin transactions.

Topics: E-Commerce, Data Management, Security, Web development

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

9 comments
Log in or register to join the discussion
  • And this changes what, exactly?

    I access something. I download it to the computer (which is required for access anyway). I share the downloaded copy with someone else. Guess what? Your clever URI key thingy doesn't do jack squat! This is stupid.
    cryptikonline
    • humans are not changed by this

      >> fight the "inadvertent misuse" of data by people authorized to access it

      This is not done by new technologies only. You have to educate a user or to make security EASY for a user, which doesn’t happen.
      lymelyme
      • Re:

        I stopped caring about what exactly is done with my data long ago, because it is impossible to track. what I care of is who I give it to. That’s trust. And I also see that the authentication transactions are safe. I’m not a technical person, but it is clear to me. As part of my job I started using cryptographic device, the PassKey, to log in to multiple sites securely and the more I try the more I like it.
        skill7
        • what is passkey

          did you mean the group reservations software for hotels?Or this Passkey device here http://www.wwpass.com/resources/passkey
          lymelyme
    • I guess you don't get the actual proposal...

      What the HTTPA system is enabling is the transparent monitoring of datasharing.

      If you download information and then share it with another party and you do not disclose this sharing, both parties are liable within the HIPAA construct. That is, you can be breaking the law without your knowledge. That's the use case that they want to avoid.

      Whistleblowers, spies, etc., don't apply in this scenario.
      cosuna
  • No way to track what the person does with the data.

    There is no way the system is going to be able to track what the people do with the data. There's a million creative ways people can come up with to sidestep the data usage tracking. This type of technology will only stop honest people. On the other hand, if an honest person doesn't know that they are misusing the data then this technology could stop some misuse.
    downtoearthman
  • Editing?

    The last sentences of the second and third paragraph in this article are identical. There goes my interest in the rest of the piece!
    howell.b1@...
    • Fail.

      "The last sentences of the second and third paragraph in this article are identical."

      They're not. They finish identically, but the last clause follows a comma not a full-stop.
      Its still bad repetition, but if you're going to be punctilious, you should at least try to be correct.
      RobThaBlob
    • By design

      Ah, but that's were the magic happens in the proposed system:

      Because HTTPA will automatically monitor the transmission of private data and allow the data owner to examine how it’s being used, HTTPA will automatically monitor the transmission of private data and allow the data owner to examine how it’s being used!
      MatsSvensson