Inrupt offers a standard for controlling data and identity on the web

Founded by security and web luminaries, Inrupt has commercialized the Solid Project technology to manage sensitive data in a more secure, compliant manner...if enough people buy into its vision.

interconnecting gears / process / automation / machinery / mechanism / efficiency
Anawat S. / Getty Images

The music industry occasionally puts together a supergroup assembled from the best musicians who are both looking for a second act and carrying more than a flicker of star power in their back pocket. Some like Paul McCartney even bring a knighthood to the mix. The computer industry often does the same thing, although given the way that startups bloom and die, the supercoders are sometimes looking for their fifth, twelfth or maybe even thirtieth act.

Inrupt is one of those supergroups. Sir Tim Berners-Lee assembled a team to tackle one of the gnarliest in the foundation of what used to be known simply as the World Wide Web. Berners-Lee is, after all, known first for nurturing the HTML format and HTTP protocols that begat all the fractious chaos that we think of as the internet.

The rest of the team is also impressive. Bruce Schneier, a well-known cryptographer and privacy expert, and John Bruce, former CEO and cofounder of Resilient, are just two of the big names who bring a depth of knowledge and, no doubt, the ability to recruit the best talent. All have been top contributors to the evolution of the digital world and bring a wealth of trust.

What is Inrupt?

The Inrupt vision is that data can float independently around the web in bundles called pods. Any application could request access to the pod from anywhere, saving it from storing the data locally. This alone could save developers from the expense of the disk storage while also reducing the inconsistencies that can emerge when multiple copies of records aren’t kept in tight synchrony.

Changing the model like this could significantly simplify security and compliance headaches for some companies. Not keeping a copy means not having to protect that server or database. You’ll still have to guard it during retrieval but once the computation is done, it can be thrown away along with the headaches of securing that data.

Davi Ottenheimer, vice-president of trust and digital ethics at Inrupt, says the big value proposition by going through a list of the various legal acronyms like PCI that are keeping developers jumping. “HIPAA forbids sharing patient records without consent.” he says. “CCPA and GDPR require portability of data, informed consent, and owner-based control over how data is used and shared.”

The second half of the vision is to change control of the data. Applications can request access, but the owner needs to grant it. That owner will probably be the person about whom the data was gathered. The data owners, not some big megacorp, will control their health, financial and other records and give out granular access. Data owners won’t be the insurance company or doctors or the search engine, although they would probably allow the first two into the pod with access to just the data that they might need to grok.

Inrupt sees that opening up this protocol could also shift the political geography of the internet by reducing the advantages of the big companies with their proprietary data collections, which Berners-Lee refers to as “silos.” If people can grant access to any of their personal data, then smaller companies will get the same opportunities as the big ones. Merely maintaining a data silo won’t be enough to dominate.

How the Solid technology works

Inrupt is bringing this vision to market using the Solid Project specification that Berners-Lee helped develop at MIT. At its core are data stores called “pods,” which are pretty simple. They are just bundles of files in a hierarchical collection of folders. Inrupt shares an open-source Pod Browser that explores the pods and grants or denies access to various files.

The pods themselves are stored on servers that speak the Solid protocol and serve the bits in the file in response to web service requests that will probably be encrypted. Inrupt is selling a production-grade version of the server that manages the pods and delivers the data after the appropriate authentication and authorization.

Developers who want to interact with the pods have a variety of different libraries and sample projects, mainly written in JavaScript for the Node.js community. The React components are mainly for juggling the packets that initialize a session using the OIDC protocol.

Authentication is evolving. The early versions began with Web Access Control (WAC), a distributed protocol designed to knit together users across domains. A newer version, Access Control Policies (ACP), controls the Enterprise Solid Server. Both offer granular control of the different files in the pods and allow users to control, via the API, just who can read, write or modify the data.

Solid as an “extension of the web”

The technology, in other words, follows an evolutionary path that’s been unfolding around the internet over the last few decades, often at the direction of some of the same people at Inrupt who, in former lives, worked on committees with the W3C. Inrupt, for instance, has its own RDF vocabularies that follow in the tradition defined by It’s like the early version of the web but with better security protocols. Everything builds on protocols to make integration possible and adoption easier.

“Solid can be thought of as an extension of the web.” Osmar Olivo, vice-president of product management at Inrupt, says. “The standard leverages existing web technologies and concepts.... As long as an app or platform can make an API call, it can be integrated with Solid."

Challenges to Solid adoption

A deep challenge will be what the digital music industry sometimes calls the “analog hole.” That is, once the user jumps through all the authorization hoops and gains access to the raw content, that user can cache the data. Some people may use their phone cameras to record what’s playing on the TV.  

It’s not just the movies. Some banks, for instance, store copies of the credit scores of the customers each time they fetch one from the credit bureaus—not for any particular reason, just in case. Once they have a copy, they don’t need to ask again.

There’s no practical way for Inrupt to deploy algorithms to stop any API user from keeping a cache of the answer to queries. Silos may still flourish, even inadvertently, if dominant companies store copies. The only solution is legal and relying on the law has a mixed track record.

While some may cheat, others may welcome the opportunity to put data at arm’s length in a Solid server. Banking and credit card companies have been explicitly prohibiting others from storing copies of credit card security codes. They understand that cutting back on the proliferation of copies cuts risks. That’s why you have to retype those three-digit values so often. Offloading storage to a Solid server would make it easier to avoid issues about encrypting data at rest or caching a CSC (card security code).

The deeper questions revolve around the business and the packaging. Inrupt is targeting larger enterprises and selling a marquis product, the Enterprise Solid Server, that bundles all these protocols for manipulating pods with enhanced monitoring and integrated security. A company can start embracing the vision by installing one.

Is a major enterprise the right target? If the goal is to put control back into the hands of the people, the people need to seize this power. Traditionally, grabbing the sword from the stone requires a hero’s will and quite a bit of energy. How many people have that? On the internet, that translates into running a server and lately everyone—including the cloud-loving DevOps teams—has been offloading this burden onto a service provider.

Will people fight the concentration of data by running their own servers? Or will they just pay some pod-as-a-service provider? Or will they be suckered in by free services from companies that will run the pods but fund them with ads or perhaps even more covert monetization schemes?

Does ending up with pod-as-a-service providers bring us back to where we are now? Not exactly. Service-provider clouds might be functionally similar, a bunch of data centers filled with machines answering HTTP requests, but merely granting people control over their data is a big shift. They can shut off access. They can have root control over their pods.

Inrupt competitors

The greatest challenges for Inrupt may be competition. There has never been more interest in what might be politely called “digital coyness.” Thousands of exciting papers, hundreds of cool open-source repositories, and dozens of intriguing startups are all devoted to the idea that our personal data has better places to live than the silos of the powerful.

The Interplanetary File System is now supported by many of the major browsers now that Brave joined the coalition. It also spreads out data while adding defenses against deleted files and disconnections. Filecoin, a cryptocurrency for paying for distributed storage, is supposedly supporting a network with more than 2.5 petabytes of distributed storage. 

Tools for homomorphic encryption may not be perfect or as efficient as desirable, but it’s becoming more possible to execute a query that computes a correct answer without decrypting or downloading any data. IBM is just one major company sharing code.

Sophisticated tools for tackling the problem are appearing in surprising places. Many of the digital currencies like Ethereum are operating distributed data stores that also enforce digital contracts. They’re not just bags of bits. Some users are taking advantage of the infrastructure by storing information on the blockchain while insisting upon contractual provisions that will be enforced by the network. dWeb is just one example of how the traditional web pages can be mixed with digital currencies.

The rise of the microservices architecture has also led to the creation of many tools for knitting together disparate data sources. This makes it simpler for anyone to integrate the Inrupt vision while also making it a bit less necessary. Google Maps, for instance, maintains a central data store for addresses and the businesses that might live there. They also try to update the information and track things like the closing times. When other companies pay for the Maps API, they’re getting access to this pod-like service.

Other echoes can be heard all over the web. Amazon’s Web Services, for instance, has more than a dozen different services that store data in buckets, execute predicates, and merge data from all over the web. AppSync, for instance, creates a single GraphQL interface for multiple distributed backend data stores.

Olivo says that the company is not standing still and to “keep an eye out for ... client-side encryption, advanced query and search, verifiable credentials, additional platform support, and more.” In other words, they’ll be increasing the sophistication of the mathematical foundation.

All this means that Inrupt faces the same challenges as any of the musical supergroups. Even impressive talent can’t coast on inertia. If anything, talent needs to work a bit harder. The vision is a good one—so good that many are already rushing to implement it.

Copyright © 2021 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)