Federating the Next Generation: Day 2 Session 2

Posted 3 months, 2 weeks ago at 12:07 pm. 0 comments

Looking at Privacy and Consent Management in the second parallel session.  From an SP's perspective first, Fiona Culloch from Edina.

“A Catastrophic Success at keeping personal information private”

Most IDPs only give a small set of very opaque attributes to SPs.  The vision for federation was as a route for passing all sorts of attributes between different providers.  Technically this is possible.  In policy terms personal data has stayed on the old road.  The IDPs never get asked; the SPs think it’s too hard so nothing happens!!

From a federation perspective, technical architects and legal tend to think that too much will be given/demanded.  There are few if any IDP/SP voices in the conversation.  It’s hard to engage with them all – there are too many entities, so the traditional answer is to go via representative forums.

SP forums could broker requirements.  SPs know what attributes they want to know.  These are vertical forums, so they divorce applications from infrastructure and could cross national boundaries.

IDP forums could determine feasibility and implement.  This had to be invented for Eduserv, who is kind of a meta-IDP.  It would be useful to broaden that out.

Joint forums would allow bottom-up progress: experiment, agree, pilot, deploy, scale rather than just sit around theorising (although as pointed out the downside of this is it means work!!)

How to release data whilst staying DPA compliant?

Technical fix is user consent at run time.

  • Adds complexity to user interface
  • IDP must still create a default Attribute Release Policy (ARP) and face quasi-legal questions
  • SPs must handle revocation

DPA does allow release of data if necessary for the purpose it was collected for.  Consent is not the only possible way or even the best way.  If you are going to do this it’s a good idea to have a Data Processor Agreement between the IDP and SP.  Most IDPs and SPs have a legal relationship in any case – via licenses, so add some DPA clauses to it.  You have agreement and the IDP is covered against misbehaviour by the SP.

Is there an opportunity to put DPA terms into the JISC model license??
Can JISC Collections define recommended ARPs for each SP or banding of SPs?  Only realistic if the IDP forum existed.

In Computing Regulations we could add DPA “Purposes” to serve as user notification of fair processing.  In practice vague is good.  [What about exceptions and exemptions though.  How would we record if a user didn’t want to agree to any or all of the DPA purposes in the regulations.  This is the click through consent management problem magnified to the institutional level.  If we are concerned about run time consent click through then should we not be concerned about policy click through?]

Seems there are a lot of IDPs in the room interested in participating in such a forum.

Now Robin Wilton Director of Future Identity Ltd and Director of Privacy and Public Policy at Liberty Alliance is going to provide further thoughts on privacy and consent.

Who is Evan Ratliff??  No googling….

Liberty Alliance conceptual model of identity and privacy – the ‘onion model’ (this makes me think of my housemate and Shrek – layers donkey!!)
  • Basic Identifier Set (BIS) at the core provides proof of uniqueness
  • Next layer is other Personally Identifying Information (PII) e.g. Address
  • The next ring is attributes.  Example is blood type – a person only has one but it by no means uniquely identifies them.

Credentials encapsulate data from multiple layers.  Credentials are not privacy neutral as they tend to reveal more than just the attribute required for a claim and they tend to make transactions ‘linkable’.

Privacy enhancing systems should (must) be better at attribute level disclosure or better still yes/no answers to attribute related questions – “the Psychic ID”

“Privacy is about disclosure not secrecy”.  A ‘segment’ of the onion may correspond to a particular segment or contextual use.  Privacy concerns arise when attributes appear out of context.  Privacy may be described as about contextual integrity.
  • Privacy is not a state but a relationship
  • These relationships are contractual
  • It is highly asymmetric and involves conflicting interests and motivations
  • It is highly contextual – and context changes.
  • We have social relationships and networked relationships but these are not the same.

What are the implications for consent?

If we aren’t talking about the same things what are we talking about?  We are only gradually developing a shared vocabulary for digital identity, trust and online privacy.  EnCoRe Project (LSE and HP) is looking at Ensuring Consent and Revocation.
  • When we give consent do we understand what we are consenting to?
  • What means do we have for enforcing consent?
  • What means do we have for withdrawing it?
  • How can we make our conditions of disclosure stick to those attributes, particularly beyond first disclosure?

Evan Ratliff decided to see how long he could drop off the grid for … 27 days.  He was hunted by online groups then subsequently protected by online groups.  Interesting experiment from Wired.

JISC Federating the Next Generation: Day 2 Session 1

Posted 3 months, 2 weeks ago at 10:48 am. 0 comments

Federation enhancements and policy development first thing this morning for the survivors of games night last night. 

Federation Membership
Federation has been in operation 3 years, is funded by JISC and Becta, has 765 members, 971 entities (596 IDPs, 378 SPs and 3 both) and serves schools, FE, HE and research.  100% of HE are members, 74% in FE, 57% of English schools, 0% of schools in Wales but 100% of schools in NI and Scotland. 20% of total federation members have signed up to the rules but haven’t registered an entity so are classed as inactive.

Service Enhancements
Roadmap is reviewed twice per year to give the community a heads up on what’s going on.

1. WAYF Review

  • Independent review of the WAYF login process
  • Conducting usability tests to assess usability in the context of the user journey
  • Aim is to improve usability and accessibility for all users.
  • Prioritised recommendations for next steps by July 2010
  • Passed onto Rhys Smith to link into the JISC Publisher Interface Study and to Shib developers working on SP discovery.
2. Portal Best Practice
  • WAYF is a backstop but encouraging IDPs to deploy a portal so that users have a consistent method to login and access resources.
  • Expert team will consider technologies and definitions of portal to provide a best practice guide for the deployment of discovery services.
  • Possibly also publish brandable codebase.
  • Recommendations published by April 2010
(Do users even like the portal discovery route?? Am not convinced telling users to always start from a certain point is how they actually work).

3. Metadata Scaling
  • Centralised metadata does not scale.  The size of the UK Federation makes this a growing issue.
4. Statistics Gathering
  • Federation needs to justify its existence!  So…
  • Allow IdPs to visualise how the service is used.
  • Anonymous central database of usage statistics.
5. Satisfaction Survey
  • Canvass opinion
  • Create a benchmark of customer satisfaction
  • Has the federation met its objectives?
  • Highlight areas for improvements.
Inter-Federation

Draft clauses have been agreed for this.  Looking for use cases to roadtest these policies.  Paper going to UK Policy Board.

Eligibility

Interest from NHS, Government, Libraries, Museums etc in joining the Federation.  Trial memberships are approved by JISC and Becta on a case by case basis on the understanding that future charges will apply.  Need to agree and establish policy and come up with a fair pricing model for these other sectors.

Owen is questioning the portal over WAYF approach.  The answer is there is no answer to the discovery problem.  Ok that rather pessimistic sweeping statement has been qualified to say there is no single answer to the discovery problem and this is being tackled on four fronts and that ideally discovery will be solved closer to the SP end than the IDP end.  Mark also points out that the portal study came from schools and for younger learners the portal approach is a good way to direct them to resources.  Scope of federation users is incredibly broad from school children to professional researchers.

Changing my mind now and going to the Access and Identity Management Programme session.  Thought this would be entirely the same as the Birmingham briefing day but Chris gave me heads up last night that there is a bit of new information on what they got for the 08/09 call and some information on a second call coming out in January 2010 which might be of interest.  I gave Chris some feedback last night mainly about the timing of the last call.  The second call might be better timing for us than the previous call.

The first part of this session covers the ground from the briefing event so isn’t much new.  Interesting discussion on user-centric identity as a key theme of the previous call.  Lack of evidence that users are bringing their own identity like OpenID and demanding to use it.  Nate pointed out that in his keynote later he will point to evidence of use of Facebook and Twitter IDs but he questioned whether this was user-centric as per the original vision.  It is an identity source that exists beyond the user’s relationship with the institution but is it genuinely user-centric?  Nate asked if there was anything happening on consent – Chris said there were no bids for that.

So the themes of the original call were:
  • user centricity
  • granularity – fine grained access control
  • delegation of authority
  • n-tier – transferring attributes across systems
  • accounting/auditing
The cross-themes were:
  • Technology and Tools
  • Interoperability
  • Use Cases
  • Policy
  • Licencing
They got 20 bids for the Innovation strand and 1 bid in the Level of Assurance (LoA) strand.  Looks like quite a lot on user centric tools and use cases.  Most bids for tech and tools and then use cases.  Policy surprisingly low given how many people said it was their big issue at the Briefing Day in Birmingham – and came out as a theme yesterday in the Identity Management Toolkit session.  Nicole has suggested that maybe the big call doesn’t help and it needs to be more focused.  Maybe but the big call allows flexibility and creativity – maybe we aren’t creative.  I have to say we had ideas in this space and chatted to some at the briefing day about a collaborative bid but the timing of the call and the overhead a JISC project adds to work in progress were the main off putting factors.

Is LoA an area that JISC should be funding?  Response to this was very low.  HE has relatively few use cases that require a very high level of assurance.  Grants, student loan information are examples from the US given by Nate.  Nate points out that Facebook’s peer approval gives quite a high level of assurance for Facebook identities but validation by peers isn’t a traditional metric of LoA.  Nate suggests that he’d like to see some work on how to define LoA differently – the more chaos the less useful this gets.  It sounds like this is a massively intractable problem.

Federating The Next Generation: Lightning Sessions/Open Discussion

Posted 3 months, 2 weeks ago at 6:32 pm. 0 comments

There’s beer (although had a female moment getting my beer open with the bottle opener) and very nice leather chairs in this room so worth staying on for some extra info and discussion in this session.

Eduserv get their moment to talk about the OpenAthens LA 2.0 launch.

Now Owen (Stephens – some of you might not know him!) is talking about WAYF? and other stupid questions. Just getting the whistle stop version of the Telstar presentation we saw last week at RHUL.
This is really about multiple affiliations: where are you from?  Also where do you live?  Where do you work?   Even who do you know?  Horrified gasps in the room at anecdotes about this sort of ‘peer to peer’ networking.
Yes see “What are your affiliations”?
This isn’t about owning data but knowing how to use it.  We know most about our affiliations even though we may not know what those affiliations give us access to.  The key for users is not where am I from but where do I need to be from today to get access to this resource that I want to use.  The user needs to help answer the question of multiple affiliations, at the point of using a resource the user just wants access.  Users don’t always know the best route to get access to resources that one of their affiliations might allow them to have access to.
Who should answer that question??  The person has to be involved??  But which organisation or service should ‘curate’ user affiliation lists.  Authorisation needs to be more sophisticated.  Once I’ve established I’m me – how does the service provider answer the question: can we provide the user with this resource via one of the affiliations we know about for that user?  We have to tell someone – then who do we allow that someone to share with.
Is there an incentive for SPs at the moment on an institutional subscription model??
Thought provoking and debate provoking as per usual…

John Paschoud now talking about coincidentally multiple affiliations. One of the big usability issues in the FAM model. Do you want your life to be more segmented or more joined up? Brings the question back to is this a problem?  Are users sophisticated enough and do they not mind using the credentials for the best affiliation at point of use.  Probably not most of them … so looking at potential solutions that balance the seamless access/privacy conundrum.  Shintau described as the most workable. This is about designating a primary IDP.  This IDP can know about other IDPs or not even about each other if using a linking service, and can release an additional attribute about another IDP who can pass a token to get access to only the necessary attributes.  I think it’s something along those lines… Google it! It sounds interesting anyway.

Now we are on Consent Management… Cambridge … a loose federation itself. May have data, not necessarily consent to release it. Terms and conditions prompt.  Get an information release prompt when using each SP for the first time.  Usually 3 attributes to external SPs.  Starting to use Shib for internal resources so prepared to release many more attributes which makes the release screen horrific.  I’m going to the full consent management parallel session tomorrow and it sounds like it will be an important governance part of the FAM project.

Wishlist:

  • Configurable T&C splash screen
  • Let users choose the privacy they want
  • Don’t ask in advance, remember choices
  • Let users change their mind
  • Configurable defaults
  • Tell the user what will be released not what could be released
  • Distinguish what must be released from what could be released
  • Identify everything from the user’s POV
  • Some attributes are more equal than others
  • Seamless IdP plugin or part of IdP
  • Easily skinnable
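As an added illustration of the run-time consent mechanism discussed in the Day 2 session and the wishlist above (not code from the UK federation, Shibboleth or OpenAthens), here is a toy IdP-side model in Python: the SP declares required and optional attributes, the default ARP bounds what the IdP will ever release, and remembered per-SP consent, which the user can revoke, narrows that to what will actually be released. The entityID, user and attribute values are constructed; the attribute names are standard eduPerson ones.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SpRequest:
    """Attributes an SP asks for: what it needs versus what it would merely like."""
    entity_id: str
    required: frozenset
    optional: frozenset


@dataclass
class ConsentingIdP:
    # Default ARP: per SP, the attribute names the IdP is ever willing to release.
    default_arp: dict
    # Remembered choices: (user, SP entityID) -> optional attributes the user declined.
    consent: dict = field(default_factory=dict)

    def preview(self, user, sp):
        """What WILL be released at the next login, not what could be."""
        allowed = self.default_arp.get(sp.entity_id, frozenset())
        declined = self.consent.get((user, sp.entity_id), frozenset())
        return {"required": sp.required & allowed,
                "optional": (sp.optional & allowed) - declined,
                "blocked_by_arp": (sp.required | sp.optional) - allowed}

    def record_consent(self, user, sp, declined):
        """Remember the user's choice; required attributes cannot be declined."""
        declined = frozenset(declined)
        if declined & sp.required:
            raise ValueError("cannot decline required: %s" % sorted(declined & sp.required))
        self.consent[(user, sp.entity_id)] = declined

    def revoke(self, user, sp):
        """Let the user change their mind: the release screen is shown again next time."""
        self.consent.pop((user, sp.entity_id), None)

    def release(self, user, sp, attributes):
        """Assertion payload for this SP, or an error if policy or consent forbid it."""
        plan = self.preview(user, sp)
        if plan["blocked_by_arp"] & sp.required:
            raise PermissionError("ARP blocks required: %s" % sorted(plan["blocked_by_arp"]))
        if (user, sp.entity_id) not in self.consent:
            raise LookupError("no remembered consent for this SP; prompt the user first")
        return {n: attributes[n] for n in plan["required"] | plan["optional"] if n in attributes}


# Constructed sample data: hypothetical entityID; the IdP's default ARP for this SP.
JOURNAL_SP = SpRequest("https://journal.example.org/shibboleth",
                       frozenset({"eduPersonScopedAffiliation", "eduPersonTargetedID"}),
                       frozenset({"mail", "displayName"}))
IDP = ConsentingIdP({JOURNAL_SP.entity_id: frozenset(
    {"eduPersonScopedAffiliation", "eduPersonTargetedID", "eduPersonEntitlement", "mail"})})
```

The preview is what the release screen should show the user; `displayName` never appears because the ARP does not permit it, and declining `mail` is remembered until the user revokes.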
Waiting for Eduserv to pipe up that OpenAthens LA 2.0 does all this ;-)
Instead Andy Powell asks some further questions:

It would be nice if T&C terms were more user friendly.
Would be nice if SPs provided information on how they use attributes

[Looks like a conference full of IT/Library geeks has finally crashed the free wireless – everyone whips out their iPhones instead]

Perception of SPs is they can’t get anything out of Federation IDPs anyway because of data protection.  Are IDPs willing to engage with SPs and get these issues hammered out?

Now some information on federated access in Japan.  UPKI-Federation is a service of the National Institute of Informatics in Japan.  Has 4 IDPs and 10 SPs.