Access Management Privacy and Consent Fiona Culloch, EDINA FAM09, Cardiff, 24 November 2009


Access Management

Privacy and Consent

Fiona Culloch, EDINA

FAM09, Cardiff, 24 November 2009

FAM09, Cardiff Copyright © EDINA, 2009 2


UK federation privacy

Catastrophic Success



Available attributes

• Most IdPs give out only:

– Organisational affiliation (ePSA)

– Service-specific, opaque ID (ePTI)



FAM infrastructure allows any attributes

Photo: Library of Virginia / Flickr



Personal data has stayed on the old road

Photo: State Library of Queensland / Flickr



Most SPs don’t ask for personal data

• Many don’t personalise

• Those that do:

– Had to create own accounts for IP authentication

– User enters own data into form

– Many have kept same system for FAM


What if an SP does want personal data?

Institutional directory

• Holds personal data

• Disclosure subject to DPA

• So it’s treated like a safe

Photo: New York Public Library / Flickr


Directory guarded by administrators

Photo: New York Public Library / Flickr


There’s not just one IdP either…

238 IdPs + 243 virtual


Will they be friendly?

Photo: Library of Congress, Bain Collection / Flickr


“No one really asks us much for ARP changes” (IdP administrator)

Stable deadlock

Too hard to ask, so SPs don’t

IdPs get no requests, think all is well


Can’t federation coordinate top-down?

Resolving MxN policies was original rationale for federations


What voices feed into UK federation standard-setting?

Voices (1): Technical Architect

• If you have an aspiration…

• “Show me the spec!”

• Demonstrate:

– Necessity

– Deployability

– Widespread need

Photo: Library of Congress, Bain Collection / Flickr

Voices (2): Legal

• Enshrine DPA principles

• Avoid liability

• Agrees with architect:

– SP will ask for too much

Photo: Library of Congress, Bain Collection / Flickr

Voices (3): missing in action

• No IdP, SP representatives!

• Fed. tries to think “if I were an IdP/SP…”

– Works for “horizontal” requirements

– Not so good for app-specific, “vertical” requirements

Photo: State Library of New South Wales / Flickr

Hard to deal with everyone

Traditional answer is representative forums


SP forums

• Representative SPs to broker requirements

• SPs know what attributes they want

• “Vertical” forums:

– Divorce apps from infrastructure

– Can cross national boundaries


IdP forums

• IdPs:

– Determine feasibility

– Implement

• Had to be invented for Eduserv

• Now generalise

Joint forums allow bottom-up progress

• App-specific forums

• Experiment, agree, deploy, not theorise:

– Small scale (10s not 100s)

– Scale up success

• IETF style


How to disclose data but not go to jail

Photo: State Library of New South Wales / Flickr



Technical fix: user consent at run time



Technical fix: problems

• Additional user interface complexity:

– Extra screen: what is being asked?

• IdP must still:

– Create (default) ARP

– Confront quasi-legal questions

• SP must:

– Handle revocation

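The run-time consent fix on this slide, together with the opaque, service-specific identifier (ePTI, eduPersonTargetedID) and organisational affiliation (ePSA, eduPersonScopedAffiliation) from the "Available attributes" slide, modelled as an added Python example. This is not code from the talk, EDINA or the UK federation: a default ARP releases only ePSA and ePTI; anything beyond that is checked against a per-user, per-SP consent store, so the IdP can tell exactly which attributes the "extra screen" must ask about; and revocation hands back the set of attributes the SP is now obliged to discard. The directory record, SP entityIDs and the IdP-side salt are constructed sample values, and the keyed-hash construction of the targeted ID is one common way to build a per-service opaque ID, not the federation's specified method.

```python
"""Attribute release with a default ARP, run-time consent and revocation.

Added illustration for the FAM09 slides; not EDINA or UK federation code.
Directory record, SP entityIDs and the IdP salt are constructed sample values.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample directory record (assumption: what the IdP holds).
DIRECTORY = {
    "jsmith": {
        "eduPersonScopedAffiliation": "staff@example.ac.uk",
        "mail": "j.smith@example.ac.uk",
        "displayName": "Jane Smith",
    },
}

# Assumption: a secret kept by the IdP so SPs cannot recompute targeted IDs.
IDP_SALT = b"constructed-idp-salt-not-a-real-secret"

# Default ARP as on the slides: affiliation plus an opaque per-service ID.
DEFAULT_ARP = frozenset({"eduPersonScopedAffiliation", "eduPersonTargetedID"})


def targeted_id(user: str, sp_entity_id: str) -> str:
    """Opaque, service-specific identifier (ePTI-style).

    Keyed hash over user and SP entityID: stable for one SP, different across
    SPs, so two SPs cannot correlate a user by comparing the identifiers.
    """
    msg = f"{user}|{sp_entity_id}".encode()
    return hmac.new(IDP_SALT, msg, hashlib.sha256).hexdigest()


@dataclass
class ConsentStore:
    """Per-user, per-SP consent the user granted at run time."""
    granted: dict = field(default_factory=dict)  # (user, sp) -> set of attrs

    def grant(self, user: str, sp: str, attrs) -> None:
        self.granted.setdefault((user, sp), set()).update(attrs)

    def consented(self, user: str, sp: str) -> set:
        return set(self.granted.get((user, sp), set()))

    def revoke(self, user: str, sp: str) -> set:
        """Withdraw consent; returns the attributes the SP must now discard."""
        return self.granted.pop((user, sp), set())


def release(user: str, sp: str, requested, consent: ConsentStore):
    """Apply the default ARP plus recorded consent to an SP's request.

    Returns (attributes to send, attributes that still need the consent screen).
    """
    record = DIRECTORY[user]
    allowed = DEFAULT_ARP | consent.consented(user, sp)
    released, needs_consent = {}, set()
    for attr in requested:
        if attr not in allowed:
            needs_consent.add(attr)          # withheld until the user agrees
        elif attr == "eduPersonTargetedID":
            released[attr] = targeted_id(user, sp)  # derived, not stored
        elif attr in record:
            released[attr] = record[attr]
    return released, needs_consent


if __name__ == "__main__":
    store = ConsentStore()
    sp = "https://sp.example.com/shibboleth"  # constructed entityID
    want = ["eduPersonScopedAffiliation", "eduPersonTargetedID", "mail"]
    sent, ask = release("jsmith", sp, want, store)
    print("default ARP released:", sorted(sent), "consent screen for:", ask)
    store.grant("jsmith", sp, ask)
    sent, ask = release("jsmith", sp, want, store)
    print("after consent:", sorted(sent))
    print("SP must discard:", store.revoke("jsmith", sp))
```

The split between `DEFAULT_ARP` and `ConsentStore` is the point of the slide: the IdP still has to author the default policy and decide which attributes are personal data before any consent screen can be shown, and the return value of `revoke` is what makes the SP's revocation handling concrete.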

DPA permits disclosure on grounds other than consent, including necessity for purpose


ICO Legal Guidance

3.1.5 … “The Commissioner’s view is that consent is not particularly easy to achieve and that data controllers should consider other conditions in Schedule 2 (and Schedule 3 if processing sensitive personal data) before looking at consent. No condition carries greater weight than any other. All the conditions provide an equally valid basis for processing. Merely because consent is the first condition to appear in both Schedules 2 and 3, does not mean that data controllers should consider consent first.” …



Alternative for processing personal data

3.1.1 … “The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed…

The Commissioner takes a wide view of the legitimate interests condition…”


Data processor agreements

• Commercial SPs have licences anyway

• Add some DPA clauses:

– You have a data processor agreement

– IdP covered against SP misbehaviour

Photo: Library of Congress, Bain Collection / Flickr

Opportunities in JISC model licence?

• Add standard DPA terms for SPs

• Define recommended ARP for each SP:

– Move per-SP, quasi-legal thinking from IdP to IdP forum + JISC Collections

– JISC Collections doing legal anyway (licence negotiation), IdP forum informs on feasibility

– Simplify by banding?

Computing regulations

• Add DPA “Purposes”

• Serve as user notification (“fair processing”)

• In practice, vague is good

– c.f. all commercial privacy policies

Photo: Library of Congress, Bain Collection / Flickr

Call to action

Are you willing to be active in an IdP forum?

Names please!