Privacy and Consent
- 3. FAM09, Cardiff Copyright © EDINA, 2009 3
Access Management
Available attributes
• Most IdPs give out only:
– Organisational affiliation (eduPersonScopedAffiliation, ePSA)
– Service-specific, opaque ID (eduPersonTargetedID, ePTI)
- 4.
FAM infrastructure allows any attributes
Photo: Library of Virginia / Flickr
- 5.
Personal data has stayed on the old road
Photo: State Library of Queensland / Flickr
- 6.
Most SPs don’t ask for personal data
• Many don’t personalise
• Those that do:
– Had to create own accounts for IP authentication
– User enters own data into form
– Many have kept same system for FAM
- 8.
Institutional directory
• Holds personal data
• Disclosure subject to DPA
• So it’s treated like a safe
Photo: New York Public Library / Flickr
- 9.
Directory guarded by administrators
Photo: New York Public Library / Flickr
- 11.
Will they be friendly?
Photo: Library of Congress, Bain Collection / Flickr
- 12.
“No one really asks us much for ARP changes”
IdP administrator
- 13.
Stable deadlock
Too hard to ask, so SPs don’t
IdPs get no requests, think all is well
- 14.
Can’t federation coordinate top-down?
Resolving M×N pairwise policies was the original rationale for federations
- 16.
Voices(1): Technical Architect
• If you have an aspiration…
• “Show me the spec!”
• Demonstrate:
– Necessity
– Deployability
– Widespread need
Photo: Library of Congress, Bain Collection / Flickr
- 17.
Voices(2): Legal
• Enshrine DPA principles
• Avoid liability
• Agrees with architect:
– SP will ask for too much
Photo: Library of Congress, Bain Collection / Flickr
- 18.
Voices(3): missing in action
• No IdP, SP representatives!
• Fed. tries to think “if I were an IdP/SP…”
– Works for “horizontal” requirements
– Not so good for app-specific, “vertical” requirements
Photo: State Library of New South Wales / Flickr
- 19.
Hard to deal with everyone
Traditional answer is representative forums
- 20.
SP forums
• Representative SPs to broker requirements
• SPs know what attributes they want
• “Vertical” forums:
– Divorce apps from infrastructure
– Can cross national boundaries
- 21.
IdP forums
• IdPs:
– Determine feasibility
– Implement
• Had to be invented for Eduserv
• Now generalise
- 22.
Joint forums allow bottom-up progress
• App-specific forums
• Experiment, agree, deploy, not theorise:
– Small scale (10s not 100s)
– Scale up success
• IETF style
- 23.
How to disclose data but not go to jail
Photo: State Library of New South Wales / Flickr
- 25.
Technical fix: problems
• Additional user interface complexity:
– Extra screen: what is being asked?
• IdP must still:
– Create (default) ARP
– Confront quasi-legal questions
• SP must:
– Handle revocation
- 26.
DPA permits disclosure on grounds other than consent, including necessity for purpose
- 27.
ICO Legal Guidance
3.1.5 … “The Commissioner’s view is that consent is not particularly easy to achieve and that data controllers should consider other conditions in Schedule 2 (and Schedule 3 if processing sensitive personal data) before looking at consent. No condition carries greater weight than any other. All the conditions provide an equally valid basis for processing. Merely because consent is the first condition to appear in both Schedules 2 and 3, does not mean that data controllers should consider consent first.” …
- 28.
Alternative for processing personal data
3.1.1 … “The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed… The Commissioner takes a wide view of the legitimate interests condition…”
- 29.
Data processor agreements
• Commercial SPs have
licences anyway
• Add some DPA clauses:
– You have a data processor agreement
– IdP covered against SP misbehaviour
Photo: Library of Congress, Bain Collection / Flickr
- 30.
Opportunities in JISC model licence?
• Add standard DPA terms for SPs
• Define recommended ARP for each SP:
– Move per-SP, quasi-legal thinking from IdP to IdP forum + JISC Collections
– JISC Collections doing legal anyway (licence negotiation), IdP forum informs on feasibility
– Simplify by banding?
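What a default ARP of the kind the deck describes (slide 3: most IdPs release only ePSA and ePTI) and a recommended per-SP ARP (this slide) look like in practice, as an added example that is not taken from the slides or from EDINA: a Shibboleth IdP 2.x attribute filter policy, the mechanism that replaced the older ARP files. The first policy releases only eduPersonScopedAffiliation and eduPersonTargetedID to every SP; the second adds one extra attribute for a single SP. The SP entity ID `https://sp.example.org/shibboleth`, the policy ids and the choice of `mail` as the extra attribute are placeholders.

```xml
<!-- Added example (not from the slides): Shibboleth IdP 2.x attribute-filter.xml.
     Default policy: every SP gets only ePSA and ePTI, matching what most IdPs release.
     Second policy: one SP additionally gets 'mail'; the entity ID is a placeholder.
     The filter is default-deny: an attribute with no matching permit rule is withheld. -->
<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- Default ARP: applies to any requester, releases only the two opaque attributes -->
  <afp:AttributeFilterPolicy id="defaultRelease">
    <afp:PolicyRequirementRule xsi:type="basic:ANY" />
    <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonTargetedID">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

  <!-- Per-SP ARP of the kind an IdP forum + JISC Collections might recommend:
       release 'mail' to this one SP only, identified by its SAML entity ID -->
  <afp:AttributeFilterPolicy id="releaseToExampleSP">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://sp.example.org/shibboleth" />
    <afp:AttributeRule attributeID="mail">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
```

The `attributeID` values must match attribute definitions in the IdP's attribute resolver, so the names above assume the standard eduPerson and `mail` definitions are configured. Because anything not explicitly permitted is withheld, the default policy is the data-minimising baseline and each per-SP policy is a deliberate, reviewable widening of it, which is the decision the slide proposes moving from the individual IdP administrator to an IdP forum.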
- 31.
Computing regulations
• Add DPA “Purposes”
• Serve as user notification (“fair processing”)
• In practice, vague is good
– cf. all commercial privacy policies
Photo: Library of Congress, Bain Collection / Flickr
- 32.
Call to action
Are you willing to be active in an IdP forum?
Names please!