Rhys Smith, Jisc Privacy and AIM: a tale of too much success?
2
Jisc Jisc is a not-for-profit company that works on behalf of the UK’s R&E community Jisc’s service portfolio includes the high speed network, and other services that build on it This includes a portfolio of Trust & Identity services, and related service development activity Jisc has approximately 18 million eligible users, from UK schools, HE, FE and ACL programmes 3Privacy and AIM: a tale of too much success?
Today’s story 1.What we want and why 2.Where are we now? 3.Where we’re going 4.What are we trying to do, anyway? Privacy and AIM: a tale of too much success?4
Act I Privacy and AIM: a tale of too much success?5 What we want and why
Context & Motivation Hypothesis: » Individual privacy is under attack But? » Do people care? Well » I care! » Every little helps » Higher assurance data is worth $$$ » R&E specifically – anonymous browsing may have real business benefits 6Privacy and AIM: a tale of too much success?
Privacy? Today I’m talking about: » Anonymous/pseudonymous access to resources » Only releasing PII with appropriate policy and/or consent. Some good general, relevant, privacy principles are... 7 Privacy is an overloaded term Privacy and AIM: a tale of too much success?
Privacy by Design Privacy is usually very hard to retrofit properly Take privacy into account during the whole design & engineering process 8Privacy and AIM: a tale of too much success?
Data Protection != Privacy Protection EU privacy laws are somewhat (!) over effective » Good, obviously, but hinders usefulness UK seems to be slowly moving towards more of a risk based approach rather than black/white » c.f. UK ICO guidance 9Privacy and AIM: a tale of too much success?
Privacy vs Utility Constant battle (especially in EU) » Protect individual & organisational privacy » Whilst also retaining usefulness of federated identity (rich attribute ecosystem) » Boils down to Trust vs Privacy Striking a balance is hard! » Different answer for every context 10Privacy and AIM: a tale of too much success?
Act II Privacy and AIM: a tale of too much success?11 Where are we now
State of the Union Let’s have a look at how design choice can influence privacy in SAML federations 12Privacy and AIM: a tale of too much success?
State of the Union – SAML federations Web SSO » E-journals » Web systems » Learning platforms » Etc Many R&E federations Gov federations Commercial uses And beyond… 13Privacy and AIM: a tale of too much success?
Mesh Federation 14 IdPs RPs Privacy and AIM: a tale of too much success?
Hub & Spoke 15 IdPs RPs Privacy and AIM: a tale of too much success?
Privacy and Utility in a Mesh World 16Privacy and AIM: a tale of too much success? User » Can remain anonymous to the service IdP » Tailor attribute release per RP » Traceability » See which RPs the user users RP » Anonymous Personalisation » Sees which IdP the user came from
Privacy in a Mesh World » Anonymity (or pseudonymity) is easy › Opaque identifiers targeted per RP » Non PII attributes released » PII attributes destroy anonymity, so only released with specific purposes and trust base 17Privacy and AIM: a tale of too much success?
Privacy in a Hub & Spoke world 18Privacy and AIM: a tale of too much success? User » Can remain anonymous to the service Hub » Traceability » Tailor release policy to RP » Sees everything RP » Anonymous Personalisation » Doesn’t know user or IdP IdP » Doesn’t know which services the user uses
Privacy in a Hub & Spoke world 19Privacy and AIM: a tale of too much success? » Double Blind › Better privacy guarantees than Mesh… assuming you trust the hub! » Triple Blind › New cryptographic techniques meaning no single entity has full picture
Act III Privacy and AIM: a tale of too much success?20 Where we’re going
Improving the current - SAML » If privacy protection is the goal, then we’ve largely achieved it! » Problem is – a bit too well, in many contexts › Utility has suffered which may affect take up of services » So looking to shift the balance slightly 21Privacy and AIM: a tale of too much success?
(EU) DP CoC An attempt to help increase utility » help the lack of attributes problem Services sign up to a promise to respect data privacy » Makes use of EU DP “code of conduct” allowances 22Privacy and AIM: a tale of too much success?
Entity Categories Mark particular entities with annotations » Shows entity is a member of a particular category » Can be used to help attribute release, influence UI, etc Research & Scholarship category » Attempt to help attribute release for the R&S world › “Service Providers that support research and scholarship interaction, collaboration or management as an essential component” 23Privacy and AIM: a tale of too much success?
Next Gen - Moonshot Moonshot » Federated Access for anything » EAP/RadSec & SAML & GSS-API & Trust Router UK pilot » April > Dec 2014 » Focus on research community requirements (SSH, etc) GÉANT pilot » March > March 2015 » Focus on interfederation from the start with Trust Router 24Privacy and AIM: a tale of too much success?
Privacy in the Moonshot world Just like everything else – depends on deployment model Assuming common deployment model will be mesh » Similar privacy properties » But a few minor tweaks to enhance utility 25Privacy and AIM: a tale of too much success?
Trust Router How do entities find each other? » No metadata like SAML » No heirarchy like eduroam Trust Router » Allows Moonshot entities to securely locate each other and communicate. » Multi-layered trust network 26Privacy and AIM: a tale of too much success?
Trust Router - Communities 27 Authentication Policy Community / (Community of Registration) Authentication Policy Community / (Community of Registration) Community A Community B Community C Organisation validation to APC’s defined standards Policy coming from community requirements. Could include: Registration LoA AuthN LoA Operational Practices User behaviour Attribute release (RADIUS & SAML) Etc. Privacy and AIM: a tale of too much success?
Whole Trust Network 28Privacy and AIM: a tale of too much success?
Community A 29Privacy and AIM: a tale of too much success?
Community B 30Privacy and AIM: a tale of too much success?
Community C 31Privacy and AIM: a tale of too much success?
Act IV Privacy and AIM: a tale of too much success?32 What are we trying to do anyway?
What do our customers want? …want the moon on a stick » Ease of use for the users » Federated authentication so they don’t have to manage passwords » High assurance identities (in some cases) » A rich attribute ecosystem (for interesting AAI decision making) 33Privacy and AIM: a tale of too much success? Services
What do our customers want? …the needs are quite different: » To enable their users to make better use of tools available: › Ease of use for the users (that’s the same) - federated authentication to enable › Ease of discovery of services » Requirements for identity assertion that fits with their current IDM capabilities › Identity assurance is probably high in many cases, but tidying up IDM and asserting per user what level that is will be *expensive* » An attribute ecosystem that is low risk and high benefit, but easy to manage 34Privacy and AIM: a tale of too much success? Home Organisations (i.e. IdPs)
What do our customers want? Last in these slides, but should be first in our minds » Just want to get their job done › As quickly and easily as possible › Any kind of AAI that gets in their way or slows them down is a negative 35Privacy and AIM: a tale of too much success? Users
So, have we gone too far? Privacy and AIM: a tale of too much success?36 Yes we have! » We’re stifling our users. Something is wrong But, also, no we haven’t: » Privacy and anonymity is important Umm… So what do we do? » Remember to be more pragmatic. » Help our community to think about risk/benefit approaches instead of black/white. » Provide support and guidance