Privacy & Interfederation A challenge to soup

Some topics to discuss IDENTITY vs identity Privacy and a federation’s role The JA.NET analysis of EU rules So what constitutes PII anyway? Can interfederation work? Others ?

IDENTITY vs identity Is it a pointer to your protoplasm? Is it some subset of data about you? It’s all of the above, BUT… Fundamental to the notion of privacy You decide what to reveal in any context Revealing too little may have consequences

Privacy and a federation’s role Federation sets rules for its members Protection of identity data Part of an Identity Assurance Profile? Current focus is on IdP SP/RPs are also critical Commercial interests don’t want constraints What liability might a federation incur if it tried to ‘enforce’ privacy rules?

JA.NET analysis of EU rules Places requirements on both IdP & SP Provides for predefined default release Subjects must know what that is and why Anything additional requires consent Federations aren’t enforcers “It’s the law!”

Identity Providers Must identify which services are necessary for [each recognized SP/RP] Must consider whether personally identifiable information is necessary for those services, or whether anonymous identifiers or attributes are sufficient; Must inform users what information will be released to which service providers, for what purpose(s). May release that necessary personally identifiable information to those services; May seek users’ informed, free consent to release personal data to other services that are not necessary for [a given SP/RP] Must inform users what information will be released to which service providers, for what purpose(s); Must maintain records of individuals who have consented; Must allow consent to be withdrawn at any time; Must only release personal information where consent is currently in effect. Should have a data processor/data controller agreement with all service providers to whom personally identifiable data is released. Must ensure adequate protection of any data released to services outside the European Economic Area.

Service Providers Must consider whether personally identifiable information is necessary for their service, or whether anonymous identifiers or attributes can be used; Should obtain that information from home organisations; Should have a data processor/data controller agreement with all home organisations from whom personally identifiable data is obtained; If no such agreement is in place, must inform users what personal information will be obtained, by which service providers, for what purpose(s). May request personal information from users Must inform users what information will be released to which service providers, for what purpose(s); Must ensure that users who do not provide information are not unreasonably disadvantaged; Must maintain records of individuals who have consented; Must allow consent to be withdrawn at any time; Must cease processing data when consent is withdrawn

What constitutes PII? There may be an EU analysis … Does FERPA help? Does HIPAA help? If rules or laws(!) differ what applies? Jurisdiction of the Subject? What about a Stanford student studying in Paris? Do we use the union of both rules? Do we use the common subset?

Can interfederation work? It must! (My words) It will take discussion, cooperation, work Interfederation Agreements must address this issue Can individual federations require this of their members? Depends on member agreements… Who is the enforcer? (Judge Dredd !)

Discussion …