Hacking the law for Federated Access Management

One definition of a “hacker”, according to Wikipedia, is someone “who makes innovative customizations or combinations of retail electronic and computer equipment”. I was recently asked by TERENA to have a think about the legal issues around using federated access management to control access to resources in eResearch. This has quickly come to feel like hacking (in that sense) the law: making it do something it didn’t know it was capable of…

Data Protection law generally looks at bilateral relationships between an individual and an organisation that processes their personal data. If any other organisations get involved, it tends to be as a sub-contractor to the primary data controller, and the legal duties stay with that data controller. Thus far, the law is reasonably well known and understood. However, federated access management tends to involve three or more parties, in a variety of different relationships.

In the UK, at least, the most common application for federated access management has been to give students and staff access to on-line resources licensed by the organisation of which they are a member. This involves relationships between three parties – the publisher (acting as service provider), the organisation (acting as identity provider) and the individual. However, these relationships are already a bit different from those envisaged by activities such as the UK Government’s Identity and Privacy Principles, where the individual has (as a key principle) the ability and right to choose which identity provider they use and then directs that identity provider to release information to a particular service provider. In that model the relationship between the identity provider (IdP) and the service provider (SP) is therefore mediated by the user. In education, by contrast, the IdP and SP are likely to have an existing direct relationship, which may well be contained in a commercial contract, and the user may have no relationship with the SP other than being required as part of their study to access a particular SP under a particular IdP’s licence. This relationship is better characterised as organisation-mediated. Since law is all about relationships, this already suggests that different legal arrangements may be needed.

In eResearch, it is common for a fourth party to be involved, since access to research resources (equipment, experiments, high-performance computing, datasets, etc.) may well be granted to a project, rather than to an individual. The project (sometimes referred to as a Virtual Organisation) then decides how to allocate those resources between its members, but still using their home organisations as identity providers to provide and check individuals’ login credentials. This seems to imply that there will be strong relationships between the organisation and the user, the user and the project, and the project and the service provider, with weaker or no relationships between other pairs of parties. The project/VO therefore seems likely to mediate the relationship between the user and the service, but (unlike services procured by the organisation) the user may well mediate the relationship between the organisation and the project/VO.

It seems clear that the number and complexity of relationships involved in this eResearch model will require that any legal framework be, as far as possible, based on these existing relationships rather than imposing new ones purely to satisfy the law. So we’re a long way from the simple bilateral model of data protection law. However, my impression is that, with sympathetic interpretation, EU law does provide the components that could be “hacked” into a suitable framework. As with all the best hacking projects, there are sure to be some hiccups to overcome, notably that different European countries may have implemented the necessary parts of EU law differently. The full TERENA paper has been published as part of a wider study of AAA platforms, and I’ll be presenting some of these ideas at a workshop in September to get some feedback and see how the ideas might develop.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
