Federated Access Management: Legal Developments

At the VAMP workshop last week I was asked to review legal developments that might affect access management federations. On the legislative side the new European Data Protection Regulation seems to be increasingly mired in politics. The Commission’s proposed law from January 2012 needs to be discussed with the European Parliament and Council of Ministers and neither of those bodies has yet been able to agree its initial negotiating position. Recent revelations have added questions about Government spying on internet users to the mix, even though these are outside the formal scope of both the Directive and the draft Regulation. It seems unlikely that there will be time to debate all these questions (and the 3000+ amendments that have been proposed to the Commission’s draft) before the Parliamentary elections next year. Privacy experts have even suggested that it might be better to start again from scratch.

Whatever privacy law eventually emerges, some basic privacy principles for federations seem likely to help them, and their members, towards compliance:

  • Ensure information is only transferred if it is necessary to deliver the service the user has requested. The current European Directive requires that personal information processing not be excessive; privacy by design approaches tend to refer to data minimisation. Research and Education federations already provide a rich range of identifiers and attributes from those (such as e-mail or name) that directly identify individuals, to strongly pseudonymised labels allowing only recognition, to anonymous attributes indicating only what group a user falls into. Identity Providers and Service Providers should ensure that they are choosing appropriately from this selection.
  • Avoid surprising users by using information in unexpected ways. This need not involve obtrusive privacy notices: as the UK Information Commissioner points out, some uses of personal data are obvious from the request the user has made – “send me a book” (or an e-mail) obviously requires some processing of personal data. Less obvious processing, and particularly any use of personal information for secondary purposes, does need to be described and possibly actively brought to the users’ attention.
  • Treat privacy as a benefit/risk issue, not an absolute yes/no one. Users already understand (possibly only subconsciously) that to access services on the Internet they need to provide some information about themselves and trust the service provider to use it properly. Federated access management can reduce the amount of personal data required and provide a stronger basis for that trust, knowing that organisations have signed a federation agreement. However, and especially given the widening definition of “personal data” in European law, it’s not going to be possible to avoid that law entirely. The Information Commissioner has an example where transfer of personal information benefits the user as a routine part of their job or study. If the regulator and the user both consider that the benefits can justify the risk, it’s unfortunate if the access management system insists on a different approach.

Many of the presentations during the workshop already contained these ideas. Jens Jensen, Remco Poortinga and Marco Fargetta considered different ways to ensure that only adequate and relevant information was transferred. Heather Flanagan observed that for some applications a project-specific attribute might be more accurate and less privacy-invasive, though coordination between projects will be needed for this approach to scale. Marco asked whether treating exceptional circumstances, such as user mis-behaviour, separately could reduce routine information transfer; this led to an open space discussion I’ve written up in another posting. Jens suggested that service providers might also take a risk-based approach and offer greater access to users with a history of good behaviour, rather than insisting on detailed information disclosure about everyone, just in case. Jens and Johannes Reetz discussed ways to let individuals and communities control some aspects of information disclosure and location, while noting that they might choose incompatible options, such as refusing release of an attribute that is essential to authorise access. Careful configuration, good error messages and support are likely to be needed. Heather described a project that in previous versions had offered its users both too much and too little information and control: the latest release hopes to achieve the ‘Goldilocks’ level. Finally Bob Cowles noted that the whole basis of Federation is trust – accepting the risk of relying on someone else to act in a way that doesn’t harm you. Treating information disclosure as a benefit/risk question should fit naturally into the federated environment.

My conclusion: it seems that the scientists and engineers have made more progress on privacy in the past year than the legislators.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!

Leave a Reply

Your email address will not be published. Required fields are marked *