Categories
Articles

User Interfaces for Federated Login

It’s often said that technical people are bad at designing user interfaces. Ken Klingenstein’s presentation at the TERENA Networking Conference reported (and demonstrated) the results when user interface experts looked at the problem of explaining federated login to users. A striking early finding was that even the interfaces users regularly use to log in to services […]

Categories
Articles

Managing Federated Authorisation for Research

Research, and particularly the on-line collaborative research referred to as e-science, creates a new challenge for federated access management systems. In teaching, the authoritative statement whether an individual is entitled to access an on-line resource comes from their home organisation: are they a member of that course? are they covered by that institutional licence? Thus […]

Categories
Presentations

Opportunities and Choices: Digital Student Records and Privacy

I was recently invited by the Groningen Declaration Network to join a panel discussing privacy issues around the exchange of digital student records. Like the discussion, this summary is a collaborative effort by the panel team. Two main use cases were discussed during the meeting: transferring records between education institutions when students apply to or […]

Categories
Articles

Legitimate Interests and Federated Access Management

I only wish the Article 29 Working Party had published their Opinion on Legitimate Interests several years ago, as it could have saved us a lot of discussion in the federated access management community. Any organisation that processes personal data needs to have a legal justification for this; in access management that applies both to […]

Categories
Articles

Level of Assurance: are we approaching a limit?

I’ve had several conversations this week that related to what’s commonly referred to as “level of assurance”: how confident we can be that an account or other information about an on-line user actually relates to the person currently sitting at the keyboard. Governments may be concerned with multiple forms of documentary proof but I suspect […]

Categories
Articles

Low-risk identifiers in Access Management

The Information Commissioner’s analysis of the European Parliament’s amendments to the draft Data Protection Regulation discusses the wide range of information that falls within the definition of “personal data” and gives examples that seem particularly relevant to identity federations. The Information Commissioner considers that identifiers pose a higher privacy risk if they are “interoperable”. Since […]

Categories
Articles

Everything by consent?

As a privacy-sensitive person, I’m concerned that the trend in European Data Protection law seems to be to place more and more weight on my consent as justification for processing my personal data. In theory that sounds fine – given full information and a free choice, I can decide whether or not I’m willing for […]

Categories
Articles

Life-long identifiers in Research and Education

There are several situations when it would be useful to have a life-long identifier that doesn’t change when we move house, employer or even country. Most of us already have life-long identifiers to link together all our interactions with the health service and the tax office; in research and education linking together our achievements would […]

Categories
Presentations

Federated Access Management: Legal Developments

At the VAMP workshop last week I was asked to review legal developments that might affect access management federations. On the legislative side the new European Data Protection Regulation seems to be increasingly mired in politics. The Commission’s proposed law from January 2012 needs to be discussed with the European Parliament and Council of Ministers […]

Categories
Articles

Managing Incident Response in Identity Federations

In talking with service providers at this week’s conferences on federated access management in Helsinki it’s become apparent that many of them are asking identity providers to supply not only the information that they need for normal operations, but also information that will only actually be needed if a problem occurs. For example it seems […]