Scalable Consent – Effective, informed, revocable, *.* multiprotocol consent + attribute release, UI, infrastructure, informed content
Scalable Consent: Effective, Informed, Revocable
Tuesday 4I Convener: Ken Klingenstein
Notes-taker(s): Ken Klingenstein
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Topics
- Use cases and requirements
- Enterprise internal and federated
- Boots on the wire today
- Scalable Consent
- Architecture
- UI
- Application behavior connected to attribute
- Status
- Informed Content
- Lessons learned
The internal and federated use cases
- External consent
  - Classic federated use cases: attribute release
  - Difficult because of their often international aspects
  - In the US, a significant number of “policy deciders” are not in central IT
  - EU GDPR (General Data Protection Regulation) has raised the bar
- Internal consent
  - Examples are the student app marketplace at Duke and the departmental app marketplace at UW
  - Consent needed per requirements of data stewards, both central and distributed
  - May involve protocols beyond SAML, including OAuth and OpenID Connect
What’s on the wire?
- Opaque non-correlating transient identifiers
- Opaque pair-wise persistent identifiers
- Opaque correlating persistent identifiers
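The three identifier kinds above differ in what a relying party can learn by comparing values. The following added example (mine, not code from the session or the Scalable Consent project) derives each kind with a keyed hash in the spirit of Shibboleth's computed pairwise IDs; the salt, user and SP names are constructed placeholders, and HMAC-SHA256 is this example's choice rather than any particular IdP's algorithm.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed salt for illustration only. An IdP keeps this as a long-lived secret,
# because anyone holding it can recompute (and so correlate) the pairwise identifiers.
IDP_SALT = b"constructed-example-salt"

def _b64(digest: bytes) -> str:
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")

def transient_id() -> str:
    """Opaque non-correlating transient identifier: random per session, so two
    visits (even to the same SP) cannot be linked by the identifier alone."""
    return secrets.token_urlsafe(16)

def pairwise_persistent_id(user_id: str, sp_entity_id: str, salt: bytes = IDP_SALT) -> str:
    """Opaque pair-wise persistent identifier (eduPersonTargetedID style): a keyed hash
    over user and relying party, stable for that pair but unrelated across SPs.
    HMAC-SHA256 is this example's choice, not necessarily what a given IdP uses."""
    return _b64(hmac.new(salt, f"{user_id}!{sp_entity_id}".encode(), hashlib.sha256).digest())

def correlating_persistent_id(user_id: str, salt: bytes = IDP_SALT) -> str:
    """Opaque correlating persistent identifier: the same value at every SP, so any two
    SPs that receive it can join their records on the user."""
    return _b64(hmac.new(salt, user_id.encode(), hashlib.sha256).digest())

def sps_can_correlate(user_id: str, sp_a: str, sp_b: str, kind: str) -> bool:
    """Privacy check from the SPs' point of view: do the values sent to sp_a and sp_b
    match, given the identifier kind on the wire?"""
    issue = {"transient": lambda sp: transient_id(),
             "pairwise": lambda sp: pairwise_persistent_id(user_id, sp),
             "correlating": lambda sp: correlating_persistent_id(user_id)}[kind]
    return issue(sp_a) == issue(sp_b)
```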
Local Federation Registrations
Kim Cameron’s Laws of Identity
Approaches to attribute release and consent
- Institutional policies and individual choices – Entity categories (e.g. Research and Scholarship)
- SAML end-user consent
  - Consent to release user’s attributes
  - Oriented towards IdP, transactional consent with suppression options, revocation options
  - Client side and server-side Shib options
- OIDC and OAuth consent
  - Consent to access a user’s resource
  - Oriented towards RP, persistent consent with
- Multi-protocol consent infrastructure (+ Shib shim)
Scalable Consent
- Components to create a scalable consent experience and infrastructure to allow users and administrators to manage their attribute release from their identity provider at scale
- An infrastructure to deliver the capabilities and the information
- A user interface that enables a user to make effective and informed decisions about attribute release
- Tools for an enterprise to manage that user experience
- Catalyzed by an NSTIC grant from NIST, becoming part of the TIER suite
- Web site: https://spaces.internet2.edu/display/ScalableConsent/Scalable+Consent+Home
Consent Requirements
- Derived from use cases, usable privacy research, legal regulations, etc.
- Fine-grain attribute release capabilities, with use of “bundles” and “meta-attributes” as needed
- Informed consent that is hierarchical, flexible, accessible, etc., with clear, concise human-readable explanations of attributes to be sent
- Additional detail provided when needed, including which attributes are required, values of attributes, how SP will use each attribute, how long SP will keep each attribute (attribute privacy policy)
- Revocation of an attribute release policy (out of band is fine)
- Ability to convey trust marks and other guides to user
- Providing a variety of options for attribute release during future visits to the same site, including using the current settings, periodic resets or reconfirmations, out-of-band notifications, etc.
- Provide an audit interface and history to support both privacy and security
- Ability to work across protocols
- Ability to work on-line and off-line
- Support for identity portability
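To make the interplay between institutional policy (entity-category bundles, from "Approaches to attribute release and consent" above) and individual choice concrete against these requirements, here is an added example, not code from the session or the TIER/Scalable Consent software: a release decision that applies the bundle first, then the user's stored consent with selective multivalued release, isRequired handling, periodic reconfirmation, out-of-band revocation and an audit trail. The bundle contents, the one-year interval and the sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed for this example: a simplified bundle per entity category (the real
# R&S attribute bundle is defined by REFEDS) and an assumed reconfirmation interval.
BUNDLES = {"R&S": {"eduPersonPrincipalName", "mail", "displayName"}}
RECONFIRM_AFTER = timedelta(days=365)
AUDIT = []   # release history, for the audit-interface requirement

@dataclass
class SpRequest:
    entity_id: str
    entity_categories: set   # e.g. {"R&S"}, as carried in SAML metadata
    requested: dict          # attribute name -> isRequired flag

@dataclass
class Consent:
    released: dict           # attribute name -> set of values the user agreed to send
    granted: datetime
    revoked: bool = False

def _log(sp, now, sent, dialog, reason):
    AUDIT.append({"at": now, "sp": sp.entity_id, "sent": sorted(sent),
                  "dialog": dialog, "reason": reason})
    return sent, dialog, reason

def release_decision(user_attrs, sp, consent, now):
    """Institutional policy first, then the user's stored choice.
    Returns (attributes to send now, whether a consent dialog is needed, reason)."""
    auto = set().union(*(BUNDLES.get(c, set()) for c in sp.entity_categories))
    out = {a: set(user_attrs[a]) for a in sp.requested if a in auto and a in user_attrs}
    for attr, required in sp.requested.items():
        if attr in out:
            continue                                  # released by institutional policy
        if consent is None or consent.revoked:
            return _log(sp, now, {}, True, "no valid consent on file")
        if now - consent.granted > RECONFIRM_AFTER:
            return _log(sp, now, {}, True, "periodic reconfirmation due")
        if attr not in consent.released:
            return _log(sp, now, {}, True, f"{attr} not covered by earlier consent")
        # Selective release: only the values of a multivalued attribute the user chose.
        agreed = consent.released[attr] & set(user_attrs.get(attr, ()))
        if required and not agreed:
            return _log(sp, now, {}, True, f"required attribute {attr} not consented")
        if agreed:
            out[attr] = agreed
    return _log(sp, now, out, False, "policy and stored consent cover the request")

def revoke(consent):
    """Out-of-band revocation: the next visit to that SP must ask again."""
    consent.revoked = True
```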
UI (PrivacyLens) as a paradigm
- Enabling effective and informed end-user consent
- Embraces a set of capabilities
- Hierarchical information, fine grain control, bundling, revocation of consent, flexible notifications, etc.
- Embraces a style of presentation
- Clear screens and slides
- Optional display of values being sent
- Affirmative user actions
- Integrates across use cases
- Protocol-agnostic
- On-line and off-line
- Allows a variety of information sources
- UI built on an open consent management infrastructure
- Can be replaced, skinned, etc.
Releasing an opaque identifier only
Anonymous comments
With only the opaque identifier released, individuals may post comments while preserving their anonymity within the community.
Releasing an opaque identifier and some personal information
Releasing an opaque identifier and personal information
Scalable Consent Infrastructure
Integrating organizational and individual policies
Informed Content
- The information and trust sources for Informed Consent
- The fuel that feeds informed user consent
- What do we need right now?
- MDUI (Graphic Icons) for IdP and SP
- IsRequired Attributes
- Meta attributes
- What we need soon
- Informed consent dialogues
- trustmarks - e.g. R&S, CoC, IDESG
- third party reuse and other privacy policy thinking information
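Most of the "right now" items come straight from SAML metadata: MDUI for the display name and icon, isRequired on RequestedAttribute, and the entity-category attribute. As an added example (not from the session or project), this parser pulls that informed content out of a constructed SP metadata document; the entity ID, URLs and service name are made up, while the namespaces, entity-category attribute name and attribute OIDs are the standard ones.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_CATEGORY = "http://macedir.org/entity-category"

# Constructed SP metadata for a fictional wiki service; entityID and URLs are made up.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:mdui="{NS['mdui']}"
    xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}" entityID="https://wiki.example.org/shibboleth">
  <md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="{ENTITY_CATEGORY}">
    <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
  </saml:Attribute></mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><mdui:UIInfo>
      <mdui:DisplayName xml:lang="en">Yourtown Community Wiki</mdui:DisplayName>
      <mdui:PrivacyStatementURL xml:lang="en">https://wiki.example.org/privacy</mdui:PrivacyStatementURL>
      <mdui:Logo height="32" width="32">https://wiki.example.org/logo.png</mdui:Logo>
    </mdui:UIInfo></md:Extensions>
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Community Wiki</md:ServiceName>
      <md:RequestedAttribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" isRequired="true"/>
      <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def informed_content(metadata_xml: str) -> dict:
    """Pull consent-dialog content from an SP's metadata: MDUI name, logo and privacy
    statement, entity categories, and requested attributes with their isRequired flag.
    Falls back to the entityID when the SP publishes no MDUI, a common gap."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    ui = sp.find("md:Extensions/mdui:UIInfo", NS) if sp is not None else None
    def ui_text(tag):
        return ui.findtext(tag, default="", namespaces=NS).strip() if ui is not None else ""
    cats = [v.text.strip() for v in root.findall(
        f"md:Extensions/mdattr:EntityAttributes/saml:Attribute[@Name='{ENTITY_CATEGORY}']"
        "/saml:AttributeValue", NS)]
    requested = {}
    for ra in (sp.findall("md:AttributeConsumingService/md:RequestedAttribute", NS) if sp is not None else []):
        requested[ra.get("FriendlyName") or ra.get("Name")] = ra.get("isRequired", "false") == "true"
    return {"entity_id": root.get("entityID"),
            "display_name": ui_text("mdui:DisplayName") or root.get("entityID"),
            "logo": ui_text("mdui:Logo"), "privacy_statement": ui_text("mdui:PrivacyStatementURL"),
            "entity_categories": cats, "requested": requested}
```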
Informed content dimensions
- Data fields
- Icons, required attributes, trustmarks, privacy policies, etc.
- Federated agreements on syntax and semantics
- Easier for internal federations to manage
- Transports
  - SAML metadata, well-known URIs, publish and subscribe mechanisms, etc.
  - Much to understand on the fit of transport to data to trust
- Trust management
  - Vetted, self-asserted, reputation system based
Lessons Learned – Consent Management
- Consent management at scale seems viable, but needs plumbing infrastructure and content
- Contractual vs non-consentable vs
- Need to guard against user habituation, oppressiveness; need to permit rubber squeeze toys
- Applications don’t know how to do data minimization
  - Very few are privacy-preserving; most lead with a request for identity when, at that point, only statefulness is needed
  - “You are what you release” functionality not leveraged
- Deep devils in the details
  - Selective release of values from a multivalued attribute
- The hard part will not be the infrastructure design and build but developing and maintaining the information that runs through it
For more information:
- https://spaces.internet2.edu/display/ScalableConsent/Scalable+Consent+Home – Scalable Consent Overview
- https://work.iamtestbed.internet2.edu/drupal/ – PrivacyLens and Consent Management infrastructure
- https://work.iamtestbed.internet2.edu/confluence/display/YCW/Yourtown+Community+Wiki+and+Service+Portal – Privacy-responsive and attribute aware applications