The user perspective on consent for identity federations (TNC 2011)

Terena Networking Conference 2011, 16 May 2011

Maarten Wegdam, Eefje van der Harst, Ruud Janssen

Acknowledgement: SURFnet: Hans Zandbelt, Roland van Rijswijk, Remco Poortinga-van Wijnen and others; Novay: Bob Hulsebosch, Dirk-Jan van Dijk and others


DESCRIPTION

As presented at the Terena Networking Conference 2011, 16 May 2011, in Prague. See https://tnc2011.terena.org/core/presentation/71.

TRANSCRIPT

Page 1: The user perspective on consent for identity federations (TNC 2011)

The user perspective on consent for identity federations

Terena Networking Conference 2011, 16 May 2011

Maarten Wegdam, Eefje van der Harst, Ruud Janssen

Acknowledgement:
SURFnet: Hans Zandbelt, Roland van Rijswijk, Remco Poortinga-van Wijnen and others
Novay: Bob Hulsebosch, Dirk-Jan van Dijk and others

Page 2: The user perspective on consent for identity federations (TNC 2011)

Novay?

• Mission “to create breakthroughs in the way we work, live, and entertain ourselves, by creating and applying ICT-innovations”

• Independent ICT research institute
• Formerly called Telematica Instituut
• Innovation projects for customers
• Networked innovation


Page 3: The user perspective on consent for identity federations (TNC 2011)

What to expect?

Large-scale user study on consent for an identity federation

• Goal
• Design choices & prototype
• Pilot & survey outcome


Page 4: The user perspective on consent for identity federations (TNC 2011)

Intro to user consent

• (Old ?) trend: user centric identity
• Empower user to control his/her identity
• See also: Laws of Identity by Cameron
• Why: legal, ethical and user acceptance
• How: insight and control over the exchange data


Page 5: The user perspective on consent for identity federations (TNC 2011)

SURFfederatie

• NL Federation for higher education and research
• ~700k users, >60 IdPs, ~30 SPs
• Limited sharing of attributes
• Trust framework
• Multi-protocol, including SAML & WS-Federation

[Figure: federation diagram with IdPs, SPs and a hub]

Page 6: The user perspective on consent for identity federations (TNC 2011)

Research question: do users want consent, and if so, how?


Page 7: The user perspective on consent for identity federations (TNC 2011)

A complicated trade-off

[Figure: trade-off diagram; surviving label: Understandable]

Page 8: The user perspective on consent for identity federations (TNC 2011)

Privacy attitude

[Privacy indexes: a survey of Westin’s studies. Kumaraguru, Faith Cranor. ISRI technical report, December 2005.]

Page 9: The user perspective on consent for identity federations (TNC 2011)

Research approach

• State-of-the-art
• Design web-redirect based consent
• Not SAML/OpenID protocol specific …
• 5 guidelines
• Based on professional literature, academic literature and existing implementations
• 2 rounds of small-scale user studies
• A large pilot with two rounds of surveys

Page 10: The user perspective on consent for identity federations (TNC 2011)

Set-up user studies

• Small/qualitative, in depth
• First study: mockups
• Co-discovery, 9 * 2 users, 3 institutes, mix students & employees, list of questions
• Do they want consent, or do they prefer their institute to control this?
• And: feedback on the trade-offs in our mockup
• Second round: with prototype
• Focus on trade-off
• Mockups of different design choices

Page 11: The user perspective on consent for identity federations (TNC 2011)

Example screenshot


Page 12: The user perspective on consent for identity federations (TNC 2011)

Outcome user studies

Yes: SURFfederatie users want consent

How to make the trade-offs: see next slides …


Page 13: The user perspective on consent for identity federations (TNC 2011)

0 Consent

Always ask user before exchanging data

We decided in our case not to provide per-attribute choice, too difficult to understand.

Page 14: The user perspective on consent for identity federations (TNC 2011)

1 Informed

Make the information flow clear

We show actual value of information, explain the federation and role of SURFnet, and link to privacy statement

Page 15: The user perspective on consent for identity federations (TNC 2011)

2 Automate

Enable providing consent for future log-ins

We decided to only have ‘timed’ automation, people forget…

Page 16: The user perspective on consent for identity federations (TNC 2011)

2 Automate

Enable providing consent for future log-ins

We decided to only have ‘timed’ automation, people forget…

will be longer

Page 17: The user perspective on consent for identity federations (TNC 2011)

3 Notification

Notify when information is exchanged (in right context)

Even if consent was already provided

Difficult to do with web-browser without becoming too intrusive

Page 18: The user perspective on consent for identity federations (TNC 2011)

4 Revocation

Provide overview and allow revocation of provided consents

Including what attributes are included in consent, but no log
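The rules from guidelines 0, 2 and 4 above, sketched as an added example (not part of the original slides and not SURFnet's implementation). The store, its method names, the sample attribute names and the rule that a changed attribute set triggers a new prompt are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Consent:
    attributes: frozenset   # attribute names shown on the consent screen
    expires: datetime       # guideline 2: only 'timed' consent is stored

@dataclass
class ConsentStore:
    """Hypothetical hub-side store keyed by (user, service provider)."""
    records: dict = field(default_factory=dict)

    def needs_prompt(self, user, sp, requested, now):
        """True if the consent screen must be shown before releasing data."""
        rec = self.records.get((user, sp))
        if rec is None:
            return True                     # guideline 0: always ask first
        if now >= rec.expires:
            del self.records[(user, sp)]    # timed consent has lapsed
            return True
        # Assumption: consent covers the whole set that was shown (no
        # per-attribute choice), so any attribute not shown re-prompts.
        return not frozenset(requested) <= rec.attributes

    def grant(self, user, sp, attributes, now, remember_days=0):
        """Store consent for future log-ins; 0 days means this log-in only."""
        if remember_days > 0:
            self.records[(user, sp)] = Consent(
                frozenset(attributes), now + timedelta(days=remember_days))

    def overview(self, user, now):
        """Guideline 4: active consents and their attributes, no usage log."""
        return {sp: sorted(c.attributes)
                for (u, sp), c in self.records.items()
                if u == user and now < c.expires}

    def revoke(self, user, sp):
        """Guideline 4: drop a stored consent; returns whether one existed."""
        return self.records.pop((user, sp), None) is not None
```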


Page 20: The user perspective on consent for identity federations (TNC 2011)

User study – other points

• Why do service providers need my attributes? Specific answers are very difficult ...

• What happens after my consent with my data? No real solution for this (yet?)…

• What is SURFnet doing here? Web-interface runs on SURFnet hub, which now becomes visible… We explained this carefully

Page 21: The user perspective on consent for identity federations (TNC 2011)

Pilot & survey

• Three universities (TUD, RuG, Univ Leiden)
• Three service providers (Legal Intelligence, Prof, SURFdiensten)
• Dutch and English
• 1043 participants (18%), 507 did the survey
• Ran for 2 months

Page 22: The user perspective on consent for identity federations (TNC 2011)

Main conclusion 1


Page 23: The user perspective on consent for identity federations (TNC 2011)

Main conclusion 2

[Bar chart: "The new option is a good add-on to the SURFfederatie" (1=absolutely; 5=not at all). Bar labels, in order: 20%, 42%, 28%, 8%, 2% (answer scale 1 to 5)]

Page 24: The user perspective on consent for identity federations (TNC 2011)

Check on bias towards privacy fundamentalists: representative

Page 25: The user perspective on consent for identity federations (TNC 2011)

Timed consent

• 87% of users want this!
• No clear preference how long …

Page 26: The user perspective on consent for identity federations (TNC 2011)

Conclusions

• Users want consent
• Current prototype is good way to provide this
• Open issues
• Do the other stakeholders want this?
• For all institutes, and can each one choose?
• On the hub or at the institutes?
• SURFnet decided to deploy this (summer 2011)

Page 27: The user perspective on consent for identity federations (TNC 2011)

Questions?

More information: User controlled privacy for the SURFfederatie: the user perspective (report, Jan 2011), to appear on www.surfnet.nl, or send me an email for pre-final version

Report extended summary: http://maartenwegdam.files.wordpress.com/2011/04/20110125-gp3-ucp-2010-ext-summary.pdf (or as “extra file” on TNC2011 site)

Blog post: http://maarten.wegdam.name/2011/04/03/user-study-outcome-users-do-want-consent-for-federated-login/

Page 28: The user perspective on consent for identity federations (TNC 2011)

backup


Page 29: The user perspective on consent for identity federations (TNC 2011)

Consent on hub or with institute

[Figure: two federation diagrams (IdPs, SPs, hub) showing consent placed at the IdPs versus on the hub]

Page 30: The user perspective on consent for identity federations (TNC 2011)

Consent on hub or with institute?

Hub

+ one-time deploy

+ analog to current attribute filtering

- hub becomes ‘fatter’

- hub becomes visible

Institute

+ ‘logical’ place

- Some of the identity software will not support this, custom changes needed
