user consent for consumer identity (@isse2010)

User consent for consumer identity 7 October 2010, ISSE 2010, Berlin Maarten Wegdam Principal Research @ Novay

Upload: wegdam

Post on 26-Jun-2015

DESCRIPTION

As presented for ISSE 2010, on 7 October 2010 in Berlin.

TRANSCRIPT

Page 1: User consent for consumer identity (@ISSE2010)

User consent for consumer identity

7 October 2010, ISSE 2010, Berlin

Maarten Wegdam

Principal Research @ Novay

Page 2: User consent for consumer identity (@ISSE2010)

Novay?

• Mission “to create breakthroughs in the way we work, live, and entertain ourselves, by creating and applying ICT-innovations”

• Independent Dutch ICT research institute

• Formerly Telematica Instituut

• Innovation projects for clients

• Networked innovation

• Identity & Trust is focus area, e.g.:

Page 3: User consent for consumer identity (@ISSE2010)

An intro to user consent

• User centric identity

• Empower user to control his/her identity

• See also: Laws of Identity by Cameron

• Why: legal, ethical and user acceptance

• How: insight and control over data flow

Page 4: User consent for consumer identity (@ISSE2010)

Case: SURFfederation

• Federation for Dutch higher education and research

• ~700k users, ~40 IdPs, ~30 SPs

• Limited sharing of attributes

• Trust framework

• Multi-protocol, including SAML & WS-Federation

• Question: do users want consent, and how?

[Diagram: IdPs and SPs connected through a hub]

Page 5: User consent for consumer identity (@ISSE2010)

State-of-the-art for consent

InfoCard (active client)

Page 6: User consent for consumer identity (@ISSE2010)

State-of-the-art for consent

OpenID (web-redirect)

Page 7: User consent for consumer identity (@ISSE2010)

User centric SAML?

• But isn’t SAML Identity Provider centric? Well, that depends …

• SAML WebSSO is web-redirect, similar to OpenID: consent can be similar

• Already examples:

• consent module of SimpleSAMLphp (WAYF, Feide)

• uApprove (SWITCH)

Page 8: User consent for consumer identity (@ISSE2010)

A step back

A complicated trade-off for consent

Page 9: User consent for consumer identity (@ISSE2010)

Privacy attitude

[Privacy indexes: a survey of Westin’s studies. Kumaraguru, Faith Cranor. ISRI technical report, December 2005.]

Page 10: User consent for consumer identity (@ISSE2010)

Approach

• State-of-the-art

• Design web-redirect based consent

• Not SAML/OpenID specific …

• 5 guidelines (next slides)

• Based on ‘professional’ literature, academic literature and existing implementations

• User studies! InfoCard vs user-centric SAML

• Pilot

Page 11: User consent for consumer identity (@ISSE2010)

0 Consent

Always ask user before exchanging data

We decided in our case not to provide per-attribute choice, too difficult to understand.

Page 12: User consent for consumer identity (@ISSE2010)

1 Informed

Make the information flow clear

We show actual value of information, explain the federation and role of SURFnet, and link to privacy statement

Page 13: User consent for consumer identity (@ISSE2010)

2 Automate

Enable providing consent for future log-ins

We decided to only have ‘timed’ automation, people forget…

Page 14: User consent for consumer identity (@ISSE2010)

2 Automate

Enable providing consent for future log-ins

We decided to only have ‘timed’ automation, people forget…

will be longer

Page 15: User consent for consumer identity (@ISSE2010)

3 Notification

Notify when information is exchanged (in right context)

Even if consent was already provided

Difficult to do with web-browser without becoming too intrusive…

Page 16: User consent for consumer identity (@ISSE2010)

4 Revocation

Provide overview and allow revocation of provided consents

Including what attributes are included in consent, but no log.
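
The choices made on the guideline slides above (all-or-nothing consent, timed automation, an overview with revocation but no log), sketched as a consent store. This is an added example, not code from the presentation or from the SURFnet pilot; the class name, the 90-day period, binding a remembered consent to a digest of the released attributes, and the sample values used with it are assumptions.

```python
import hashlib
import json
import time

REMEMBER_SECONDS = 90 * 24 * 3600  # assumed period; the deck leaves "what period?" open


class ConsentStore:
    """Remembered consents per (user, SP): no per-attribute choice, no release log."""

    def __init__(self, now=time.time):
        self._now = now
        self._consents = {}  # (user, sp) -> (attribute digest, attribute names, expiry)

    @staticmethod
    def _digest(attributes):
        # Bind the consent to the exact names and values the user was shown.
        canon = json.dumps({k: sorted(v) for k, v in attributes.items()}, sort_keys=True)
        return hashlib.sha256(canon.encode()).hexdigest()

    def needs_prompt(self, user, sp, attributes):
        """True unless a live remembered consent covers exactly this release."""
        record = self._consents.get((user, sp))
        if record is None:
            return True
        digest, _names, expires = record
        if self._now() >= expires:
            del self._consents[(user, sp)]  # timed automation: expired consent is forgotten
            return True
        return digest != self._digest(attributes)  # changed release means ask again

    def grant(self, user, sp, attributes, remember):
        """Record an all-or-nothing 'yes'; a one-off consent is not stored."""
        if remember:
            self._consents[(user, sp)] = (
                self._digest(attributes), sorted(attributes), self._now() + REMEMBER_SECONDS)

    def overview(self, user):
        """Data for the overview page: SP -> attribute names covered by the consent."""
        return {sp: names for (u, sp), (_d, names, exp) in self._consents.items()
                if u == user and self._now() < exp}

    def revoke(self, user, sp):
        """Drop a remembered consent; returns False if there was none."""
        return self._consents.pop((user, sp), None) is not None
```

The identity provider or hub would call `needs_prompt` before every attribute release and show the consent page whenever it returns True.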

Page 18: User consent for consumer identity (@ISSE2010)

User study setup

• Small/qualitative, in depth, using mockups

• Co-discovery, 9 * 2 people, 3 universities, mix students & employees, questionnaire

• Do they want consent, or will they rather leave it to their university?

• If they do: do they prefer InfoCard or user-centric SAML?

• And specific feedback on trade-off in our user-centric SAML

Page 19: User consent for consumer identity (@ISSE2010)

User study outcome

• Yes, they did want consent

• They prefer user-centric SAML over InfoCard

Page 20: User consent for consumer identity (@ISSE2010)

User study – other points

• No consensus on desired ‘obtrusiveness’: we decided to skip notification

• They want to know why service providers want their attributes

• They want control over the data after consent: no solution yet …

Page 21: User consent for consumer identity (@ISSE2010)

Current status

• Exploring user-centric SAML

• Additional user studies to fine-tune user interface

• Started large pilot two weeks ago

• Based on outcome SURFnet will decide whether to roll out

Page 22: User consent for consumer identity (@ISSE2010)

Closing remarks

• Providing actual consent is NOT trivial

• Unclear how specific the results are for our case: trust, web-redirect, limited attributes

• Complication (?): role of hub and SURFnet

• Asking people about privacy behavior is tricky: risk of bias towards privacy-paranoids, behavior over longer time, socially desirable

• Timed consent: what period?

Page 23: User consent for consumer identity (@ISSE2010)

THANK YOU

Acknowledgement:

• SURFnet: Hans Zandbelt, Roland van Rijswijk, Eefje van der Harst, Remco Poortinga-van Wijnen and others

• Novay: Ruud Janssen, Bob Hulsebosch, Dirk-Jan van Dijk and others

More information:

• report: User controlled privacy voor de SURFfederatie (Dutch)

• report: User controlled privacy voor de SURFfederatie: een gebruikersstudie (Dutch)

• report: Outcome user controlled privacy pilot, to appear Dec 2010 (English)

• blog post: http://maarten.wegdam.name/2010/03/11/user-centric-saml/

• email: [email protected]