Federated Identity and Privacy

Over the next few blog posts, we’ll be diving into some of the issues brought up in the RA21 FAQ. This week, let’s talk about the use of federated identity and privacy.

Almost everyone online has been to a site that requires the user to register, and offers the possibility of using one of their social media accounts to handle that registration. Immediately, questions come to mind: if I click on this link, what is my social media provider learning about me and the sites I visit? What information is my social media provider returning to this third party? How can I enjoy the easier user experience of just clicking on this link rather than following a full registration process while still protecting the privacy of my data?

When shifting from a social media service to an academic or business environment, however, these questions change. Contracts between an identity provider and a service provider are often involved that clearly define what user information can be shared, and how it may be used. As the number of Identity Providers increase, however, these kind of bilateral agreements do not scale for either the identity provider nor the service provider. Identity federations are a way to support such agreement at scale, and as members of such federations both service providers and identity providers agree to abide by specific operating procedures (e.g., the InCommon Participant Operating Practices). Those operating procedures may include the ability for all parties to publish their privacy statements directly in the federation metadata feeds, and to be very specific in how they use information sent from the identity provider to the service provider. In fact, identity providers can make policy-based decisions as to whether to allow an authentication transaction to go through based on whether or not there is a public privacy statement available for a service provider.

In the most basic of federation actions, a user goes to a service provider’s website and clicks on a link to authenticate for access. That link first takes them to a discovery service that allows the user to select the correct identity provider. At that point, the transaction shifts entirely to the identity provider which, assuming a successful authentication, only returns information that the authentication was successful. No other data is released in this first, basic flow. By default, the service provider never finds out the user’s name, contact information, role within the institution, and so on, from the identity provider. In a more advanced flow, more information may be shared of relevance to both parties – perhaps the resources being accessed should only be available to students. Or, perhaps access to a particular class of online resources should be restricted to a particular department within an institution. Such access controls can be achieved without access to personal information about the user – only the institutional affiliation is required. Federated authentication and associated authorization decisions are customizable based on automatable criteria. While the decisions on what information to release is largely in the hands of the identity provider, the technology is developing that would allow a user to explicitly consent to releasing additional information (such as their name or email address to support personalization of a service).

The technology and policy exist to both enable and manage the sharing of information about a user; legal restrictions exist as well that further impact what information may be shared and under what circumstances. Many regions in the world have privacy regulations that impact the digital world. From the Global Data Protection Regulation in the European Union, to the Personal Data (Privacy) Ordinance in Hong Kong (Cap. 486 of the Laws of Hong Kong), and the various state and federal consumer protection laws in the United States, many governments consider the privacy of their constituents to something necessary to protect. Even if resource providers want to collect and user data, they have to consider the regulations in all regions in which they operate.

RA21 seeks to improve the federated identity experience through a better identity provider discovery process. Information regarding best practice to support privacy as well as usability are guiding principles for the effort. At the end of the day, the project will have a list of best practices in this space that must support these principles.

Further reading

May 25, 2017

Leave a Reply