Privacy Stew and Stewardship

So it looks like you’re in an attic room, Cliff. I’m not in an attic room but a second story room. Yeah, kind of under the eaves is this part of like, yeah, wait on all of my European calls everybody is the whole that kind of, you know, situation. you’re in Jersey huh. Yes, Southern, so. thanks for joining us and we’ll get started in about 90 seconds. Thanks for joining us today we’ll get started in about a will be starting in about 30 seconds.

02:22 - Okay, let’s go ahead and get started. Welcome everybody. Thanks for joining us today I’m Cliff Lynch, the director of the Coalition for networked information. I’ll be introducing the session. This is one of the project briefing sessions for week three of the CNI fall 2020 virtual meeting to remind you we three is focused on technology standards and infrastructure And certainly issues around privacy and the interactions of privacy and technology fit very squarely there. A A couple of logistical We. are recording the session and it will be subsequently available there is closed captioning please make use of that if it’s helpful.

03:23 - There is a chat And you’re welcome to use that as we go. And there’s a q&a box, you can post questions as they occur to you and after kin finishes he’ll work through questions with the assistance of Diane Goldenberg-Hart from CNI. So, let me just very briefly introduced this session. I am as always delighted to welcome back to CNI the. The one and only Ken clippin Stein internet to who has as good of view on privacy identity security access management related issues as anyone I can imagine, and We’re not allowed to have blue phase anymore because of the pandemic but if we were I would characterize this as a bit of a buffet of recent developments that are on Ken’s mind and have affected many of us, and that promise to affect us in new ways and future.

04:46 - I suspect you will have a lot of questions for Can I know I have a couple that I, I’m going to invite him to speculate on if there’s time, particularly if you don’t, but with that, I’ll just think can for coming to make us all smarter on these topics and turn it over to you. Welcome. Thank you, Cliff soundcheck things Okay. Sounds good. Okay. And thanks to all of you for attending and finding the room as it were. I’m usually parked at the very end of the Omni we were reminiscing about the Omni Hotel in DC. So I’m glad you found it. For those who are watching this in a delay fashion on video, and I’d be very interested in in responding to any comments and questions you might have.

From this 05:47 - presentation and KJK and internet to.edu I can. My scat at various places on the internet and you can find me and I’d be thrilled to answer stuff. For those who were participating alive. We do have QA, Diane is going to things but I’m glad into up the flow along the way. And then finally, we’re on the cusp I believe, of being able to address some of the long standing desires of the library community.

With regards to combining 06:26 - both privacy and access control. And now that that looks like we can get there. I’m curious about what to use cases are what are the unique access control sets of issues that people might have that might challenge. The, the approach that we taking along the way. So I hope we can sink into that, with that. the set of topics I want to begin with the stew. Talking about what’s happening out there, disobeys will be largely presentation before we get to be interactive part of, which is the stewardship element, the stool will consist of updates on GDPR it’s been very active in the last year in terms of development in developments in that space of privacy and management of user rights. We’ll talk a little bit about Privacy Shield I’m not sure that the for the community gathered here that Privacy Shield was in fact much of a shield, but for some of you universities and institutions, and for a large number of corporations Privacy Shield was a way to interact with the Europeans, And that has been struck down and we’ll spend a little bit of time talking about how to manage the aftermath of that. I want to look at the stuff happening up north in In Canada, partially because some number of the attendees I see and I are traditionally Canadian, but largely because the Canadian doing really. Right. And. and one, put a bit of a highlight on that.

08:22 - I’ll just touch briefly on how covid 19 tracing and privacy interacts. Many of you on this call may have a more profound understanding and be great to exchange that. And then finally I’m going to talk about it. Piece of work that we’ve been developing now for several years about attribute release with consent And in the last few weeks that activity has started to engage with film for L federated identity management for libraries and we’re getting to a point where we can begin to again site to do proper access control on a collections. I’m the stewardship piece is a lot more about process.

09:09 - How do you chart a course given all the things that are happening there. And were in that path. Do libraries figure. And how do you separate the wheat from the chaff. Many campuses have have created a chief privacy officer, it’s almost always a second title to somebody who already had a title. So the question of what they respond are and how they juggle that is interesting and then finally we’ll talk about how can you build some privacy partnerships on campus, and our examples for that will be, how to manage these seamless access attribute bundles, as they make their way into the IT world, from a group that has been largely librarian shaping them. So that’s the map going forward. And with that, I’d like to borrow a slide from Daniel so love on GDPR I Daniel has a number of really good resources about this.

He provides them 10:18 - freely with acknowledgement. I would point out that there’s a lot of elements to GDPR and you might be familiar with some number of them and not the others that players list is important that there were data subjects us data controllers. The people who own our data, data processes, the people who asked for our data from the data controllers, and the supervisory authorities to people who kind of make sure that rules are being followed. At one point, there was concerned that the GDPR only applied to Europeans and then all of the edge cases percolated up that made its impact, far border. If you have campuses in Europe, you’re covered.

If you have European 11:08 - students in the US on your campus GDPR affects them. So it is truly transnational in some of its impacts that lawful processing list just below the territorial scope, we’ll get into a bit more. It’s where I tend to live, you’ll see consent right next to it. It says, attributes can flow. Only if certain lawful conditions in it. A Legal. contract legal obligation in the interest of legitimate niches of user, some national security issues, or consent.

11:50 - So those are high bars and then the EU has put on consent a very high bar, which is, when can you use it, and how well. Must you present it. And so, when can you use it must be in a truly symmetric relationship and often all relationships with our data processes are not symmetric. But. they are there are instances where they are and then we can start to use concerned, it has to be informed, or spend a bit of time on what that means and unambiguous and needs to be by the way we vocable, but not in the past tense, in the future tense. So you can’t withdraw. What’s been seen already there is something called the right to a ratio of all of the aspects of GDPR that’s been the most difficult to implement think about backup tapes. The International, the enforcement levels are quite high.

There needs to be 13:01 - special treatment for sensitive data, itself etc etc. Again, a very comprehensive set of requirements, a high bar in So in particular, two things have emerged in the last several years around GDPR that are relevant to the access control issues that libraries face. What’s the basis of release for attributes. And what’s the purpose of use for the information that’s been released. Again, basis for release, just a limited number of of categories and very carefully identified and abused, frankly, and I’ll come back to that in a of use, is really pretty vexing. The.

13:52 - If you releasing information how is the relying party receiving this information going to use it. Various verticals have developed taxonomies for purpose of use in In particular, the Interactive Advertising Bureau has been very conspicuous in the space, we don’t have one And the purpose of use field. Turns out to a percolated up in May, when the European Court of Justice, I believe, tightened the lots of the abuses around around GDPR, in particular, there was a massive abusive legitimate interest, where people would say I don’t have to ask for your information I can just take it because you came to this site, so you must have meant to give up that information. It’s not clearly the case poorly done consent and cookie walls, so perhaps the most dramatic impact of these may rulings are now visible. If you’re visiting websites that are frequented by people who are covered by GDPR, you’ll have noticed that the Accept cookies category has been replaced with a finer grained set of options.

You can 15:23 - click to accept all of them. Typical cookie wall, except all these cookies, or you can click on that box typically at the bottom of the screen and discovered this four sets of cookies. And you can choose which ones to accept There’s a set of functional ones, a set of style ones, a set of marketing and tracking ones, and in particular I always go in now when I see that we find set of cookie options and deselect everything but the functional ones. I appreciate that control. And in fact, I assume I’m being tracked less as a result of that. And then define a again that kind of pushes on this fine grained controls. I did include a citation.

16:13 - EDPB stands for the European data processing board. So. long lots of about that before I move on to privacy issue then he speed. Okay. Any we find mints that folks would like. Okay. So privacy Shield was occlude to replace a hack the original hack was safe harbor in a covered transfer of European data to us. And it gave people a sense of comfort that data being sent to the US was going to be protected and a a whole lot of use use cases, some of the places where got gunky is when you have a multinational company, and they’re trying to pass data from European employees to the US headquarters. And you need protections around that.

They will 17:12 - also instances with customers, and they was social use cases and in fact, it was the social use cases that triggered the demise of Privacy Shield, which was the replacement for the original hack of safe harbor. And in particular, the European Court of Justice ECA j in shrimps to swim This is the German student who who has Facebook for all of his data that Facebook had, and Facebook sent in early list that was slim and then sent several hundred pages of data that they have shrim sued in the European Court of Justice, one. And so Privacy Shield is toast. The core reason that the European Court of Justice struck down Privacy Shield by the way, was. They didn’t trust us US government. they not might be a really reasonable policy, but they felt that the US the US government had numerous legal mechanisms to force us companies to provide data that was supposed to be protected by Privacy Shield, it impacts a lot, though not community, not so much.

18:27 - But you may start to see some contract clauses in content being provided by European resources that are attempting to address some of the protection that extensively Privacy Shield gave you can also do encryption upon encryption, as a protection mechanism, but that comes with lots of costs computational and otherwise. Moving up north. Diack stands for the digital identity and access control council or Canada, and they’ve created a pan Canadian trust framework. It’s monitor, it’s developed. much as the US, tried to develop an effort of an end stick. I am a survivor of that effort. some of the software I’ll talk about in a few minutes, is also a survivor of that effort, but that effort went down in flames. And later on in the bar we can talk about that.

Um, they have a 19:31 - trust mock called voila, which is appropriate for a bilingual country. And if you see that trust mark on a website, you believe that that website is playing by the rules that the pan Canadian trust framework, sets out. It’s an impressive list of identity providers. Those include banks, social media, governments and an impressive list of relying parties planning on using it. It’s just starting to roll out now, but because it’s embracing some existing infrastructure as part of its approach, you could say that it has a great deal with traction already.

20:14 - In particular, in British Columbia, you can use an identity issued by a bank of government, a number of other places a validated social identity, that’s been verified and use that to file taxes, get building permits, do a lot of interactions with the British Columbia, Columbia I’m. I’m very impressed with it because I live in the notice and consent space, and they have some extremely nice noticing consent. We lost our way, and we end up doing Single Sign On across the internet, because there was an immediate need with very few attributes flowing and that’s been a source of frustration. And now. And now, we might be able to get back into having attributes flow. Come back in touch as well. They had the concept of verified persons and verified organizations, and as he asked infrastructure.

It’s an 21:52 - elegant framework that privacy cuts across. it for the noticing consent requirements. Again, for those of us who live in this landscape, they’re very welcome. Consent will normally be sought. It is in if it’s a legitimate interest determine if it’s, you know some kind of contract signed years ago, when in doubt, do consent or notice Notice in the places where things have to be provided consent with some discretion. It’s always opt in. It takes place at the time of transaction, but it can be given for a period of time, like for a subscription service withdrawal of consent as mentioned, keynote, it applies to future transactions, where you’ve given him for an extended period of time, but you can’t close the barn door that’s when the horses have left.

It’s always 22:49 - explicit and in language that is easily understood. And that is quite a challenge, and will I’ll show you some screens where we’ve attempted to do that. And then this should be a place where you have a console. a dashboard where all of my consensual. And when I can manage them, and I’ll give you an example of one of those as well.

23:14 - And that consent dashboard has just taken fire in Europe as well. And I expect that to be the next set of efforts going Um, so I just wanted to touch briefly on covid 19 and privacy because it had huge impacts on. everything, including privacy rapid adoption of new cloud services which we all went through. We didn’t really have the time to look at the data protection clauses or at the property closes, because we couldn’t have stayed open without that. So there was a number of privacy concerns that got sidelined by the urgency of providing online education, I think we need to be those At a recent conference in Europe Gardner talked about how.

As a result of 24:09 - COVID-19 the future future arrive 57 months early. I’m not quite sure how they got the number 57 but in fact we dealing in a future world now, and scrambling to make it work. I won’t get into the subtleties of Kant of contact tracing. But I would assume that some of you have followed the nuances of the various approaches And we’ve gone, thankfully, from a very centralized approach that often would use mobile devices, but would use your phone numbers on the mobile and gather from the cell phone towers that your phone interacted with. Were you were. And who was around you. And that had major privacy impacts.

Along the way, we’ve 25:02 - migrated from that centralized approach by and large, to have most contract tracing apps and I have one of my phone Be decentralized, so my phone is keeping track of what what other phones have come within Bluetooth range of my phone. But no one else knows that but my phone, but there is now a threat to be triggered. If somebody is phone has the owner has come down with COVID-19 there is a path to be followed a path that would let the owner of that phone notify owners have phones that have been proximate that there was a positive test. And that that was a that came at some functionality expense, but I was pleased to see that ironically, that approach of privacy preservation and contact tracing was championed by Google and Apple and I tend not to think of Google, Apple is being privacy preserving companies but in this case, they They were inspiration. So before I dive into this one to me just this is a natural pause point, see if any questions or percolated up comments.

26:31 - I’m not seeing any questions right now can. Thanks Diane. So I want to talk about one tool in particular, and we’re just starting to get serious engagement on this tool that has been in development for a number of years, um consenting formed attribute release. It’s a joint effort of internet to and Duke And. the deep bench of talent that sits at Duke University. Just emerged from the end state grant on scalable privacy.

I think 27:10 - it might be the only floating. Guppy leftover from the that end stick effort. It provides effective and user management for attributes for release of attributes and information items, you can do it in line and there’s a self service mechanism as the Diack and as the content dashboards, talk about this very effective enterprise management of how consent and notice of presented, and how policy around that is formulated. I think we all have some use cases, and I’ll touch on one or two and in the second where some information really needs to be provided by the user and other information needs to be consented to be released by the US. Some of some of the information that has to be released might the information that has to be released might be in that functional category that we talked about in terms of cookies.

And so this necessary 28:11 - to have the access control function. And some of it might be compensatory stuff where user has colorblindness and once the screen to to be presented in a certain fashion, and those kinds of attributes, could be consented And then there was some things that are negative attributes where we don’t want to use it to not release them. We all have negative rights, somebody is banned from using the VPN somebody is prohibited from using another resource. You don’t want to have a user. be able to suppress inflammation that important for the relying party to So. so there are mechanisms for both shipping information and giving users a choice about shipping information.

It turns 29:07 - out is unexpected compliance benefits. Your your lawyers at your institution or probably keeping of what attributes are being released to what relying parties. That’s a requirement. of GDP or they may be keeping that stuff on a spreadsheet, I know of a couple of universities doing They may be keeping that stuff on a spreadsheet, I know of a couple of universities doing that. That tracking of when information is being the least two which relying parties per user is a simple report out from the core software, click this button, and your manual spreadsheet gets replaced with a report that tissue, where I would ever is source software, by the way, will works for Oh IDC works for SAML and Shibboleth it works for batch feed so one of the painful aspects of our privacy actions to data on campuses, is that were policing, maybe the release of information via real time interactive stuff. But we have these batch feeds going on batch feeds provisioning to zoom, our user base batch feed provisioning to Google Docs batch feeds provisioning to third parties who would doing alcohol education services for us.

Those batch feeds are not 30:33 - covered by February today. And so if a student has selected Ferber. It’s not reflected in their privacy settings in these batch feeds. This gives us a mechanism for that. It’s open source software And for those of us who go back way too far. The original Shibboleth t shirt said will work for attributes. This is what that about. So I want wanted to show you a typical screen. The identity provider here is Amber from the. arcane novels, and here I am going to a research our US site And they want attributes wanted to show you a couple of things about this screen. First of all over here on the right of reminder of what site, you’re going going to, and the privacy policy for that site.

31:27 - Over here on the left, we say we view and edit what you provide to this site because this is set that stuff that you have preset and this is what you did last time as it were The release and deny or in the typical reading green permits and denies the attribute being released is presented in English, or in Spanish card is multilingual, It does Chinese quite well. The value being released is also present. Now you can’t correct values that are being released in this environment, you’ll need to go to the system of record to correct that. But at least you’re notified in the case that the value is set. that you need to change that. And then underneath that in italics, is the purpose of use.

We’re finally presenting for 32:28 - the first time. why an attribute could be used or needed along the the These things are easy to change just button buttons. This has been tested extensively on user populations across a variety of ages and backgrounds and seems to be fine in fact, the target moved on us while we were working on this early on in the days of federated identity. The general feeling was uses couldn’t do consent, and then Google and other social environments began to do consent screens badly at first, increasingly better over time, and uses got used to the fact that they might need to do consent, And now we have a population that seems to be fairly comfortable with consent. Notice on the bottom it says don’t show the screen next time.

So you 33:23 - don’t, you know unless you’re a consent and notice person, you don’t want to see this more than once to get to resource, so you can suppress that. And then if you want to change your policy. You can go to the Self Service console and change it. And if you as an institution, want to have policies changed for users when something changes in the environment. You can trigger those. We want you to be consent. What kind of changes can happen in the environment.

Supposing research or us 33:54 - change their privacy policies, you’re not quite sure that you like, you have with a single command, the ability to ask all users going to research or You have with a single command, the ability to ask all users going to research or us too we confirm. They will these policies could be a handy tool down the You can also, we consent, if the value being least has changed. Here’s another setting, I just wanted to give you a different view on this, this was for faculty trying to get to content. And this is important because it begins to do fine grain access control. So in this one, I’m releasing not identity.

Well I’m releasing a 34:40 - display name but that doesn’t have to be identity. But I am releasing my affiliations, and allows me to get to departmental II licensed content. And so we have access control. These affiliate these departmental funding controls and I’d welcome better wording on that from anybody in the community who has knowledge of that. But. these are expressed as group memberships, very simple to manage from the identity provider viewpoint, and gives restricts content to members of the School of Law, sociology, etc. and finally, here’s my self service console so here’s all of the places I’ve set attribute, releasing consent policies for.

And, 35:35 - when I’ve updated them and the Manage button will allow me to go in and change my policies, So, if I’ve decided that a site is becoming uncomfortable to get certain information. I can manage that. If I decided that I’d really want to change the way the site presents information in response to an accessibility concerns that I now have I can manage that as well. This. is for any geeks in the audience does API’s all around the place. I just wanted to show you that in particular down at the bottom there are two figures. So you as a user, get to use that intercept interface and you also get to do the self serve interface.

36:24 - As it as administrators, there are two other interfaces that I haven’t shown in this one, that would allow to sysadmin to set institutional policies, and would allow a privacy person or a librarian to administer a subset of those capabilities. So this will allow a librarian for example, who has signed the contract for certain at content to set an X axis release policy appropriate to that content. This stuff can get I don’t want to dive into it. given one of the time questions. But let me pull up one example of where a institution has created a measure or policies that need some triage, We’ll talk about Harvard. We’ll talk about Fiverr which allows you as a librarian when you buy content to set a leased these Policy for all of the students in faculty so they can get to that content Except not all Because there is also at Harvard students.

37:39 - and Office of Special students, special in the sense that the, the children of presidents, or the children of shares or other kinds of, very important people, and the Office of Special students sets policies with the release of that input of information for those particular students, So we have the need to meld a comprehensive policy set by a librarian, with a specific policy set by A. an office within the campus. that protects certain students that very interesting triage, we think we can Okay that ends the stew part and I want to talk a little bit about this stewardship next, how does a campus manage all of these developments How do you stay aware of this And the answer. I’ll cut to the chase is poorly. This do pieces not what we’d like it to be. I’m gonna lean a bit on a publication that just came out from the car I want to thank them at EDUCAUSE about the evolving landscape of data privacy and higher, higher education. And from that I’ve joined a couple of grass that we’ll be talking about want to talk about who the players are with the processes are and what the partnership.

So who are the 39:01 - were legal and compliance is very big in this, in fact, over the years I’ve seen an emergence of a lot more compliance compliance aspects in enforcing privacy. I think that’s a result of some of this hefty fines that are being in out there. And the compliance officer is a natural place for this to have and the chief privacy officer and number of campuses to created those offices frequently in conjunction with the security office, and it’s not clear that that’s an appropriate. weaving of responsibilities, but it is what it is. Central it is clearly a player in all Managing.

39:56 - Ferber and other kinds of privacy regulations, and And I put libraries, in question because up to two years ago. It’s not clear that the libraries whereas actively involved in some of this access control and privacy management, as, as has happened recently and I want to give lots and lots of credits to the group over at seamless access already 21 knee so they have convened a community, and one of very timely process that is resulted in some access control opportunities that will come back and talk So. the chief privacy officer again thanks to E card has so many responsibilities that I fear for executing them well. And first and foremost is, you know, there’s been a privacy spill an i o for Would you please clean it Well that’s a, that’s a large part of the work, and in fact those things are hard to clean up. Sometimes you get to create policies about privacy. A lot of data governance issues.

Sometimes it’s important to 41:17 - do stakeholder privacy training one of the requirements of GDPR is to actually train, the people in the organization who managed privacy it’s explicit. Sometimes there’s providing thought leadership protecting PII etc. Down at the bottom, there’s some folks have unfortunately responsibility of trying to police the swamp of privacy issues that students creative and social media and big tech. tech. That’s a lot of work. That means that often to CPO. doesn’t get to provide the right amount of focus on some of these issues And I think in particular, with the seamless access work. If that enters the portfolio of the Privacy Officer, it may not emerge so I want to sound that caution. Again, for me car.

Here’s some of the 42:21 - things that that privacy officer needs to do It’s a full time job and it’s typically given to somebody who already a full time job in the security space. So. I want to talk a little bit about process going forward and I love for this to be interactive and I see something in a. Oh, I see a question so let me, let me answer. A Robbins question about sensitive attributes. Institue. research analytics department. So the sensitive attributes, as defined by GDPR our stuff that I’m not quite sure Robin research analytics will get to see a lot of the sensitive attributes could as GDPR assigns them are about work about religion, about.

43:29 - sexual preferences, about accessibility sets of issues. So they’re very much a set of personal sets of issues raised and sex. Oh, wow. So I can tell you that both race and sex, or covered by GDPR. And so you might start to say ask, I think Robin You said you were at Virginia. Good people that Virginia, you might start to try to find out who speaks GDPR at UVA and raise those issues with them.

44:15 - It turns out at least in my narrow view of how card handles sensitive attributes. We don’t display them at first blush. So when you see a screen where you saying Do you want to release information in there was sensitive attributes there. We require a second click to display those attributes, and that’s the steps that we’ve done for protection, but I’m not quite sure if that’s the kinds of concerns you were thinking about I’d love to engage on that going forward. Any, Anything else on that thread. Okay. seamless access.

So, this 45:09 - process has been underway for about two years. Find people in the community have been leading it, and keeping a steady March, and out of it has emerged a set of attributes bundles, they labeled in fact, as me see if I have have it on the next slide, they labeled as end entity categories but they really attribute of bundles of attributes, and there’s three bundles that have emerged to. compensate for the only bundle that we’ve had so far in identity space, which is called the research and scholarship under and it’s highly identity. oriented. So you release a number of attributes in that RNs bundle that indicate identity And part of the reason for that is that you are typically accessing major scientific resources and that those relying parties are very concerned about abuse of those resources, and so they want identity if only for tracking purposes. So out of the work that has been happening in the seamless access activity.

Three bundles have 46:27 - have been created One that is just authentication, one that has a authorization. and one that has pseudonymous authorization and on that screen that I showed you earlier in car where I was releasing some deployment of fund code, but not identity. Actually in that when I was releasing I was releasing an email address, I could have suppressed that in that one screen I showed That’s a case where you’re releasing some information that helps personalization, or state or access control process that these bundles are going through is that seamless access created them, then refer them over the transom to the identity crowd, which is typically a The process that these bundles are going through is that seamless access created them, then refer them over the transom to the identity crowd, which is typically a way in international group called refetch Research and Education Federation’s, there’s a group that does schemer they looked at these things they had a fair bit of feedback. We’re in the feedback processing stage, and I got some hope about that that I’ll talk about in a second. Once these these bundles are anointed.

We have to get 47:38 - adoption won’t be easy. We’re going to get adoption at the Federation level. And then we’re going to need adoption at at the identity provider level. Eight. a parallel action, is being done by a contract language working group that talking about how you put this stuff in contracts would contract content providers that conversation has shown a whole lot of abuse by content providers who want identity. And so, if you didn’t give idea if it wasn’t released by the identity provider, they’ll ask you for identity, out of band once you hit the content site, they’ll ask you to create an account, due to a lot of things to grab you.

48:27 - I’m not quite sure why what the business purposes our But I think the contract language is going to be very important. So that a lot of these content providers including some very big scientific publishing houses change their policies, along the way so that they don’t obviate privacy by asking the user f after they’re in. For additional information. There was some concern about mixing attributes about usage and metrics with other kinds of access control. So I want to talk a little bit about how car could use these bundles. Turns out, I’ve had conversations.

Just today with the 49:10 - FIM for L crowd, a nice group of people, and will be doing some demos of how car can serve library needs. But one of the ways that car can use these new access bundles is to pre configure IDP release, So, in a typical consent screen that car presents gives you a list of attributes vows you some control it often can be displayed as to what the institution recommends for what you release. It’s not binding, but it’s recommendations, it will reduce the friction at the content provider. If you release these attributes. We can take these attribute bundles these entity categories that have been done by seamless access and use that to pre configure the preference settings by the user. And then asked for consent, or if the campuses just comfortable, just releasing that information without user consent.

They can 50:15 - They can do that, I think over time we’re not going to be allowed to release attributes without consent from the way that GDPR is, in any case there’s, there’s really good hygiene, to notice in transparency, even if you’re not giving users control. It’s really decent of the institution to let the user have an option of knowing what’s being. So, I think we’re in through the discussion. phase of this. Let’s see if there was another chat question. No. Okay, so the question is for the folks who have gathered here.

50:59 - Do you get call to the table, about privacy And if you don’t get called to the table which should you be called on I tell you right off the bat, that when these attribute bundles get released as maybe good things for federations and identity providers to a My guess is having looked at the identity providers in us. Most of them will not practice. They won’t even know about it. They know about it, they’ll say it’s not for them. And so I think, right off the bat is a role for librarians. In, going over to the IT organization the people running the federated identity and saying some stuff rolling down the pike. When it hits. We’d like to be involved. That’s going to resolve require learning some new language skills, and again, I think there might be some places beyond the access bundles, where the unique perspectives of librarians you my variants have been since I watched the wonderful conversations about the importance of open shelves and the freedom to browse, and I think that philosophy has got to interject into other activities.

52:18 - With that, I’ll take a deep breath of stop, and turn this over to you Diane for next phase. Thanks Ken. I’m not was a lot to think about and a really wonderful presentation and always so fun to hear it from you. So thanks, thanks for coming back to see and I once again. And in the spirit of conversation I just shared with our attendees and invitation to participate in dialogues so I see that Robin has raised her hand go ahead allowed you to unmute yourself and anyone else just raise your hand if you’d like to jump in as well. Go ahead. Thank you. I didn’t want to leave you with the impression that the library is just gaining a lot of attributes, you know, and not handling it appropriately.

But 53:18 - we had some research questions that had to do with diversity and so this group was seeking. You know more information about individuals who had access content. And so I went to the data stewards and got sent to the institution Analytics department and you know they’re gonna to identify the information when it comes back, but we’re trying to deal with this gnarly thing of trying to keep that information separate from other information that we we need to answer other kinds of research questions and we want to de identify everything and start rotating our log so we don’t actually have as much sensitive information. I realized this is not the bulk of your talk and I’m really interested in. You know what you’re coming up with and us providing more privacy to people.

54:16 - And having their Gotcha And so, lucky couple comments, first of comments, first of all, increasingly impairing the word consent notice in language and even in the cases where consent is not appropriate. I’m a big fan of transparency and notice we, in car. Make notice very. quiet. but it’s there. I’m And a user who’s curious about what’s being released can easily find it but it isn’t intrusive back to your particular situation Robin was the content that was being accessed me access to IP access control so by federated identity federated identity so people use single sign on. And they check something out from the library and then that goes into a log. And we want to rotate those laws and not have information around forever but we have to determine all the research questions that people have, you know, and retain enough information to answer those questions before we do identify the information.

55:38 - We’re using a shovel with basically right so did you talk to the people. When you said you talk to the data stewards. Did you talk to people over in it the gym juggles etc who run the Shibboleth environments and to see what they have in their log files. files. Yes, they wouldn’t have any other, well they do have some easy proxy information for us. And I used to work for jam and run identity management for him so you know he and I are in discussion all the time about this sort of stuff. stuff. Gotcha.

But it’s 56:17 - more, you know, we know that this information is sensitive and we don’t want it to get out and be coupled up with a person’s identity. And so I wanted to go through the right data stewards, and I was just surprised when I got sent to the institution for research and And I was wondering you know we are we are one off institution have in that department have this responsibility, or is it because we just don’t have a prophecy, a chief privacy officer, other than our head of security. Good question. So, Can any of the other participants who were one raise their hand, if they ever Office of Research analytics. You. are alone. There is a someone just wait in In chat. Or is it because Robin said research.

57:13 - Or is it because Robin said quote research. It might yeah Robin that that you know that that’s that that threw me to it was that you wanted to do research on the data. But the in typical my Office of Institutional Research at my old University wouldn’t have known, where to start on this. And actually it’s It was that you wanted to do research on the data. But, that in typical my Office of Institutional Research at my old University wouldn’t have known, where to start on this.

And actually, Mike for low, who made the 57:47 - comment, he would like to join the conversation as would clip so please go ahead, Mike. Yeah, I’m just gonna make it very quickly I just, I think that such offices of institutional. My guess what I’m just wondering Robin whether that was like the opposite opposite of Institutional Research, or an analogue to that, but I was really kind of being facetious and didn’t mean to interrupt the conversation too much but I’ve had more than once. People just shouldn’t send me the wrong place because I said the magic word that they were in a hurry to get past me so. Yeah, it yeah it was not very very helpful. Sorry about that.

Well, it’s just some 58:24 - surprised this is a fairly new department but I think it is a new name for the institution. You know data to kind of people that will do analytics before, but it’s just just this new responsibility that they have now and they told me. Well, you give us the data gives us the logs, with the authentication ID and we’ll give you back these attributes. and or information and answer your research question, but we’ll dig out the unify everything. It was just something completely different from what I’ve done before where I’ve talked to the data stewards and gang what we want. So let that.

Let me just jump 59:09 - in with, because this in, with one or two questions that we won’t get a chance to answer, answer, but I’m the only about content that has access control. stack would be governed by attributes, for example citizenship is their content or enrolled in a certain class, I showed you an example. Already have how we can control that. but citizenship. I know of some medical research journals and databases. We you cannot have two different files open at the same time because they were afraid of correlation attacks And so the access control there is, If you have this open you can’t have that. open vice versa. We have all of these new capabilities coming down the road in terms of access control.

And I’m 00:00 - curious if we have previously in technical situations that we can now handle a bit more gracefully. And I saw Don what is on here at dawn you pumped you deal with some of that. Interesting stuff out there and if you ever bump into some access control issues that you go whoa, I’m Oh, One let me raise a figurative hand here and ask about something a little different. Before I do I just want to mention can that within a URL leadership now I believe there is quite a discussion going on about exactly what the role of research libraries, is VCP privacy on campus. And there’s at least one group that wants to position libraries is taking a very strong sort of educational and consultative role, privacy as a service if you So that might be in the questions you were asking about you know the roles and who comes to the table with Chief privacy officers that might just be something you want to explore a little further.

01:29 - The thing I wanted to ask about the was. I am really nervous about issues about jurisdiction and patchworks here around privacy. I mean we already saw a funny reaction in some ways to the GDPR in that. Yeah, there were organizations that did business in Europe. that had to deal with it. But there were also organizations that did very marginal business in Europe for example, some local and regional newspapers in the States, where the, You know, people abroad would occasionally expatriates and things would occasionally look at them but they really didn’t do enough business to bother and you just see those things blocked when you go to Europe now they’re just doing geo blocking saying, too much trouble to deal with GDPR we just want to talk to people.

02:35 - I have seen some very ambiguous stuff about Europe attempting to essentially assert jurisdiction over Europeans anywhere they may be in the world. And. You’re muted. Okay. interesting question, Cliff. And I have thought about including ccpa, the California consumer Privacy Act. In this thread but it is a, it’s going to be revised significantly this year if they get to it because they take out a lot of things that they need to fix in that legislation on me was also consumer oriented and less for our particular use cases that said, New York has done a privacy law of other states to follow as well. Yes, it is a patchwork I have almost no hope of it. Doing being anything better patchwork in the And so I admire the Canadian effort, it’s a country it’s attractable population even And, and I think they’re I think they’re going to pull it off and that might wash down to the US With Biden coming in, he he got to witness the end stick effort.

I hope 04:35 - he learns all the lessons from that but it seems to me a x of the big tech issues that the republicans have embraced that we’re not going to give any kind of uniform legislation in the US around this it’s just it’s just really said it’s a reflection in a way of the fact that, surveys, consistently show that in Europe. People trust the government more in terms of privacy, more than a trust corporations and in the US, it’s the inverse of that they trust corporations more than they trust the government in terms of privacy and what people hand over to corporations shocks me in the chart you I’m sure as well. Is it going to be a patchwork, I probably is they’re hearing that. There are cases where Europe is turning down us visitors because of the set of issues around GDPR is in One of the things we were hoping to do and may still do, is consent notices a service. And so we would be able to begin to deliver.

05:50 - these capabilities that you saw in card, without an institution standing up to full set of service offerings. Were a little confounded by a lack of data about where universities are using federated identity who would the relying parties they deal with. I know it’s some campuses, is far more local relying parties and or an an uncommon. But the converse is true elsewhere, whether we’ll get to provide a service that could replace the patchwork with something so attractive and easy, that people attend to that for uniformity. Sure. Sad to say not on my Thank you. That’s, that’s helpful.

I’m not Sara 06:42 - Lee, you know, the best news in the world but very helpful can thank you so much. As you’ve given us an incredible survey of developments and I really appreciate it. This is a, you know, Shibboleth and all and federated ID was sent here to serve this community. We got sidetracked, but we’ve come back home. Yes, you have and you know this is one of the places where it started. Yep. Yep, So, right. Well, thank Right. Well thank you so Right.

Well thank you so much can 07:19 - And thanks to all of our attendees, this was a really great session very fruitful. And with that, I will close the session and wish everyone a great rest of your day or evening wherever you are, and hope to see you back at CNI in the days and and coming weeks. Take care. .