Freedom of the Shelves: Untangling the Confusion on Federated Identity, Access Controls, and Privacy

May 4, 2020 15:36

I think it’s time to get started. Welcome, everyone. I’m Cliff Lynch, the director of the Coalition for Networked Information, and it’s my pleasure to welcome you to this breakout session from the spring 2020 virtual member meeting that CNI is conducting. We are approaching the middle of that meeting, which will run through the end of May.

The topic today is untangling the confusion on federated identity, access controls, and privacy. This is a very important topic, particularly now that we are in such a distributed mode and relying so extensively on federated access to provide our user community and our institutions with access to a whole collection of diverse resources. This is also a very fraught issue, in the sense that people have expressed a lot of opinions on it, and particularly on work like RA21, that often is not particularly well grounded, I think, in the specifics about the technology. There’s a lot of misunderstanding about what’s dictated by technology, what’s dictated by policy, and how the two fit together.

I cannot think of anyone more authoritative and well qualified to speak to this than Ken Klingenstein. Ken has been advancing these technologies tirelessly since the early days of CNI and Internet2, and it’s been a great pleasure and a great honor to work together with him over the years on these topics. So I am just absolutely delighted to be able to welcome Ken to this virtual meeting.

We will take questions at the end. Beth Secrist will moderate those. You can type in questions by using the Q&A tool at the bottom of your screen, and please feel free to queue up questions at any point as they occur to you, and we’ll just sort them all out at the end, but it’s fine to put them in as we go along. So with that, welcome all, and I’m gonna disappear and turn it over to Ken.

Thank you, Cliff. Just want to check that the sound’s coming through. All good? Good, okay. And the title slide is up on the screen. So with that, if I can do the advancing, I want to talk a little
bit about what’s driving all of the developments that, as Cliff indicated, are now bubbling up in the environment. What we see is our target, and the target hasn’t changed since 2000, when these ideas first started percolating up, but I want to talk in detail about what those look like. What’s coming along in terms of the infrastructure: many of the pieces are in place or sliding into place. And then I want to talk a little bit about the work that’s ahead, because there are still gaps. I don’t know that this is gonna finish on my watch, but I’d love for it to arrive ultimately intact on that far shore and have an environment that appreciates our traditional interests in privacy while providing new levels of personalization and access control. Some of those gaps I don’t think have received proper attention, and so I’d love to make sure that we give some focus on that. And then one of those gaps is: can the users really manage their privacy? We’ll talk a little bit about what Daniel Solove calls the privacy paradox, about users wanting to have a lot of privacy but then giving it away for rubber squeeze toys.

So with that, let’s talk about the drivers for change. Certainly our federated identity has taken a strong root in the internet. Whether you’re asked to log on with your institutional credentials or with your Google account or your EarthLink account (since there may be some people in this crowd who still do EarthLink) or whatever other identity provider, the pattern is increasingly that you use an authentication at a single spot and leverage it at many different locations across the Internet.

Another major driver for change is protection of IPR and content. There are websites that this community is well aware of, things like Sci-Hub, which have stolen a massive amount of content from journals, and the journal publishers are rightfully concerned about keeping their business alive so they can publish these kinds of research work. And so they’d like to stop that kind of bulk
downloading that enables those kinds of IPR violations, and federated identity is a part of that answer.

Um, this rich five is the opportunities with personalization. I can make the world look exactly like what you need on the screen without knowing who you are. I can take your colorblindness, your other physical disabilities, and make adaptive changes to the screens and the presentations of content without knowing exactly who has those kinds of characteristics. Similarly, I can post comments and dialogues and have privacy and anonymity, persistent anonymity. All of the techniques that the trolls use in Russia can be used positively in other ways in those kinds of conversations.

There’s a massive requirement now around compliance with international and state regulations. Wouldn’t it be nice if I could say national regulations as well as state for the US? But I can’t. But I can talk about, and we will talk briefly about, GDPR. We’ll talk a little bit more about what’s happening up north in Canada, because what they’re doing I think of as the state of the art in privacy protection. So there are these compliance requirements. We all have them. No legislation comes along these days that doesn’t seem to have a compliance aspect.

Attribute release friction: when we envisioned this beginning in 2000, we didn’t expect there to be so much friction about releasing attributes, because attributes are the currency of this ecosystem and they need to flow. Whether they flow on an institutional decision or on a user decision, they need to flow. We’ve made one attempt in the federated community with the Research and Scholarship bundle of attributes, but that hasn’t gotten the traction we hoped, and there are certainly needs for attribute bundles beyond the R&S bundle, and we’ll talk about those in a second. There’s some interesting work happening, being led by Heather Flanagan and others in the RA21 club.

And then there’s a mistake we made in 2000 that we’re paying the price for and we
need to fix, which is selective release of values from a multivalued attribute. When we first started designing group memberships in those early years of this development, we decided we’ll stick all your group memberships on one attribute. How many could there be? And this sucker will never fly anyway, so we don’t have to worry. Well, the sucker’s in the air. There are people who have a thousand group memberships, and right now, with today’s technology, if a relying party says “I want group memberships of this person so I can do access control,” they may get all a thousand. And why? Aren’t we supposed to be privacy-preserving? I’ll come back to that.

And finally, there’s a number of visionaries out there who believe that transparency and user control are principles for our society regardless of the technologies.

What do you want, then? Freedom of the shelves. This is that, oh, the ability to climb into some musty building (I guess they’re not so musty anymore) and walk down the shelves and look at content and have privacy, and have the ability at the same time to check books out and to make notes and all of the other things that we believe a free society should have.

So in the federated version of that, we have a global set of identity and attribute providers. We have access control techniques to limited license content, so that we recognize the business models of the world, and there should be places where content is protected by some kind of gated community. We want everything to be privacy-preserving; that’s what we set out to do, and I think we’re there. And then finally, the compliance with the national and international regulations. I can’t say we set out to be compliant with those, because they weren’t around at the time, but they’ve come along.

So here’s a little drill-down on each of those four categories. For the identity providers, we want a world with more than Google. We want Google in there, and Facebook and Amazon, but we also want universities, we want your business addresses, we want the Earth
Links. Maybe we even want linkages to the national identity efforts that are going on, no longer in this country, but in Europe. There are efforts, especially in northern European countries, to build national identities that can be used for tax purposes, for voting purposes, and for participating in community interactions, and perhaps even for accessing the kinds of content we’re talking about today. That whole bundle of stuff is talked about as the eIDAS activities in Europe, and my guess is they’ll be going slower, because everything’s about to go slow.

And then we’d like to see a global set of attribute and badge providers and identity decorators: people who don’t do identity but decorate identity with verified attributes and credentials. It may be your membership in a professional society; it may be your accreditation from some service; it may be government and private sectors decorating your identity with stuff that would be useful in voting environments, such as your precincts; your disabilities being provided by medical doctors, so that those adaptive screen technologies that I talked about early on can be done with you concealing your privacy but recognizing your need for adaptive screen presentations.

Scalable access controls were a big part of the vision, and we’ve moved somewhere along the way. It would be the traditional create, read, update, and delete mechanisms of CRUD, but we also have needs for much finer-grained controls. My poster child for this is wikis. Roth and familiar with a wiki: if you want to have different access controls for different parts of the wiki, so group memberships, for example, could determine which parts of the wiki you were permitted to visit, we would need then to provide that kind of fine-grained control. That is one of the Holy Grails we’re aiming for, that kind of control over wikis. It turns out, when I talk about signaling, that we don’t have that piece in place.

We do have tools in the toolbox. We use your affiliations as
a student, faculty, staff, etc. We look at entitlements. Entitlements tend to be permissions that are granted by the enterprise based upon a sharing of business logic with a resource provider. That’s very common in the library space: who can get to these journals? The journal publisher will agree with the institution on a set of rules, and then the institution will compute eligibility based upon those sets of rules and the attributes that they have about the user. But the attributes never leave the institution, just an entitlement that whoever this user is, they’re permitted to access this content.

Group memberships give us a much finer and more subtle mechanism for doing access control. We can again use your groups to say you can get to this part of the wiki or that part of the wiki because you’re a member of the group. And then finally, some of the major infrastructure-as-a-service platforms that serve the science research community, like Globus and tack, give very sophisticated access control mechanisms. So we’re largely there on this piece. More needs to be done, but at the beginning I think one of the participants in all this said, “You know, group memberships are gonna solve 80% of the access control issues.” That turned out to be correct, and so just having the group tools has been excellent.

Privacy-preserving approaches: now the water gets muddy, even though initially we thought this was going to be the most straightforward path. Identifiers turned out to be a very complex space. They can be opaque; they can be transparent. An email address is often transparent. Opaque identifiers are legion in other parts of the world. And they can be session-based, where you get a new identifier every time you log in or open a window, or they can be persistent, and you can have an identifier that’s still anonymous but is available each time you log in and go to a site. Identifiers can be reassignable versus permanent. That turns out to be very important within the
access control space, because if you’re going to grant permissions on the basis of an identifier and an institution changes who that identifier belongs to, you might be giving access to someone you don’t intend to. So it turned out to be a thick space. It still is, and it’s some of the stuff that the RA21 crowd is nobly wrestling with.

Attributes, we’ve learned, need to be well managed, otherwise they grow like weeds. So the entitlements versus the groups distinction I made earlier. Attributes are often scoped: if you’re going to say somebody is of a certain affiliation with an institution, what right do you have to speak for that institution? In some cases, if you’re Harvard and you’re the Registrar at Harvard, sure, you can speak for that. But when you get to the five colleges, the Claremont Colleges in the LA area, well, any one of those five colleges may make assertions about an individual being a participant of a different college than the one making usage, and those need to be permitted with appropriate. So we have to scope them.

And then we have to make them have meaning on the wire, because you’re gonna have your own little subtleties of attributes, and then if we’re going to exchange them with other people, we need to find a lingua franca on the wire that will make the other side do a correct interpretation of the information they’re receiving. Many, many years ago, in the early design of the internet, one of the shibboleths, as it were, was: be careful in what you send and be liberal in what you accept. And that has played out in terms of on-the-wire attributes as well.

Out of those identifiers and attributes we build persona. You can visit a website unauthenticated; authenticated but anonymous; authenticated but pseudo-anonymous, which says you may not be easily identified by people looking at the identifier, but it’s the same identifier for the same person in this thread, so every time that identifier is used, it’s the same person making the comment. Then you
can have verified credentials as well, and that’s the coin of the realm in many of the places where you need to have tight security, etc. And then all of these persona can be decorated with attributes, and that’s much of the work up ahead. And then, once you have those decorations, building attribute-based gated communities. I have a variant we might get to in demos at the end called the scholarly garage, named after other share the community activities, and in the scholarly garage it’s a gated community, but within there I can have identity, I can have privacy, I can make comments in a rich number of fashions relative to my identity.

And finally, I want to make the point that even if you’re going with a fully private mindset in all of this stuff, a strong act of authentication is very helpful. So strong identity needs are out there even if you are only focused on privacy. We want to make sure that the account has not been prolonged, that even if the rest of the world doesn’t know who this user is, it’s been a fair mapping.

Compliance: so national, international, and community. So almost everybody on this webinar is familiar with GDPR. The Canadian stuff I want to introduce because people are not quite as familiar, and I think the Canadians have nailed it. And then at one point several years ago I was giving presentations at CNI about some work we were doing. NIST has a few survivors huddled in its wonderful old building in Gaithersburg and Boulder, still trying to maintain the torch of advancing identity in the US. And then some states have stepped forward. Those of you in California have the California Consumer Privacy Act, CCPA, as something to work with.

The other side of the coin is codes of conduct. You don’t want necessarily compliance from some external source, but you want a community to create its own rules and adhere to them. These are often then self-asserted in terms of compliance. One of the ones that we’ve been
looking for in our world is the REFEDS code of conduct. REFEDS is the international R&E federation space. I’ll talk about that code of conduct in a second. And then another code of conduct that we’re trying to normalize is around baseline expectations of how enterprises, both IdPs, SPs, and federated operators, do their jobs properly. And then increasingly there’s compliance activities that we need to do, and some of us are getting a gleam in our eye about a reporting infrastructure in the institution and enterprise, where there’s almost a policy layer on top of these technology layers that would allow all of the reports that need to be generated for compliance to be done in a normative fashion versus a hand-managed spreadsheet.

GDPR I’m going to move through fairly quickly. Again, people are familiar with it. It affects a lot of US institutions, because we have students who land in Europe and are suddenly subject to GDPR; we have European students on our campuses subject to GDPR. So lots of sensitivity to this stuff. I want to highlight the basis for release and purpose of use as key issues, because we’re not doing enough of this. Every time an institution and an enterprise releases information to another third party, it has to record the basis for release of that. There is a limited, six I believe, basis for release, and it’s something that we as identity providers and our institutions need to be doing, and then those things may get audited to see if we did the proper basis for release. We are heavily reliant at this point on contract as a basis for release as a tool, and it’s legitimate, but it’s limited.

The purpose of use stuff is interesting as well. It’s required by GDPR that a user be informed of the purpose for which their data is being used. You’ll see those fields in the consent demo I’ll do at the end of this talk. You want to normalize those things. You want to have users understand what those various purposes of use tend to mean. Purposes of use
have been developed in the advertising space, and they’ve been developed in healthcare, and they haven’t been developed in other verticals, and it would be helpful to have that. And finally, GDPR talks about when is consent to be used and not to be used.

That said, I want to segue into the Canadian activities, where legislation called PIPEDA was created maybe 15 years ago as a personal information protection act in Canada. And then the model the Canadians used to implement infrastructure around that legislation is to create a system of private identity providers, typically banks, and those identity providers have come together to create the Pan-Canadian Trust Framework and DIACC, and they have drafted an elegant set of rules for acting in the digital. I particularly like their stuff because they dive into consent and notice, and again, it was part of the original vision of federated identity, and the Canadians get it. And where the Europeans tend to say “legitimate interest, mm-hmm, consent is hard, the power ratio balances,” the Canadians say consent will normally be sought. It’s going to be opt-in; it’s at the time of a transaction; and it can be persistent or just for that one time. You should be able to withdraw the consent, but it applies to future transactions. That’s the right interpretation; you’re not going to get the data that you released last year back. It should be explicit and in language that will be easily understood. And wouldn’t it be nice if you had a privacy console where you can manage your privacy preferences? You’ll see, I hope, all of those features in the demo at the end.

Putting together the answer, then, from the piece parts that are coming along: we have baseline expectations as the first element, to level the trust fabric, to move from a best-effort environment to a shared-expectations environment. Dynamic metadata, because we succeeded, and so the metadata bundles have gotten huge, and we need to not ship them around anymore but provide them on demand. We need
IdP discovery. It happens as a result of dynamic metadata; it’s an essential first step in the process, and the RA21 software that we’ll look at is doing that. Institutional and attribute release is the next element, to get those attributes flowing and reduce that friction. You’ll see that software in action. But there still are gaps in the metadata and signaling, as with wikis that I alluded to earlier. And then finally, there’s a variety of community standards where, as a community, we need to take a deep breath and wade into some of those. What I call informed content, so that users can make informed consent decisions: purposes of use, privacy policies. We need community taxonomies so that we have shared understandings of what’s happening. We need applications to be a lot more aware of attributes versus grab all the identity that it can take. We need to be able to translate data minimization from a nice concept into which specific attributes are minimal and which ones are optional.

So these are the five pieces that we’ll talk about. We’ll move progressively through this. The first three are well in hand; the bottom two still need some work.

If we get all this together, what do we deliver? A privacy experience that can be managed by both the institution and the user, which gives the user informed choices, but not intrusively, and allows the institution to manage access controls. We want users to have choice, but we want users not to be able to suppress negative information which the institution wants to transmit, like “this user is not permitted to have this kind of capability.” We want to address the cognitive load of the user. You’ll see that in the screen design we were very careful to keep the white space and the thinking opportunities. We want meaningful choice, and we want to be able to do compliance. It’s got to scale, and hopefully can be slid into places. What this won’t deliver: all the other ways that privacy is a threat, and it with the fact that users still
express high importance to their privacy but then give it away for bright shiny objects.

Baseline expectations is something that is happening widely now, at least in the U.S. InCommon has raised the bar, and institutions are now doing a consistent set of approaches. They might vary a tad by their own situations, but: security patching; the software operations; who has access to signing keys; incident handling (if there’s a violation at a relying party and it’s traced back to something that went wrong at your identity provider, do you agree to participate in a diagnostic effort to handle that incident?); keep your metadata fresh; provide privacy policies; provide updated contact people. Baseline expectations has sections that address IdPs, SPs, and federated operators. It began as an InCommon activity. I think around 2018 we rolled out v1; a v2 is now under active discussion, and the InCommon website has pointers to that. That was a solid enough idea that we’re trying to help the international federation community adopt a similar set of requirements, and so there is a global conversation now going on in REFEDS about a global baseline standard. Now that’ll be interesting, because the variation in federations between countries is significant.

Dynamic metadata is rolling out as we speak. It’s needed because the fields within each entity within the metadata have increased, and the number of entities in the metadata has increased as well as their fields getting bigger. This is what the internet went through in the mid-90s when DNS came along, and doing this is relieving some problems that identity providers had as the metadata bundle got very big. There are two elements of this approach. There’s a query protocol: get me the metadata on this relying party, I need it now. And then there are places that aggregate metadata and register authoritatively the metadata for various enterprises. All these things are sliding into place pretty
nicely, and in InCommon and other federations it’s the way of the future. One unfortunate aspect of this is that many, many service providers used to depend upon that massive static metadata file to populate an identity provider list so you could find your identity provider. Can’t do that. How do we solve that? Well, along has come RA21 to solve that.

IdP discovery: connecting a user to their identity provider. Today we have inconsistent experiences across sites. Wouldn’t it be nice if users knew to go to a certain part of the screen or look for a certain icon and be able to select that identity provider that way? Again, we want to solve the problems that dynamic metadata has created. This is the next stage of the RA21 process. It comes in several different flavors; you’ll see it in action in the demo. It works well, and the different flavors give you different integrations, and it looks like it’s beginning to get traction, and some major content providers have started to use it.

Attribute release, consent, notification: even if you don’t believe in consent, it’s probably valid to do notification. Let’s see, in this section here... I’m supposed to look at the chat at the same time, so, um, attribute release, it wasn’t supposed to be expected, it wasn’t... Okay, Lisa, I’m sorry, I just got to your question. I’ll make a note of that and get back to that, and thrilled to have you as a participant in the session.

So attribute release is the biggest friction in the federated landscape, something we didn’t anticipate. By and large we expected the user to be in control, and the consent pieces lag, but partially because institutions have been much more attribute-retentive than we expected them to be. So we made one attempt, the R&S tag. It’s gotten a nice step up from researchers needing access to COVID data, but it still has limited penetration within the community. We’re going to continue to push that. Other tags are under discussion as well. Consent is not widely deployed, but we have
software that we developed with an NSTIC grant and Internet2 and most particularly Duke University, and I’ll be demonstrating that software, and it’s a capstone in that it gives users exactly the information and control over their privacy that we wanted to achieve.

I’ll just mention these; they’re happening as part of the RA21 or REFEDS community. For those of you who know Heather Flanagan, it’s sometimes hard to know which hat she’s wearing when she’s doing her good work. We’re doing an authentication-only bundle; an anonymous authorization bundle, typically an anonymous identifier decorated with some attributes; and then pseudonymous support. Right now all of these attribute release bundles will be self-asserted: that is, you will assert as a relying party that that’s what you need; you will assert as an IdP that you are responsive to these needs. There may be need for registration down the road. The use of this: well, the IdP can use these bundles to configure attribute release policies. Users can get a second set of recommendations for consent based upon these profiles. We can maybe guide contracts between libraries and content providers so that they start to use normative language about access controls. That’s some of our hope for this work.

So one tool for attribute release mechanisms is called CAR. It’s Consent-informed Attribute Release. As indicated, Duke’s been the lead developer for this. It stresses the informed aspects of this. It provides self-service. It translates the hideous names that we use for these attributes internally in identity management into something that might be more friendly to a user, like “your relationship to the University” versus eduPersonAffiliation, things like that. It gives fine-grained controls. It records the basis for release. It provides revocation. And interestingly, it provides user-not-present mechanisms. So one of the glitches in our privacy as an institution is that we can have a student be enabled as
FERPA, and then we will not pass information in an attribute release bundle in real time to a relying party, but we don’t apply FERPA controls, by and large, to batch feeds to third parties; that’s just outside the ken of the identity management system. We have mechanisms now so that your consent choices can be applied when you’re not there, and that can be used in attribute release situations.

I wanted to show you a typical CAR screen. Again, at the end, if we have time, I’d love to do a real-time demo and move all these buttons around and show you the consequences of that. But a few things to note. Off on the right we have the logo of the relying party that I’m about to release these attributes to, in this case R&S R Us. We have the privacy policy of that relying party. On the left side we have the sets of attributes that are being released. This is for an undergraduate going to a research site. Notice clear permit and deny buttons. Notice fine-grained control. Notice that the value of the attribute is being displayed, so that if there’s a wrong value (you can’t correct it in the consent screen, that would be inappropriate) you can make a note and have those values cleaned up in the institutional systems. The clear markers for permit and deny. And then near the bottom: “Don’t show this screen the next time I log in.” We don’t want to intrude on you every time. If you want this to be a persistent consent policy, we’ll suppress the screen going forward. If you want it to be your release policy unless the value being released changes for some reason, at which point you want to reconsider, we can do that too. So there’s the suppression stuff. Save and continue: affirmative actions, as required by the DIACC-like legislation.

This is what the screen looks like when I’m going to another site, Content R Us. I’m doing this as a faculty member, and what I wanted to illustrate here is limited-license access controls. So if you look at those first two attributes, for departmental
fund codes, it indicates that you’re a member of the institute, of those departments, and so you’re able to get to Lexis or ICPSR based upon those permissions. Notice you can get there without revealing any personal identity in this configuration. On the screen right now I’m showing my academic affiliations but nothing personally identifiable, so I can browse the shelves freely at Lexis and ICPSR without my identity being known. Again, the suppression screen on the end.

This is my self-service console. Here’s my attribute release policies as they’ve been stored, and there’s a manage button for each of these, and I can go in and change what’s been stored for my attribute release policies.

The last area that we have to be working on is the community standards for behavior. Provisioning of informed content: today, much of the metadata that you saw in the consent screens for CAR was gleaned from the InCommon metadata, and we’d love to continue to do that, but some are gleaned from well-known URLs and some are not well harvested at all. We need to work on some of that stuff. The codes of conduct I alluded to: you want to know that the relying party has disposed of attributes properly when they’re done processing. How can I do that? Well, a code of conduct covers that, but the code of conduct doesn’t apply to the US in v1. There’s supposed to be a version two that would apply to the US being developed in Europe, but that has gone very slowly. Even when we have those kinds of codes of conduct, we’ll have lots of issues about fine-tuning the lofty premises in the codes of conduct. We need to understand what’s minimum for data minimization. If I don’t release an attribute, does it have to break the application for it to be a required attribute or not? Geolocation is often something that we share inappropriately. When is geolocation required versus optional? And then finally, users need to understand some of these privacy trade-offs: the more privacy you have, perhaps the less
functionality you’ll get at the website.

So what’s the work ahead? We have to apply, we have to get this stuff actually deployed. RA21’s gaining traction. Dynamic metadata has arrived. Baseline expectations needs internationalization. Attribute release and consent needs adoption on campuses. Codes of conduct need development. We have to figure out some of these gaps about how do I signal attribute needs along. And finally we have to find good ways for users to understand some of these trade-offs. My guess is users, because of the years of working in Facebook and Google, have at least a better knowledge of how their privacy is being spindled and mutilated, and maybe this will be an easier thing for them to understand.

Finally, a set of references, and then I’m going to turn this back to you, Cliff, and catch up on any Q&A. There’s a set of videos on YouTube that I’ve recorded, including one in particular from the librarian perspective that talks about how I can get access control while maintaining maximal privacy. Um, the baseline expectations work is happening both at InCommon, in v2, and in baseline expectations for REFEDS, at v1; and finally a pointer to SeamlessAccess. So I’m gonna stop the share, I can, temporarily, Cliff, and give this back to you for the Q&A.

Thank you very much, Ken, for your presentation and your efforts helping to build this essential infrastructure, and we will open it up now to Q&A if you have a question. But as Ken mentioned, he does have some demos to show if we don’t have questions. I know Lisa has a pending question; wasn’t sure if you had covered that or not, Ken.

Yes, I mean, let me, I just pulled that up. So, uh, what’s gone away from static metadata bundle with dynamic metadata. So if I was, if I was Elsevier, well, let me take a simpler case: if I was a journal or a resource that was just in the US and I wanted to provide identity providers for user to select from, I would download the InCommon metadata, typically once a day. I’d use that to populate a
pulldown list, maybe of four or five hundred institute identity providers, and the user would use that for the discovery process. When we begin to add eduGAIN, there’s now 2000 identity providers or so in that list. The print gets really small, user experience begins to suck, and then there is no more single bundle, because it’s too big. So I now have to have a list of pre-populated identity providers, or favored identity providers, or some mechanism of fetching my own preferred identity providers, and these are each flavors of what RA21 can help us do in terms of populating, um, an identity providers selection for the user to pick. Does that help?

Okay, and just give it a little bit of time to see if there’s any more questions. And Lisa says thank you. Yes, great. Roger Schonfeld says: thanks, Ken, for this great presentation. Can you say a little bit more about the benefits or risks of these kinds of federated approaches that are ultimately controlled by the academic institutions, versus some of the efforts being made by ResearchGate and others to serve as a comprehensive identity instance independent of academia?

why’d you always watch yours has a good curveball. What can I say? Let’s see, I guess I’ve always been, all my life I’ve been employed by institutions, and so, yeah, I don’t think, Roger, I can escape that mindset of, you know, the institution provides me with shelter, salary and identity, and often content that it’s purchased for its scholarly community. And so I, I, I don’t, you know, I recognize that independent services can spring up, and I’d be curious to know what your sense is going to be of that stuff, but I’m a creature of the university side. But Beth, you want to address this too? Okay, I got a prompt on the screen that I’ve not seen before, but Zoom has changed a lot in the last few weeks.

Okay, mm-hmm, and Roger responds: that’s really helpful, thank you. Anything else? Um, I think we have time for your demos, Ken.

Okay, I’m gonna slide right into that. Let me go back to this
Okay, okay, let’s just confirm that people can see a “choose your institution” on the screen.

Confirming.

Great. So this is RA21, as you can see from the copyright notice on the bottom. We have set up an environment called Sliced Bread. In fact, probably if we’re going to do this demo, let me share, go back to my slides. So let’s see, are we seeing a Sliced Bread environment?

Yes.

Good, okay. So I’m just gonna hunt this down for a second and then we’ll go back to the live demo, but just to give you a sense: there’s a bunch of IdPs here, and each has an attribute store, typically a directory. They could be running Shib, they could be running Okta, they could be running Active Directory, they could be running OIDC as their tool for provisioning identities. We don’t care; CAR is protocol agnostic. It is, excuse me, consent as a service. And we call this Sliced Bread because, I won’t get into it, there was a pun there a while ago, it’s lost to the ages. On the bottom, those triangles are various content providers that we’ll be going to as part of them.

So screen sharing has stopped because that one just got closed. Let me share the right screen then for you. Okay, so I hope I’m, hopefully, back now inside Sliced Bread, looking at the RA21 service, which is listing identity providers. I’m gonna pick, well, let’s see, first I’m going to go to a resource and have this come up. So let me go to the Research R Us screen, a resource provider, and Research R Us says you need to pick an identity provider, so it throws me here. To access Research R Us, I’m gonna pick Castle Amber. I’m gonna go back to my identity provider, I’m gonna pick an identity, I’m gonna pick an undergraduate identity. I can clear previous permissions. I got the usual stuff for identities and the display screen you saw earlier. I want to show you how the buttons move back and forth. Here’s the purpose of use field right there that I was describing. If I don’t release enough attributes, Research R Us will not let me in, and then I, but we’ll, what it will do,
if it’s properly configured, you say: you didn’t release the right attributes for access, we’re gonna throw you back to your consent screen. In this case I’m gonna release enough attributes to be able to get into Research R Us. I’m gonna even release my name so I can get a very nicely custom screen. If I wanted to see their privacy policy for Research R Us, there’s their privacy. Sometimes they lose information, so it does go back to here. I’m going to save and continue, and then I should get to the site. And notice that here’s the set of attributes that has been received by Research R Us. I didn’t release affiliation; if I had released affiliation, it would have gotten that attribute. Notice, off in the hand corner, it says it’s personalized by sign out any e, and so we got my display name as an attribute in the process.

I am in fact going to sign out, and then I’m going to go to a different site, Content R Us, and I’m going to pick my identity provider for RA21. I’m gonna be a particular faculty member that I’ve just shown you, and again here’s the attributes that I can release. And if I release these attributes without identity, notice I can get to LexisNexis, notice I can get to ICPSR, but notice that it doesn’t know who I am, just as sly. Now that’s a very attractive situation in my mind, to be able to get access to licensed content without revealing anything more than my affiliation with some academic departments.

Federated identity, if it works the way it’s supposed to work, should allow me to go to other sites and not have to log in. So if I go to the institutional site for salary and stuff, notice I didn’t have to log in again, because I didn’t log out. So this is just federated identity saying, without you, you’ve done your single sign-on, here’s the attributes you want to release. Can again show you those controls. This is interesting in that I can show sensitive information. Um, this is part of what GDPR requires, is that if I have sensitive information, and some of my group memberships might be,
then it shouldn’t come up on the screen unless I do a special click, and that’s an example like that. I can save and continue, and notice it got some information, but I didn’t release enough information for the payroll system to do any processing for that.

Let’s see, note that I still will say logged in as Professor girdle, and I’m gonna go and look at my set of privacy policies. And remember I said I could manage what I release to places. So if I’m not comfortable with what I’m releasing to Scholarly Garage, I can come to this management screen and say: here are the attributes we have in landscape, here’s your choices, here’s what your IdP recommends, Amber recommends, and additional settings. And way down at the bottom you’ll see the “while I’m away” stuff that I was talking about for batch feeds, etc.

There’s a lot of other features I can show you. I don’t think I want to; I can run amok on this demo and it would be quite late. But I can assign permissions to individual users, for example if faculty want to see but not be able to edit release policies that the institution provides, wants to understand what the FERPA guidelines are, the Registrar wants to know that, I can create them as an order to do a policy formation stuff, etc., etc. So let me just stop there, and I’m gonna turn it back to you, Cliff, that was, or to you, Beth.

That was neat demos, and we’ll take it from there. And Lisa Hinchliffe does have another question: it’s certainly great to see that kind of transparency, but it seems like this isn’t user control per se as much as user notification that they are being compelled to release their PII. What’s to stop an SP from demanding all the PII that’s available? Or is the thought that libraries will be negotiating to limit what the minimal release level is?

Thank you, Lisa, and the answer is we’re counting on the libraries to, with librarians have a keen knowledge of privacy and the subtleties, and we’re counting on the librarians to do that. The attribute release bundles that I talked about earlier
that the RA21 work is doing is exactly for that purpose. And if we keep giving in to the contracts then, you know, the other side of the coin, by the way, Lisa, is, increasingly SPs realize that the more data they have, the more potential for data breaches they have, and so they’re trying to minimize data to some degree as well. So I think their interests are beginning to converge with the interests of the institution and the librarians towards minimal disclosure, but it’s certainly an area where we have a lot of work to do.

Okay, and we do have some thank-yous for people who either had to leave or whatever, but Clifford has a question.

I just have a quick question, Ken. That was, the demo was just fascinating, and it’s wonderful to see the amount of progress that’s happened to get way around the attribute control. Fundamentally, I guess the place where I take a little bit of a deep breath here is on the user education side. You’ve got a very powerful, very detailed tool here. The question I’m struggling with, and I’d love your views on, is how much explanation, how much education is an institution going to need to do to allow a student or a faculty member to genuinely make sense of what’s going on here?

Great question. A couple of our comments. One is that, at least in terms of the CAR interface, it went through almost forty iterations at Duke, where the wonderful people at Duke set up in a coffee shop, gave you a free cup of coffee if you play with it, and then asked a couple of questions to understand the level of comprehension. And they did it across age groups, and the results were very encouraging, that people seem to be getting it, especially if we managed the cognitive load. A second tool that we have for managing that cognitive load is the presets that come up when you go to a site. Those presets are typically set by the institution, but they’re malleable, and again triggered by some of the attribute release bundles, and so the presets, if you
use it, just one stick, get to the gooey marshmallow at the end of authentication and attribute release, and they hit save and continue, things should work right. So the presets are set for privacy by functionality, and again those can be set by the institution however it sees fit. Third comment, on levels of users to manage this: I think sadly you and I, Cliff, are of a generation that wasn’t born digital, and my guess is that for those coming up, it’s just, you know, these screens are annoyances, but they understand what’s kind of on there enough to get by. But we’ll see, I hope we see, over the fullness of time.

Thanks, that’s helpful. And, you know, I got to agree that the interface there is very nicely designed and very smooth, that it shows that level of refinement in the trials. The one that I was sort of worried about a little more was, there’s a little bit of an underlying conceptual model here that people have to get, that, you know, you have an identity and it has attributes and it’s passed around, and I think I have no data at all about whether people get that or not.

Right, nor do I, I think. And frankly, Cliff, it may well be culturally related as well, and so it may be that in the US, where we’ve not developed a keen sense of privacy and been seduced by many bright shiny objects, we don’t have an underlying model that works, and societies that have more orientation around privacy may have a better awareness of the model. Again, I sure hope we can get to discover this.

I sure do too. Thank you so much, Ken, and I really think implicitly here you’ve got a challenge for education where it’s needed in your comment, and I hope people will step up to that when it is needed. Thank you again.

Thank you.

And I will just say that Lisa Hinchliffe is chiming in; she says: as an educator of the current generation, I share Cliff’s concern on the user in question. And I believe that brings us to time, and want to thank you so much, Ken, for your presentation today,
and remind others that we have more presentations tomorrow, so I hope you can join us for that. And thank you again today.

Thank you. [applause]

Absolutely super, thank you.