Common Identity Framework, comments

Trying to wrap my head around the concepts introduced by Kim Cameron, Kai Rannenberg and Reinhard Posch in Proposal for a Common Identity Framework

Kim Cameron is blogging about definitions for a common identity framework, explaining the concepts behind the paper.

Their definition of user-centric is interesting:

User-centric: Structured so as to allow users to conceptualize, enumerate and control their relationships with other parties, including the flow of information.

The work in Feide on consent, consent management and revamping user interfaces falls nicely within this definition. When the goal is to give users control over their relationships and tools to conceptualize the existing relations, we ended up with the federation's Innsyn. I do not fully understand what is implied by “enumerate relationships”, but assume that this is similar to consent management. It is interesting to note that user-centric solutions can be built on either the client or the server side of the traditional client-server model for services, but a server-side user-centric solution requires that the user is given tools on the server side.

Another interesting concept in the paper is that not all assertions are true (but all Cretans are liars?)

It is key to the document that claims are assertions by one subject about another subject that are “in doubt”. This is a fundamental notion since it leads to an understanding that one of the basic services of a multi-party model must be “Claims Approval”. The simple assumption by systems that assertions are true – in other words the failure to factor out “approval” as a separate service – has led to conflation and insularity in earlier systems.

Being able to sort assertions into claims and credentials may help us think more clearly about security needs. In psychology we learn that children know the difference between true and false at the age of three or four, but in this case the security community has taken a few more years to sort out the issue. I wonder what that says about the maturity of our understanding?

Complexity breeds contempt (or consent?)

When is informed consent really consent, and not just paperwork? My local newspaper carried an interesting article yesterday where professor Stein Kaasa at NTNU stated that the paperwork for getting informed consent for participation in research projects from cancer patients has grown too complex. The text in the consent form is three times what it was some years ago, and the added text is mostly legalese (legal issues, economic terms, privacy information, data storage information). He states that this is preventing his patients, mostly ill and elderly, from understanding the issues involved in volunteering for research projects. I believe that he is fundamentally right, not only for elderly patients. The user's or patient's need to understand consent information should override our need to add complex disclaimers.

How many Microsoft Office users are aware that they have agreed not to use Word's media elements to create scandalous works?

You may not create obscene or scandalous works, as defined by federal law at the time the work is created, using the Media Elements

And that text is snipped from the first part of the EULA, a part that innocent users might actually see while scrolling through the text in order to agree and get on with their work. One of the major roadblocks for security is the press-OK-to-continue syndrome: because the questions asked are either self-evident or too complex to understand, the only possible answer is YES. This is why I believe that complexity breeds consent.

Back to the cancer patients, almost all of whom agree to participate in research. Professor Kaasa's proposal was to use established channels: spend some time in conversation with the patient to explain the issues (mostly done by research nurses). He also states that the hospital must take on more of the administrative burden of the consent forms, and possibly more responsibility as an organization, instead of outsourcing everything to each project.

How much of the policy work done today is about disclaimers, where we are covering our backsides?  How much is really needed?  How formalized should policies be?  How much of the formalization of policy must be visible to the end users?


Ready, able and willing: federated consent

Feide’s latest update of the federated login service includes a major revamp of our consent information. Every user is shown a web page listing what information the service requesting the login is asking for, and is given the option to opt out before any information is transferred. The software behind the consent module in SimpleSAMLphp was developed in WAYF, the Danish higher-education federation.

Consent user interface

Informed consent underpins most privacy legislation in Europe, but has been given lip service without real implementation. The two main reasons for this are lack of interest and bad user interfaces. Lack of interest is understandable, since the consequences of not having informed consent are ignorable. Bad user interfaces, where the user is exposed to legalese or tech-talk in stunning doses, have killed most emerging implementations.

The new Feide login has three steps to login:

  1. Choose where you are from (sticky information, sticks in a cookie)
  2. Write username and password
  3. Consent to information transfer (sticky information, sticks in a database)

Where you are from is remembered for weeks, but you have to supply it again if you change computer, since the information is stored in a cookie. The information times out over the summer holidays.

Username and password need to be re-entered every session, but give you single sign-on between separate services.

Consent to information transfer is stored in a database, unless you choose not to have it remembered. If you choose to remember it, the consent can later be removed using the consent administration service.

Some users get confused by this new third step in the login process, especially when they are redirected as part of SSO and have not seen the login page of the service they were redirected from. Other users are happy to be shown what happens to their personal information elements on the wild wild web.

Consent administration is a separate service where you can see at a glance all the information requested for transfer by each of the services you have ever logged in to using Feide.
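To make the three login steps and the administration service concrete, here is a small Python sketch of the consent step as a stand-alone example. It is added here and is not Feide's or SimpleSAMLphp's own code; the user, service and attribute names, the in-memory store and the choice of keying stored consents by a hash of user, service and requested attribute names are assumptions made for the illustration. The point it shows is that the stored consent is tied to the set of attributes requested: when a service later asks for one attribute more, the old consent no longer matches and the user is asked again, and revoking through the administration service brings the prompt back as well.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed example. Names and storage layout are assumptions, not Feide's
# or SimpleSAMLphp's identifiers or implementation.


@dataclass
class ConsentRecord:
    user_id: str
    sp_entity_id: str
    attribute_names: List[str]


def consent_key(user_id: str, sp_entity_id: str, attribute_names) -> str:
    """Lookup key for a remembered consent.

    Hashing the sorted attribute *names* into the key means that consent given
    for {displayName, mail} does not silently cover a later request that also
    asks for eduPersonAffiliation: the key changes, so the user is asked again.
    Attribute values are left out so that a changed phone number does not
    re-trigger the consent page (an assumed design choice of this example)."""
    names = ",".join(sorted(attribute_names))
    return hashlib.sha256(f"{user_id}|{sp_entity_id}|{names}".encode()).hexdigest()


class ConsentStore:
    """Stand-in for the federation database that keeps remembered consents."""

    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}

    def has_consent(self, user_id: str, sp_entity_id: str, attribute_names) -> bool:
        return consent_key(user_id, sp_entity_id, attribute_names) in self._records

    def remember(self, user_id: str, sp_entity_id: str, attribute_names) -> None:
        key = consent_key(user_id, sp_entity_id, attribute_names)
        self._records[key] = ConsentRecord(user_id, sp_entity_id, sorted(attribute_names))

    def list_for_user(self, user_id: str) -> List[ConsentRecord]:
        """What a consent administration page shows: every service the user has
        consented to, with the attribute names released to it."""
        return [r for r in self._records.values() if r.user_id == user_id]

    def revoke(self, user_id: str, sp_entity_id: str) -> int:
        """Withdraw all remembered consents for one service; returns the count."""
        doomed = [k for k, r in self._records.items()
                  if r.user_id == user_id and r.sp_entity_id == sp_entity_id]
        for k in doomed:
            del self._records[k]
        return len(doomed)


def consent_step(store: ConsentStore, user_id: str, sp_entity_id: str,
                 attributes: Dict[str, List[str]], decision: Optional[bool] = None,
                 remember: bool = False) -> Tuple[Dict[str, List[str]], str]:
    """Third login step. Returns (attributes to release, outcome).

    decision is None while the user has not been asked; the caller then shows
    the consent page and calls again with True or False. outcome is one of
    'skipped' (a remembered consent matched), 'prompt', 'released', 'declined'."""
    names = list(attributes)
    if store.has_consent(user_id, sp_entity_id, names):
        return attributes, "skipped"
    if decision is None:
        return {}, "prompt"
    if not decision:
        return {}, "declined"          # opt out: nothing is transferred
    if remember:
        store.remember(user_id, sp_entity_id, names)
    return attributes, "released"      # session-only unless remembered


def walkthrough() -> List[str]:
    """Constructed scenario; returns the outcome of each consent step in order."""
    store = ConsentStore()
    alice = "alice@example.edu"                       # assumed user
    sp = "https://lms.example.edu/sp"                  # assumed service
    attrs = {"displayName": ["Alice"], "mail": ["alice@example.edu"]}
    out = [consent_step(store, alice, sp, attrs)[1]]                               # first visit: prompt
    out.append(consent_step(store, alice, sp, attrs, decision=True, remember=True)[1])  # released, stored
    out.append(consent_step(store, alice, sp, attrs)[1])                           # SSO revisit: skipped
    more = dict(attrs, eduPersonAffiliation=["student"])
    out.append(consent_step(store, alice, sp, more)[1])                            # extra attribute: prompt
    store.revoke(alice, sp)                                                        # via administration page
    out.append(consent_step(store, alice, sp, attrs)[1])                           # after revocation: prompt
    return out


if __name__ == "__main__":
    print(walkthrough())
```

Whether to fold attribute values into the key is the main design decision: including them turns every changed value into a new prompt, which is exactly the press-OK-to-continue fatigue discussed above; excluding them means a service that keeps the same attribute list but receives new values does so under the old consent.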

User interface for consent administration

End-user approval of the consent service is going to be interesting.