Feide‘s latest update of the federated login service includes a major revamping of our consent information. Every user gets splashed with a web page about what information the service requesting the login is demanding, and given the option to opt out before information is transferred. The software behind the consent module in SimpleSAMLphp was developed in WAYF, the Danish higher education federation. 
Informed consent is an underpinning of most privacy legislation in Europe, but has been given lip service without real implementation. The two main reasons for this is lack of interest and bad user interfaces. Lack of interest is understandable since the consequences of not having informed consent are ignorable. Bad user interfaces, where the user is exposed to either legalese or tech-talk in stunning doses, has killed most emerging implementations.
The new Feide login has three steps to login:
- Chose where you are from (sticky information, sticks in a cookie)
- Write username and password
- Consent to information transfer (sticky information, sticks in a database)
Where you are from is remembered for weeks, but you have to supply this information again if you change your computer since the information sticks in a cookie. The information times out over the summer holidays.
Username and password needs to be reentered every session, but gives you Single Sign On between separate services.
Consent to information transfer is stuck in a database, unless you chose not to remember consent. If you chose to remember, the consent may be removed using the consent administration service.
Some users get confused by this new third step in the login process, especially when they are redirected as part of SSO and have not seen the login page for the service they are redirected from. Other users are happy to get presented what happens to they personal information elements on the wild wild web.
Consent administration is a separate service, where you at a glance see all the information requested for transfer by each of the services you have ever logged in to using Feide.
User interface for consent administration
End user approval of the consent service is going to be interesting.
March 10, 2009 at 10:18
I like the user-friendly and clear wording of the consent module. Looks tidy and calm 🙂
As you may know SWITCH has been developing and using a user consent module for Shibboleth called uApprove for several years now. It works in a very similar way as the SimpleSAML user consent module but for example doesn’t currently offer a way to examine consent information for all resources users have accessed so far.
We decided to use kind of a real life example to tell users what is happening after they have given their consent to release information. Therefore, we refer to a digital Identity Card that is sent to the service they want to access (see web page link). This digital Identity Card then of course shows the user attributes which are released.
uApprove offers also an optional Terms of Use screen (has to be accepted only once or if terms change) and a global consent option that will never ask the user for consent again unless she checks the reset option on the login page. It shows that in our Virtual Home Organization (home for the homeless AAI users) with more than 8000 users about 4600 (> 55%) users chose to go for the global consent.
So, it seems that the majority of users don’t care about data protection and/or don’t want to be bothered by yet another screen after authentication. But I think user consent solutions are nevertheless required and useful because they make users aware of what is happening and it gives them at least a theoretical possibility not to release information to a service. But of course the choice is between not using the service or giving consent to release user information.
March 10, 2009 at 13:55
Informed consent is good for you. But when you, as part of your privacy routines, delete all cookies when you quit the browser, then the coookie part of it gets annoying. More specifically, why don’t you pre-select my institution based on my IP address? One less think to be annoyed by (it’s enough elsewhere!!)…
March 10, 2009 at 14:15
Pre-selecting where you are from based on IP address works for some use use cases, and not when you are staying away from home. Most people like cookies, and do not empty their cookie-jar at logout. Having said that, the cookie part of login is not related to consent, since consent is sticky in a database, keyed to your user at the Identity Provider. Cookies only help you with WAYF.
Consent follows you regardless of cookies, as you may verify by logging in at the consent administration module at http://innsyn.feide.no
I promise to think about pre-selection based on IP address for the WAYF use cases where people actually stay at their desk, or at least on their home organization’s wireless LAN.
March 11, 2009 at 13:39
When you are staying away from home, you most likely either are in a network you haven’t made a preselection about (like dialup or adsl or random wlans) or you have a cookie already. Most people are not paranoid and will click-through on anything you want them to.
(Well, I am paranoid and suppose you are just after me, of course :))
Apropos innsyn.feide.no, how am I supposed to find this site? I never remember where it is and haven’t seen any link to it on the applications I use (when I am already logged in). Which means it’s either not there or it is well hidden. (It’s never user error/bad observation, of course.)
March 11, 2009 at 19:16
Nice summary of consent, I think.
We’ve considered the IP address thing a few times in the UK. We think that pre-selecting based on IP (or anything else) is a little dangerous except as a hint to help the user select his IdP. After all, home users and visitors from other institutions need to have complete freedom to select their IdPs.
IP-based hinting is not the only kind of hint you can think of, so Rod Widdowson added a general hinting system to the discovery service code available from the Shibboleth team. There’s a provider API, I think, to allow arbitrary hinting modules to be added.
We did some experiments with IP address-based hints in particular (although I don’t think the code Rod lashed up made it into the repository), and at some point we may try and roll something out into the production discovery service to go along with the other hint we use at present, which is of course the list of IdPs which you have previously selected.
March 11, 2010 at 21:51
[…] The latter option is less used, but there are precedents, like uApprove (for Shibboleth) and the Consent module for SimpleSAMLphp. Ignoring lots of details, SAML WebSSO works roughly the same as OpenID (by redirecting the browser […]