October 2009

Some interesting postings on attribute aggregation; both grew out of work on virtual organizations.

Attribute aggregation is collating attributes about a user account from multiple sources.  In the case of virtual organizations and their use of specific web resources with federated login, this boils down to: how do I add an eduPersonEntitlement value maintained by VO-whatnot's own attribute authority to the attributes the user's university releases about him?
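As an added illustration, not taken from either of the postings, here is a small Python sketch of that merge.  It takes two constructed attribute statements, one from the university identity provider and one from the VO attribute authority, and aggregates them per attribute while keeping track of which issuer asserted each value.  The security point it adds is scoping: the VO is only trusted for eduPersonEntitlement values under its own URN prefix, so a VO statement that tries to assert a university entitlement or an affiliation is dropped rather than merged.  The issuer URLs, entitlement values and trust policy are assumptions for the example; the attribute names are the standard eduPerson ones.

```python
"""Attribute aggregation with per-issuer scoping (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample statements, shaped like what a SAML IdP and an attribute
# authority would release after a federated login.  Issuers and values are made up.
UNIVERSITY_ASSERTION = {
    "issuer": "https://idp.example-university.edu/idp",
    "attributes": {
        "eduPersonPrincipalName": ["alice@example-university.edu"],
        "eduPersonAffiliation": ["member", "staff"],
        "eduPersonEntitlement": ["urn:mace:example-university.edu:library"],
    },
}
VO_ASSERTION = {
    "issuer": "https://aa.vo-whatnot.example.org/aa",
    "attributes": {
        "eduPersonEntitlement": [
            "urn:mace:vo-whatnot.example.org:instrument-access",
            # Over-reaching value: the VO tries to assert a university entitlement.
            "urn:mace:example-university.edu:payroll",
        ],
        # Not the VO's to assert at all.
        "eduPersonAffiliation": ["faculty"],
    },
}

# Trust policy (assumed): which attributes each issuer may assert, and for
# entitlements, which value prefixes it owns.  None means any value is accepted.
TRUST_POLICY: Dict[str, Dict[str, Optional[Tuple[str, ...]]]] = {
    "https://idp.example-university.edu/idp": {
        "eduPersonPrincipalName": None,
        "eduPersonAffiliation": None,
        "eduPersonEntitlement": ("urn:mace:example-university.edu:",),
    },
    "https://aa.vo-whatnot.example.org/aa": {
        "eduPersonEntitlement": ("urn:mace:vo-whatnot.example.org:",),
    },
}


@dataclass(frozen=True)
class Value:
    """One attribute value together with the issuer that asserted it."""
    value: str
    issuer: str


def aggregate(assertions, policy):
    """Merge attribute statements from several issuers.

    Every accepted value keeps its issuer as provenance; values an issuer is not
    trusted to assert are returned separately as (issuer, what, reason) tuples.
    Duplicate values asserted by more than one source are kept once.
    """
    merged: Dict[str, List[Value]] = {}
    rejected: List[Tuple[str, str, str]] = []
    for statement in assertions:
        issuer = statement["issuer"]
        allowed = policy.get(issuer)
        if allowed is None:
            rejected.append((issuer, "*", "untrusted issuer"))
            continue
        for name, values in statement["attributes"].items():
            if name not in allowed:
                rejected.append((issuer, name, "attribute not permitted for issuer"))
                continue
            prefixes = allowed[name]
            for value in values:
                if prefixes is not None and not value.startswith(prefixes):
                    rejected.append((issuer, f"{name}={value}", "value outside issuer scope"))
                    continue
                bucket = merged.setdefault(name, [])
                if not any(existing.value == value for existing in bucket):
                    bucket.append(Value(value, issuer))
    return merged, rejected


def release(attributes, requested):
    """Release to a service only the attributes it has declared it needs."""
    return {name: [v.value for v in attributes[name]]
            for name in requested if name in attributes}


if __name__ == "__main__":
    attrs, dropped = aggregate([UNIVERSITY_ASSERTION, VO_ASSERTION], TRUST_POLICY)
    for name, values in attrs.items():
        for v in values:
            print(f"{name} = {v.value}  (from {v.issuer})")
    for issuer, what, reason in dropped:
        print(f"rejected {what} from {issuer}: {reason}")
    print(release(attrs, ["eduPersonEntitlement"]))
```

The release step is the hook for the consent and necessity discussion later in the post: the aggregator holds everything it has verified, but a service only gets the attributes it has declared it needs.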

The possibilities and the doors opened by attribute aggregation are enticing and slightly frightening.  My international research project's site getting an attribute from the project manager and a federated login from my employer will work fine.  That is not scary.  The employer's web site may be able to download information about my colour preferences from nerdy-color-repository.  That is not so scary.  When my son starts school next year, I may log in to the learning management system, getting the login from the national eID, the association with my child from an attribute authority and information about his attributes from Feide.  That is cool and not scary at all.  The pizza place getting my phone number, cross-referencing it with my payment history, getting information on the pavement status in my neighbourhood and refusing to dispatch pizza to the people helping me move my piano: that is scary.  And that is partly why the user interface for aggregation, informed choices, privacy, security testing and a lot of other issues need more work.


Normally we try to operate all transfers of personally identifiable information under the principle of informed consent.  In the discussions on privacy at the NORDUnet conference, Andrew Cormack pointed out that in practice the guiding principle for services may well be necessity to transfer and process personally identifiable information.  Privacy guidelines explicitly allow processing when there is necessity, as illustrated in the figure below.

Figure: Informed consent and necessity

One example of necessity is my hospital needing to notify my family physician that the X-ray pictures show a rampant pneumonia.  Not notifying the person responsible for prescribing antibiotics may harm my health, and in this situation the necessity is easy to understand.

In the EU regulations, the necessity part seems to be interpreted differently from country to country.  Denmark has legislation allowing parts of the public sector to exchange information according to necessity.  In Norway this is written into some specific laws, but it is not an overall guiding principle amounting to carte blanche.

There is discussion on what constitutes similar services, and on whether informed consent to transfer the information needed for exam registration is really voluntary when the alternative may be to travel for 20 minutes and spend an hour in an office to complete the same transaction on paper.  If the prior procedure was all on paper, and the web self-service interface was introduced as a complement to standing in line, the answer may be that it is voluntary.  If the procedure was on the web, and the paper procedure was added as a fallback, then it may not be voluntary enough.

This then raises the question of who gets to impose what costs.  May I as a user impose the cost of a paper procedure on my university, but gain the feeling of online privacy?  If this is only a feeling, and the university processes my PII together with everyone else's, the only gain for me was avoiding the Internet transfer.  Does that make sense?  Does it make sense for things that must be conducted online?  Or does it only make sense in those situations where I do not trust the service provider?  If I have to trust the service provider to handle exams, I may have to trust them with information in order for them to provide my credentials.

I am not sure what to think about the necessity part of privacy.  But I do know that keeping users informed is polite, and politeness is necessary.