the user perspective on consent for identity federations (tnc 2011)
DESCRIPTION
As presented at the Terena Networking Conference 2011, 16 May 2011, in Prague. See https://tnc2011.terena.org/core/presentation/71.TRANSCRIPT
![Page 1: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/1.jpg)
The user perspective on consent for identity federationsTerena Networking Conference 2011, 16 May 2011
Maarten Wegdam, Eefje van der Harst, Ruud Janssen
Acknowledgement:SURFnet: Hans Zandbelt, Roland van Rijswijk, Remco Poortinga-van Wijnen and othersNovay: Bob Hulsebosch, Dirk-Jan van Dijk and others
![Page 2: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/2.jpg)
Novay?
• Mission “to create breakthroughs in the way we work, live, and entertain ourselves, by creating and applying ICT-innovations”
• Independent ICT research institute• Formerly called Telematica Instituut• Innovation projects for customers• Networked innovation
2
![Page 3: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/3.jpg)
What to expect?
Large-scale user study on consent for an identity federation
• Goal• Design choices & prototype• Pilot & survey outcome
3
![Page 4: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/4.jpg)
Intro to user consent
• (Old ?) trend: user centric identity• Empower user to control his/her identity• See also: Laws of Identity by Cameron• Why: legal, ethical and user acceptance• How: insight and control over the
exchange data
4
![Page 5: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/5.jpg)
SURFfederatie• NL Federation for higher education and research• ~700k users, >60 IdPs, ~30 SPs• Limited sharing of attributes• Trust framework• Multi-protocol, including SAML & WS-Federation
5
IdP
IdP
IdP
IdPSP
SP
SP
SP
hub
![Page 6: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/6.jpg)
Research question: do users want consent, and if so, how?
6
![Page 7: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/7.jpg)
A complicated trade-off
7
Under-standable
![Page 8: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/8.jpg)
Privacy attitude
8
[Privacy indexes: a survey of Westin’s studies. Kumaraguru, Faith Cranor. ISRI technical report, december 2005.]
![Page 9: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/9.jpg)
Research approach
• State-of-the-art• Design web-redirect based consent
• Not SAML/OpenID protocol specific …
• 5 guidelines
• Based on professional literature, academic literature and existing implementations
• 2 roundes of small-scale user studies• A large pilot with two rounds of surveys
9
![Page 10: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/10.jpg)
Set-up user studies
• Small/qualitative, in depth• First study: mockups
• Co-discovery, 9 * 2 users, 3 institutes, mix students & employees, list of questions
• Do they want consent, or do they prefer their institute to control this?
• And: feedback on the trade-offs in our mockup
• Second round: with prototype• Focus on trade-off
• Mockups of different design choices10
![Page 11: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/11.jpg)
Example screenshot
11
![Page 12: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/12.jpg)
Outcome user studies
Yes: SURFfederatie users want consent
How to make the trade-offs: see next slides …
12
![Page 13: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/13.jpg)
13
We decided in our case not to provide per-attribute choice, too difficult to understand.
Always ask user before exchanging data
0 Consent
![Page 14: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/14.jpg)
14
We show actual value of information, explain the federation and role of SURFnet, and link to privacy statement
Make the information flow clear
1 Informed
![Page 15: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/15.jpg)
15
We decided to only have ‘timed’ automation, people forget…
Enable providing consent for future log-ins
2 Automate
![Page 16: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/16.jpg)
16
We decided to only have ‘timed’ automation, people forget…
Enable providing consent for future log-ins
2 Automate
will be longer
![Page 17: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/17.jpg)
17
Difficult to do with web-browser without becoming too intrusive
Notify when information is exchanged (in right context)
Even if consent was already provided
3 Notification
![Page 18: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/18.jpg)
18
Including what attributes are included in consent, but no log
Provide overview and allow revocation of provided consents
4 Revocation
![Page 19: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/19.jpg)
19
Including what attributes are included in consent, but no log.
Provide overview and allow revocation of provided consents
4 Revocation
![Page 20: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/20.jpg)
User study – other points
• Why do service providers need my attributes?Specific answers are very difficult ...
• What happens after my consent with my data? No real solution for this (yet?)…
• What is SURFnet doing here? Web-interface runs on SURFnet hub, which now becomes visible… We explained this carefully
20
![Page 21: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/21.jpg)
Pilot & survey
• Three universities (TUD, RuG, Univ Leiden)• Three service providers (Legal Intelligence,
Prof, SURFdiensten)• Dutch and English• 1043 participants (18%), 507 did the survey• Ran for 2 months
21
![Page 22: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/22.jpg)
Main conclusion 1
22
![Page 23: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/23.jpg)
Main conclusion 2
23
20%
42%
28%
8%
2%0%
5%
10%
15%
20%
25%
30%
35%
40%
45%
1 2 3 4 5
The new option is a good add-on to the SURFfederatie(1=absolutely; 5=not at all)
![Page 24: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/24.jpg)
Check on bias towards privacy fundementalists: representative
24
![Page 25: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/25.jpg)
Timed consent• 87% of users wants this!• No clear preference how long …
25
![Page 26: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/26.jpg)
Conclusions
• Users want consent• Current prototype is good way to provide this• Open issues
• Do the other stakeholders want this?• For all institutes, and can each one choose?• On the hub or at the institutes?
• SURFnet decided to deploy this (summer 2011)
26
![Page 27: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/27.jpg)
Questions?
27
More information: User controlled privacy for the SURFfederatie: the user perspectivereport, Jan 2011, to appear on www.surfnet.nl, or send me an email for pre-final version
Report extended summaryhttp://maartenwegdam.files.wordpress.com/2011/04/20110125-gp3-ucp-2010-ext-summary.pdf(or as “extra file” on TNC2011 site)
Blog posthttp://maarten.wegdam.name/2011/04/03/user-study-outcome-users-do-want-consent-for-federated-login/
![Page 28: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/28.jpg)
backup
28
![Page 29: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/29.jpg)
Consent on hub or with institute
29
IdP
SP
SP
SP
hub
cons
ent
IdP
cons
ent
IdP
cons
ent
IdP
SP
SP
SP
hub
cons
ent
IdP
IdP
![Page 30: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/30.jpg)
Consent on hub or with institute?
30
Hub+ one-time deploy
+ analog to current attribute filtering
- hub becomes ‘fatter’
- hub becomes visible
Institute+ ‘logical’ place
- Some of the identity software will not support this, custom changes needed
![Page 31: The user perspective on consent for identity federations (TNC 2011)](https://reader034.vdocuments.us/reader034/viewer/2022052413/559c74c31a28ab88088b482a/html5/thumbnails/31.jpg)
31