Post on 08-Jul-2015
The user perspective on consent for identity federations
Terena Networking Conference 2011, 16 May 2011
Maarten Wegdam, Eefje van der Harst, Ruud Janssen
Acknowledgement:
SURFnet: Hans Zandbelt, Roland van Rijswijk, Remco Poortinga-van Wijnen and others
Novay: Bob Hulsebosch, Dirk-Jan van Dijk and others
Novay?
• Mission “to create breakthroughs in the way we work, live, and entertain ourselves, by creating and applying ICT-innovations”
• Independent ICT research institute
• Formerly called Telematica Instituut
• Innovation projects for customers
• Networked innovation
What to expect?
Large-scale user study on consent for an identity federation
• Goal
• Design choices & prototype
• Pilot & survey outcome
Intro to user consent
• (Old?) trend: user centric identity
• Empower user to control his/her identity
• See also: Laws of Identity by Cameron
• Why: legal, ethical and user acceptance
• How: insight and control over the exchanged data
SURFfederatie
• NL Federation for higher education and research
• ~700k users, >60 IdPs, ~30 SPs
• Limited sharing of attributes
• Trust framework
• Multi-protocol, including SAML & WS-Federation
[Figure: IdPs and SPs connected through a central hub]
Research question: do users want consent, and if so, how?
A complicated trade-off
[Figure: trade-off diagram; only the label "Understandable" survives]
Privacy attitude
[Privacy indexes: a survey of Westin’s studies. Kumaraguru, Faith Cranor. ISRI technical report, December 2005.]
Research approach
• State-of-the-art
• Design web-redirect based consent
• Not SAML/OpenID protocol specific …
• 5 guidelines
• Based on professional literature, academic literature and existing implementations
• 2 rounds of small-scale user studies
• A large pilot with two rounds of surveys
Set-up user studies
• Small/qualitative, in depth
• First study: mockups
• Co-discovery, 9 * 2 users, 3 institutes, mix students & employees, list of questions
• Do they want consent, or do they prefer their institute to control this?
• And: feedback on the trade-offs in our mockup
• Second round: with prototype
• Focus on trade-off
• Mockups of different design choices
Example screenshot
Outcome user studies
Yes: SURFfederatie users want consent
How to make the trade-offs: see next slides …
0 Consent: Always ask user before exchanging data
We decided in our case not to provide per-attribute choice, too difficult to understand.
1 Informed: Make the information flow clear
We show actual value of information, explain the federation and role of SURFnet, and link to privacy statement
2 Automate: Enable providing consent for future log-ins
We decided to only have ‘timed’ automation, people forget…
will be longer
3 Notification: Notify when information is exchanged (in right context), even if consent was already provided
Difficult to do with web-browser without becoming too intrusive
4 Revocation: Provide overview and allow revocation of provided consents
Including what attributes are included in consent, but no log
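The consent rules from guidelines 0, 2 and 4 as an added Python example (not code from the SURFnet prototype): all-or-nothing consent, remembered consent that always expires, and an overview with revocation that keeps no log of exchanges. The `ConsentStore` class, the 30-day validity period, and re-asking when a service provider requests attributes outside the remembered set are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: the slides fix no validity period ("no clear preference how long").
REMEMBER_FOR = timedelta(days=30)

@dataclass(frozen=True)
class Consent:
    attributes: frozenset   # attribute names covered, shown in the overview
    expires: datetime       # 'timed' automation only, never indefinite

class ConsentStore:
    """Hypothetical hub-side store: one record per (user, SP), no exchange log."""

    def __init__(self):
        self._records = {}

    def must_ask(self, user, sp, requested, now):
        """True when the consent screen has to be shown before release."""
        rec = self._records.get((user, sp))
        if rec is None or now >= rec.expires:
            self._records.pop((user, sp), None)   # drop expired consent
            return True
        # Assumption: a request for attributes outside the remembered set
        # is not covered, so the user is asked again.
        return not set(requested) <= rec.attributes

    def decide(self, user, sp, requested, approved, remember, now):
        """Record the user's answer; returns the attribute names to release."""
        if not approved:
            return frozenset()                    # all-or-nothing, nothing sent
        granted = frozenset(requested)            # no per-attribute choice
        if remember:
            self._records[(user, sp)] = Consent(granted, now + REMEMBER_FOR)
        return granted

    def overview(self, user, now):
        """Active consents for the revocation page: SP -> (attributes, expiry)."""
        return {sp: (sorted(c.attributes), c.expires)
                for (u, sp), c in self._records.items()
                if u == user and now < c.expires}

    def revoke(self, user, sp):
        """Remove a remembered consent; True if one existed."""
        return self._records.pop((user, sp), None) is not None
```

The caller checks `must_ask` on every login and only releases what `decide` returns, so a declined or expired consent never results in an attribute release.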
User study – other points
• Why do service providers need my attributes? Specific answers are very difficult ...
• What happens after my consent with my data? No real solution for this (yet?)…
• What is SURFnet doing here? Web-interface runs on SURFnet hub, which now becomes visible… We explained this carefully
Pilot & survey
• Three universities (TUD, RuG, Univ Leiden)
• Three service providers (Legal Intelligence, Prof, SURFdiensten)
• Dutch and English
• 1043 participants (18%), 507 did the survey
• Ran for 2 months
Main conclusion 1
Main conclusion 2
The new option is a good add-on to the SURFfederatie (1=absolutely; 5=not at all)
[Bar chart values, in order for scores 1 to 5: 20%, 42%, 28%, 8%, 2%]
Check on bias towards privacy fundamentalists: representative
Timed consent
• 87% of users want this!
• No clear preference how long …
Conclusions
• Users want consent
• Current prototype is good way to provide this
• Open issues
• Do the other stakeholders want this?
• For all institutes, and can each one choose?
• On the hub or at the institutes?
• SURFnet decided to deploy this (summer 2011)
Questions?
More information: User controlled privacy for the SURFfederatie: the user perspective, report, Jan 2011, to appear on www.surfnet.nl, or send me an email for pre-final version
Report extended summary: http://maartenwegdam.files.wordpress.com/2011/04/20110125-gp3-ucp-2010-ext-summary.pdf (or as “extra file” on TNC2011 site)
Blog post: http://maarten.wegdam.name/2011/04/03/user-study-outcome-users-do-want-consent-for-federated-login/
Email: maarten.wegdam@novay.nl
backup
Consent on hub or with institute
[Figure: two variants of the hub diagram with IdPs, hub and SPs, one with a consent component at each IdP and one with a single consent component at the hub]
Consent on hub or with institute?
Hub
+ one-time deploy
+ analog to current attribute filtering
- hub becomes ‘fatter’
- hub becomes visible
Institute
+ ‘logical’ place
- Some of the identity software will not support this, custom changes needed