Subject Re: draft charge, refeds working group on attribute release
From David Simonsen <david@xxxxxxx>
Date Thu, 30 Jun 2011 18:17:20 +0200

On Jun 30, 2011, at 10:18 AM, Andrew Cormack wrote:
> But I thought we'd already agreed that you can't use consent for all attribute releases?

When did we agree :) ? 

In WAYF we certainly use consent for all (!) attribute releases.
If the user asks the system to store the consent (for 3 years), they will only be prompted for new consent for that SP-specific attribute release if their attribute values change...


> If the attribute really is one to which consent applies (i.e. the user isn't effectively compelled to say yes) then provided the IdP is sure that the user has indeed given valid consent then they may decide that the risk is sufficiently low to release. For releases that can't be done based on consent then the IdP has to have some other reason for believing that the risk is low.

> Andrew
>> -----Original Message-----
>> From: Nicole Harris [mailto:nicole.harris@xxxxxxxxxxxxxxxxx]
>> Sent: 30 June 2011 09:09
>> To: Andrew Cormack
>> Cc: Mikael Linden; Diego R. Lopez; Steven Carmody; Leif Johansson;
>> refeds@xxxxxxxxxx
>> Subject: Re: [refeds] draft charge, refeds working group on attribute
>> release
>> I'm not sure that distinction holds up when a consent 'client' is
>> introduced. If the IdP doesn't release unless instructed to do so by a
>> consent 'client' there really is no difference between that and an email
>> 'client' instructing a server to send email. Both are under the user
>> control, both have a user interface which instructs (in my case) an
>> organisational server or application to send something about me on my
>> initiation. I want to access resource (click button), I want to email
>> refeds (click button).  The first case is actually more secure because
>> I'm only sending information to one organisation. In the email case, it
>> goes to servers all around the world.
>> On 30 Jun 2011, at 08:36, Andrew Cormack <Andrew.Cormack@xxxxxx> wrote:
>>> Why am *I* explaining to *you* the difference between SAML and SMTP???? In SAML it's the IdP that releases the personal data, therefore the IdP that carries the legal liability for any resulting harm. In SMTP it's the user client, therefore the user.
>>> So (trying to return this thread to its original topic) you need to find ways to persuade IdPs that the benefit of releasing personal data justifies the risk of liability. Getting SPs to accept lower risk types of data should help with that, so you need to persuade them too. From my reading of the law there's no way to remove the risk - other than not releasing personal data, of course - you can only reduce it.
>>> Incidentally we were joint authors of a document several years ago that explained the right way to do it. I still believe it's the right way to do it. See protection.html
>>> Andrew
>>> --
>>> Andrew Cormack, Chief Regulatory Adviser, JANET(UK)
>>> Lumen House, Library Avenue, Harwell, Didcot. OX11 0SG UK
>>> Phone: +44 (0) 1235 822302
>>> Blog:
>> developments/
>>>> -----Original Message-----
>>>> From: Mikael Linden [mailto:Mikael.Linden@xxxxxx]
>>>> Sent: 30 June 2011 07:55
>>>> To: Diego R. Lopez; Andrew Cormack
>>>> Cc: Steven Carmody; Leif Johansson; refeds@xxxxxxxxxx
>>>> Subject: RE: [refeds] draft charge, refeds working group on attribute release
>>>>>>> I wonder if I should sue TERENA for infringing my privacy because it operates a mail list service which delivers my cn and mail attributes (in this mail's headers) to any recipient of refeds@xxxxxxxxxx list, even to those outside EU/EEC.
>>>>>> I'd expect you'd be told that since you disclosed that personal information yourself then any harm that resulted was your fault.
>>>>> Doesn't that self-disclosure principle apply when I push a "Consent" button in a web form, whether at the IdP or the SP, whether at first usage or at every usage?
>>>>> Doesn't it cover most of the cases we have been discussing in this thread, as long as there is an initial step that implies self-disclosure?
>>>> Exactly! Where is the difference between
>>>> (a) I press "Send" button of my email client
>>>> (b) I press "I consent" (or "I am informed on the attribute release" in the necessity case) button in my web browser.
>>>> Both cases result in my home organisation assembling a protocol (SMTP/SAML) message carrying my personal data which are then passed to a peer server in or out of EU.
>>>> mikael