1) A large-scale user study was conducted on consent for an identity federation to understand user perspectives.
2) The study found that users do want consent over how their data is shared in the federation and what information is exchanged.
3) Different consent options were prototyped and tested, including always asking for consent, informed consent, timed automated consent, notification of exchanges, and revocation of consent. Users responded positively to options that gave them more control and transparency.
The user perspective on consent for identity federations (TNC 2011)
1. The user perspective on consent
for identity federations
Terena Networking Conference 2011, 16 May 2011
Maarten Wegdam, Eefje van der Harst, Ruud Janssen
Acknowledgement:
SURFnet: Hans Zandbelt, Roland van Rijswijk,
Remco Poortinga-van Wijnen and others
Novay: Bob Hulsebosch, Dirk-Jan van Dijk and
others
2. Novay?
• Mission “to create breakthroughs in the way
we work, live, and entertain ourselves, by
creating and applying ICT-innovations”
• Independent ICT research institute
• Formerly called Telematica Instituut
• Innovation projects for customers
• Networked innovation
3. What to expect?
Large-scale user study on consent
for an identity federation
• Goal
• Design choices & prototype
• Pilot & survey outcome
4. Intro to user consent
• (Old ?) trend: user centric identity
• Empower user to control his/her identity
• See also: Laws of Identity by Cameron
• Why: legal, ethical and user acceptance
• How: insight and control over the
exchange data
5. SURFfederatie
• NL Federation for higher education and research
• ~700k users, >60 IdPs, ~30 SPs
• Limited sharing of attributes
• Trust framework
• Multi-protocol, including SAML & WS-Federation
[Diagram: IdPs and SPs connected through a central hub]
8. Privacy attitude
[Privacy indexes: a survey of Westin’s studies. Kumaraguru, Faith Cranor.
ISRI technical report, December 2005.]
9. Research approach
• State-of-the-art
• Design web-redirect based consent
• Not SAML/OpenID protocol specific …
• 5 guidelines
• Based on professional literature, academic literature and
existing implementations
• 2 rounds of small-scale user studies
• A large pilot with two rounds of surveys
10. Set-up user studies
• Small/qualitative, in depth
• First study: mockups
• Co-discovery, 9 * 2 users, 3 institutes, mix students &
employees, list of questions
• Do they want consent, or do they prefer their institute
to control this?
• And: feedback on the trade-offs in our mockup
• Second round: with prototype
• Focus on trade-off
• Mockups of different design choices
12. Outcome user studies
Yes: SURFfederatie users
want consent
How to make the trade-offs:
see next slides …
13. 0 Consent
Always ask user before
exchanging data
We decided in our case not to
provide per-attribute choice, too
difficult to understand.
14. 1 Informed
Make the information flow
clear
We show actual value of information,
explain the federation and role of
SURFnet, and link to privacy statement
15. 2 Automate
Enable providing consent for
future log-ins
We decided to only have ‘timed’
automation, people forget…
16. 2 Automate
Enable providing consent for
future log-ins
We decided to only have ‘timed’
automation, people forget…
will be longer
17. 3 Notification
Notify when information is
exchanged (in right context)
Even if consent was already provided
Difficult to do with web-browser
without becoming too intrusive
18. 4 Revocation
Provide overview and allow
revocation of provided
consents
Including what attributes are
included in consent, but no log
19. 4 Revocation
Provide overview and allow
revocation of provided
consents
Including what attributes are
included in consent, but no log.
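The design choices on slides 13 to 19 (ask before exchanging data, no per-attribute choice, 'timed' automation only, an overview with revocation but no log) expressed as a hub-side consent check. This is an added example, not code from the SURFfederatie prototype; the class and method names, the 30-day validity, the sample user, SP and attribute names, and the rule that an attribute outside the consented set triggers a new prompt are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Consent:
    attributes: frozenset  # attribute names only; values and a log are not kept
    expires: datetime

class ConsentStore:
    """Timed, all-or-nothing consents per (user, SP), as a hub might hold them."""
    def __init__(self):
        self._consents = {}  # (user, sp) -> Consent

    def grant(self, user, sp, attributes, now, valid_for):
        # 'Timed' automation only: every stored consent carries an expiry.
        self._consents[(user, sp)] = Consent(frozenset(attributes), now + valid_for)

    def decide(self, user, sp, attributes, now):
        """Return 'release' if a valid consent covers the exchange, else 'ask'."""
        c = self._consents.get((user, sp))
        if c is not None and now >= c.expires:
            del self._consents[(user, sp)]  # expired: back to the consent screen
            c = None
        # Assumption: consent covers one fixed attribute set (no per-attribute
        # choice), so any attribute outside that set means asking again.
        if c is None or not frozenset(attributes) <= c.attributes:
            return "ask"
        return "release"

    def overview(self, user, now):
        """Revocation page data: SP -> (consented attribute names, expiry)."""
        return {sp: (sorted(c.attributes), c.expires)
                for (u, sp), c in self._consents.items()
                if u == user and now < c.expires}

    def revoke(self, user, sp):
        # True if a consent existed and was removed.
        return self._consents.pop((user, sp), None) is not None

def demo():
    # Constructed sample values, not taken from the pilot.
    user, sp = "alice@idp.example.edu", "https://sp.example.org"
    attrs = ["displayName", "affiliation"]
    t0 = datetime(2011, 5, 16, 9, 0)
    store = ConsentStore()
    first = store.decide(user, sp, attrs, t0)              # no consent yet
    store.grant(user, sp, attrs, t0, timedelta(days=30))
    return [first,
            store.decide(user, sp, attrs, t0 + timedelta(days=1)),
            store.decide(user, sp, attrs + ["mail"], t0 + timedelta(days=2)),
            store.decide(user, sp, attrs, t0 + timedelta(days=31))]
```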
20. User study – other points
• Why do service providers need my attributes?
Specific answers are very difficult ...
• What happens after my consent with my data?
No real solution for this (yet?)…
• What is SURFnet doing here?
Web-interface runs on SURFnet hub, which now
becomes visible… We explained this carefully
21. Pilot & survey
• Three universities (TUD, RuG, Univ Leiden)
• Three service providers (Legal Intelligence,
Prof, SURFdiensten)
• Dutch and English
• 1043 participants (18%), 507 did the survey
• Ran for 2 months
23. Main conclusion 2
The new option is a good add-on to the SURFfederatie
(1=absolutely; 5=not at all)
[Bar chart: percentage of respondents per score 1 to 5; bar labels 42%, 28%, 20%, 8%, 2%]
24. Check on bias towards privacy fundamentalists:
representative
25. Timed consent
• 87% of users want this!
• No clear preference how long …
26. Conclusions
• Users want consent
• Current prototype is good way to provide this
• Open issues
• Do the other stakeholders want this?
• For all institutes, and can each one choose?
• On the hub or at the institutes?
• SURFnet decided to deploy this (summer 2011)
27. Questions?
More information:
User controlled privacy for the SURFfederatie: the user perspective
report, Jan 2011, to appear on www.surfnet.nl, or send me an email for pre-final version
Report extended summary
http://maartenwegdam.files.wordpress.com/2011/04/20110125-gp3-ucp-2010-ext-summary.pdf
(or as “extra file” on TNC2011 site)
Blog post
http://maarten.wegdam.name/2011/04/03/user-study-outcome-users-do-want-consent-for-federated-login/
Email
maarten.wegdam@novay.nl
29. Consent on hub or with institute
[Diagram: two alternatives for IdPs and SPs connected through the hub, one with consent on the hub and one with consent at the institutes' IdPs]
30. Consent on hub or with institute?
Hub
+ one-time deploy
+ analog to current attribute filtering
- hub becomes ‘fatter’
- hub becomes visible
Institute
+ ‘logical’ place
- Some of the identity software will not support this, custom changes needed