Toward End-User Consent at Internet Scale

Scalable Consent is an initiative to develop a framework, and working code, in support of effective and informed end-user consent and attribute release at Internet scale. The work supports fine-grained, revocable, informed, and well managed consent services that will allow both user and organization to control the release of their attributes to relying parties throughout an identity ecosystem. The development was catalyzed by an NSTIC grant from NIST, and is being enhanced and maintained by the TIER activity within Internet2.

The deliverables include:

  • an architectural model and APIs associated with each flow and component within the model. The hub of the model is a Consent-informed Attribute Release Manager (CARMA) that interacts with the UI and integrates individual and institutional attribute release preferences.
  • working code, both as a standalone service and embedded within a Shibboleth IdP, that implements scalable consent and attribute release across a variety of protocols, including SAML, OIDC, OAuth, etc.
  • a next-gen UI that allows the user to manage their attribute releases in an informed and effective manner
  • API's and sample connectors that deliver the information for informed consent - services such as RP identification, minimal and optional attributes, information dialogues, histories of prior and similar releases, etc.
  • enterprise management services to help an organization deploy and management attribute release that integrates both end-user and institutional policies.  
  • planning documents, discussion materials, and inter-institutional communications to facilitate deployments

The work is intended to help foster an open and interoperable identity ecosystem. Goals include consent that is usable and privacy preserving, improved support for accessibility, and fostering identity portability. All the specifications and code are open-source.

This demo provides a look at Duke University's implementation of the CAR module that allows an individual to see the attributes being requested by a service and then make a decision about release.

This video, to be supplied shortly, gets more specific into the interaction between the CAR module and institutional attribute release policies. The example looks at institutional attribute release policies and access to the LIGO collaboration.

Scalable Consent Basics

Attribute Release and Consent.pdf

An Overview for Leadership  Consent- A Leadership View.pdf

Scalable Consent FAQ.docx

CAR Demonstrations

CAR under the hood and its use with R&S - CAR under the hood.pdf

Presentation for IAM On-Line on Attribute Release and CAR Demos 6/28/17   iamonline6-28-kjk-rob.pdf

Community Resources

Information on the EU General Data Protection Regulation (GDPR) - The GDPR has significant impacts on the appropriate use of consent. See the following General Data Protection Regulation (GDPR) and Safer Harbor

CAR and GDPR    GDPR and CAR.pdf

Information on Privacy and Consent from the UK ICO - UK Information Resources

Consent and Privacy from the Canadian Privacy Commissioner - consent_201605_e.pdf

Draft on EU Privacy Code of Conduct - and DraftmHealthCodeofConduct.pdf

Work described is supported in part by the National Strategy for Trusted Identities in Cyberspace (NSTIC) National Program Office and the National Institute of Standards and Technology (NIST). The views in this presentation do not necessarily reflect the official policies of the NIST or NSTIC, nor does mention by trade names, commercial practices, or organizations imply endorsement by the U.S. Government.
NOTE: All Internet2 Activities are governed by the Internet2 Intellectual Property Framework.
  • No labels