Date, Time, and Location

Thursday, July 9, 2020
1:00pm ET | 12:00pm CT | 11:00am MT | 10:00am PT

Minutes

eAC wiki: https://spaces.at.internet2.edu/display/eduroam/eduroam+Advisory+Committe

Attendees: Miroslav MIlinovic, Robert Gorrell, Andrew Buker, Kim Owen, Stefan Winter, David Morton, Jeff Egly, Neil Johnson

With: Mike Zawacki, Nick Roy, Shannon Roddy, Romy Bolton, Ann West, Jessica Fink, Kevin Morooney

Regrets: Tim Cappalli, Jeremy Livingston, Theresa Semmens

Notes

• Best Practices Guide 
• https://docs.google.com/document/d/1urZpoOnGwfSHVeeUh6F-0AIOhzpnrmBACkm_LeXCJMw/edit#heading=h.o1olq8uhuwpe
• Report out, guided tour by Working Group
• Identified four initial topics to build out, draft guide.
• Using eduroam as your primary ssid - Rob 
• How much access to give ANYROAM guest users - Andrew 
• CIPA requirements, content filtering of K12 -Jeff 
• Privacy and security suggestions - Neil 
• AI FOR ALL: Review draft sections of guide, offer feedback via document comments or email 
• Timeline 
• First eduroam training scheduled to begin production in August.  We’d like to include these best practices in the training material, so the guide could be released as soon as late August. 
• AI FOR ALL: Please review between now and next meeting (Aug 6) - please send notes directly to the working group members, add comments to doc, or email this group

• Terms and conditions (Stefan) PRESENTATION
• Approaches to global eduroam T&Cs
• IdPs generally have T&C/AUP for its users, usually shown when user signs up for service
• SPs might have T&C/AUP regarding how its network is used
• When IdP and SP is same entity, no problem. When roaming it can get more complicated. What to do if there are differences between IdP and SP AUPs? And why would a user care? Eduroam is supposed to be seamless. 
• Currently T&Cs  for IdP/SP not a part of global compliance statement
• No requirement to present to users either
• Suggested “meta” T&C for eduroam globally is to use the more restrictive AUP when more than one applies. Can be tricky for users, extra work
• Requiring all users to see global AUP involves a lot of work. Update process for onboarding users, worry about pre-existing users & making them aware of new requirements, etc.  
• OpenRoaming (OR)  T&C requirements
• OpenRoam (drastically simplified) is a consortium that connects roaming consortiums 
• Handles interconnect between services like eduroam, commercial services, etc. OR calls these “Ecosystem Brokers”
• Integrating eduroam into OpenRoaming being discussed by GEANT and other global working groups
• Participants need to agree to OR T&Cs, and ensure their IdPs and SPs have agreed to those terms as well. Also requires end users be exposed to T&Cs. 
• The T&Cs themselves are pretty straightforward, industry standard stuff. The difficulty is getting them in front of eduroam subscribers, users, and gathering “informed consent”
• Having fixed T&C is not bad - helps with earlier stated issue of different AUPs
• Could use eduroam CAT to assert T&C
• CAT tool seems like really the only way to do this
• Collecting end user consent at the credentialing phase rather than the installation phase is a good approach too. There are probably IdPs that already display their own T&Cs. Could just add them in there. 
• We don't have to consider legacy users of institutions that used CAT. Keeps ability to display new terms or gather implied consent in the hands of the IdP.
• Stating that use of eduroam implies agreement to OR T&Cs  wouldn’t work in EU. Requirement is to gather informed consent
• K12 deployment would be trickier - minors can’t agree to T&Cs. Needs to have signoff of parent or guardian It’s possible to shift the responsibility since minors cannot agree. Acceptable use vs responsible use for minors.  Shifting the burden back to parents instead of the school.  Gathering parental consent at installation for K12s might not work. Credentialing phase could work better to have parent/guardian sign off on that. Also keep in mind that you can see 
• Are there requirements/compliance issues with adding T&Cs, changing the way consent is gathered?
• Maybe, It becomes a part of the admissions/onboarding credentialing  process
• Need to understand implications of people coming from research, other sectors into smaller colleges, or higher ed coming into K12. 
• Would a global eduroam AUP apply equally to IdPs and SPs?
• Different Ecosystem Brokers could apply different AUPs but participation in OR involves agreeing to a certain baseline set of requirements. 
• There is a risk to joining but we feel the risk of not joining is greater so we need to consider jumping onboard with this because everyone else will be.  Eventually users could just join OR with social identities, could displace eduroam and we could lose significance in R&E space
• It's onerous to add in new T&Cs but the community is used to it. Adding OR’s requirements would be another example of this
• SPs rolling this out here in the US, uptake was slow at first but it seems to be picking up steam
• Thoughts on adding global AUP? Even just a statement that IdP and SP AUPs must be adhered to and leave it at that for now? We could build off that 
• Internet2’s has this in the eduroam agreement. All subscribers have to agree to our AUP. Eventually it will be replaced with a national eduroam policy. OR related requirements could be added in there. Starting with the regional agreement and then eventually higher-ed. Gathering informed consent for users would be trickier. 
• We will let GEANT take the lead.  
• ACTION ITEM FOR ALL: Think about how this could affect eduroam as a whole
• An OpenRoaming SP proxy in the EU. If you’re an IdP you can contact Stefan and test or have a demo. At this point the T&Cs don’t need to be signed off on - this is proof of concept only.  Eventually there will be one proxy per country, so this one will eventually transition to production and people will need to agree to the T&Cs. 

• Next meeting of eAC: August 6th, 1pm-2:30pm ET

Intellectual Property Reminder - All Internet2 activities are governed by the Internet2 Intellectual Property Framework.

Public Content Notice - eAC minutes are public documents. Please let the eAC and note taker know if you plan to discuss something of a sensitive nature.