Attending
Donald Beck
Craig Jackson
Von Welch
Susan Blain
Tracy Mitrano
Steven Carmody
Ann West

Action Items
AI - Send Susan questions with what to include on a checklist that organizations should consider when inter federating. 
AI - Ann to create a google doc. 
AI - Steven will add an item to REFEDS 2015 list about privacy. 
AI - Ann will talk with the TAC and Steering about the timeline for interfed. 

Notes
Ann presented an overview of the move-to-interfed timeline we’ve been talking about as well as the relevant clauses in the eduGAIN Declaration document. Steven suggested we move up the timeline because we are not asking their permission. We just need the time to educate them about what to do. AI - Ann will talk with the TAC and Steering about the timeline for interfed. 

Privacy and Interfederation
Susan reviewed the punch list and provided a brief overview of her assessment of the space.

When two parties enter into an interfederated relationship, what’s the role of the interconnecting third party? The first and second party are bound by the privacy requirements of their own country, and the federation operator just facilitates the interaction. In this scenario, the accountability is with the individual participants. They are the ones that need to make sure they are getting the information and assurances they need. 

So what’s the role of the federation? InC could develop an index of privacy requirements by country. But this takes a lot of work, time and constant attention. Even privacy professionals have a challenging time keeping up with it.

Campuses want to inform themselves not only of their collaborators' laws, but also the cultural implications that bear on those laws. InCommon doesn't have a role other than possibly providing a checklist or FAQ of key questions that participants should ask/get answered. What is it that you would want to know about a potential partner? AI - All will contribute their thoughts to a Google doc that Ann will send out. 

In the absence of any real international law, we kick the can. We should have something about privacy in the relevant documents, but it’s more along the lines of notification of what we do, not necessarily changing what we do. 

If we had consent, how does that change privacy? Does Brown still have liability? We don’t know the answer, because there’s no case law about how this is viewed on an international basis. There’s insufficient data about privacy concerns across national boundaries and no case law to point to how to do it. We’re probably looking at a new model, but we don’t have the examples to point to a direction. 
AI - Should we add an item to REFEDS with this issue? Yes.

Are there key statements we need to make about privacy?
- We can’t assume that international members have the same legal structure as InCommon Members.
- What happens when there’s a government subpoena? Issues around external influence. If it’s metadata only, and we get a subpoena because of US engineering research and a hostile country, how do we handle that? We should include a reminder that different countries and different laws are involved. We would be obliged to respond to a warrant. 

Give notice on a few key issues:
- InCommon responds to adjudicated orders (or properly served legal papers).
- Consumer privacy - are we selling information? Do we data mine or process it? Do we have PII?
     - How long for retention? How is it destroyed?
     - InCommon Federation Operations does maintain some personal information (name, phone number, affiliation) in our systems for contacts responsible for their identity infrastructure at their organization. We may want to have privacy information for them. Regarding users, we have no involvement in the interactions between two parties. We just allow them to communicate by providing directions to each other. 

How might community colleges such as Donald’s react to the FAQ identified above? Donald would work with MCNC (their state R&E network working with them on identity) to talk through privacy concerns, but it would be useful to have a document that outlined what they should be aware of. 
