Attendees:  Rob C (Duke), Ken K (I2), Ethan K (UNC-CH), Keith W (Illinois)


For a video recording of the call, see https://internet2.zoom.us/rec/share/7JRsBZr_731IRJ3NslzPZPJxB9-7T6a803QWrvcLnUuDKdwic4ysr6evKWSrrGrn Password: 4k?F0#hZ

Watercooler:

Between Bertha and the RNC, North Carolina is more in the news than some of us might prefer.

Colin Wallace, head of Kantara (which is subcontracted on the Midpoint grant), is engaging with Ken about potential future work with Midpoint around consent and provenance.  Midpoint may find things like the new EU GDPR board rulings interesting (those are on the agenda for today).

Campus situations:  UNC-CH is getting closer to releasing a scenario where classes start a bit early in August, no fall break happens, and the semester ends early over Thanksgiving.  Duke is holding off on making a Fall announcement until June, but expected to be similar.  Financial restrictions continue to ratchet up at Duke, and somewhat at UNC, but state decisions on that front are less settled at this point.  I2 financial impact is likely to lag behind the impact on schools, since I2 is a second order system.  I2 has already made TechEx non-in-person – BaseCamp may be next.

Topics:

Ken:  I looked at the baseline expectations update.  It's still moving slowly, and still avoidant of the mandatory R&S release stuff, and mentions nothing about consent per se.  The new CoCo stuff was interesting in that space, though – there's a webinar sometime in June about it, and it makes heavy use of consent, apparently.  It looks beyond R&E to a more generalized space.  I'll send out the slides I have that they're going to use for the webinar – the slides did not address whether or not it's relevant to the folks outside the EU, and I've sent Nicole a question or two about that.  Assuming it has some relevancy, though, it's a reasonable document.  It's going to the Dutch data processing authority – I know more now about the EU data processing authorities than I care to know – if you can get one authority to agree to something, the others seem morally obligated to go along with it.  CoCo is getting some review, and comes down far on the side that Legitimate interest is being abused, and consent is therefore necessary (but also hard to do right).  I verified with some EU folks on a call this morning that the biggest thing you have to worry about is refactoring applications to account for GDPR and consent.  CoCo feeds into all of that, and may give us some hope for the future.


Ken:  Keith isn't with us to update us on Illinois librarians (which are a species unto themselves), but did anyone catch Lisa's webinar two weeks ago?  (apparently not)  Hoping it got recorded and we can catch it – I'm sure Keith likely caught it and can update us when the opportunity arises.  I did catch a webinar on "discovery" that ended up having nothing to do with IDP discovery and everything to do with content discovery.  Interestingly, I was looking for something (National Theater at Home) – it turns out it's content provided by ProQuest – searching for it at your local University library would likely fail on that account, as it turns out.

<Keith Wessel joined>

Ken:  Spinning back:  CAR/Midpoint discussion hasn't moved much since last call – Kantara is named as mentor to Midpoint for their grant, and they're working with Ken now.  There's a CoCo webinar coming up in June that may further the goal of consent in the EU.  And now we're up to the Illinois librarians update...  Before we talk about Lisa, there was another CNI webinar last week that features an Illinois librarian (not Lisa) talking about "discovery", but it was content "discovery".

Keith:  I'm always amused by the number of terms we use in the IAM world that have different meanings in the Library world – "discovery" and "metadata" and lots of others –

Ken: So the other CNI talk was describing what they were calling "bento box" presentations – what it didn't answer is what sort of communication might exist between the different processes and services in the different "boxes".  Keith – did you get to see the IAM online Lisa did?

Keith:  Sadly, I had a conflict and I've not had a chance to catch the recording yet.

Ken:  Keith, are you involved in the BaseCamp conversation?

Keith:  not this year – I handed it off to Eric because I wasn't going to be available to go to Milwaukee that week, oddly enough, but I'm therefore only tangentially involved.

Ken:  It's interesting because it'd be great to bring new blood into the fold, but I2 is going to charge for it as a virtual meeting, and we'll see if that's feasible or not.  TechEx has been cancelled, and not announced as virtual.

Keith:  The planning committee meetings have been cancelled individually  but not as a set, so there may be movement yet.

Ken:  The CNI virtual meeting actually worked out well.  CNI typically has an executive roundtable where they talk among a limited group of executives about a single topic. In this year's, there were actually 4 executive roundtables in serial, and they got all four sessions into a single integrated report about what various institutions are doing to keep the research efforts alive in the face of what's going on with COVID-19. 

Ken:  Information sharing interoperability:  The Kantara activities are underway.  I was on a call with the advice and consent group this morning, mostly focusing on the topic of how to keep consent records in a distributed ledger.  I'm still warming to the idea of a distributed ledger – having grown up in a federated world – but the question of what to do with consent receipts and how to achieve privacy, in general, with distributed ledgers.  Questions arise like whether my decision to release or not release certain attributes is public information or private?  There are a number of people in that group who do know a lot about the EU situation with privacy under GDPR.  Their back-channel discussion is mostly about how the EU is starting to crack down on the abuse of Legitimate Interest as a legal basis.  They point out that the 2-year grace period for enforcement in the EU of the GDPR expired last week, so there may be much more going on soon in that regard – the EU is beginning to crack down on the abuse of LI.  There have been a lot of references to the IAB (not our IAB, but the Advertising Board) – they don't regulate, but they try to facilitate with non-normative "regulations" for advertising services.  Someone on the call noted that there were two other key targets beyond advertisers – target 3 of the set of 3 was research and education...  That's of course not officially documented anywhere, but the sense is that R&E is in the sights.

Ken:  There are a lot of librarians and a lot of content providers (Elsevier, OCLC, etc.), Ralph from the American Chemical Society, are all engaged with the effort.  I was able, among other things, to get the American Chemical Society to think about the need for attribute release signalling.  Interestingly, the most frequently used word in the EU board's recent release is "Granularity"...

Ken:  Seamless Access is still working on the attribute bundle effort.  Everyone seems to agree that using bundles for user consent purposes as well as IDP configuration purposes would be a good idea.  There's a sub-effort spinning up to look at how to socialize the attribute bundles with vendors as part of their contracts – how to integrate bundles in contracts.  Selective release is bubbling up from the angle of how, e.g., a faculty member associated with two schools signals which school he's with without releasing other affiliations in order to get to specific content licensed just to a particular school.

Ken:  If we think of these things as "end entity tags", some odd issues arise – how do you categorize the end entities for which a bundle of attributes associated with activating accessibility features – as personalization?  Heather's doing a wonderful job of keeping the group moving, and it's been very educational for a number of librarians involved in the effort, so we may end up with some more engaged librarians.  There's an open question now about what group of people do we engage now that we've engaged R&E and librarians?

Keith:  That came up in the TAC last week – there's a lot of good speculation, but no decisions as yet.  We may have more concrete things to talk about in a couple weeks.

Ken:  I got exposed this morning to a revision of NIST 800-53 – revision .5 came out.  It has a large component around privacy.  In fact it creates a security space and a privacy space and describes the interactions between those two spaces.  Generally from an enterprise perspective (so if you have a CIO and a CPO) – real interesting document is out for comment through the end of this week.  I'll send a pointer to it.  Where the distributed ledger stuff is maybe not in our space, but 800.53 is (along with 800.63).  NIST is continuing to flesh out – among their huddled survivors huddled in some dark part of Gaithersburg trying to keep the candle lit on these issues... It's an interesting document to chew on.

Ken:  Segueing then into the EU Data Processing Board stuff.  It's a very dense document – it's linked off our web site.  It's operational and very specific.  It informs through parables, largely – there are 23 scenarios described in the document.  For the most part, it focuses on the structuring of applications in ways that fail to foster the use of legitimate interest and consent properly.  EG:  If you're asking for geolocation information, when is it legitimate interest and when is it something that has to be punted to consent for release – they make the point that services need to be designed around good practices.  

Ken:  Lots of discussion about cookie walls – where a site puts out a cookie that tells the client to accept all other cookies – a sort of "meta-consent" cookie.  They frame things in those terms more than the ones we might use around data minimization and consent control.  It's going to be very interesting to watch app developers deal with the nuanced nature of the issues the EU is now focusing on.  I hope it fosters conversations around minimization.  I assume your campuses put out cookies when browsers visit your web sites?  Another item of interest:  The IAB has determined that if you scroll through a page, it implies  consent – the EU is apparently going to crack down on this. (smile)

Ken:  Unfortunately, the popular press really didn't understand much beyond cookie walls in the EU ruling.  The ruling's examples will get posted to the Drivers web site for us to all review.  

Ken:  Rob and I had a bit of fun with this because it's such a strange 'standard'...  I was asking people about purpose of use and I got pointed to COEL – "The Classification of Everyday Living".  This is literally  an effort to taxonomize daily life so that they can develop context in which to discuss purpose of use.  

Rob:  There's an example in the document they have describing how to taxonomize dishwashing that differentiates between washing dishes by hand and washing dishes in a dishwasher, and between loading  and unloading  dishes from a dishwasher.  

Ken:  It demonstrates the lengths of absurdity to which standards groups can go...  But I'm still looking for categorizations we can use for purpose of use taxonomies...  

Ken:   Rob – any updates on the CAR code front?

Rob:  ...

Ken:  Do we know where Midpoint keeps its configuration information?

Ethan:  All the resource info, etc. is stored in the database – the basic configuration is in properties files.

Ken:  Rob and Ethan and I sit on a biweekly call with Steve Zoppi looking at the TAP components and their potential integration points.  So far, Steve is steering clear of the topic of sharing UIs for administrative purposes.

Ken:  I'll send out some additional material – including the CoCo presentation and the NIST 800.53 material – and Keith sent out the link to Lisa's presentation: https://www.youtube.com/watch?y-SkCeCV1bS6U

