7′ speech: students in control over their own data



SURFnet, the Dutch National Research and Education Networking organisation, had their two-year networking event for their customers and partners (3-4 October 2012). A new item were 7′ TEDx-like speeches, one of which was given by me. I talked about putting the student central in discussions about privacy in higher education, e.g., when introducing promising innovations like learning analytics. Although preparing for 7′ takes way more time per minute than preparing for 45′ or 90′ presentations (the length of the presentation the day and week before), it was fun doing it. I basically argued that the user acceptance of privacy-sensitive innovations in higher education is more important than whether lawyers think that these innovations are allowed. This means that 1) you should explain the benefits of the innovation for the student and why the data is needed, 2) you should be transparent on exactly what data is collected and 3) whenever possible the student should be able to control the collection/sharing/retention of this data.

For more information (all in Dutch ..): here is a blog post from SURFnet on my presentation. Here are the slides, but since they have a lot of pictures and little text, you are probably better off watching the video. It is only 7′ 🙂 My presentation starts at 1:11′. You can also watch the other presentations, including cool visualisations of open data by the VPRO (first talk) and interesting thoughts on next-generation trust infrastructures by Roland van Rijswijk (SURFnet, second talk).

Digital identity in the Netherlands: DigiD for consumer-2-business?


On Tuesday 4 October we organised a Novay networking event called Tuesday Update, with digital identities as the subject. The main subject of discussion was the need for re-usable identities, and especially who should be the identity provider: government or private parties. This is a hot subject in the Netherlands, also because of the recent security incidents (DigiNotar). Hein Aanstoot, director at SIVI, argued very well that the insurance sector increasingly needs a consumer-2-business identity solution, and that if they were allowed to use the national citizen-2-government solution DigiD, this would help insurance companies a lot. This is however not allowed in the Netherlands, and Kees Keuzenkamp from the ministry of Internal Affairs explained the policy developments in this area (NL and EU), including the planned Dutch eID smartcard (called eNIK, elektronische Nederlandse Identiteits Kaart). Bottom-line (in my wording) is that the decision on eNIK will be taken end of this year (after which it goes to parliament) and that it is very unlikely that DigiD/eNIK can be used as a generic consumer-2-business identity solution. Hein Aanstoot also gave some insight into a new initiative with several large insurance companies to create a breakthrough in a re-usable identity for the insurance sector. I think it is good for these insurance companies that they do not make themselves (too) dependent on the government or others (banks). I also presented, and gave my perspectives on consumer-2-business identities, why this is so difficult (privacy, trust etc), the outcomes of our cidSafe project, my views on DigiD (and eHerkenning) and what the role of government should be (especially: solve it or be very clear you’re not going to do so). I also presented three innovations we are working on that we believe will increasingly become important: user control over their data, mobile-centric identity and context-enhanced authentication/authorization.
My presentation is on slideshare (Dutch!).


Consent from the EU legal perspective


The Article 29 Data Protection Working Party wrote an opinion on the definition of consent. Not everything this Working Party produces is of interest to me, or even understandable (‘too’ legal for mere mortals). I however did find this opinion interesting since it describes when consent is needed from a legal perspective (based on Data Protection and e-Privacy Directives), and it has examples making it relatively easier to interpret. In my work in this area I usually take the user’s perspective on consent (e.g., on consent for the SURFfederatie), and how to enforce this (architectural/technical perspective), but a legal perspective is of course also needed.

The statement in the summary that especially got my attention was that if consent is used incorrectly, the data subject’s control becomes illusory. I couldn’t agree more. Of course, consent cannot be used as an excuse, in some cases a different legal ground is needed, and consent should be informed, freely given etc. I however do want to make a point here that even in cases where privacy law requires a different legal ground for data exchange than consent, it does not forbid additionally asking for consent. I therefore argue that the decision if and how to offer consent should be primarily based on whether users want it.

Below I quote and interpret parts of the opinion that I found most interesting, and further motivate my position on doing consent-even-when-not-legally-needed.

… obtaining consent does not negate the controller’s obligations under Article 6 with regard to fairness, necessity and proportionality, as well as data quality. For instance, even if the processing of personal data is based on the consent of the user, this would not legitimise the collection of data which is excessive in relation to a particular purpose.

Consent is related to the concept of informational self-determination. The autonomy of the data subject is both a pre-condition and a consequence of consent: it gives the data subject influence over the processing of data. However, as explored in the next chapter, this principle has limits, and there are cases where the data subject is not in a position to take a real decision. The data controller may want to use the data subject’s consent as a means of transferring his liability to the individual. For instance, by consenting to the publication of personal data on the Internet, or to a transfer to a dubious entity in a third country, he may suffer damage and the controller may argue that this is only what the data subject has agreed to. It is therefore important to recall that a fully valid consent does not relieve the data controller of his obligations, and it does not legitimise processing that would otherwise be unfair according to Article 6 of the Directive.

Or in my wording: if a data processor has obtained consent then this does not mean the data processor can do whatever he wants with the data. It has to be a reasonable usage of the privacy-sensitive data, the data processor still has a liability and, last but not least, the person has to be in a position to really make a decision.

Transparency is a condition of being in control and for rendering the consent.

Or in my wording: without insight there is no actual control.

There are in principle no limits as to the form consent can take. However, for consent to be valid, in accordance with the Directive, it should be an indication.

The form of the indication (i.e. the way in which the wish is signified) is not defined in the Directive. For flexibility reasons, “written” consent has been kept out of the final text. It should be stressed that the Directive includes “any” indication of a wish. This opens the possibility of a wide understanding of the scope of such an indication. The minimum expression of an indication could be any kind of signal, sufficiently clear to be capable of indicating a data subject’s wishes, and to be understandable by the data controller. The words “indication” and “signifying” point in the direction of an action indeed being needed (as opposed to a situation where consent could be inferred from a lack of action).

Or in my wording: consent can be implicit in an action, but not implicit in doing nothing.

Consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if he/she does not consent.

In several opinions, the Working Party has explored the limits of consent in situations where it cannot be freely given. This was notably the case in its opinions on electronic health records (WP131), on the processing of data in the employment context (WP48), and on processing of data by the World Anti-Doping Agency (WP162).

Or in my wording: a consent given in a situation where the person did not really have a choice is basically no consent, and another basis for processing the data is needed. I guess the consent could be considered a form of confirmation that the person was at least informed, but the opinion did not state that explicitly.

To be valid, consent must be specific. In other words, blanket consent without specifying the exact purpose of the processing is not acceptable.

To be specific, consent must be intelligible: it should refer clearly and precisely to the scope and the consequences of the data processing. It cannot apply to an open-ended set of processing activities. This means in other words that the context in which consent applies is limited.

Consent must be given in relation to the different aspects of the processing, clearly identified. It includes notably which data are processed and for which purposes. This understanding should be based on the reasonable expectations of the parties. “Specific consent” is therefore intrinsically linked to the fact that consent must be informed. There is a requirement of granularity of the consent with regard to the different elements that constitute the data processing: it can not be held to cover “all the legitimate purposes” followed by the data controller. Consent should refer to the processing that is reasonable and necessary in relation to the purpose.

The need for granularity in the obtaining of consent should be assessed on a case-by-case basis, depending on the purpose(s) or the recipients of data.

Actually, this one does not help me much. Completely open-ended consent is of course not valid, but there are many gray zones here … I guess doing a user survey on what users expect the consent to reasonably include would be an approach, but I don’t know if that would hold up in court.

“consent by the data subject (must be) based upon an appreciation and understanding of the facts and implications of an action. The individual concerned must be given, in a clear and understandable manner, accurate and full information of all relevant issues, in particular those specified in Articles 10 and 11 of the Directive, such as the nature of the data processed, purposes of the processing, the recipients of possible transfers, and the rights of the data subject. This includes also an awareness of the consequences of not consenting to the processing in question”

Two sorts of requirements can be identified in order to ensure appropriate information:

• Quality of the information – The way the information is given (in plain text, without use of jargon, understandable, conspicuous) is crucial in assessing whether the consent is “informed”. The way in which this information should be given depends on the context: a regular/average user should be able to understand it.

• Accessibility and visibility of information – information must be given directly to individuals. It is not enough for information to be “available” somewhere.

I do not understand the difference with transparency, but it certainly makes sense that consent needs to be informed. This is in my opinion also very difficult in reality, since users will often not be willing to spend time/attention to be informed. There are trade-offs here. I think in current practice the quality of information requirement is violated with long legal texts that no-one wants to read or is able to understand.

As time goes by, doubts may arise as to whether consent that was originally based on valid, sufficient information remains valid. For a variety of reasons, people often change their views, because their initial choices were poorly made, or because of a change in circumstances, such as a child becoming more mature. This is why, as a matter of good practice, data controllers should endeavor to review, after a certain time, an individual’s choices, for example, by informing them of their current choice and offering the possibility to either confirm or withdraw. The relevant period would of course depend on the context and the circumstances of the case.

This is what we call “timed consent”. I didn’t realize this was a good practice from a legal perspective 🙂 Our primary motivation for introducing timed consent is also different: we did it because people will forget what they consented to, not because they changed their mind or circumstances changed.

What becomes clear in the opinion is that simply asking for consent is often not enough. There has to be an actual choice, and the data processor has to provide different legal grounds if this choice is not there. This is also argued by this blog post of Andrew Cormack (JANET). Although I, of course, agree with this, I do not think this means that a consent functionality is therefore not beneficial in cases where a different legal ground is needed.

To make this more specific, take the consent-from-a-user-perspective pilot we did as an example. In this case, in the SURFfederatie, personal information is exchanged between universities and service providers. Some of the provided services a student simply has to use to be able to complete some course. In this case, there is little choice and there needs to be a different legal ground for the data exchange (and I think there is). However, I believe there is added value in still offering a consent question during the login user experience because:

  1. The users are informed that this exchange takes place, which in my opinion is a goal in itself.
  2. There are also services where the user does have a choice, and consent is needed as a legal ground to exchange data, and we need a consistent user experience for all services.
  3. Last but not least: users appreciate the consent question, as our research showed (85% in our pilot).

Or to make it as simple as I can make it (repeating my earlier statement): even in cases where privacy law requires a different legal ground for data exchange than consent, it does not forbid additionally asking for consent. I therefore argue that the decision if and how to offer consent should be primarily based on whether users want it.

Position paper on digital identity from Thuiswinkel.org (Dutch online retail association)



Last week the Dutch online retail association Thuiswinkel.org published a press release and position paper (in Dutch) on online identity services. The press release contains five recommendations aimed at ‘parties in the online identity services area’. I think it is good that Thuiswinkel.org apparently considers this an important subject, and I agree with most of what they state in the recommendations. I do however have some comments on the specific recommendations. I translated each recommendation below, and give my comments on each of them.

  1. Re-use of existing consumer identities, such as login data, bank cards and phones
    My comment: yes! This is/was also a key element in our vision for a trustworthy consumer identity in the cidSafe project (see whitepaper and authentication overview). Especially the “existing” in this recommendation is important because of the business case and user convenience implications.
  2. Choice for online retailers between several providers that each provide universal access to identities, also internationally
    My comment: this seemed a bit naive, that there will be several providers that can provide universal access. But checking the explanation in the position paper itself made it clear that they refer to intermediate brokers between the online retailers and the identity providers. These may make life easier, see a previous post on 3 vs 3.5 vs 4 party models.
  3. The user determines which parts of his identity he reveals, the online retailers determine the desired trust level
    My comment: good! Where in many cases revealing “nothing” should be an option …
  4. Good communication about online identities for users
    My comment: absolutely, the question is more the ‘how’, and where the trade-offs are between keeping the solutions simple enough so we do not need to explain too much, and having an open and flexible solution.
  5. Government should start with a pilot with verified attributes that online retailers can use, including age
    My comment: no 😦 see below

The press release, and following press articles such as this one, focus on the online age verification recommendation. This is a hot subject in the Netherlands, also because of legislation on what you cannot sell to minors, e.g., porn, violent video games or gambling to 16 years or younger. In the offline world this can be (but is not always …) checked by the cashier; in the online world there is currently no way to do so. I however disagree with the fifth recommendation for two reasons. The first is that it is more general on the verified attributes than age, and with minimal data disclosure in mind I do not see why this needs to be so general (with post-payment as a possible exception, but more creative things can be done there). Secondly, it assumes a government solution. Why exclude a private market solution? Actually, Novay (in the person of my colleague Bob Hulsebosch) did an impact & feasibility study on using iDEAL for online age verification for online retailers. Our client was a public-private working group from the Ministry of Security and Justice and NICAM. iDEAL is the Dutch online payment service provider for retailers and is used by 81% of Dutch web shoppers. Online retailers would in this case rely on the banks behind iDEAL for age verification. See also this recent article in emerce with an interview with working group lead Willem van Teeseling from Buro 240a. Of course, also a private market solution may benefit from ‘encouragement’ from the government, but that’s not what the fifth recommendation states (contrary to section 6.5 of the actual position paper which is more in line with my position on this).

Only somewhat related to the above, in the position paper a few sentences discuss combining identity with payment, which would streamline the user experience. We all know: fewer clicks, more convergence, thus this is IMHO a good point: payment providers have an edge as identity providers, especially when it comes to online retail. And the point they also make, that the mobile channel needs a more user-friendly identity solution (with less user input), is also very true I think.

Government eID versus identity trust frameworks, at EIC


I spent most of this week in Munich, at Kuppinger Cole’s European Identity Conference. This had again a full program with presentations and panels on digital identity, GRC and, of course, cloud. Some personal highlights were presentations and panels on:

  • externalization of authorization (XACML 3.0 won an identity award)
  • privacy (including personal clouds/datastores, Qiy won an identity award)
  • consumer identity/trust frameworks/OpenID (including an interesting presentation by Andrew Nash from Paypal)
  • and mostly the off-sessions discussions with leading people in the digital identity area

I also had a presentation myself on consumer identity, and participated in a panel. I presented my ideas on government issued consumer/citizen identities versus doing this through the market via an identity trust framework.

Quotes from IT-security-in-2010


While catching up on reading my favorite blogs, I read Bruce Schneier’s blog post on IT security in 2010 (already a couple of weeks old …). Worth the read, especially these quotes:

One old trend: deperimeterization. Two current trends: consumerization and decentralization. Three future trends: deconcentration, decustomerization, and depersonization.

IT security in 2020 will be less about protecting you from traditional bad guys, and more about protecting corporate business models from you.

With decustomerization Bruce refers to the trend that we get IT services for free, but then become the product instead of the customer, e.g., Google, or Facebook. Eve Maler also has some blog posts on this, for example “The price of free service”.

User consent pilot for SURFnet


Together with my colleagues Ruud Janssen and Dirk-Jan van Dijk we have been working for SURFnet to help them decide if, and if so how, they should add a user consent feature to their SURFfederatie identity federation service. See also this previous post on user-centric SAML that describes what we did last year. We continued this year, doing additional user studies, deciding on architectural issues, developing a prototype and doing a pilot. This pilot started two weeks ago 🙂, see also a SURFnet news item (Dutch) on this. The pilot is with three of the bigger Dutch universities, and students/employees that go to the selected service providers will be asked to participate in the pilot. They go through the consent pages, and we bother them with two online surveys to get their feedback. It’s too early to predict the outcome, but the pilot itself seems to be going well.

At ISSE 2010 I gave a presentation on the current status of this work; the presentation is on slideshare. In December we’ll finalize a report with the outcome of the pilot, after which it’s up to SURFnet to decide if they’ll add this feature to the SURFfederatie.