Just come back from a short vacation, sry for the delay:
* Peter Gietz peter.gietz@daasi.de [2019-04-29 17:24]:
Yes, and I was part of that struggle too. The difference: we were (or at least I was) talking about research infrastructures that often had involvement of the IdP institution and that always belong to the same "side" (=publically funded research). In that case of course also personal data should be sent (but haven't a lot) to the SP and for such cases IMO R&S and Coco were invented and/or pushed. When I now learn that publishers promote Coco (and might want to activate the respective entity category), personal data might then be sent to the other "side", where it is, despite Coco, not certain that the data are used in a way the IdP wants them toi be used, and if it is Coco v1 it is only about European SPs any way, isn't it?
[...]
In an ideal world, all public research infrastructures would get email address and such, if they activate R&S (to prove they belong to the research community) and Coco (to prove that they adhere to EU privacy legislation). Publishers would be able to get more than a targeted ID (pairwise subjectID of course) if they activate - lets call it publisherCoco for now - (to prove that they belong to the community of for profit publishers and o prove that they adhere to EU privacy legislation), like a persitent ID, but still no email, etc., which they still would have to ask from the user. That was the idea.
The above would need some serious unpacking and closer analysis in order to draw any conclusions from it, IMO.
E.g. there are for-profit and non-profit library service operators in common use today, so that division is not overly helpful in practice. And at least GDPR doesn't differentiate between those cases at all. (I.e., you don't get a "get out of jail free"-card if you're non-profit and/or part of publicly funded research: The exact same criteria and rules apply either way.)
I find your whole notion of "sides" questionable which in my experience mirrors neither the "same side" situation (many research projects are having impossibly hard times[1] getting institutions to release needed attributes so that those institutions' own members can perform the research they've been hired to do, as you allude to above) nor the "other side" one (e.g. publishers pretty much always have a contract with either the institution itself or an agent acting on behalf of the institutiton, such as a local library consortium; due to that contractual relationship with institutions there's an extablished communication channel that allows to tie in discussions about up technical integration, too; so if anything they're closer to the institutions that their "same side" publicly funded research projects).
I also don't share your blanket statement of distrust wrt publishers who according to your first paragraph above are likely to misuse personal data even if they claim accordance with CoCo (and therefore, GDPR). Not least because their business model isn't based on monetising that personal data, AFAIK.
I'm still open to hearing arguments about what exactly it is you want to achieve and what you feel the problem/s is/are in this area but I think that requires more detailed discussion.
Best regards, -peter
[1] https://refeds.org/a/1154 to reference one well-known example