[Fim4l] LexisNexis Advance
Bernd Oberknapp
bo at ub.uni-freiburg.de
Mon Mar 15 19:53:39 CET 2021
Hi Meshna,
On 15.03.21 18:14, Koren, Meshna (ELS-AMS) wrote:
> "when no pairwise-id/eduPersonTargetedID is passed to the SP, the SP
> still should offer personalization based on a registered account ."
>
> Human users tend to re-use passwords, and instead of protecting
> themselves behind the institutional credentials, they are sharing the
> password with SPs during the 'registration' and make themselves
> vulnerable. That's not how federated access is meant to work.
if you regard a registration as not secure enough, that's of course your
choice. Maybe you could consider offering different options like PubMed
does.
> Also; as far as the user's choice goes; users don't understand what the
> consequences of releasing or not releasing a pesudonymous attribute are,
> and why should they. This system is too complicated for users to be able
> to make informed decisions.
Well, if the users don't understand why they release PII like a
pairwise-id/eduPersonTargetedID, then we have a fundamental problem,
because the consent wouldn't be free and informed and therefore would be
invalid. So we have to explain this in a way the users can understand.
> If you don't trust the SPs that they are not
> going to abuse personal data than that is what you need to address.
If an IdP doesn't trust an SP, an attribute like
pairwise-id/eduPersonTargetedID of course shouldn't be released at all,
and the trust issue indeed would have to be addressed. But that's not my
point. The point is that we cannot force users to consent to releasing
PII (like a pairwise-id/eduPersonTargetedID) that isn't necessary (if
the user doesn't want to use the personalization) and deny access to
resources necessary for their studies or research if the users don't
give their consent - that again wouldn't be free and informed consent.
So this could get the institution into trouble, unless there is a
comparable alternative (back to IP based access?) the users could be
pointed to if they don't want the information to be released. Or the
institution would have to argue that no consent is needed because
releasing the attribute is necessary (which would be difficult for an
optional feature like personalization).
Best regards,
Bernd
--
Bernd Oberknapp
Gesamtleitung ReDI
Albert-Ludwigs-Universität Freiburg
Universitätsbibliothek
Platz der Universität 2 | Postfach 1629
D-79098 Freiburg | D-79016 Freiburg
Telefon: +49 761 203-3852
Telefax: +49 761 203-3987
E-Mail: bo at ub.uni-freiburg.de
Internet: www.ub.uni-freiburg.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5627 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.daasi.de/pipermail/fim4l/attachments/20210315/e3426d57/attachment-0001.p7s>
More information about the FIM4L
mailing list