When users consent to data exchange, the consent dialogue must be ‘informed’. This means the user must understand what is going on. A tall order…
The amount of personal information (the attribute release policy) must be balanced with the ‘purpose’ of the service receiving the data. Only data necessary for the functionality of the service may be transferred – and only if the user agrees (consents), of course.
After thorough discussions with both usability and legal experts on handling of personal data, the recommendations for purpose descriptions may be summed up as:
- purpose descriptions should be short. Very short (they should not be like most AUPs). As a consequence, WAYF has an upper limit of 200 characters, which is a bit more than an SMS text message.
- purpose descriptions should be recognizable to users, also when they go to different services, not least to build confidence in the consent functionality. WAYF therefore uses a template for purpose descriptions, see: http://www.wayf.dk/wayfweb/howto_describe_the_’purpose_of_the_service’.html
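To make the two rules above concrete (data released only as far as the service's purpose requires, and a purpose text capped at 200 characters), here is an added Python sketch of the IdP-side consent step. It is not WAYF's own code; the service record, attribute names and user data are constructed sample values.

```python
# Added example, not WAYF's own code: IdP-side consent step applying the two
# rules from the post: a 200-character limit on the purpose text, and release
# of only the attributes the service has registered as required.
PURPOSE_MAX_CHARS = 200  # WAYF's upper limit; counted in characters, not bytes

def check_purpose(purpose: str) -> str:
    """Normalise whitespace and enforce the length limit on a purpose text."""
    text = " ".join(purpose.split())
    if not text:
        raise ValueError("purpose description is empty")
    # len() counts code points, so 'æ', 'ø' and 'å' each count as one character
    if len(text) > PURPOSE_MAX_CHARS:
        raise ValueError(f"purpose is {len(text)} characters, limit is {PURPOSE_MAX_CHARS}")
    return text

def attributes_to_release(user_attrs: dict, required: list) -> tuple:
    """Data minimisation: release only what the SP declared it needs.
    Also returns the required attributes the IdP cannot supply, so the
    dialogue can warn that the service may not work."""
    release = {name: user_attrs[name] for name in required if name in user_attrs}
    missing = [name for name in required if name not in user_attrs]
    return release, missing

def build_consent(sp: dict, user_attrs: dict) -> dict:
    """Assemble what the consent dialogue presents to the user."""
    release, missing = attributes_to_release(user_attrs, sp["required_attributes"])
    return {
        "service": sp["name"],
        "purpose": check_purpose(sp["purpose"]),
        "attributes": release,
        "missing": missing,
    }

# Constructed sample data (hypothetical service and user)
SAMPLE_SP = {
    "name": "Example Library Portal",
    "purpose": "Gives access to the library's e-journals. Needs your identity and e-mail.",
    "required_attributes": ["eduPersonPrincipalName", "mail"],
}
SAMPLE_USER = {
    "eduPersonPrincipalName": "user@example.edu",
    "mail": "user@example.edu",
    "givenName": "Søren",  # held by the IdP but not needed by this service
    "schacHomeOrganization": "example.edu",
}

if __name__ == "__main__":
    print(build_consent(SAMPLE_SP, SAMPLE_USER))
```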
So far, this seems to work out just fine. But think about what happens when services become available in multiple federations. One example is the Nordic Kalmar2 Union (http://www.kalmar2.org). As consent dialogues are managed by identity providers (IdPs), agreement on both form and content should be reached.
How do we ensure that purpose descriptions originating from federation X can be used in federation Y? Do the various SAML implementations behave the same way? What if the templates do not fit? What if there are no templates at all? What does it take to transfer purpose descriptions between federations?
These, and presumably many more questions, must be handled in the growing world of both federation and interfederation.