WAYF is a 'data processor' on behalf of the institution where you log in.
WAYF does not store any personal identifiable data about users.
A user may ask WAYF to store information about his consent to data exchange for one or more services. This information is kept in an encrypted form which cannot, in any way, be made human readable (one-way destructive encryption, so-called 'hash values').
When you log into a service via WAYF, the information about you released from your institution may be re-used for up to 8 hours (a working day), provided you do not close your browser. This re-use of data enables 'single sign-on', which means that you will not have to log in again for each WAYF-enabled service you access during that time, whether the same service or another one.
Administer your consents
- With a consent you yourself decide whether you want to let WAYF send your information to the services.
- Your consent applies to one visit only at the service you are trying to access, unless you let WAYF remember which services you have consented to exchange data with. That way you do not need to consent next time you visit the same service. No personally identifiable information is stored at WAYF.
WAYF provides a consent administration web page where users may administer their consents. When you click on the link you will be asked where you come from. Please log in, so that WAYF receives your current personal information from your institution. On the web page you may withdraw prior consents, or consent again to data exchange with services you have consented to before. Each service's purpose is described, and the data that will actually be transferred are presented, so you can decide whether you want to transfer this information in the future. If your personal information changes (e.g. a change of name), you will be asked to consent again, as all consents are specific to the data presented about you.
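The consent mechanism described above, as an added example that is not WAYF's own code: a consent is stored only as a keyed one-way hash of the user, the service and the exact attributes released, so the store holds nothing human readable, and a changed attribute (a new name, for instance) automatically produces a different hash and therefore a fresh consent prompt. It also shows why the administration page needs a login first: with only hashes on file, the current attributes are required to recompute which services the user has consented to. The key, user identifiers, service identifiers and attribute values are constructed for the example; the page does not state which hash function or key handling WAYF uses.

```python
import hashlib
import hmac
import json

# Constructed key for the consent hashes. Assumption: a real deployment would
# keep this in a key store; it is here only so the example runs offline.
CONSENT_KEY = b"constructed-consent-key-not-a-real-secret"


def canonical_attributes(attributes: dict) -> str:
    """Serialise released attributes so that key order and the order of
    multi-valued attributes do not matter, but any value change does."""
    normalised = {
        name: sorted(value) if isinstance(value, list) else value
        for name, value in attributes.items()
    }
    return json.dumps(normalised, sort_keys=True, separators=(",", ":"))


def consent_hash(user_id: str, service_id: str, attributes: dict) -> str:
    """One-way value identifying (user, service, exact data released).
    Only this hash is stored, never the attribute values themselves."""
    message = "\n".join([user_id, service_id, canonical_attributes(attributes)])
    return hmac.new(CONSENT_KEY, message.encode("utf-8"), hashlib.sha256).hexdigest()


class ConsentStore:
    """Remembers consents as hashes only, so the store holds no readable
    personal data and a consent lapses by itself when the released data changes."""

    def __init__(self) -> None:
        self._hashes: set = set()

    def record(self, user_id: str, service_id: str, attributes: dict) -> None:
        self._hashes.add(consent_hash(user_id, service_id, attributes))

    def has_consent(self, user_id: str, service_id: str, attributes: dict) -> bool:
        # Called at login with the attributes the institution released just now;
        # a changed name or affiliation yields a different hash, so the user
        # is asked to consent again.
        return consent_hash(user_id, service_id, attributes) in self._hashes

    def withdraw(self, user_id: str, service_id: str, attributes: dict) -> None:
        self._hashes.discard(consent_hash(user_id, service_id, attributes))

    def consented_services(self, user_id: str, attributes: dict, known_services: list) -> list:
        """What the consent administration page can list. Because only hashes
        are kept, the user must log in first so that the current attributes
        are available to recompute the hash for every known service."""
        return [s for s in known_services if self.has_consent(user_id, s, attributes)]


if __name__ == "__main__":
    store = ConsentStore()
    released = {"cn": "Alice Example", "eduPersonAffiliation": ["student", "member"]}
    store.record("alice@example-university", "sp:library", released)
    print("same data, same service:", store.has_consent("alice@example-university", "sp:library", released))
    renamed = {"cn": "Alice Married", "eduPersonAffiliation": ["student", "member"]}
    print("after a name change:", store.has_consent("alice@example-university", "sp:library", renamed))
    print("listed on admin page:", store.consented_services("alice@example-university", released,
                                                          ["sp:library", "sp:journal"]))
```

The HMAC key is what keeps a stored hash from being reversed by someone who can guess the user, the service and a small set of plausible attribute values; without a key, a hash over low-entropy data is only as secret as that data.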
Pseudonyms
Be recognized without being identified
A pseudonym is a 'mask' you may wear to get recognized - without being identified.
If you want to be recognized in the electronic world without revealing your identity, you should use pseudonyms. A pseudonym for the author of this text (David Simonsen) is 'WAYF-DK-8ee5f9ce8db1bff7eb6cd392c39fb6de24938b41'.
If your employer or educational institution has bought general access to a database, collaboration tool or similar, there is no reason for the service to know the identities of individual users. For the service to grant access, it suffices to know which institution a given user is affiliated with. Pseudonyms are personal and may therefore be used to personalize web pages or let users continue where they left off the last time they used the service. All the service needs to know is that the present user is the same user as last time, not who the user is.
Why care about privacy?
Many aspects of our daily life are lived on the net: we shop, communicate, have hobbies etc. The business of web-based targeted advertising has grown fast and is getting increasingly sophisticated through the use of data mining, pattern search for behavior etc. A new economy has risen in the shade of the many web-based services, which now exchange 'experience', often for money. One way of protecting the users (consumers) against cross-service analysis, and thereby protecting the users' privacy, is to use pseudonyms in the electronic world. Why should your travel agent or insurance company know your preferences for food, medication, underwear etc.?
WAYF provides secure pseudonyms, taking advantage of a new eID federation architecture
Pseudonyms must live up to the following three requirements:
- a given user's pseudonym must be the same from time to time, to make her recognizable
- different services (i.e. web sites) must receive different pseudonyms (service specific) to prevent cross-service data mining
- it must be technically possible, but really hard, to find the person behind the pseudonym (which by definition is not possible for anonymous persons)
When logging into a website using the eID federation WAYF, predefined personal information is transferred from the user's home institution, via WAYF, to the service. WAYF has a secret formula for calculating personal, service-specific pseudonyms. The formula takes as input the name of the service (to make the pseudonym service specific) as well as the name of the user (to make it personal).
When the user is recognized by the service, it may personalize the interface and/or functions without knowing the identity of the user.
If a serious abuse case occurs (one being investigated by the police or similar), the service will only know the user's pseudonym, not her identity. WAYF does not store any personal information and can therefore only contribute the secret formula for the pseudonyms to the investigation.
Equipped with the abuser's pseudonym and the secret formula, the recalculation of pseudonyms for all users in all user databases connected to WAYF may begin. When a match is found, the identity of the abuser can be revealed.
With this three-party pseudonymisation (user data, formula and result), users can feel absolutely safe that the pseudonyms are only used for recognition purposes, not for identification. With WAYF as the trusted third party generating the pseudonyms, it is impossible to data-mine across services. Nor can services query the user's identity at their home institutions, as the formula is known only to the trusted third party.
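The three requirements and the investigation procedure above, as an added example that is not WAYF's own formula: a keyed hash (HMAC) over the user identifier and the service name gives a value that is stable per user, differs per service, and cannot be recomputed or linked by anyone without the key; the investigation step is then a recalculation over every connected user directory until a match appears. The key, the two institution directories and the service identifiers are constructed for the example. HMAC-SHA1 is an assumption chosen only because it yields the 40 hex characters of the pseudonym shown on the page; the page does not state WAYF's actual algorithm. The example also feeds a stable institutional identifier rather than a display name into the formula, so that a name change does not break the first requirement.

```python
import hashlib
import hmac

# Constructed federation key standing in for the 'secret formula'. Assumption:
# HMAC-SHA1 is used only so the output matches the 40 hex characters of the
# pseudonym shown on the page; the page does not state WAYF's real algorithm.
FEDERATION_SECRET = b"constructed-federation-secret-not-wayf-s-key"
PREFIX = "WAYF-DK-"


def pseudonym(user_id: str, service_id: str, secret: bytes = FEDERATION_SECRET) -> str:
    """Service-specific pseudonym: the same (user, service) always gives the
    same value; the service name in the input makes values differ between
    services; the key means nobody without it can recompute or link them."""
    message = f"{user_id}\x00{service_id}".encode("utf-8")  # NUL keeps the fields apart
    return PREFIX + hmac.new(secret, message, hashlib.sha1).hexdigest()


# Constructed user directories of two institutions. In the federation model
# these live at the institutions; WAYF stores none of them.
INSTITUTION_USERS = {
    "example-university": ["alice@example-university", "bob@example-university"],
    "example-college": ["carol@example-college"],
}


def find_user_for_pseudonym(target: str, service_id: str, directories: dict,
                            secret: bytes = FEDERATION_SECRET):
    """The abuse-investigation step from the text: given the pseudonym, the
    service it was issued to and the secret, recompute pseudonyms for every
    user of every connected institution until one matches."""
    for institution, users in directories.items():
        for user_id in users:
            if hmac.compare_digest(pseudonym(user_id, service_id, secret), target):
                return institution, user_id
    return None  # no connected directory holds a matching user


if __name__ == "__main__":
    p = pseudonym("alice@example-university", "sp:library")
    print("pseudonym at sp:library:", p)
    print("stable on next login:", pseudonym("alice@example-university", "sp:library") == p)
    print("same user at sp:journal:", pseudonym("alice@example-university", "sp:journal"))
    print("resolved by investigation:", find_user_for_pseudonym(p, "sp:library", INSTITUTION_USERS))
```

Two services comparing their user tables see unrelated values for the same person, and a service that knows a user's institutional identifier still cannot compute the pseudonym without the federation key, which is what makes the lookup a deliberate, trusted-third-party operation rather than something any party can do on its own. In SAML federations this role is played by the persistent NameID or eduPersonTargetedID attribute.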
Around 800,000 Danish electronic identities can already take advantage of WAYF-generated pseudonyms today.
