Posted May 21, 2009

OK, it’s a trick question. The answer, as with much data and all personal data, is “it’s contextual”… which is basically a fancy way of saying “it depends”. This CNet News article from yesterday throws up some of the questions, in a US-centric context, though there are many more, and even those it raises, the article doesn’t necessarily resolve.

So, what do I mean by contextual? Well, I’ve already given one example of that; the CNet News article (entitled “What you need to know about e-health records”) is fairly useful if you’re in the US healthcare system – but a lot of it is irrelevant if you aren’t. One huge contextual factor is which country you live in, with the associated factors like that country’s attitude towards state- vs. privately-funded healthcare, preventive medicine, health insurance, family doctors, privacy law and so on.

Here are a few more examples of contextuality which the CNet article illustrates:

* at a “political” level, Electronic Patient Records (EPRs) ‘mean’ money. If you’re a techno vendor only interested in cornering a chunk of President Obama’s stimulus package for commercial gain, the data is incidental (in fact, paying to secure it only reduces your bottom line): what’s important is the subsidy;
* if you’re an insurer, EPRs mean being able to get sufficient detail to judge – automatically if at all possible – whether a given treatment is covered under the policy or not. In that context, the distinction between “cancer which has spread to the brain” and “cancer which has spread to the spine” may well be irrelevant, as the article notes;
* if you’re the patient or the physician, of course, that distinction might be highly relevant… but in the example given, the data in the EPR was ambiguous because it was designed primarily to meet the insurer’s requirements, rather than those of the other relevant stakeholders.

So what EPRs mean depends on things like who you are, what you’re doing with the data, where you’re doing it, why you’re doing it, and very often even when you’re doing it… (it’s one thing to need data urgently in the heat of emergency treatment – it’s another to need it forensically post mortem).

Why’s all this an issue? Well, as the CNet article points out, the stimulus package is driving a lot of efforts to standardise EPRs and make them portable, interoperable and consistent. At a syntactic level, that raises one set of problems (which experience suggests are solvable with time and effort). At a semantic level, as the contextual examples show, the problems are of a quite different order of difficulty.

That’s the point at which the technical work on interoperability needs to be complemented by work on contextual factors like policy, regulatory measures, user consent and control, and matching purpose of collection against purpose of use. These are the kinds of question we have worked on for some time in the Liberty Alliance Public Policy Expert Group (PPEG), and which I confidently hope will continue to grow into a compelling work stream under the Kantara Initiative. Also in the Kantara structure there is a proposal for a Health Information Assurance (HIA) Work Group, whose draft charter you can find here. I will be adding a draft charter for the Privacy and Public Policy Work Group (P3WG) within the next few days, and that will include a goal of effective liaison with the HIA group.

Precisely because EPRs raise so many issues – both within and between different national healthcare and regulatory systems – this work needs to be able to draw on a broad range of expertise. Please have a good look around the Kantara website; there are many levels at which you can participate in this work, and I would encourage anyone with a stakeholder interest in EPRs to do so.

–posted by Robin Wilton, Director of Privacy and Public Policy, Liberty Alliance

Project Concordia, a Kantara Initiative co-founder, recently responded to a need of one of its members and issued a simple survey to learn more about the community’s use of identity federation. 112 respondents viewed the survey (which weeded-out organizations who were not participating in a federation, resulting in 103 survey respondents). Some interesting highlights (the full survey is available here) include:

• The most popular federation protocol was SAML 2.0 (75.6%). The next highest response category (respondents could select all that applied) was SAML 1.x at 53.5%.
• Between two and ten federated relationships, for both Service Providers and Identity Providers, was the most popular number of relationships, although the next most popular category for both was “more than 10”, so clearly where there’s traction, it’s growing (proving getting over that first hump is often the hardest task).
• Commercial federation products were popular (59.8% of respondents using), although open-source toolkits also had a strong showing (46.3%).
• Many recognized benefits had more than 50% of respondents, including single sign-on benefits (87.8%), enhanced user experience (64.6%), greater security (63.4%), and reduced costs to support partners (63.4%).
• But there are still challenges, chief among them potential partners lacking identity federation technology (78%) and lack of experience in implementing federation technology (65.9%)

Most telling of all was the ending free response area, which is best summed up with the very first comment: “[We] need to find ways to make people realize [federation is] a business partnership first before technical; more emphasis gets placed on technical, but should be placed on business.” Several others went on to point to the importance of trust, legal relationships, clear administrative boundaries, and a common identity assurance framework (yes, some of our prospective members have some thoughts here!).

Clearly the time is ripe for federation. Where the audience is educated and relationships exist, benefits are being realized. But we still have a huge opportunity ahead of us to better educate and make it easier to “do” federations by solving some of those business partnership issues in a more consistent way. Those who are succeeding seem very happy and realizing great results—they just want more partners to federate with—now!

Looking forward to some more research from the Concordia community! Survey suggestions appear to be welcome on the survey page.

Kantara Initiative has become a sponsor of this month’s IIW (Internet Identity Workshop) taking place at the Computer History Museum in Mountain View California. We join Information Card Foundation, Google, Microsoft, OASIS ID Trust, OpenID Foundation, OUNO, Plaxo and Yahoo Developer Network in sponsoring the May 18-20 event.

 

IIW was launched in 2005 by Kaliya and Phil and since then developers and those working in the identity industry have found these “un-conference” sessions incredibly valuable for addressing a wide variety of digital identity issues. Next month’s event features some great proposed topics as well as some really cool demos.

 

The registration page is here. We’re pleased to be part of IIW and hope to see many of you there!