[WG-P3] Research report on IdM within the EU Data Protection Directive

j stollman stollman.j at gmail.com
Sun Nov 13 01:06:37 EST 2011


After reviewing the GINI document I was particularly disappointed in two
items:

   1. They use the term Actor to identify the various parties to a
   transaction.  I think that Role is a far better term, since any one Actor
   may have one or more Roles in a particular transaction.  But this
   technicality does not impact the overall value of the document.
   2. More discouraging is that the GINI approach presupposes the same
   fatal error that every other organization seems to be taking:  start
   programming and worry about the requirements later.  I refer to Section
   4.8.3 which states, "One of the first steps in the development of such a
   framework involves putting in place (or at least identifying)
   reliable identification and authentication mechanisms."  I would argue that
   while this is exactly what people have been doing, it is a mistake to start
   putting in place (or, even, identifying) identification and authentication
   mechanisms until we have developed the requirements for the different types
   of identification and authentication that the framework needs to handle.  I
   can accept the deployment of small, special-purpose frameworks to meet
   specific subsets of the goals envisioned under GINI.  But these may be no
   more useful to the overall GINI vision than a narrow-gauge railway is to a
   national rail network.

The problem that concerns me is that we start giving undue weight to early
adopters (early trust frameworks) just because they are in place and "work"
within their narrow goals and misjudge the real needs of a more ambitious
global identity system.  We seem to be so enamored with leveraging what has
been deployed without considering what the requirements are for what we
really need.

What is really needed is a thorough mapping of the requirements for the
system envisioned by GINI -- without any consideration of what exists.
Then, we can map the current deployments against this inventory and make a
rational decision if there are things worth keeping (including legislation),
or if we need to start with a clean slate.

The paper gives some acknowledgement to one aspect of the problem in
Section 8 on page 82:

Practical barriers are likely to arise due to lack of harmonization in
implementation (e.g., divergent consent requirements) or legal uncertainty
(e.g., determination of the legal qualification of each actor). However, the
legal barriers in this area result more from sector-specific requirements
rather than general data protection or privacy requirements. The most
prominent examples in this regard are the regulation of use of personal data
by public sector bodies and the use of identifiers of general application.


But this phrasing suggests a passive acknowledgement that problems will
arise, rather than taking a proactive position and seeking to define a meta
model that will allow harmonization by design, rather than by happenstance.

Thank you.

Jeff

On Fri, Nov 11, 2011 at 8:09 AM, Anna Slomovic/Equifax <
anna.slomovic at equifax.com> wrote:

> Everyone,
>
> I thought you would find this report interesting. It explores, among other
> things, how different entities participating in an identity transaction may
> be classified under the Privacy Directive and how the Directive would apply
> to them.
>
> Anna
>
> Anna Slomovic
> Chief Privacy Officer
> Equifax, Inc.
> 1010 N. Glebe Rd.
> Suite 500
> Arlington, VA 22201
>
> P: 703.888.4620
> M: 703.254.9656
> F: 703.243.7576
> E: Anna.Slomovic at equifax.com
>
> *From:* Federated Identity Management Task Force Discussion [mailto:
> BL-FIDM at MAIL.AMERICANBAR.ORG] *On Behalf Of *Brendan Van Alsenoy
> *Sent:* Thursday, November 10, 2011 8:12 AM
> *To:* BL-FIDM at MAIL.AMERICANBAR.ORG
> *Subject:* Re: [ABA-IDM-TASK-FORCE] Request for Input - IdM Laws
>
> Hi Tom,
>
> Another follow-up on your earlier request:
>
> We’ve just released a research report which I hope may be of interest to
> you and others on this list. It’s available at
> http://www.gini-sa.eu/images/stories/2011.11.06_GINI_D3.1_Legal%20Provisions%20for%20Deploying%20INDI%20Services_FINAL.pdf
>
> This report does NOT provide an in-depth analysis of instruments that
> specifically regulate IdM processes. However, it does distill some specific
> requirements for IdM services on the basis of the more “generic” EU
> Directives (e.g., data protection, eSig), so I hope it might nevertheless
> be useful to you.
>
> In our next report we plan to outline recommendations for future policy
> initiatives at the EU level. In this document we’re also taking the
> “identity trust framework angle”, building heavily upon your work and that
> of the task force (with appropriate references, of course). This document
> will in all probability be finalized by the end of this year.
>
> Any and all feedback much appreciated.
>
> Kind regards,
>
> Brendan
>
> --
> Brendan Van Alsenoy
> Legal Researcher
> Interdisciplinary Centre for Law and ICT (ICRI), K.U.Leuven - IBBT
> Sint-Michielsstraat 6 B-3000 Leuven - Belgium
> [t] +32 16 32 07 76 [f] +32 16 32 54 38
> [e] brendan.vanalsenoy at law.kuleuven.be
> [w] http://www.law.kuleuven.be/icri - http://www.ibbt.be
>
> NEW! Postgraduate Studies in ICT & Media Law: please consult our website
> <http://www.law.kuleuven.be/icri/psiml/> for more information!


-- 
Jeff Stollman
stollman.j at gmail.com
1 202.683.8699