[WG-P3] Research report on IdM within the EU Data Protection Directive

Smedinghoff, Tom tsmedinghoff at edwardswildman.com
Wed Nov 30 11:43:48 EST 2011

I recognize that I'm viewing this document as a lawyer, but in that context I think it makes a valuable contribution.

Regardless of your views on the appropriateness of the proposed GINI approach, I think it's important to recognize that one of the key contributions of this document is its attempt (1) to identify the existing legal requirements affecting the development of an identity ecosystem and the provisioning of identity services, and (2) to identify the potential legal barriers that those existing legal requirements may create.  This document focuses, of course, on existing EU laws, but the same kind of analysis must ultimately be done for every jurisdiction in which an identity system will operate.


Thomas J. Smedinghoff
Edwards Wildman Palmer LLP
225 W. Wacker Drive
Chicago, Illinois 60606
Office: +1 312-201-2021
Cell:  +1 312-545-1333
tsmedinghoff at edwardswildman.com<mailto:tsmedinghoff at edwardswildman.com>

From: wg-p3-bounces at kantarainitiative.org [mailto:wg-p3-bounces at kantarainitiative.org] On Behalf Of Rainer Hoerbe
Sent: Sunday, November 13, 2011 10:45 AM
To: j stollman
Cc: Anna Slomovic/Equifax; wg-p3 at kantarainitiative.org
Subject: Re: [WG-P3] Research report on IdM within the EU Data Protection Directive

Am 13.11.2011 um 07:06 schrieb j stollman:

After reviewing the GINI document I was particularly disappointed in two items:

 1.  They use the term Actor to identify the various parties to a transaction,.  I think that Role is a far better term, since any one Actor may have one or more Roles in a particular transaction.  But this technicality does not impact the overall value of the document.

OMG defines a (use case) actor as "a role played by a person or thing when interacting with the system". So in a context of IS analysis both are valid terms.

 1.  More discouraging is that the GINI approach presupposes that same fatal error that every other organization seems to be taking:  start programming and worry about the requirements later.  I refer to Section 4.8.3 which states, "One of the first steps in the development of such a framework involves putting in place (or at least identifying) reliable identification and authentication mechanisms." I would argue that while this is exactly what people have been doing, it is a mistake to start putting in place (or, even, identifying) identification and authentication mechanisms until we have developed the requirements for the different types of identification and authentication that the framework needs to handle.  I can accept the deployment of small, special-purpose frameworks to meet specific subsets of the goals envisioned under GINI.  But these may be no more useful to the overall GINI vision than a narrow-gauge railway is to a national rail network.

It is not quite clear from the context of section 4.8.3 if it refers to the existing legal obligation of each trust service provider, or an approach to define a new overarching generic trust framework. In the first case this is not only best practice, but even mandatory according to some DPD guidelines. Even in the second case, as we don not start from scratch, it is state of the art to have reliable identification and authN as a key requirement. The question is rather how this is plumbed skillfully into a framework as not to jeopardize general applicability and minimum requirements.

The problem that concerns me is that we start giving undue wait to early adopters (early trust frameworks) just because they are in place and "work" within their narrow goals and misjudge the real needs of a more ambitious global identity system.  We seem to be so enamored with leveraging what has been deployed without considering what the requirements are for what we really need.

What is really needed is a thorough mapping of the requirements for the system envisioned by GINI -- without any consideration of what exists.  Then, we can map the current deployments against this inventory and make a rational decision if there are things worth keeping (including legislation) , or if we need to start with a clean slate.

The paper gives some acknowledgement to one aspect of the problem in Section 8 on page 82:

Practical barriers are likely to arise due to lack of harmonization in implementation (e.g., divergent consent requirements) or legal uncertainty (e.g., determination of the legal qualification of each actor). However, the legal barriers in this area result more from sector-specific requirements rather than general data protection or privacy requirements. The most prominent examples in this regard are the regulation of use of personal data by public sector bodies and the use of identifiers of general application.

But this phrasing suggests a passive acknowledgement that problems will arise, rather than taking a proactive position and seeking to define a meta model that will allow harmonization by design, rather than by happenstance.
Acknowledgment of a lack of harmonization is the first step. Harmonization as  the second step won't come in a single project. While I agree with you point that we need to make requirements clear, I think that a meta model and work on practical trust frameworks will inevitably happen in parallel, within and even more outside Kantara.

- Rainer

Thank you.


We've just released a research report which I hope may be of interest to you and others on this list. It's available at http://www.gini-sa.eu/images/stories/2011.11.06_GINI_D3.1_Legal%20Provisions%20for%20Deploying%20INDI%20Services_FINAL.pdf

The partnerships of Edwards Angell Palmer & Dodge LLP and Wildman, Harrold, Allen & Dixon LLP merged on October 1, 2011. The new firm is known as Edwards Wildman Palmer LLP. For more information visit edwardswildman.com.
Boston, Chicago, Ft. Lauderdale, Hartford, London, Los Angeles, Madison NJ, New York, Newport Beach, Providence, Stamford, Tokyo, Washington DC, West Palm Beach, Hong Kong (associated office) 
This e-mail message from Edwards Wildman Palmer LLP and Edwards Wildman Palmer UK LLP is intended only for the individual or entity to which it is addressed. This e-mail may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you received this e-mail by accident, please notify the sender immediately and destroy this e-mail and all copies of it. We take steps to protect against viruses but advise you to carry out your own checks and precautions as we accept no liability for any which remain. We may monitor emails sent to and from our server(s) to ensure regulatory compliance to protect our clients and business.
Edwards Wildman Palmer UK LLP is a limited liability partnership registered in England (registered number OC333092) and is regulated by the Solicitors Regulation Authority. A list of members' names and their professional qualifications may be inspected at our registered office, Dashwood, 69 Old Broad Street, London EC2M 1QS, UK, telephone +44 207 583 4055. 
Disclosure Under U.S. IRS Circular 230: Edwards Wildman Palmer LLP informs you that any tax advice contained in this communication, including any attachments, was not intended or written to be used, and cannot be used, for the purpose of avoiding federal tax related penalties or promoting, marketing or recommending to another party any transaction or matter addressed herein.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://kantarainitiative.org/pipermail/wg-p3/attachments/20111130/08aece16/attachment-0001.html 

More information about the WG-P3 mailing list