Irving Reid of Controlled Flight into Terrain has come up with exactly the kind of use case I wanted to see when I was thinking about Paul Madsen's points:
Kim Cameron responds to Paul Madsen responding to Kim Cameron, and I wonder what it is about Canadians and identityâ€¦
But I have to admit that I have not personally been that interested in the use case of presenting â€œmanaged assertionsâ€ to amnesiac web sites. In other words, I think the cases where you would want a managed identity provider for completely amnesiac interactions are fairly few and far between. (If someone wants to turn me around me in this regard Iâ€™m wide open.)
Shibboleth, in particular, has a very clear requirement for this use case. FERPA requires that educational institutions disclose the least possible information about students, staff and faculty to their partners. The example I heard, back in the early days of SAML, was of an institution that had a contract with an on-line case law research provider such that anyone affiliated with the law school at that institution could look up cases.
In this case, the â€œmanaged identity providerâ€ (representing the educational institution) needs to assert that the person visiting right now is affiliated with the law school. However, the provider has no need to know anything more than that, and therefore the institution has a responsibility under FERPA to not give the provider any extra information. â€œThe person looking up Case X right now is the same person who looked up Case Y last weekâ€ is one of the pieces of information the institution shouldnâ€™t share with the provider.
Put this way it is obvious that it breaks the law of minimal disclosure to reveal that “the person looking up Case X right now is the same person who looked up Case Y last weekâ€ when there is no need to do so.
I initially didn't see that a pseudonymous link between Case X and Case Y would leak very much information. But on reflection, in the competitive world of academic research, these linkages could benefit an observer by revealing patterns the observer would not otherwise be aware of. He might not know whose research he was observing, but might nonetheless cobble a paper together faster than the original researcher, beating him in terms of publication date.
I'll include this example in discussing some of the collusion issues raised by various identity technologies.
2 thoughts on “Revealing patterns when there is no need to do so”
More commentary at http://ejnorman.blogspot.com/2007/06/collusion-takes-effort-how-much.html.
Comments are closed.