Join InCommon
Laptop keyboard and screen.

Putting the User in "User Consent"

Consent-informed Attribute Release (CAR) module developed at Duke

By Ken Klingenstein, Identity Evangelist
Internet2

The Original Vision of federated identity anticipated a thriving ecosystem where attributes, more than identities, were carefully exchanged between holders of those attributes and relying parties to provide appropriate services. Privacy would be preserved; scalable access control would be enabled; users would be empowered.

Slide from the user consent demo video

What has emerged, however, is much less fluid. Concerned organizations have restricted the flow of attributes. Internationally, legislation has fractured a consistent global approach and within the US, state-based laws that try to fill a federal vacuum results in even more complexity. And user control is often completely left out.

Several mechanisms have been created to try and remedy the situation. The Research and Scholarship end-entity category (aka R&S) is supposed to encourage release by assuring identity providers that relying parties are only asking for necessary information and would be prudent in their use of what they received. However, adoption of R&S has been limited, due to privacy concerns and the lack of user control. Moreover, additional categories will be needed for other situations and the international process for creating such categories is slow. Some early consent mechanisms have been built, but they lack important features, such as a rich set of “informed content” that would allow users to make educated choices. And the idea of a single tool that could work across protocols has not emerged.

A set of videos that show CAR in action are available on YouTube: an introduction and one that provides a view into the management tools that users and institutions have that allow consent and notification to scale to a large number of sites.

Until now. CAR (Consent-informed Attribute Release) has been developed by Duke University, leveraging a “Scalable Privacy” grant that Internet2 received from NIST several years ago.

CAR has a number of distinctive features. As a service, it can be used in many different situations. It can provide consent for Shibboleth and for other protocols such as OAuth and OIDC. It can even be used to apply policies such as FERPA to batch feeds and non-real-time situations. It offers users a self-service console where they can revoke consent, choose default release policies for new sites, and set release choices for when they are away. It provides fine-grain capabilities including per-attribute controls and the selective release of values from a multi-valued attribute. (This is an important privacy-preserving capability, allowing, for example, just a limited release of group memberships from a much larger and more revealing set.) For the enterprise, it offers useful management options, including giving users advice, requiring re-consent after a relying party changes their privacy policy, and offering notification when mandatory information is shared.

A set of videos that show CAR in action are available on Youtube. The first one is an introduction, including the basics of the consent screen, storing and revoking consent, and having different institutional release policies applying to faculty and students. The second provides a view into the management tools that users and institutions have that allow consent and notification to scale to a large number of sites. Additional videos will be added to show other advanced features, such as selective release and delegated institutional policy setting. A number of universities are “kicking the wheels” on CAR and sessions are planned for TechEx.

In the long arc of federated identity development, consent was always envisioned as the capstone of the infrastructure. It provides privacy and user control. After many years, the capstone may be ready to be placed.