Comment #00819 - Split and note privacy implications of use case(s) 1 - NISO_RP-27-2019_RA21_Identity_Discovery_and_Persistence-public_comment.pdf

Comment 819
New (Unresolved)
NISO_RP-27-2019_RA21_Identity_Discovery_and_Persistence-public_comment.pdf (Revision 0)
Comment Submitted by
John Mark Ockerbloom
2019-04-18 11:16:20

Use case 1 (starting on page 14 and continuing onto page 15 of the draft) seems to me to be two distinct cases, the first being "Assert that the user is a member of the institution's authorized user community..." and the second being "Enable SSO to any personalized features...." They should be clearly separated, both in this document, and in the user's experience. The second case calls for considerably more user information and trust than the first, and users should get to decide if they're going to let the service provider get any more information than the non-persistent anonymous assertion that suffices for the first case.

It's worth noting in the document that even without any additional attributes, a persistent pseudonymous ID, such as that specified by eduPersonTargetedID, can often be reidentified and then linked to a particular person's data.  The risk increases the longer this ID is used and the more data and transactions are associated with it.

Submitter Proposed Solution