This guidance is a request for clarificaiton in which cases to assert specific REFEDS RAF assurance component values, in particular "ID/unique", when the identity is based on social media login. But this general question on the alignment of social ID qualities and the REFEDS RAF ID/Unique requirements may well been tackled or at least discussed earlier as well. Taking the T&C of Facebook and LinkedIn at face value implies that both meet the ID/unique requirement of the RAF, but of course we all know of fake accounts (according to FB itself in its Q3 statement on QE to the SEC, it states 3% fake accounts and 10% duplicates , so ~ 270 million non-compliant accounts out of 2.1 billion. There's no a priori reason to assume LinkedIn is any better. So what to do in view of the REFEDS RAF ID/unique component requirements:
R1. User account belongs to a single natural person
R2. The person and the credential they are assigned is traceable i.e. the CSP knows who they are and can contact them which both rule out fake accounts (>9% even in controlled social platforms - I know for sure Google login has many more duplicates & fakes).
I don't remember hearing this discussed anywhere in the REFEDS RAF or any other REFEDS meeting (probably out of scope there), but can we get to a rough consensus? Are compensatory controls needed (either automated or otherwise, despite the guidance on automated decision making in WP251rev1 :) ? Must heuristics be applied before any social ID can be decorated with ID/unique? Can we come up with guidance what those should be?
Of course, this still leaves open that social accounts can be shared and there is hardly any way to detect that one unless you are the OP yourself. So should social id NEVER result in ID/unique being asserted unless it has been post-processed in the Proxy? Or can we make something good off it nonetheless?
Infrastructure Proxies may convey assurance information derived from multiple sources, one of which may be ‘social identity’ sources. This guidance explains under which conditions combination of assurance information and augmentation of identity data within the Infrastructure Proxy should result in assertion of the REFEDS Assurance Framework components “unique identifier”, and when it may be appropriate to assert the “identity proofing” component value low.
See mail thread "[aarc-na3] Fwd: [appint] RAF ID component and combined assurance evaluation" in the NA3 list and AppInt.
Draft document for commenting: https://docs.google.com/document/d/1kpHFLnJH1zITj7J7BXDRSTwNpo3AyrXyPFtE_dCb7Dc/edit#