Attribute release

Problem ... Opt-in to opt-out
Attribute release - scalable attribute release management
Data protection complicated
Federation operator might not help IDPs
What can we do about it?
How soon can we do it?
What are the solutions?

Wolfgang (DFN-AAI)
Many things available, like entity categories, but acceptance by IDP operators is very low (in Germany, e.g., CoCo).
Reason: IDP operators feel uneasy and unsafe about releasing attributes.
Complex legal setup of data protection with nationwide data protection, federal data protection, several laws, and local data protection officer -> lawyer.
Attribute filter policies after consent, contracts etc.
Some IDPs are different.
Paperwork as a service??? Good idea
Local context - data protection officers see things more relaxed -> risk assessment
Ask lawyer for legal statement

FEIDE/Estonia
FEIDE: Need to convince institution to opt-in
No big issue with attribute release, much stricter requirements with quality of attributes
Risk assessment done, so basically for each service
User to understand what is going on
Is it due to restriction, voted for paperwork/policy initially, jurisdiction, minimal attribute release opt in for entity category? discussed
Facilitate users?
federation page with contact points for institution
attributes from other sources, side channel linked to federation (verified)
user consent related to attribute release?
opt-in for IDPs, checking attributes, layout, certificate,...
if it does not fit, users get afraid?
users should understand

SWAMID
no IDP does consent
no complaints about it
use entity categories heavily
5 or 6 internal, national entity categories
good as default, can be changed after complaints

SWITCHaai eduGAIN
user consent employed
attribute release for entity categories
no complaints
who looks at consent pages?
you want to use it
consent page of Denmark is more flexible, release attribute A, not B
home organisation might not be aware of what eduGAIN service wants
institution can't protect users
how many users care about the release?
minority care about release, but care after the leak
change name of institution?
complaints at release because of transparency to do with understanding
what when consent is not freely given?
Estonia: federation for secondary school - consent does not apply
contract?
what could federation operator do to improve situation?
trust is involved
Norway: service access now, when exam situation. do not want to understand, when stressed
Risk in not doing it: Facebook/Google is doing it, so they get used to it
protection of the user?
user friendly layout, branding etc
usability tests/user tests of WAYF - problems when user does not know his credentials, it's a problem of the university
for user it is important that they know what to do and what is going on
law requires data minimal policy and that user gives data away - not scalable to access every SP in eduGAIN
Estonia opts in SPs on federation level and then consent
consent earlier? before login workflow?
federation itself has given entity categories, not self declared