For the sake of documenting complete data flows and producing the advisory for the NROs, IdPs and SPs, this data inventory contains the data that is processed by the eduroam core operations, but also NROs, SPs and IdPs. 

List of datasets


eduroam RADIUS server logs


GEANT central opsNROIdPSP
Dataset description:Logs from the European top level RADIUS servers (ETLR)Logs from the national top level RADIUS server(s) (FTLR)Logs from the IdP RADIUS server(s)Logs from the SP RADIUS server(s)
Purpose of processing:

Troubleshooting issues and resolving security incidents.

Troubleshooting issues and resolving security incidents.

Recommendation by the eduroam Service Definition.

Troubleshooting issues and resolving security incidents.

Requirement by the eduroam Service Definition.

Troubleshooting issues and resolving security incidents.

Recommendation by the eduroam Service Definition.

Requirement by the eduroam Service Definition is to keep the logs of public IP addresses assigned to users and its relation to users MAC address.

Data source:

Data is logged in the ETLR servers when a RADIUS authentication or response passes (user accesses eduroam in another country)

Data is logged in the FTLR server(s) when a RADIUS authentication or response passes (user accesses eduroam in another institution)

Data is logged in the IdP RADIUS server(s) when a RADIUS authentication or response passes (institution user accesses eduroam anywhere)Data is logged in the SPs RADIUS server(s) when a RADIUS authentication or response passes. (user accesses eduroam at that SPs location)
Data storage and access:

Data is stored in the ETLR servers, accessible only to the eduroam operational team personnel.

Data is stored in the FTLR server(s), accessible only to the NRO operational team personnel.

(This may vary based on local practices)

Data is stored in the IdP server(s), accessible only to the IdP operational team personnel.

(This may vary based on local practices)

Data is stored in the SP server(s), accessible only to the IdP operational team personnel.

(This may vary based on local practices)

Data transfer:

No

NoNoNo
Data retention:All data related to roaming are kept for a period of six months.

Depends on the local policy.

eduroam Service Definition recommendation is: The minimum log retention time is six months, unless national regulations require otherwise

Depends on the local policy.

eduroam Service Definition recommendation is: The minimum log retention time is six months, unless national regulations require otherwise.

Depends on local the policy.

eduroam Service Definition recommendation is: The minimum log retention time is six months, unless national regulations require otherwise.

Personal data processed:YesYesYesYes


Dataset content


Data itemIs personal data?
central opsNROIdPSP
1Timestamp -   The time the authentication request was exchanged i.e usert tried to access the eduroam service
  •  
  •  
  •  
  •  
2

Outer EAP-identity - username@institution_domain, username can be anonymised but not all users do that

  •  
  •  
  •  
  •  
3Inner EAP-identity - username@institution_domain
  •  
  •  
  •  
  •  
4Calling-Station-Id - users MAC address, MAC address can be randomized but that's not the default in all clients
  •  
  •  
  •  
  •  
5Authentication result
  •  
  •  
  •  
  •  
6Chargeable-User-Identity - users anonymous ID
  •  
  •  
  •  
  •  
7IP address assigned by the SP after the sucessfull authenticaiton, including its relation to users MAC address
  •  
  •  
  •  
  •  


eduroam F-ticks


GEANT central opsNROs
Dataset description:

Usage log messages for each international and national roaming authentication request.

Usage log messages for international and national roaming authentication request coming from IdPs belonging to that NRO.
Purpose of processing:

Log data provides basic statistical information about service usage. It provides statistics about the number of logins for national and international roaming. The data is used for generation of usage statistics that are publicly available at https://monitor.eduroam.org and for reporting to EC and other stakeholders.

Log data provides basic statistical information about the service usage. It provides statistics about the number of logins for national and international roaming. The data is sent to the GEANT central operations as requested by the eduroam service definition. Depending on the NRO practices, the data can processed by the NRO for creating usage statistics.
Data source:

NROs Federation top level Radius servers.

F-ticks data are generated by the data from RADIUS authentication requests or responses sent by the IdP, and that transverses the NROs Federation top level Radius servers. This happens in the event when a user access eduroam at a visited SP location and authenticates.
Data storage and access:

F-ticks data are stored in the SQL database that is operated in the infrastructure provided by CARNet. The raw data is accessible only by the personnel of eduroam operations team.

Depending on the NRO practices, data can be kept and stored by NRO as well.
Data transfer:

F-ticks data are not transferred to any other party or system.

F-ticks data are sent to the eduroam core operations.
Data retention:F-ticks data are kept permanently. (question)Depends on the NRO practices if they keep a copy and for how long.
Personal data processed:YesYes

Dataset content


Data itemIs personal data?Comment
1REALM - As in users username used for the authentication (for example “@education.lu”) - contains the user’s country of origin and the institution of originYes
2Calling-Station-Id - User’s device MAC addressYes
3Viscountry - ISO country code of the NRO that generated the log messageYesNo (VP proposal)
4Visinst - Identifier of visited institution i.e. operator-name RADIUS attributeYesNo (VP proposal)
5Result - Authentication outcome: OK / FAILNo

eduroam Database - NRO information

Dataset description:National Roaming Operator information.
Purpose of processing:Data is used to feed the central data repository for eduroam service. It provides information about National Roaming Operators that participate in the eduroam service. The data is used for providing public available information about eduroam service, available at https://monitor.eduroam.org/.
Data source:The eduroam database has been build as a central database with the mechanism that enables automatic data collection from (National) Roaming Operators - (N)ROs. (N)ROs should provide general data in the defined XML or JSON format. The data should be available at the specific, predefined URLs: http://www.eduroam.<tld>/general/<dataset-name>.
Data storage and access:Data is stored in the SQL database that is operated in the infrastructure provided by CARNet. The raw data is accessible only by the personnel of eduroam operations team.
Data transfer:Data is not transferred to any other party or system.
Data retention:Data is kept permanently.
Personal data processed:Yes

Dataset content


Data itemIs personal data?Comment
1ROid - Unique identifier provided by the database operator during the RO registrationNo
2country - two letter country codeNo
3stage - 0=preproduction/test, 1=activeNo
4org_name - (N)RO corporate nameNo
5address_street - (N)RO addressNo
6address_city - (N)RO addressNo
7coordinates - longitude, latitude, altitudeNo
8contact_name - (N)RO contact: nameYesIf contact is person
9contact_email - (N)RO contact: e-mailYesIf contact is person
10contact_phone - (N)RO contact: phone no.YesIf contact is person
11contact_type - 0=person, 1=service/departmentNo
12contact_privacy - 0=private, 1=publicNo
13info_URL - (N)RO web page URLNo
14policy_URL - (N)RO Policy URLNo
15ts - date: last changedNo

eduroam Database - Institution information


GEANT central operationsNROs
Dataset description:Institution information (IdP or SP), participating in eduroam service.Institution information (IdP or SP) participating in eduroam service and belonging to the given NRO.
Purpose of processing:Data is used to feed the central data repository for eduroam service. It provides information about Institutions that participate in the eduroam service as IdPs and SPs. The data is used for providing public available information about eduroam service, available at https://monitor.eduroam.org/.Data is requested by the eduroam service definition.
Data source:The eduroam database has been build as a central database with the mechanism that enables automatic data collection from (National) Roaming Operators - (N)ROs. (N)ROs should provide general data in the defined XML or JSON format. The data should be available at the specific, predefined URLs: http://www.eduroam.<tld>/general/<dataset-name>

Data is collected from the institutions participating in the eduroam in that NRO. Exact process is a matter of local implementation in a NRO.

Data storage and access:Data is stored in the SQL database on the host that is operated in the infrastructure provided by CARNet. The raw data is accessible only by the personnel of eduroam operations team (OT). THe host is mantained by the OTData is stored in the national eduroam web site. Data access is public. Additional storing locations may be implemented based on NROs practices.
Data transfer:Data is not transferred to any other party or system.-
Data retention:Data is kept permanently.
Personal data processed: YesYes

Dataset content


Data itemIs personal data?Comment
1instid - provided by the NRONo
2ROid - Unique identifier provided by the database operator during the RO registrationNo
3type - IdP, SP, IdP+SPNo
4stage - 0=preproduction/test, 1=activeNo
5inst_realm - (only for IdP or IdP+SP)No
6inst_name - institution’s corporate nameNo
7address_street - institution’s addressNo
8address_city - institution’s address: cityNo
9coordinates - longitude, latitude, altitude of institution’s locationNo
10inst_type - IEEE 802.11-2012, clause 8.4.1.34 Venue InfoNo
11contact_name - institution’s contact: nameYesIf contact is person
12contact_email - institution’s contact: e-mailYesIf contact is person
13contact_phone - institution’s contact: phone no.YesIf contact is person
14contact_type - 0=person, 1=service/departmentNo
15contact_privacy - 0=private, 1=publicNo
16info_URL - institution’s web page with the information related to the serviceNo
17policy_URL - institution’s PolicyNo
18ts - date: last changedNo

eduroam Database - Service Location information


GEANT central opsNROs
Dataset description:Service Location informationService Location infromations, from SPs belonging to the given NRO.
Purpose of processing:Data is used to feed the central data repository for eduroam service. It provides information about Service Locations that are provided in eduroam by participating SPs. The data is used for providing public available information about eduroam service, available at https://monitor.eduroam.org/.Data is requested by the eduroam service definition.
Data source:The eduroam database has been build as a central database with the mechanism that enables automatic data collection from (National) Roaming Operators - (N)ROs.(N)ROs should provide general data in the defined XML or JSON format. The data should be available at the specific, predefined URLs: http://www.eduroam.<tld>/general/<dataset-name>.Data is collected from the service providers participating in the eduroam in given NRO. Exact process is a matter of local implementation in a NRO.
Data storage and access:Data is stored in the SQL database that is operated in the infrastructure provided by CARNet/SRCE. The raw data is accessible only by the personnel of eduroam operations team.Data is stored in the national eduroam web site. Data access is public. Additional storing locations may be implemented based on NROs practices.
Data transfer:Data is not transferred to any other party or system.-
Data retention:Data is kept permanently.
Personal data processed: YesYes

Dataset content


Data itemIs personal data?Comment
1instid - provided by the NRO

No


2ROid - Unique identifier provided by the database operator during the RO No
3locationid - provided by the NRONo
4coordinates - longitude, latitude, altitudeNo
5stage - 0=preproduction/test, 1=activeNo
6type - 0=single spot; 1=area; 2=mobileNo
7loc_name - location’s nameNo
8address_street - location’s address No
9address_city - location’s address: cityNo
10location_type - IEEE 802.11-2012, clause 8.4.1.34 Venue InfoNo
11contact_name - on site contact: nameYesIf contact is person
12contact_email - on site contact: e-mailYesIf contact is person
13contact_phone - on site contact: phone no.YesIf contact is person
14contact_type - 0=person, 1=service/departmentNo
15contact_privacy - 0=private, 1=publicNo
16SSID - SSID usedNo
17enc_level - supported encryption levelsNo
18AP_no - number of APsNo
19wired_no - number of enabled sockets for wired accessNo
20tag - specific characteristic(s): port_restrict, transp_proxy, IPv6, NAT, HS2.0No
21availability - 0=default, 1=physical access restrictionsNo
22operation_hours - If service is not available 24 hours per dayNo
23info_URL - info page with additional info in case of any restrictions No
24ts - date: last changedNo

eduroam CAT (as of version 1.1)

Dataset description:Configuration Assistant Tool operator database (NRO administrator and institution-level administrator)
Purpose of processing:allowing administrators to upload and maintain the information needed to create eduroam installation programs ("installers") within their country / institution
Data source:eduroam database - NRO information & institution information (see datasets above), eduroam SP proxy authentication data (see dataset above), administrator input, produces web server and application logs (cat-ams.eduroam.org)
Data storage and access:

Data is stored in the SQL database on the virtual machine that is operated in the infrastructure provided by SURF. The raw data is accessible only by the personnel of eduroam operations team. The virtual machine is maintained by the OT.

Data transfer:

System sends emails with invitation tokens (one variant to institution administrators for sign-up, one variant to NRO personnel for general status updates)

Data retention:
  • The authorisation status of administrators who ever logged in is retained permanently.
  • The installer-relevant information is kept until the administrator chooses to delete it (then deleted immediately).
  • There is a cache for previously generated installers which gets invalidated upon deletion of the installer-relevant information (but remains on disk until manual cleanup is triggered).
Personal data processed: Yes


Dataset content


Data itemIs personal data ?
1

administrator authentication - supplied from eduroam SP proxy

  • eduPersonTargetedId or equivalent
  • real name
  • email address
Yes
2

administrator authorisation

  • is user an NRO administrator, and for which country - supplied from eduroam SP proxy
  • initial email address of new institution administrators during signup (supplied from NRO administrator)
  • is user institution administrator, and for which institution - information gathered from NRO administrators and with email voucher verification process
Yes
3

general institution information - supplied by institution administrator input

  • institution name, multi-language
  • geographical coordinates of institution
  • institution logo
  • whether institution also exists in eduroam database (institution information), and the ID in that database
No
4

eduroam media deployment information - supplied by institution administrator input

  • SSIDs and encryption levels
  • whether or not eduroam is on wired ports
  • onboarding SSIDs which should be removed upon installation
  • Passpoint consortia identifiers
No
5

support contacts of institution - supplied by institution administrator input

  • helpdesk email, multi-language
  • information web page, multi-language
  • Acceptable Use Policy, multi-language
  • telephone contact
No
6

RADIUS/EAP details - supplied by institution administrator input

  • name of deployment profile, multi-language
  • description of deployment profile, multi-language
  • production-readiness state of deployment profile
  • domain name ("realm") for deployment profile
  • anonymous outer ID to be used in installers
  • supported EAP types
  • CA certificates that identify EAP server
  • names of EAP servers
  • redirection URLs for external installer handling, multi-language
  • custom text accompanying installer downloads, , multi-language
  • EAP-TLS username handling directives (does not contain actual user names)
No

eduroam Managed IdP

Dataset description:eduroam Managed IdP is a derivative of eduroam CAT (see above), which additionally produces per-user personalised installation programs and maintains a database of these end users. It also authenticates the end users based on the installed programs
Purpose of processing:allowing administrators to upload and maintain the information needed to manage their end user base to the end of creating eduroam installation programs ("installers") within their country / institution, and to authenticate their users in eduroam
Data source:eduroam database - NRO information & institution information (see datasets above), eduroam SP proxy authentication data (see dataset above), administrator input, produces web server and application logs (cat-pilot.eduroam.org / auth-test.hosted.eduroam.org / auth-test-2.hosted.eduroam.org / ocsp-test.hosted.eduroam.org)
Data storage and access:

Data is stored in the database on the virtual machine that is operated in the infrastructure provided by GÉANT. The raw data is accessible only by the personnel of eduroam operations team. The virtual machine is maintained by the OT.

Data transfer:System sends emails with invitation tokens (one variant to institution administrators for sign-up, one variant to end-users for credentialing, one variant to NRO personnel for general status updates)
Data retention:
  • The authorisation status of administrators who ever logged in is retained permanently.
  • Most of the installer-relevant information is kept until the administrator chooses to delete it (then deleted immediately), with the exception of ...
  • ... end user authentication data, which is retained (indefinitely?) even after deletion of users to enable prosecution
Personal data processed: Yes

Dataset content


Data itemIs personal data ?
1-5Dataset content items 1 to 5 are IDENTICAL to those of eduroam CAT (see above)Yes
6

Deployment details of Managed IdP for NRO (from NRO admin input)

  • Whether it is enabled or not
  • max number of users per institution profile
  • EAP termination settings
No
7

Deployment details of Managed IdP for institution

  • whether the admin has accepted the system's ToU
  • (pseudonymous) usernames of the institution's users
  • expiry date of said pseudonymous usernames
  • list of eduroam credentials issued to these users (properties of these credentials in 8, below), linked to the respective username
  • list of pending invitation tokens with which users can create new credentials and inquire about their account status (properties of invitation toekns in 9, below)
  • status of the usernames (active, inactive)
  • data freshness: when were the set of users last checked by the administrator for continued validity?
Yes because of pseudonymous usernames ?
8

eduroam credentials (X.509 certificates)

  • unique, randomly generated username as certificate Subject (original pseudonymous username is not contained, but system maintains an internal link between pseudonymous username and the Subject of the certificate)
  • date of issue and expiry of certificate
  • unique, randomly chosen serial number for certificate
  • device type for which certificate was generated
  • revocation status of certificate
  • invitation token (see 9, below) which was used to generate certificate
?
9

end-user invitation tokens (URLs with unique, random long identifier)

  • pseudonymous username to which invitation token pertains
  • number of devices which can be credentialed witht his token
  • expiry date of invitation token
?
10

RADIUS authentication logs

The RADIUS server is an eduroam IdP in the sense of the dataset "eduroam RADIUS server logs → IdP" above, and the same data set considerations apply.

Yes
11

certificate status server logs

  • logs the timestamp when a revocation assertion was requested for a given eduroam credential - revocation assertions typically coincide exactly with the actual authentication happening on the RADIUS server. Does not log the actual revocation state that was returned.

eduroam Managed SP



eduroam Managed SP Web Frontendeduroam Managed SP RADIUS Servers
Local hotspot
Dataset description:Data required to manage deployment properties of eduroam Managed SP hotspotsLogs from the Managed SP RADIUS ServersLogs from the hotspot's APs/controllers
Purpose of processing:Allowing hotspot administrators to log into the system, add/edit/delete their Managed SP deployment, and to check usage logs of their hotspot

Troubleshooting issues and resolving security incidents.

Recommendation by the eduroam Service Definition.

Troubleshooting issues and resolving security incidents.

Requirement by the eduroam Service Definition is to keep the logs of public IP addresses assigned to users and its relation to users MAC address (no requirement imposed when using NAT).

Data source:

eduroam database - NRO information & institution information (see datasets above), eduroam SP proxy authentication data (see dataset above)

administrator input

web server and application logs

Data is logged in the Managed SP RADIUS servers when a RADIUS authentication or response passes (user accesses eduroam at a hotspot connected to Managed SP)

Data is logged in the equipment when a RADIUS authentication or response passes (user accesses eduroam at that SPs location)
Data storage and access:Data is stored in the database on the virtual machine that is operated in the infrastructure provided by GÉANT. The raw data is accessible only by the personnel of eduroam operations team. The virtual machine is maintained by the OT.

Data is stored in the Managed SP RADIUS servers, accessible to the eduroam operational team personnel and the registered hotspot operator

Data is stored in the equipment, accessible only to the hotspot operating personnel.

Data transfer:System sends emails with invitation tokens (one variant to institution administrators for sign-up, one variant to end-users for credentialing, one variant to NRO personnel for general status updates)

No

No
Data retention:
  • The authorisation status of administrators who ever logged in is retained permanently.
  • hotspot deployment information is kept until the administrator chooses to delete it (then deleted immediately)
?

Depends on local the policy.

Personal data processed:YesYesYes

Dataset content


Data itemComponentIs personal data ?
1

eduPersonTargetedId or equivalent user identifier

Of NRO or SP administrator

eduroam Managed SP Web FrontendYes
2

First name and Last name

Of NRO or SP administrator

eduroam Managed SP Web FrontendYes
3

email

Of NRO or SP administrator

eduroam Managed SP Web FrontendYes
4

Outer EAP-identity

Users username@institution_domain, username can be anonymised but not all users do that

eduroam Managed SP RADIUS ServersYes
5

Calling-Station-Id

Users MAC address

eduroam Managed SP RADIUS ServersYes
6

Chargeable-User-Identity

Users anonymous ID

eduroam Managed SP RADIUS ServersYes


Description of fields

The details of service related datasets (data collections) should be filled with a list of all kinds of data which is collected or processed by this service. The table should be filled by the Service Manager and afterwards reconciled with the GEANT Data Protection Officer in order to address GDPR requirements. One service often incorporates several datasets.

<dataset_name> - name of dataset (collection of data processed in similar way).

Dataset description: brief explanation of the kind of information or entities the dataset contains.

Purpose of processing: what is purpose of data collecting and processing.

Data source: what are source(s) of data - list of services, systems, applications, databases or similar source components, including user's input, from which data are being received. E.g. RIPE database, service ABC, organisation LDAP directory...

Data storage and access: describe where the data are stored, backup-ed etc. and who has access to the data.

Data transfer: list of other services, systems, applications, databases or similar destinations to which data are being sent. E.g. RIPE database, service ABC, GÉANT's database XYZ...

Data retention: describe data retention policy ie. for how long data are stored before being deleted. E.g. 1 year, 2 years after contract ending, forever...

Dataset content

  • Data item: a specific dataset item. It may be an attribute, component or structure within a dataset that can be clearly described in terms of content. If attribute, it is usually described with the formally assigned name and corresponding explanation of meaning, purpose, expected content or allowed values. Property values characterise all or some items (records, members...) within the dataset.
  • Is personal data (DPO fills in): whether this item is (a part of) personal data. Decided and entered by the GÉANT Data Protection Officer while analysing the GDPR requirements. Answer Yes of No.


Document ID


Version of document


Date of approval
Approved by
Status (draft, approved, obsolete)draft
Document owner (Service Manager?)
Contact person


Date of resubmission


Intervall of resubmission
Type of document (policy, procedure, Information)


  • No labels