Trust and Internet Identity Meeting Europe
2013 - 2020: Workshops and Unconference

Impact of Data Protection and GDPR

(Radovan Semancik)

The reasons for this discussion is because we’re developing midpoint, Three years ago we developed, I am wondering what is happening, nobody does much, fines for GDPR.

Is anyone here doing anything with GDPR?

One problem we have: attribute readings - a setup where we have a multilevel IDP chain and sort of traditional use for all attributes and get some transformation and ship them off to the next IDP but we want to limit the set. The IDPs belong to different legal entities. I’m working for the government in Denmark, so they have their own jurisdiction. You have the final step from IDP to sp, I am more interested in how to minimize which attributes I set.

Attributes are subjective matters. Here we talk about employees, so we won’t have roles and rights. Not sensible in the GDPR way. What your political affiliation is, or sexuality, I can’t recall all but not sensitive in that way.

Do you do it in a government network?

More academic POV. If we could do data minimization.

R: If someone asks about it?

? We don’t, legally, we may pass this info on but…. That would be one way to solve it. Prompt the user for consent. R: No technical measures.

? We have a few services on our own regularly facing the question, what should we do with our own IDPs? as federation operators have no control as we are full mesh federation. We don’t have any answers regarding GDPR. Maybe that will not be a common answer. We don’t have a good sort of answer. The question I was asking is that we all have standard attributes, all federations. There could be an unofficial one but as a federation, we could eventually develop one such. We have different attributes, not sensible, very sensible, medium sensible.

What should be a very sensible, personal address? We are fed operators who screen our different SP and all of them that require one sensible attribute should be double-checked.

R: Problem is that some attributes can have different sensibilities in a different context. Your email can also be sensitive.

Apache identifiers opaque, etc, targeted it’s a white area, should be in one part of the spectrum, so even if 80% are in a gray area maybe we can have a whitelist of those.

There’s suspicious silence. It started to clean up its data, we started to be very conscious of the places. We moved internally, we had multiple repositories which we moved internally

We were always conscious of this but we used a membership company to assist us with this. The Americans are a lot more relaxed about these things. One thing which we stopped doing was …. work with the access on a google drive but don’t store and forward in emails. SO we can control the data in one place instead of spreading it across many places.

They use the share point server. we worked hard on the access control. The other thing we did, we tried… we used the terms out of the GDPR.

It was a scary time, GDPR came on my birthday and I was in Finland going to Estonia and seeing that Kantara Europe was Thailand based and when I’ve been waiting for the US membership management company and they delayed and delayed and I got it in 11 in the evening I worked all night to get it in some shape that I would accept it. We had a couple of access requests but we were able to better manage them. They were not serious they just wanted to see what was going to happen. There was a guy who 4 years ago joined a Kantara weekend group. He didn’t have what to do, so he put in a subject, who is the most likely that would have no idea what to do? Kantara!

We didn’t hear much after that from him.

We haven’t had much from a market place.

I received recently a report comparing various finds from 2019. you always hear about the big ones but not the small ones.

For tiny indiscretions, not major breaches. If the bank is fined with 20000, someone will be blamed.

R: What is the most difficult part of the data protection? Subject access request? You’re doing this manually, right? You’re doing these manually?

I was never deleting data, you just don’t delete emails on Gmail. Let’s get rid of everything and I found some documents, and keeping that unprotected on my iCloud if the account is hacked, that would be a data breach. I tried to use two-factor authorization, there were 2-3 accounts where I haven’t activated 2-factor. Not always impressed with it. In GitHub I had a problem with publishing a repo because of some Microsoft restriction. Repo with some python code to a client and it wasn’t possible.even with an ssh key. I made it public and I Realised I had some ssh key in a previous commit. I realized I have had almost 150 GitHub repos but many of mine, there was a history and I had no idea whether they are plain emails or passwords. Let’s fix this and I will roll it out properly.

I might have had a key that I haven’t deactivated. I found out that this was a tedious exercise. I went through my Github, they just pull your current stuff and get a million of false positives.

I was deleting everything and if I didn’t touch.

Most likely if I haven’t touched it for two years, I never will. The best thing is to delete everything I don’t know, then I ran a tool and wanted to improve it but I haven’t finished.

I learned a lesson that just making copies and throwing it somewhere has a cost.

R: I wonder if we can change the future processes to change this?

When you committed to your company you didn’t think about who is administrating the emails. We are used to the fact that everything that we commit is gonna be public. with GDPR it was probably like people didn’t think about data protection and 4% fines of the revenue so it’s important.

Having strict policies and reviews is important.

The data protection wave already lost power. It raised attention but it already died out.

R: Wondering whether interest in data protection has reduced or increased?

I think there is a lot of stuff around but mostly from commercial companies. Usually, it is to try and sell you a tool or a service.

R2: It has become a part of the standard in large companies. It doesn’t catch everybody but the top 100 companies are very aware.

If you have a wider scope then there is something to be done in security.

R: I am wondering about those big corporations like Kantara C: right, they have over 80 employees We only have 18 members so that’s pretty feasible. There has to be a tool for bigger companies.

R: Data protection is a cross country concern, I know people in data protection practitioners. He will refuse to participate because data protection needs to be in each working package. You have to have it on the legal side, in app dev in IT. in operations.

? If you want to have data protection by design, I think it’s one of the topics of GDPR, and it’s similar to security.

?: It’s like quality assurance or quality control

R: How can we make the process easier? it’s hard to find any references at least for employees, you make the contract, while with the customer is a bit different

No registration through event prime? As they are not secured.

2018 was a messy year as the policies were changing constantly.