BALÁZS RÁTAI Federated IdM (F-IdM) and protection of personal data - Budapest New Technology Meetup, April 16, 2008 -

1. BALÁZS RÁTAI Federated IdM (F-IdM) and protection of personal data - Budapest New Technology Meetup, April 16, 2008 -

2. Federated Identity Management (F-IdM)‏

3. What is F-IdM? „Federated Identity is just one of several new distributed computing constructs that recognizes the fact that individuals move between corporate boundaries at an increasingly frequent rate.” http://discuss.andredurand.com/stories/storyReader$320 „A system that allows individuals to use the same user name, password or other personal identification to sign on to the networks of more than one enterprise in order to conduct transactions.” http://www.eweek.com/article2/0,1895,1378436,00.asp

4. F-IdM concept • Web services oriented solution • Single-Sign-On (SSO) solution • User authentication and authorization data is maintained and utilized by a group of organizations (federation)‏ Source: Eric Norlin and Andre Durand: Federated Identity Management- Whitepaper, 2002.

5. Wide-scale F-IdMs • Windows Live ID (.NET Passport)‏ • Facebook External Web Apps Login • AOL Open Auth • Open ID • IndaPass

6. Protection of Personal Data

7. Hungarian Data Protection Regulation • Decision of the Constitutional Court 15/1991 (IV. 13.) AB • “the meaning of the right to the protection of the personal data as laid down in Article 59 of the Constitution … is, that everyone has the right to decide on the disclosure and processing of his or her personal data” • Act LXIII. of 1992 on the Protection of Personal Data and the Disclosure of Information of Public Interest • Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data

8. Personal data • data relating to a natural person (data subject)‏ • conclusion with respect to the data subject which can be inferred from personal data • in the course of data processing data shall be considered to remain personal as long as the relation to the data subject can be restored

9. Data controller • determines the purpose of the processing of data • makes decisions on data processing (including those as to the means of the processing) and implements these decisions or has them implemented by the technical data processor • natural person or organization

10. Recommendations of the EU DPWP • Working Document on on-line authentication services, 10054/03/EN WP 68, Article 29 Data Protection Working Party (http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2003/wp68_en.pdf)‏ • allow anonymous or pseudonymous use of on-line authentication systems • provide adequate information concerning the data protection implications of the system • authentication providers should work with service providers who take all necessary measures to provide adequate protection • avoid to use identifiers • software architecture that minimises the centralisation of personal data • easy means to exercise users' rights (including their right to opt-out) and to have all their data deleted • appropriate organizational and technical security measures

11. Thank you for your attention! e-mail: balazs.ratai@carneades.hu tel.: +36-20-3559911