 I think it's time to get started. Welcome everyone. I'm Cliff Lynch. I'm the director of the Coalition for Networked Information, and it's my pleasure to welcome you to this breakout session from the spring 2020 virtual member meeting that CNI is conducting. We are approaching the middle of that meeting, which will run through the end of May. The topic today is untangling the confusion on federated identity access controls and privacy. This is a very important topic, particularly now that we are in such a distributed mode and relying so extensively on federated access to provide our user community. Our institutions would access to a whole collection of diverse resources. This is also a very fraught issue in the sense that people have expressed a lot of opinions on it. This is really on work like RA-21 that often is not particularly well grounded, I think, in the specifics about the technology. There's a lot of misunderstanding about what's dictated by technology, what's dictated by policy, and how the two fit together. I think of anyone more authoritative and well qualified to speak to this than Ken Klangenstein. Ken has been advancing these technologies tirelessly since the early days of CNI and Internet too, and it's been a great pleasure and a great honor to work together with him over the years on these topics. I am just absolutely delighted to be able to welcome Ken to this virtual meeting. We will take questions at the end. Beth Seacrest will moderate those. You can type in questions by using the Q&A tool at the bottom of your screen. And please feel free to queue up questions at any point as they occur to you, and we'll just sort them all out at the end. But it's fine to put them in as we go along. So with that, welcome all, and I'm going to disappear and turn it over to Ken. Thank you, Cliff. Just want to check that the sounds coming through. All good. Good. Okay. And the title slide is up on the screen. So with that, if I can do the advancing. I guess I better go here. Okay. I want to talk a little bit about what's driving all of the developments that as Cliff indicated are now bubbling up in the environment. You see as our target and the target hasn't changed since 2000 when these ideas first started percolating up. But I want to talk in detail what those look like. What's coming along in terms of the infrastructure. Many of the pieces are in place sliding into place. I'm going to talk a little bit about the work that's ahead because there are still gaps. I don't know that this is going to finish on my watch but I love for it to arrive ultimately intact on that far shore and have an environment that appreciates our traditional interests in privacy while providing new levels of personalization and access control. So I don't think I've received a proper attention. And so I'd love to make sure that we give give a give some focus on that. And then one of those gaps is can the users really manage their privacy and we'll talk a little bit about what Daniel so love calls the privacy paradox about users wanting to have a lot of privacy but then giving it away for rubber squeeze So with that. Let's talk about the drivers for change. Certainly federated identity has taken a strong root in the internet. Whether you're asked to log on with your institutional credits credentials or with your Google account or your earth link account since there may be some people in this crowd who still do earth link or whatever other identity provider. The pattern is increasingly that you use an authentication at a single spot and leverage it at many different locations across the internet. Another major driver for change is protection of IPR and content. There are websites that this community is well aware of things like Cy Hub, which have stolen a massive amount of content from journals and the journal publishers are rightfully concerned about keeping their business alive so they can publish these kinds of research work. And so they'd like to stop that kind of bulk downloading that enables those kinds of IPR violations and federated identity is a part of that answer. With privacy opportunities with personalization, I can make the world look exactly like what you need on the screen without knowing who you are. I can take your color blindness, your other physical disabilities and make adaptive changes to the screens and the presentations of content without knowing exactly who has those kinds of characteristics. Finally, I can post comments and dialogues and have privacy anonymity persistent anonymity. All of the techniques that the trolls use in Russia can be used positively in other ways in in those kinds of conversations. I think the requirement now around compliance and with international and state regulations. Wouldn't it be nice if I could say national regulations as well as state for the US but I can't. But I can talk about, and we will talk briefly about GDPR. We'll talk a little bit more about what's happening up north in Canada because what they're doing I think of as the state of the art in privacy protection. So there are these compliance requirements. We all have them no let no legislation comes along these days that doesn't seem to have a compliance aspect. Attribute release friction. At this beginning in 2000 we didn't expect there to be so much friction about releasing attributes because attributes are the currency of this ecosystem and they need to flow and whether they flow on an institutional decision or on a user decision, they need to flow. And we've made one attempt in the federated community with the research and scholarship bundle or attributes, but that hasn't gotten the traction we hoped, and there was certainly needs for attribute bundles beyond the R&S bundle. And we'll talk about those in a second there's some interesting work happening being led by Heather Flanagan and others in the RA 21 cloud. And then there's a mistake we made in 2000 that we're paying the price for and we need to fix which is selective release of values from a multi valued attribute. When we first started designing group memberships in those early years of this development. We decided we'll stick all your group memberships in one attribute. How many could there be, and this sucker will never fly anyway so we don't have to worry. Well the suckers in the air. There are people who have 1000 group memberships. And right now with today's technology for relying party says, I want group memberships of this person so I can do access control, they may get all 1000. There's supposed to be privacy preserving. I'll come back to that. And finally, there's a number of visionaries out there who believe that transparency and user control are guiding principles for our society, regardless of the technologies. What do we want them freedom of the shelves this is that old ability to climb into some musty building, I guess they're not so musty anymore, and walk down the shelves and and look at content and have privacy, and have the ability at the same time to check books out and to make notes and all of the other things that we believe a free society should have. So, in the federated version of that we have a global set of identity and attribute providers. We have access control techniques to limited license content so that we recognize the business models of the world and they should be places where content is protected by some kind of gated community. So, there's a lot of free privacy preserving. That's what we set out to do. And I think we're there. And then finally, the compliance with the national and international regulations I can't say we set out to be compliant with those because they weren't around at the time but they've come along. So, here's a little drill down on each of those four categories for the identity providers. We want a world with more than Google. We want to build in there and Facebook and Amazon, but we also want universities we want your business addresses we want the earth links. Maybe we even want linkages to the national identity efforts that are going on no longer in this country. In Europe, there are efforts, especially in the northern European countries to build national identities that can be used for tax purposes for voting purposes, and for participating in community interactions, and perhaps even for accessing the kinds of content we're talking about today. That whole bundle of stuff is talked about as the IDIS activities in Europe and my guess is they'll be going slower because everything's about to go slow. And then we'd like to see a global set of attribute and badge providers and identity decorators people who don't do identity but decorate identity with verified attributes and credentials. It may be your membership in a professional society. It may be your accreditation from some service. It may be government and private sectors decorating your identity with stuff that would be useful in voting environments, such as your precincts. There are some capabilities being provided by medical doctors so that those adaptive screen technologies that I talked about early on can be done with you concealing your privacy but recognizing your need for adaptive screen presentations. Scalable access controls were a big part of the vision. And we've moved somewhere along the way. It may be the traditional create, read, update, and delete mechanisms of CRUD, but we also have needs for much finer grain controls. My poster child for this is Wikis. We're often familiar with a Wiki. If you want to have different access controls for different parts of the Wiki, so group memberships, for example, could determine which parts of the Wiki you chose you were committed to visit. We would need then to provide that kind of fine grain control. That is one of the holy grails we're aiming for is that kind of control over Wiki. It turns out when I talk about signaling that we don't have that piece in place. We do have tools in the toolbox. We use your affiliations as a student, faculty, staff, etc. We look at entitlements. I mean, entitlements tend to be permissions that are granted by the enterprise based upon a sharing of business logic with a resource provider. That's very common in the library space. Who can get to these journals? The journal publisher will agree with the institution on a set of rules. And then the institution will compute eligibility based upon those sets of rules and the attributes that they have about the user. But the attributes never leave the institution just entitlement that whoever this user is, they're permitted to access this content. Group memberships give us a much finer and more subtle mechanism for doing access control. We can, again, use your groups to say you can get to this part of the Wiki or that part of the Wiki because you're a member of the group. And then finally, some of the major infrastructure as a service platforms that serve the research, the science research community like Globus and TAC give very sophisticated access control mechanisms. So we're largely there on this piece. More needs to be done. But at the beginning, I think one of the participants in all this said, you know, group membership is going to solve 80% of the access control issues. That turned out to be correct. And so just having the group tools have been excellent. Obviously preserving approaches now the water gets muddier, even though initially we thought this was going to be the most straightforward path. Identifiers turn out to be a very complex space. They can be opaque. They can be transparent and email addresses often transparent. A opaque identifier is a legion in other parts of the world. They can be session based. And you get a new identifier every time you log in or open a window, or they can be persistent and you can have a identifier, still anonymous, but is available every time you log in and go to a site. Identifiers to be reassignable versus permanent that turns out to be very important within the access control space because if you're going to grant permissions on the basis of identifiers and an institution changes who that identifier belongs to you might be giving access to someone you don't intend to. It, it turned out to be a thick space it still is and, and it's some of the stuff that the RA 21 crowd is nobly wrestling with attributes we've learned need to be well managed, otherwise they grow like weeds. So the entitlements versus the groups distinction I made earlier attributes are often scoped. If you're going to say somebody is a member of a certain affiliation with an institution, what light do you have to speak for that institution. In some cases if you're Harvard and you're the registrar at Harvard, sure you can speak for that. But when you get to the five colleges, the Claremont colleges in, in the LA area, what any one of those five colleges may make assertions about being a participant of a different college than the one making the assertion. And those need to be permitted where appropriate. So we have to scope them. And then we have to make them have meaning on the wire. Because you're going to have your own little subtleties of attributes. And then if we're going to exchange them with other people, we need to find a lingua franca on the wire. And that will make the other side do a correct interpretation of the information they're receiving. Many, many years ago in the early design of the Internet, there was a one of the chivalrous as aware was be careful in what you send, be liberal in what you accept. And that has played out in terms of on the wire attributes as well. Out of those identifiers and attributes we build persona. And you can visit a website unauthenticated, authenticated but anonymous, authenticated but pseudo anonymous which says you may not be easily identified by people looking at the identifier, but it's the same identifier for the same person in this thread. So every time that identifier is used it's the same person making the comment. And then you can have verified credentials as well and that's the coin of the realm and many of the places where you need to have tight security, etc. And then all of these persona can be decorated with attributes and that's much of the work up ahead. And then once you have those decorations, building attribute based gated communities. I have a variant we might get to in demos at the end called the scholarly garage named after other shared the community activities and then the scholarly garage. It's a gated community but within there I can have identity I can have privacy I can make comments in a rich number of fashions relative to my identity. And finally I want to make the point that even if you're going with a fully private mindset in all of this stuff. A strong act of authentication is very helpful. So strong identity needs are out there, even if you only are focused on privacy. We want to make sure that the account has not been prolonged that even if the rest of the world doesn't know who this user is. It's been a fair mapping compliance. National international and community. So, almost everybody on on this webinar is familiar with GDP are Canadian stuff I want to introduce because people are not quite as familiar and I think the Canadians have nailed it. And then, at one point, several years ago, I was giving presentations at NIST about some work we would sell presentations at CNI about some work we were doing for NIST. NIST has a few survivors huddled in its wonderful old building in Gaithersburg and Boulder still trying to maintain the torch of advancing identity in the US. And then some states have stepped forward. Those of you in California have the California Consumer Privacy Act CCPA as something to work with. The other side of the coin is codes of conduct where you don't want necessarily compliance from some external source but you want a community to create its own rules and adhere to them. These are often then self asserted in terms of compliance. One of the ones that we've been looking for in our in our world is the refeds code of conduct refeds is the International Federal Army Federation space. I'll talk about that code of conduct in a second. And then another code of conduct that we're trying to normalize is around baseline expectations of how enterprises both IDPs, SPs and federated operators do their jobs properly. And then increasingly there's compliance activities that we need to do. And some of us are getting agreement or I about a reporting infrastructure in the institution and enterprise where there's almost a policy layer on top of these technology layers that would allow all of the reports that need to be generated with compliance to be done in a normative fashion versus a hand managed spreadsheet. GDPR I'm going to move through fairly quickly. Again, people are familiar with it. It only it affects a lot of US institutions because we have students who land in Europe and they're suddenly subject to GDPR. We have European students on our campuses subject to GDPR. So, lots of sensitivity to this stuff. I want to highlight the basis for release and purpose of use as key issues, because we're not doing enough of this. Every time an institution and an enterprise releases information to another third party, it has to record the basis for release of that. There's a limited six, I believe, bases for release. And it's something that we as identity providers and institutions need to be doing. And then those things may get audited to see if we did the proper basis for release. We are heavily reliant at this point on contract as a basis for release as a tool. And it's legitimate, but it's limited. The purpose of use stuff is interesting as well. It's required by GDPR that a user be informed of the purpose for which their data is being used. You'll see those fields in the consent demo I do at the end of this talk. You want to normalize those things. You want to have users understand what those various purposes of use tend to mean. The purposes of use have been developed in the advertising space, and they've been developed in healthcare, and they haven't been developed in other verticals, and it would be helpful to have that. Finally, GDPR talks about when is consent to be used and not to be used. That said, I want to segue into the Canadian activities where legislation called PAPEDA was created maybe 15 years ago as a personal information protection act in Canada. And then the model the Canadians use to implement in infrastructure around that legislation is to create a system of private identity providers, typically banks. And those identity providers have come together to create the Pan-Canadian Trust framework and DIAC, and they have drafted an elegant set of rules for acting in the digital economy. I particularly like their stuff because they dive into consent and notice. And again, it was part of the original vision of federated identity, and the Canadians get it. And where the Europeans tend to say legitimate interest, consent is hard, but the power ratio balances, the Canadians say consent will normally be sought. It's going to be opt-in. It's at the time of transaction. And it can either be persistent or just for that one time. You should be able to withdraw the consent. But it applies to future transactions. That's the right interpretation. You're not going to get the data that you released last year back. It should be explicit and in language that will be easily understood. And wouldn't it be nice if you had a privacy console where you could manage your privacy preferences? You'll see, I hope, all of those features in the demo at the end. Putting together the answer then from the piece parts that are coming along. We have baseline expectations as the first element to level the trust fabric, to move from a best effort environment to a shared expectations environment. Dynamic metadata because we succeeded. And so the metadata bundles have gotten huge, and we need to not ship them around anymore, but provide them on demand. We need IDP discovery. It happens as a result of dynamic metadata. It's an essential first step in the process. And the RA-21 software that we'll look at is doing that. Institutional and attribute release is the next element to get those attributes flowing and reduce that friction. You'll see that software in action. But there's still gaps in the metadata and signaling as with Wikis that I alluded to earlier. And then finally, there's a variety of community standards. Whereas a community, we need to take a deep breath and wait into. Some of those are what I call informed content so that users can make informed consent decisions, purposes of use, privacy policies. We need community taxonomies so that we have shared understandings of what's happening. We need applications to be a lot more aware of attributes versus grab all the identity that it can take. We need to be able to translate data minimization from a nice concept into which specific attributes are minimal and which ones are optional. So these are the five pieces that we'll talk about. We'll move progressively through this. The first three are well in hand. The next, the bottom two still needs some work. If we get all this together, what do we deliver? A privacy experience that can be managed by both the institution and the user. Which gives the user informed choices, but not intrusively allows the institution to manage access controls. We want users to have choice, but we want users not to be able to suppress negative information which we want, which the institution wants to transmit, like this user is not permitted to have this kind of capability. We want to address the cognitive load of the user. You'll see that in the screen design. We're very careful to keep the white space and the thinking opportunities. We want meaningful choice and we want to be able to do compliance. It's got a scale and hopefully it can be slid into places. What this won't deliver all the other ways that privacy is a threat. And it won't deliver the fact that users still express high importance to their privacy, but then give it away for bright shiny objects. Baseline expectations is something that is happening widely now, at least in the US in common has raised the bar. And institutions are now doing a consistent set of approaches. They might vary a tad by their own situations, but security patching the software. Operations who has access to signing keys incident handling. There's a violation of either relying party and is trapped back trace back to something that went wrong at your identity provider. Do you agree to participate in a diagnostic effort to handle that incident. Keep your metadata fresh provide privacy policies provide updated contact people. This baseline expectations has sections that address IDPs, SPs and federated operators. It began as an in common activity. I think around 2018 we rolled out be one of the two is now under active discussion and the in common website has pointed us to that. And that was a solid enough idea that we're trying to help the international Federation community adopt a similar set of requirements. And so there is a global conversation now going on in refeds about a global baseline standard. Now that'd be interesting because the variation in federations between countries is significant. The metadata rolling out as we speak. It's needed because the fields within each entity within the metadata have increased. The number of entities in the metadata have increased as well as their fields getting bigger. This is what the internet went through in the mid 90s when DNS came along. And doing this is creating some it's leaving some problems that identity providers had as the metadata bundle got very big. There are two elements of this approach. There's a query protocol get me my get me the metadata on this relying party I need it now. And then there are places that aggregate metadata and register authoritatively the metadata for various enterprises. All these things are sliding into place pretty nicely and in common in other federations. And the future one unfortunate aspect of this is that many many service providers used to depend upon that massive static metadata file to populate an identity provider list so you could find your identity provider can't do that. How do we solve that. Well that came along has come already 21 to solve that IDP discovery problem. We can use it to their identity provider. Today we have inconsistent experiences across sites. It wouldn't be nice if users know to go to a certain part of the screen or look for a certain icon and be able to select the identity provider that way. Again we want to solve the problems that dynamic metadata has created. The next stage of the R21 process. It comes in several different flavors. You'll see in an action in the demo. It works well and the different flavors give you different integrations and it looks like it's beginning to get traction and some major content providers have started to use. Attribute release consent notification. So even if you don't believe in consent, it's probably valid to do motivation. Let's see in this section here I'm supposed to look at the chat at the same time. So I'm attribute release. It wasn't supposed to be expect it wasn't. Okay Lisa I'm sorry I just got to your question. I'll make a note of that and get back to that and thrilled to have you as a participant in the session. So attribute release is the biggest friction in the federated landscape. It's something we didn't anticipate. Obviously because we expected the users to be in control and the consent pieces lag, but partially because institutions have been much more attribute retentive than we expected them to be. So that we made one attempt. The RNS tag. It's, it's gotten a nice step up from researchers needing access to covert data, but it still has limited penetration within the community. We're going to continue to push that other tags are under discussion as well on consent is not widely deployed, but we have a software that we developed with an end stick grant and internet to and most particularly Duke University. And I'll be demonstrating that software and it's capstone in that it gives users exactly the information and control over their privacy that we wanted to achieve a while. I'll just mention these they're happening as part of the RA 21 or refeds community. For those of you who know has a flan again. It's sometimes hard to know which hatches wearing when she's doing her good work. We're doing an authentication only bundle, you know, anonymous authorization bundle, typically an anonymous identifier decorated with some attributes and then synonymous support. Right now these all of these attribute release bundles will be self asserted that is you will assert as a relying party. That's what you need. You will assert as an IDP that you are responsive to these needs. They may be need be need for registration down the road user. The use of this. Well, the IDP can use these bundles to configure attribute release policies. Users can get a second set of recommendations for consent based upon these profiles. We can maybe guide contracts between libraries and content providers so that they start to use normative language about access controls. That's some of our hope for this work. So when one tool for attribute release mechanisms is called car it's a consent informed attribute release was indicated Duke's been the lead developer for this. It stresses the informed aspects of this. It provides self service. It translates the hideous names that we use for these attributes internally and identity management into something that might be more friendly to a user like your relationship to the university versus an affiliation things like that. Gifts fine-gain controls it records the basis for release provides revocation and interestingly it provides user not present mechanisms. So one of the glitches in our privacy as an institution is that we can have a student be enabled as furper and then we will not pass information in an attribute release bundle in real time to a relying party. But we don't apply for controls by and large to batch feeds to third parties. That's just outside the can of the identity management system. We have mechanisms now so that your consent choices can be applied when you're not there. And that can be used in attribute release situations. I wanted to show you a typical car screen. Again at the end if we have time I'd love to do a real time demo and move all these buttons around and show you the consequences of that. But a few things to note. Off on the right we have the logo of the relying party that I'm about to release attributes to in this case R and SRS. We have the privacy policy of that relying party. On the left side we have the sets of attributes that are being released. This is for an undergraduate going to a research site. Notice clear permit and deny buttons. Notice fine-gain control. Notice that the value of the attribute is being displayed so that if there's a wrong value you can't correct it in the consent screen that would be inappropriate. But you can make a note and have those values cleaned up in the institutional systems. The clear markers for permit and deny and then near the bottom in the bottom. Don't show the screen the next time I log in. We don't want to intrude on you every time if you want this to be a persistent consent policy. We'll suppress the screen going forward. If you want it to be the policy, you'll release policy unless the value being released changes for some reason, at which point you want to re-consent, we can do that too. So there's the suppression stuff save and continue affirmative actions as required by the DDAC, DIAC legislation. This is what the screen looks like when I'm going to another site, content or I'm doing this as a faculty member. And what I wanted to illustrate here is limited license access controls. So if you look at those first two attributes for departmental fund codes, it indicates that you're a member of the institute of those departments. And so you're able to get to Lexis or ICSPR based upon those permissions. Notice you can get there without revealing any personal identity. In this configuration on the screen right now, I'm showing my academic affiliations but nothing personally identifiable. So I can browse the shelves freely at Lexis and ICSPR without my identity being known. Again, the suppression screen on the end. This is my self service console. Here's my attribute release policies as they've been stored. And there's a manage button for each of these. And I can go in and change what's been stored for my attribute release policies. The last area that we have to be working on is the community standards for behavior. Provisioning of informed content. Today, much of the metadata that you saw in the consent screens for CAR were gleaned from the in common metadata. And we'd love to continue to do that. But some are gleaned from well known private, well known URLs, and some are not well harvested at all. We need to work on some of that stuff. The codes of conduct that I alluded to, you want to know that the relying party has disposed of attributes properly when they're done processing them. How can I do that? Well, code of conduct covers that but the code of conduct doesn't apply to us be one. There's supposed to be a version two that would apply to us being developed in Europe, but that has gone very slow. Even when we have those kinds of kinds of codes of conduct will have lots of issues about fine tuning that lofty premises in the codes of conduct. We need to understand what's minimum for data minimization. If I don't release an attribute. Does that have to break the application for it to be a required attribute or not? Geolocation is often something that we share inappropriately. When is geolocation required versus option? And then finally, users need to understand some of these privacy tradeoffs. The more privacy you have, perhaps the less functionality you'll get at the website. So what's the work ahead? We have to apply. We have to get this stuff actually deployed. RA-21's gaining traction, dynamic metadata has arrived, baseline expectations needs internationalization, attribute release and consent needs adoption on campuses, codes of conduct need development. We have to figure out some of these gaps about how do I signal attribute needs along. And finally, we have to find good ways for users to understand some of these tradeoffs. My guess is users of because of the years of working in Facebook and Google have at least a better knowledge of how their privacy is being spindled and mutilated, and maybe this will be an easier thing for them to understand. Finally, a set of references and then I'm going to turn this back to you Cliff and catch up on any Q&A. There's a set of videos on YouTube that I've recorded, including one in particular from the librarian perspective that talks about how I can get access control while maintaining maximal privacy. The baseline expectations work is happening both in common in v2 and in baseline expectations for refeds at v1 and finally appointed to seamless access. So I'm going to stop the share, I think temporarily Cliff and give this back to you for the Q&A. Thank you very much, Ken, for your presentation and your efforts helping to build this essential infrastructure and we will open it up now to Q&A if you have a question. But as Ken mentioned, he does have some demos to show if we don't have questions. I know Lisa had a pending question. I wasn't sure if you had covered that or not, Ken. Yeah, let me, let me, I just pulled that up. So what's gone away from static metadata bundle with dynamic metadata. So if I was a, if I was Elsevier, well, let me take a simpler case. If I was a journal or a resource that was just in the US, and I wanted to provide identity providers for users to select from, I would download the in common metadata typically once a day. I'd use that to populate a pull down list, maybe of four or 500 Institute identity providers, and the user would use that for the discovery process. When you begin to add edge again, there's now 2000 identity providers or so in that list, the print gets really small, the user experience begins to suck. And then there is no more single bundle, because it's too big. So I now have to have a list of pre populated identity providers or favorite identity providers. Or some mechanism of fetching my own preferred identity providers and these are each flavors of what are a 21 can help us do in terms of populating an identity providers selection for the user to pick. Does that help. Okay. And just give it a little bit of time to see if there's any more questions and Lisa says thank you yes. Great. Roger Schoenfeld says thanks Ken for this great presentation. Can you say a little bit more about the benefits for risks of these kinds of federated approaches that are ultimately controlled by the academic institutions versus some of the efforts being made by Research Gate and others to serve as a comprehensive identity instance independent of academia. Roger always, Roger always has a good curveball what can I say. Let's see. The, I guess I've always been all my life I've been deployed by institutions. And so it, I don't think Roger I can escape that mindset of you know the institution provides me with shelter salary and identity and often content that it's purchased for its scholarly community. And so I don't you know I recognize that independent services can spring up and I'd be curious to know what your sense is going to be of that stuff but I'm a creature of the university sigh. But Beth, you want to address this too. Oh, okay. I got a prompt on the screen that I didn't I've not seen before but zoom has changed a lot in the last few weeks. Okay, let's see. And Roger responds that's really helpful thank you. And let's see if there's anything else. I think we have time for your demos, Ken. Okay, I'm going to slide right into that. Let me go back to this chair. Okay, let's just confirm that people can see a choose your institution on the screen confirming great. So this is RA 21 as you can see from the copyright notice on the bottom. We have set up an environment called slice bread fact probably if we're going to do this demo. Let me share go back to my slides. So, let's see are we seeing a slice bread environment. Good. Okay, so I'm just going to have this on for a second and then we'll go back to the live demo, but just to give you a sense, there's a bunch of IDPs here. And each has an attribute store typically a directory. They could be running ship they could be running actor they could be running active directory they could be running oh IDC as as their tool for provisioning identities. We don't care car is protocol agnostic it is a, excuse me consent as a service. We call the slice bread because I won't get into it there was a pun there a while ago. It's lost to the ages on the bottom of those triangles are various content providers that will be going to as part of the demo. So, screen sharing is stopped because that close. Let me share the right screen then for. Okay, so I hope I'm hopefully back now inside slice bread. Looking at the RA 21 service, which is listening to identity providers I'm going to pick. Well, let's see first I'm going to go to a resource and have this come up so let me go to the research or us screen. Resource provider and research or us says you need to pick an identity provided so it throws me here to access research or us. I'm going to pick castle amber. I'm going to go back to my identity provider I'm going to pick an identity I'm going to pick an undergraduate identity. I can clear previous permissions I got the usual stuff for identities and the display screen you saw earlier. I want to show you how the buttons move back and forth. Here's the purpose of use field right there that I was describing. If I don't release enough attributes research or us will not let me in. And then, but will what it will do if it's properly configured to say you didn't release the right attributes for access. We're going to throw you back to your consent screen. In this case, I'm going to release enough attributes to be able to get into research or us I'm going to even release my name so I can get a very nicely custom screen. If I wanted to see their privacy policy for research or us. There's their privacy. Sometimes they lose information so goes go back to here. I'm going to save and continue and then I should get to the site and notice that here's the set of attributes that has been received by research or us. I didn't release affiliation. If I had released affiliation, it would have gotten that attribute notice often the upper right hand corner it says it's personalized by sign out any E. And so it got my display name as an attribute in the process. I am in fact going to sign out. And then I'm going to go to a different site. And I'm going to pick my identity provider via R a 21. I'm going to be a particular faculty member that I just shown you. And again, here's the attributes that I can release. And if I release these attributes without identity. Notice I can get to Lexis nexus. Notice I can get to ICS PR. I don't know who I am just as I know. That's a very attractive situation in my mind to be able to get access to license content without revealing anything more than my affiliation with some academic departments. Federated identity, if it works the way it's supposed to work is good should allow me to go to other sites and log in. So if I go to the institutional site for salary and stuff. Notice I didn't have to log in again because I didn't log out. So this is just federated identity saying without you, you've done your single sign on. Here's the attribute you want to release. And again, show you those controls. This is interesting in that I can show sensitive information. This is part of what GDPR requires is that if I have sensitive information and some of my group memberships might be. Then it shouldn't come up on the screen unless I do a special click. That's an example of that. I can save and continue. And notice it got some information but I didn't release enough information for the payroll system to do any processing for that. Let's see. No, I still will say logged in. As a professor girdle. And I'm going to go and look at my set of privacy policies. So here I can manage what I release to places. So if I'm not comfortable with what I'm releasing to scholarly garage, I can come to this management screen and say here are the attributes we have in landscape. Here's your choices. Here's what your IDP recommends amber recommends an additional settings and way down at the bottom you'll see the while I'm away stuff that I was talking about for batch feeds, etc. There's a lot of other features I can show you. I don't think I want to. I can run a muck on this demo and it would be quite late, but I can assign permissions to individual users. For example, the faculty want to see but not be able to edit release policies that the institution provides wants to understand what the further guidelines are the registrar wants to know that I can create them as an order to implement policy formation stuff. Etc. Etc. So let me just stop there and I'm going to turn it back to you Cliff. That was or to you best that was the demos and we'll take it from there. Lisa Hinshleff does have another question. It's certainly great to see that kind of transparency but it seems like this isn't user control per se, as much as user notification that they are being compelled to release their PII what's to stop an SP for demanding all the PII that's available, or is the thought that libraries will be negotiating to limit what the minimal release level is. Thank you, Lisa. And the answer is we're counting on the libraries to with librarians have a keen knowledge of privacy and the subtleties, and we're counting on the librarians to do that the attribute release that I talked about earlier that the RA-21 work is doing is exactly for that purpose. And if we get into the contracts then you know the other side of the coin by the way Lisa is that increasingly SP realize that the more data they have the more potential for data breaches they have. And they're trying to minimize data to some degree as well. So I think their interests are beginning to converge with the interests of the institution and the librarians to towards minimal disclosure, but it's certainly an area where we have a lot of work to do. Okay, and we do have some thank yous for people who either had to leave or whatever but Clifford has a question. Let's just have a quick question, Ken. That demo was just fascinating. And it's wonderful to see the amount of progress that's happened, particularly around the attribute control fundamentally. I guess the place where I take a little bit of a deep breath here is on the user education side. I have a very powerful, very detailed tool here. The question I'm struggling with and I love your views on is how much explanation, how much education is an institution going to need to do to allow a student or a faculty member to really make sense of what's going on here. Great question. Cliff, a couple of comments. One is that at least in terms of the car interface. It went through almost 40 iterations at Duke, where the wonderful people at Duke set up in a coffee shop, gave you a free cup of coffee if you'd play with it. Generally, and then asked a couple of questions to understand the level of comprehension. And they did it across age groups. And the results were very encouraging that people seem to be getting it, especially if we managed the cognitive load. What we have for managing that cognitive load is the presets that come up when you go to a site. Stuff, those presets are typically set by the institution, but they're malleable and again triggered by some of the attribute release bundles. And so the presets, if a user just wants to get to the gooey marshmallow at the end of authentication and attribute release, and they hit save and continue, things should work right. So the presets are set for privacy but functionality. And again, those can be set by the institution, however, it sees fit. Third comment on on on levels of users to manage this. I think sadly, you and I cliff are of a generation that wasn't born digital. And I, my guess is that for those coming up it's just, you know, these screens are annoyances but they understand what's kind of on there enough to get by but we'll see I hope we see over the fullness of time. Thanks, that's, that's helpful and you know I got to agree that the, the interface there is very nicely designed and very smooth that it shows that level of refinement in the, in the trials. And the one that I was sort of worried about a little more was there's an underlying, a little bit of an underlying conceptual model here that people have to get that, you know, you have an identity and it has attributes and it's passed around. And I, I'm, I'm, I have no data at all about whether people get that or not. Right, nor do I. And frankly, Cliff, it may well be culturally related as well. And so it may be that in the US where we've not developed a keen sense of privacy and been seduced by many bright shiny objects. And the underlying model that works and societies that have more orientation around privacy may have a better awareness of the model. Again, I sure hope we can get to discover this. Thank you so much, Ken. And I do. I really think implicitly here you've got a challenge for education where it's needed in your comment and I hope people will step up to that when it is needed. Thank you again. And I will just say that Lisa Hinchliff is chiming in, she says as an educator of the current generation, I share Cliff's concern on the user end question. And I believe that brings us to time and what to thank you so much Ken for your presentation today and remind others that we have more presentations tomorrow. So I hope you can join us for that. And thank you again today. Thank you. Applause. Absolutely super. Yes. Thank you. Thank you.