Re: Choosing an ID - was : Re: CalNet ID Changes

From: Dedra Chamberlin <dedra_at_berkeley.edu>
Date: Fri, 09 Jan 2009 10:13:47 -0800

Good morning everyone,

Conversations around the CalNet ID and privacy have been happening in
various forums over the past month, especially in light of the new
requirement to self-select a CalNet ID. I agree that information about
choosing a CalNet ID, especially as it relates to choosing other
usernames (like CalMail), should be consistent and coordinated.

The CalNet ID in the past has been a piece of information which people
consider private and confidential (SID and Employee ID). One significant
driver for the unified ID project was the desire to protect exposure of
those identifiers by not allowing them to be used as the CalNet ID. It
is natural that, as the campus moves from an era where privacy of CalNet
ID was protected to one in which the CalNet ID is considered a more
public attribute, questions around privacy will emerge.

In the past two months, I have brought the subject of CalNet ID and
privacy to the Identity and Access Management Steering Committee and the
CalNet Tech Team (an open meeting which anyone can attend). We have had
a number of lively conversations in both settings. Unfortunately, not
everyone on campus who is concerned about CalNet ID and privacy was
present at those conversations.

To get the information out to a broader audience, I took the various
topics of conversation around CalNet and privacy and created some
proposed documentation on the subject. Yesterday I shared that
documentation with the Identity and Access Management Steering
Committee. The group decided that we should go ahead and provide links
to the documentation within the CalNet Change ID application and in
relevant IST Knowledge Base articles now, even though the content is
still under review.

The next step is to solicit campus input on this documentation.
So...please take a look and send your feedback to
calnet-admin_at_lists.berkeley.edu by next Wednesday, January .

http://lazybuddha.berkeley.edu/display/calnet/CalNet+and+Privacy

To Cathy's point that students need this information but don't like to
read instructions, I would welcome language suggestions from people who
are expert at marketing to students.

Some things to note:
The Family Education and Privacy Rights Act (FERPA) has recently been
modified in a way that impacts the privacy requirements for the CalNet ID:

"New regulation will permit the designation as directory information a
student’s ID number, “user ID” or other unique personal identifier if it
cannot be used without some other authentication factor (such as a
secret password or PIN) to authenticate the user’s identity."

In addition, the new FERPA guidelines state that:

"An institution may decide to make a student’s user ID or email address
available within the institution but not release those elements to the
general public as directory information."

That essentially sums up our current plan for the CalNet ID, which was
endorsed by the Identity and Access Management Steering Committee on
which the Registrar serves. The plan is to maintain CalNet ID as a
private attribute within the directory (it will still require a
privileged bind), but grant the CalNet team authority to release CalNet
ID to campus developers without Registrar approval. In essence, the
CalNet ID would be considered a public attribute on campus (and for
federated partners - see below).

As for how we handled the CalNet ID in relation to identity federations,
in which a campus identifier will be asserted off campus, here is the
current situation:

* The standard approach for asserting an identifier via Shibboleth
authentication will be to use eduPersonTargetedID as the unique
identifier. That is an identifier specific to a particular application
and will not identify an individual by name.
* There may be a small number of applications which require the use of
eduPersonPrincipalName (ePPN) as the unique identifier that we assert
off campus, and we will be using CalNet ID as ePPN. All members of the
identity federations to which UCB belongs (UCTrust and InCommon) have
agreed to standards and practices for handling identity information and
the IAM Steering Committee felt assertion of CalNet ID was acceptable in
these cases. We have included information regarding the assertion of
CalNet ID off campus in our documentation so that users will be informed
of this possibility.

Finally, when I first discussed providing documentation to users
regarding CalNet ID and privacy, I suggested giving them lots of detail
as part of the change ID application. The IAM Steering Committee (which
is made up of stakeholders from across campus) overwhelmingly agreed
that we should limit the amount of information we present to users as
part of the application, but provide a link to more detailed information
for those who want more information. The documentation I referred to
above is intended to be that extra detail for interested users.

This issue will be a primary agenda item on next week's CalNet Tech Team
meeting which meets on Thursday, January 15 at 11am in 60 Barrows.
Anyone who is interested is welcome to attend.

I look forward to your feedback.

- Dedra
-----------------------------------------------------------------------
Dedra Chamberlin
Manager, CalNet - Identity and Access Management

Tony Christopher wrote:
> Cathy is spot on. The information about the friendly ID/CalMail username
> should be coordinated everywhere it's displayed. I'm concerned confusion
> will rain down on us if the information/instructions aren't consistent.
> Tony
>
> On Fri, January 9, 2009 8:16 am, Cathy Taruskin wrote:
>
>> Likewise we are looking for suggestions on how to advise newly admitted
>> students within myBerkeleyApp. They have 'Create Your Calnet ID' on their
>> myBerkeleyApp checklist and typically do this in March/April, right after
>> learning they've been admitted to Berkeley -- 5 months before they ever
>> set foot on campus. We'd like to provide a brief 'pros and cons' about the
>> implications of choosing a revealing ID vs. an obscure/cute one.
>>
>> But members of this audience:
>> a) are largely 17-year-old facebook/myspace users who don't know/think
>> much about protecting their privacy
>> b) are very excited about finding out they just got admitted and not
>> likely to read wordy instructions carefully -- so each word is precious
>> c) are completely unfamiliar with Berkeley acronyms and systems: have
>> never heard of Calnet, BearFacts, Telebears, bSpace, Cal1Card, identity
>> federations, etc.
>> d) may have to fend off their parents from making this permanent decision
>> for them (while student is out celebrating, parents want to find out what
>> the financial aid offer is)
>>
>> For the 'cons' on the revealing ID, we can link to
>> http://lazybuddha.berkeley.edu/display/calnet/CalNet+ID+and+Privacy. But
>> if we could encapsulate these cons in one or two succinct sentences keeping
>> in mind the perspective of this particular audience, it's more likely they
>> would be absorbed.
>>
>> Any suggestions would be welcome!
>>
>> Cathy Taruskin
>> myBerkeleyApp
>>
>> At 09:36 AM 1/8/2009, Rob Weinberg wrote:
>>
>>> Has there been any resolution to the "friendliness" discussion on the
>>> new IDs? That is, how should we advise users who want to know if they
>>> should choose:
>>>
>>> a) A revealing ID - like "Rob_Weinberg_at_UC" - good for federations
>>> where your ID will be displayed as your online handle when privately
>>> chatting among known authenticated users, peers perhaps - and where you
>>> have no opportunity to choose another "handle"
>>>
>>> b) An obscure ID - like de8uo23o8u - good for protecting your real
>>> identity in federated applications where it is seen by people who you
>>> may not want further contact with
>>>
>>> c) A "cutesy" ID - like "CatLover" - something easy to remember and
>>> befitting your quirky personality, potentially embarrassing, under the
>>> assumption that it will only be read by machines, never by people.
>>>
>>> We've discussed this earlier, and I'm sure people will ask us for
>>> guidance.
>>>
>>> Rob
>>>
>>> Dedra Chamberlin wrote, On 1/7/2009 9:35 AM:
>>>
>>>> Jon,
>>>>
>>>> I would just like to add a bit to Lucas' response:
>>>>
>>>> The communications plan for the CalNet Unified ID project is still
>>>> posted at:
>>>>
>>>> http://lazybuddha.berkeley.edu/display/calnet/Unified+ID+Communications+Plan
>>>>
>>>> Email went out to all students yesterday regarding the ID change
>>>> requirement. A CalMessage went out to Deans and Directors last night
>>>> and will go to the rest of staff (including faculty) today.
>>>>
>>>> After that, the CalNet team will send reminders in January to those
>>>> people who have not set a self-selected ID.
>>>>
>>>> At the end of January, users who have not self-selected an ID will see
>>>> a javascript message when they attempt to CAS authenticate that will let
>>>> them know they need to change their ID. On Feb 1st, users will be
>>>> informed they have 24 days left to select an ID and we will reset the
>>>> count down on each subsequent day. Beginning February 25th, anyone
>>>> who still has an all numeric ID will be redirected to the Change ID
>>>> application before they can CAS authenticate. That means that even
>>>> people who return from winter break right when the semester begins
>>>> will have a full month to self-select their CalNet ID.
>>>>
>>>>
>>> Rob Weinberg
>>> Programmer Analyst II
>>> Tech Support for IB
>>> robweinberg_at_berkeley.edu
>>>
>>> Department of Integrative Biology
>>> 3060 VLSB
>>> University of California
>>> Berkeley, CA 94720
>>> 510-642-2917
>>>
>>>
>>> -------------------------------------------------------------------------
>>> The following was automatically added to this message by the list server:
>>>
>>> To learn more about Micronet, including how to subscribe to or
>>> unsubscribe from its mailing list and how to find out about upcoming
>>> meetings, please visit the Micronet Web site:
>>>
>>> http://micronet.berkeley.edu
>>>
>>> Messages you send to this mailing list are public and world-viewable, and
>>> the list's archives can be browsed and searched on the Internet. This
>>> means these messages can be viewed by (among others) your bosses,
>>> prospective employers, and people who have known you in the past.
>>>

 
Received on Fri Jan 09 2009 - 10:13:57 PST

This archive was generated by hypermail 2.2.0 : Fri Jan 09 2009 - 10:14:03 PST