Taxonomy AHG Meeting 1/30/2014

Attendees

Objectives/Intro:

Glossary Version 1.1:

The glossary was reviewed and approved by the Privacy Evaluation Subcommittee; though there will be a comment centering on the idea of digital identity and its impact on pseudonymity and anonymity.

Most conversation focused around the technical capabilities to support anonymity and whether it can be achieved; though the committee decided that defining the term will help to ensure these ideas remain relevant in IDESG conversations.

Adam will post the process for updating and approving the terms to ensure the privacy committee is aware of the Taxonomy group’s process and is aware that terms can be revisited. He will also look into the formal process for plenary adoption.

Terms of Reference

The Taxonomy AHG initially came out of work that was being conducted within the Standards Committee and a desire to ensure a common understanding of terminology.
It’s not clear if a “terms of reference” were ever created for the AHG.
Sal believes that the AHGs themselves should not develop their own TORs, but instead their work should be defined by the Plenary and Committees; he wants more input from a broader audience.

Suzanne suggested that shifting to “on-demand” would achieve this goal; the committees of the Plenary would tell us what work they intend to do and how the AHG can help them achieve that work.

Adam proposed we make this the formal approach of the committee going forward; finalizing the three current terms and doing one more review of the glossary to determine if there are any immediate needs first, then shifting to as needed.
Sal sought the sense of the group on whether or not it was worth continuing to work on terms.

Mike suggested only if we are requested to do so by a committee.
Sal agrees, but wants to know why we should pursue the current terms centering on pseudonymity and anonymity.
Mike suggested we had already committed to completing these terms and that several other committees expect them to be finalized.

We will refer to our deliverable as the glossary, the AHG will be known as Taxonomy, and we will eliminate references to terminology on the wiki or elsewhere.
We will continue with Anonymous and Pseudonymous definitions for now.
Sal will continue with development of the AHG’s terms or reference and scope.

Pseudonymous Interaction

The current proposed definition is: An interaction for which the data released is not sufficient to infer the entity involved, but for which multiple interactions to the same relying party may be associated with each other.
The group had previous discussion on anonymous identity, anonymity, and pseudonymity that resulted in the determination to deliberate on “interactions.”
Tom had suggested focusing the definition on intent rather than results. He thinks you cannot force a result but only drive towards intent. Also, he suggested changing data release to claims provided.

Suzanne suggested that it needs to be more than just claims; there is other transactional data involved that should be included in the definition.
Tom thinks this is policy and not technology controllable; it seems beyond the scope of the definition.
Suzanne suggested that the term needs to be able to set a baseline of both Policy and Technology.
Tom thinks that user intent needs to be included if you want to this definition to applicable to policy. The RP needs to know which policy to enforce.
Suzanne suggested that there could be two parts of the definition that addresses policy and technical. Furthermore, the definition should be not be, “this is how you figure out if an interaction is intended to be anonymous or pseudonymous” but, “this is what an anonymous interaction is.”
Seetharama suggested the confusion is around the term “interaction” and that there are too many interaction types to have them covered under a single definition.
Ryan suggested adding the term “collected” to the definition to cover the both what is passed as part of the authentication as well as what is revealed during follow on interactions. Most agreed with this and an updated definition was suggested as: An interaction for which the data released and collected is not sufficient to infer the entity involved, but for which multiple interactions to the same relying party may be associated.

The term Pseudonymous Interactions requires further conversation. Adam will be introducing a new thread on Pseudonymous Interaction on the listserv.

Anonymous Interaction

Based on changes to the “pseudonymous interaction” definition, the following updated definition was proposed for Anonymous Interaction: An interaction for which the data released and collected is not sufficient to infer the entity involved, and for which information to correlate multiple interactions to the same relying party is not provided.

Pseudonymous Digital Identity

Close out

Action	Owner	Due	Status
Submit new definitions for Anonymous and Pseudonymous Interactions	Tom Jones	30 Jan	Complete
Develop udated workplan	Adam Madlin	TBD	In Progress
Provide input to Adam on "Taxonomy Process"	All	6 Feb	In Progress
Develop Terms of Reference	Sal D’Agostino	6 Feb	In Progress
Submit Glossary 1.1 for Plenary approval	Adam Madlin	Feb	In Progress