[IUCC-GDPR] Eduroam and GDPR

Eli Beker eli.beker at iucc.ac.il
Mon Dec 18 20:46:31 IST 2017


Which leads to the user location...

On Dec 18, 2017 20:38, Ariel Biener <ariel at aristo.tau.ac.il> wrote:
This is not the use IP address, it is the NAS IP address,
usually the wireless controller.


בברכה,





אריאל בינר
מנהל יחידת תשתיות ותפעול , אגף מחשוב וטכנולוגיות מידע
משרד: 03-6406086 | פקס: 03-6405158
דוא"ל: ariel at aristo.tau.ac.il<mailto:maayanta at tauex.tau.ac.il>   | אתר:  http://www.tau.ac.il<http://www.tau.ac.il/>


On 18 Dec 2017, at 11:22, Eli Beker <eli.beker at iucc.ac.il<mailto:eli.beker at iucc.ac.il>> wrote:


The visited site knows the user's account, which in most cases is the email and user name, and the IP of the users logged through.

See real example from the eduroam server below.

My believe a pseudoanonymization can be easily achieved by providing the users a unique identifier for eduroam and other federated services, which contains no personal data, where only the home institute will be able to identify the user, authenticate and authorize him/her. some already do that..



        User-Name = "XXXX at win.tu-berlin.de<mailto:XXXX at win.tu-berlin.de>"

        NAS-IP-Address = 132.72.207.2

        NAS-Identifier = "WLC_4404_BGU"

        User-Name = "YYYY at uibk.ac.at<mailto:YYYY at uibk.ac.at>"

        NAS-IP-Address = 132.72.207.2

        NAS-Identifier = "WLC_4404_BGU"

        User-Name = "ZZZZ at uibk.ac.at<mailto:ZZZZ at uibk.ac.at>"

        NAS-IP-Address = 132.72.207.2

        NAS-Identifier = "WLC_4404_BGU

        User-Name = "AAAA at unipv.it<mailto:AAAA at unipv.it>"

        NAS-IP-Address = 132.72.207.9

        NAS-Identifier = "eduroam"

      User-Name = "BBBB at uni-wh.de<mailto:BBBB at uni-wh.de>"

        NAS-IP-Address = 132.64.1.222

        NAS-Identifier = "wlc-a"



-eli



From: gdpr-bounces at noc.ilan.net.il<mailto:gdpr-bounces at noc.ilan.net.il> [mailto:gdpr-bounces at noc.ilan.net.il] On Behalf Of Roy Shapira
Sent: Monday, December 18, 2017 9:00 AM
To: Hank Nussbacher <Hank at mail.iucc.ac.il<mailto:Hank at mail.iucc.ac.il>>; GDPR <gdpr at iucc.ac.il<mailto:gdpr at iucc.ac.il>>
Subject: Re: [IUCC-GDPR] Eduroam and GDPR





So the Geist of it is that supposedly  :



“

The visited site only knows where a roaming user comes from, not who they are, and sees no username, e-mail address or other information that would allow them to contact the user directly.

”





בברכה,



<image002.jpg>


רועי שפירא | CISO
מנהל אבטחת מידע

הרשות למחשוב, תקשורת ומידע
האוניברסיטה העברית בירושלים
T +972-2-549-4969 | M +972-50-699-2414
roy.shapira at savion.huji.ac.il<mailto:roy.shapira at savion.huji.ac.il>




“There are known knowns; … there are known unknowns… But there are also unknown unknowns…  it is the latter category that tend to be the difficult ones.”

Donald Rumsfeld, 12 February 2002.







From: gdpr-bounces at noc.ilan.net.il<mailto:gdpr-bounces at noc.ilan.net.il> [mailto:gdpr-bounces at noc.ilan.net.il] On Behalf Of Hank Nussbacher
Sent: Friday, December 15, 2017 12:27
To: GDPR <gdpr at iucc.ac.il<mailto:gdpr at iucc.ac.il>>
Subject: [IUCC-GDPR] Eduroam and GDPR



בסדנא שלנו ביום רביעי נשאלה השאלה בנושא EDUROAM + GDPR.

ראה בלוג של ה- NREN באנגליה:

https://community.jisc.ac.uk/blogs/regulatory-developments/article/gdpr-wifi-access



בברכה,

הנק

_______________________________________________
GDPR mailing list
GDPR at noc.ilan.net.il<mailto:GDPR at noc.ilan.net.il>
http://noc.ilan.net.il/mailman/listinfo/gdpr

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://noc.ilan.net.il/pipermail/gdpr/attachments/20171218/712deb47/attachment-0001.html>


More information about the GDPR mailing list