[IUCC-GDPR] Eduroam and GDPR

Hank Nussbacher Hank at mail.iucc.ac.il
Mon Dec 18 21:31:02 IST 2017


Geant has created a Wiki page to track all services and systems that will be affected by GDPR and what needs to be done:
https://wiki.geant.org/pages/viewpage.action?pageId=82641501
Not much there yet but supposedly that is where they will document what needs to be done, if anything.

-Hank

From: Ariel Biener [mailto:ariel at aristo.tau.ac.il]
Sent: 18 December 2017 20:56
To: Eli Beker <eli.beker at iucc.ac.il>
Cc: Roy Shapira <roys at savion.huji.ac.il>; Hank Nussbacher <Hank at mail.iucc.ac.il>; GDPR <gdpr at iucc.ac.il>
Subject: Re: [IUCC-GDPR] Eduroam and GDPR

Yup.

This data can be anonymized after a month or so.

This requirement, amongst others, steers us towards
centralizing logs using ELK-like infrastructure, which makes
anonymizing after a set period a lot easier
than going over text files.
Regards,

Ariel Biener
Head of the Infrastructure and Operations Unit, Computing and Information Technology Division
Office: 03-6406086 | Fax: 03-6405158
E-mail: ariel at aristo.tau.ac.il | Website: http://www.tau.ac.il


On 18 Dec 2017, at 20:46, Eli Beker <eli.beker at iucc.ac.il> wrote:
Which leads to the user location...

On Dec 18, 2017 20:38, Ariel Biener <ariel at aristo.tau.ac.il> wrote:
This is not the user IP address, it is the NAS IP address,
usually the wireless controller.


Regards,

Ariel Biener
Head of the Infrastructure and Operations Unit, Computing and Information Technology Division
Office: 03-6406086 | Fax: 03-6405158
E-mail: ariel at aristo.tau.ac.il | Website: http://www.tau.ac.il


On 18 Dec 2017, at 11:22, Eli Beker <eli.beker at iucc.ac.il> wrote:

The visited site knows the user's account, which in most cases is the email and user name, and the IP the user logged in through.

See real example from the eduroam server below.

I believe pseudo-anonymization can be easily achieved by providing the users a unique identifier for eduroam and other federated services, which contains no personal data, where only the home institute will be able to identify the user, authenticate and authorize him/her. Some already do that.



        User-Name = "XXXX at win.tu-berlin.de"
        NAS-IP-Address = 132.72.207.2
        NAS-Identifier = "WLC_4404_BGU"

        User-Name = "YYYY at uibk.ac.at"
        NAS-IP-Address = 132.72.207.2
        NAS-Identifier = "WLC_4404_BGU"

        User-Name = "ZZZZ at uibk.ac.at"
        NAS-IP-Address = 132.72.207.2
        NAS-Identifier = "WLC_4404_BGU"

        User-Name = "AAAA at unipv.it"
        NAS-IP-Address = 132.72.207.9
        NAS-Identifier = "eduroam"

        User-Name = "BBBB at uni-wh.de"
        NAS-IP-Address = 132.64.1.222
        NAS-Identifier = "wlc-a"



-eli



From: gdpr-bounces at noc.ilan.net.il [mailto:gdpr-bounces at noc.ilan.net.il] On Behalf Of Roy Shapira
Sent: Monday, December 18, 2017 9:00 AM
To: Hank Nussbacher <Hank at mail.iucc.ac.il>; GDPR <gdpr at iucc.ac.il>
Subject: Re: [IUCC-GDPR] Eduroam and GDPR





So the gist of it is that supposedly:

“The visited site only knows where a roaming user comes from, not who they are, and sees no username, e-mail address or other information that would allow them to contact the user directly.”





Regards,

Roy Shapira | CISO
Information Security Manager
Authority for Computing, Communication and Information
The Hebrew University of Jerusalem
T +972-2-549-4969 | M +972-50-699-2414
roy.shapira at savion.huji.ac.il

“There are known knowns; … there are known unknowns… But there are also unknown unknowns…  it is the latter category that tend to be the difficult ones.”
Donald Rumsfeld, 12 February 2002.







From: gdpr-bounces at noc.ilan.net.il [mailto:gdpr-bounces at noc.ilan.net.il] On Behalf Of Hank Nussbacher
Sent: Friday, December 15, 2017 12:27
To: GDPR <gdpr at iucc.ac.il>
Subject: [IUCC-GDPR] Eduroam and GDPR



At our workshop on Wednesday, the question of EDUROAM + GDPR was raised.

See the blog of the NREN in England:

https://community.jisc.ac.uk/blogs/regulatory-developments/article/gdpr-wifi-access

Regards,

Hank
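
The "anonymize after a set period" idea from this thread, applied to records carrying the attributes quoted above, as an added example that is not part of any message in the thread. It assumes a FreeRADIUS-style detail layout (a timestamp line heading each record), a 30-day window, and a keyed hash as the replacement value; the sample records, key and function names are constructed.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta

RETENTION = timedelta(days=30)   # assumption: "a month or so" taken as 30 days
KEY = b"constructed-demo-key"    # assumption: secret held only by the log owner

# Constructed sample records: timestamp header line, then indented attributes.
SAMPLE = """\
Wed Nov  1 09:15:00 2017
\tUser-Name = "alice@example.org"
\tNAS-IP-Address = 192.0.2.2
\tNAS-Identifier = "wlc-demo"

Sun Dec 17 10:00:00 2017
\tUser-Name = "bob@example.net"
\tNAS-IP-Address = 192.0.2.9
\tNAS-Identifier = "wlc-demo"
"""

USER_RE = re.compile(r'^(\s*User-Name\s*=\s*")([^"]*)(")', re.M)


def pseudonym(user_name, key=KEY):
    """Swap the local part for a keyed hash; keep the realm (home institution)."""
    name = user_name.strip().lower()
    _local, sep, realm = name.rpartition("@")
    if not sep:                   # no realm present: nothing to preserve
        realm = ""
    tag = hmac.new(key, name.encode(), hashlib.sha256).hexdigest()[:16]
    return f"anon-{tag}{sep}{realm}"


def anonymize_old(text, now, retention=RETENTION, key=KEY):
    """Rewrite User-Name only in records older than the retention window."""
    out = []
    for record in text.strip().split("\n\n"):
        header, _, body = record.partition("\n")
        stamp = datetime.strptime(" ".join(header.split()), "%a %b %d %H:%M:%S %Y")
        if now - stamp > retention:
            body = USER_RE.sub(
                lambda m: m.group(1) + pseudonym(m.group(2), key) + m.group(3), body)
        out.append(header + "\n" + body)
    return "\n\n".join(out) + "\n"


if __name__ == "__main__":
    print(anonymize_old(SAMPLE, now=datetime(2017, 12, 18, 21, 31)))
```

While the key is retained the rewritten records are pseudonymized rather than anonymous, since the key holder can recompute a tag from a known user name; destroying the key removes that ability.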