[IUCC-GDPR] Eduroam and GDPR
Hank Nussbacher
Hank at mail.iucc.ac.il
Mon Dec 18 21:31:02 IST 2017
Geant has created a Wiki page to track all services and systems that will be affected by GDPR and what needs to be done:
https://wiki.geant.org/pages/viewpage.action?pageId=82641501
Not much there yet but supposedly that is where they will document what needs to be done, if anything.
-Hank
From: Ariel Biener [mailto:ariel at aristo.tau.ac.il]
Sent: 18 December 2017 20:56
To: Eli Beker <eli.beker at iucc.ac.il>
Cc: Roy Shapira <roys at savion.huji.ac.il>; Hank Nussbacher <Hank at mail.iucc.ac.il>; GDPR <gdpr at iucc.ac.il>
Subject: Re: [IUCC-GDPR] Eduroam and GDPR
Yup.
This data can be anonymized after a month or so.
This requirement, amongst others, steers us towards
centralizing logs using ELK like infrastructure, allowing
to perform anonymizing after a set period a lot easier
than by going over text files.
בברכה,
אריאל בינר
מנהל יחידת תשתיות ותפעול , אגף מחשוב וטכנולוגיות מידע
משרד: 03-6406086 | פקס: 03-6405158
דוא"ל: ariel at aristo.tau.ac.il<mailto:maayanta at tauex.tau.ac.il> | אתר: http://www.tau.ac.il<http://www.tau.ac.il/>
On 18 Dec 2017, at 20:46, Eli Beker <eli.beker at iucc.ac.il<mailto:eli.beker at iucc.ac.il>> wrote:
Which leads to the user location...
On Dec 18, 2017 20:38, Ariel Biener <ariel at aristo.tau.ac.il<mailto:ariel at aristo.tau.ac.il>> wrote:
This is not the use IP address, it is the NAS IP address,
usually the wireless controller.
בברכה,
אריאל בינר
מנהל יחידת תשתיות ותפעול , אגף מחשוב וטכנולוגיות מידע
משרד: 03-6406086 | פקס: 03-6405158
דוא"ל: ariel at aristo.tau.ac.il<mailto:maayanta at tauex.tau.ac.il> | אתר: http://www.tau.ac.il<http://www.tau.ac.il/>
On 18 Dec 2017, at 11:22, Eli Beker <eli.beker at iucc.ac.il<mailto:eli.beker at iucc.ac.il>> wrote:
The visited site knows the user's account, which in most cases is the email and user name, and the IP of the users logged through.
See real example from the eduroam server below.
My believe a pseudoanonymization can be easily achieved by providing the users a unique identifier for eduroam and other federated services, which contains no personal data, where only the home institute will be able to identify the user, authenticate and authorize him/her. some already do that..
User-Name = "XXXX at win.tu-berlin.de<mailto:XXXX at win.tu-berlin.de>"
NAS-IP-Address = 132.72.207.2
NAS-Identifier = "WLC_4404_BGU"
User-Name = "YYYY at uibk.ac.at<mailto:YYYY at uibk.ac.at>"
NAS-IP-Address = 132.72.207.2
NAS-Identifier = "WLC_4404_BGU"
User-Name = "ZZZZ at uibk.ac.at<mailto:ZZZZ at uibk.ac.at>"
NAS-IP-Address = 132.72.207.2
NAS-Identifier = "WLC_4404_BGU
User-Name = "AAAA at unipv.it<mailto:AAAA at unipv.it>"
NAS-IP-Address = 132.72.207.9
NAS-Identifier = "eduroam"
User-Name = "BBBB at uni-wh.de<mailto:BBBB at uni-wh.de>"
NAS-IP-Address = 132.64.1.222
NAS-Identifier = "wlc-a"
-eli
From: gdpr-bounces at noc.ilan.net.il<mailto:gdpr-bounces at noc.ilan.net.il> [mailto:gdpr-bounces at noc.ilan.net.il] On Behalf Of Roy Shapira
Sent: Monday, December 18, 2017 9:00 AM
To: Hank Nussbacher <Hank at mail.iucc.ac.il<mailto:Hank at mail.iucc.ac.il>>; GDPR <gdpr at iucc.ac.il<mailto:gdpr at iucc.ac.il>>
Subject: Re: [IUCC-GDPR] Eduroam and GDPR
So the Geist of it is that supposedly :
“
The visited site only knows where a roaming user comes from, not who they are, and sees no username, e-mail address or other information that would allow them to contact the user directly.
”
בברכה,
<image002.jpg>
רועי שפירא | CISO
מנהל אבטחת מידע
הרשות למחשוב, תקשורת ומידע
האוניברסיטה העברית בירושלים
T +972-2-549-4969 | M +972-50-699-2414
roy.shapira at savion.huji.ac.il<mailto:roy.shapira at savion.huji.ac.il>
“There are known knowns; … there are known unknowns… But there are also unknown unknowns… it is the latter category that tend to be the difficult ones.”
Donald Rumsfeld, 12 February 2002.
From: gdpr-bounces at noc.ilan.net.il<mailto:gdpr-bounces at noc.ilan.net.il> [mailto:gdpr-bounces at noc.ilan.net.il] On Behalf Of Hank Nussbacher
Sent: Friday, December 15, 2017 12:27
To: GDPR <gdpr at iucc.ac.il<mailto:gdpr at iucc.ac.il>>
Subject: [IUCC-GDPR] Eduroam and GDPR
בסדנא שלנו ביום רביעי נשאלה השאלה בנושא EDUROAM + GDPR.
ראה בלוג של ה- NREN באנגליה:
https://community.jisc.ac.uk/blogs/regulatory-developments/article/gdpr-wifi-access
בברכה,
הנק
_______________________________________________
GDPR mailing list
GDPR at noc.ilan.net.il<mailto:GDPR at noc.ilan.net.il>
http://noc.ilan.net.il/mailman/listinfo/gdpr
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://noc.ilan.net.il/pipermail/gdpr/attachments/20171218/68fc5b98/attachment-0001.html>
More information about the GDPR
mailing list