WAYF acts as 'data processor' on behalf of the institution where you log in.
WAYF does not store any personally identifiable data about users.
A user may ask WAYF to remember his or her consent to the data exchange for one or more services. This information is kept only as one-way hash values, which cannot be turned back into readable data: hashing is not encryption, and there is no key that reverses it.
When you log into a service via WAYF, the information about you released by your institution may be re-used for up to eight hours (a working day), provided you do not close your browser. This re-use is what enables 'single sign-on': you do not have to log in again for every service when you access the same or other WAYF-enabled services within that period.
- By giving consent, you yourself decide whether WAYF may send the information to the service.
- Your consent applies to one visit only at the service you are trying to access; however:
- You may let WAYF remember which services you have consented to exchange data with. That way you do not need to consent again the next time you visit the same service. No personally identifiable information is stored at WAYF.
WAYF provides a consent administration web page where users can manage their consents. When you click on the link you will be asked where you come from. Please log in, so that WAYF receives your up-to-date personal information from your institution. On the page you may withdraw consents you have given earlier, or give consent to data exchange with services. Each service's purpose is described, together with the data that will actually be transferred to it, so you can decide whether you want that information transferred in the future. If your personal information changes (e.g. a change of name), you will be asked to consent again, as every consent is specific to the data presented about you.
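The consent mechanism described above can be modelled with a small store that keeps nothing but hash values. The following is an added illustration, not WAYF's own code, and everything in it is an assumption: the record is a SHA-256 hash over the user's identifier, the service's identifier and the exact attribute set being released, so any change in the released data (a new name, for instance) produces a different record and the user is asked to consent again. The user, service and attribute values are constructed sample data.

```python
import hashlib
import json

# Constructed sample data (not real WAYF data): a user's identifier, a service's
# identifier, and the attribute set the home institution releases for that user.
USER_ID = "ds@example.dk"                  # hypothetical
SERVICE = "https://sp.example.org/saml"    # hypothetical
ATTRS_V1 = {
    "cn": "David Simonsen",
    "schacHomeOrganization": "example.dk",
    "eduPersonAffiliation": ["staff", "member"],
}
# The same user after a name change; every other attribute is unchanged.
ATTRS_V2 = dict(ATTRS_V1, cn="David S. Simonsen")


def canonical(attrs):
    """Serialise an attribute set so equal data always yields identical bytes.

    Keys are sorted and multi-valued attributes are sorted, because attribute
    ordering carries no meaning and must not change the hash.
    """
    norm = {k: sorted(v) if isinstance(v, list) else v for k, v in attrs.items()}
    return json.dumps(norm, sort_keys=True, separators=(",", ":"))


def consent_record(user_id, service, attrs):
    """One-way hash standing for 'this user consented to releasing exactly these
    attributes to this service'. Fields are joined with a separator byte so no
    two different (user, service, attrs) triples serialise alike."""
    material = "\x1f".join([user_id, service, canonical(attrs)]).encode("utf-8")
    return hashlib.sha256(material).hexdigest()


class ConsentStore:
    """Holds only hash values; it never contains names, e-mail addresses or
    other released attributes in readable form."""

    def __init__(self):
        self._records = set()

    def remember(self, user_id, service, attrs):
        self._records.add(consent_record(user_id, service, attrs))

    def withdraw(self, user_id, service, attrs):
        self._records.discard(consent_record(user_id, service, attrs))

    def has_consent(self, user_id, service, attrs):
        # Recomputing the hash from the data currently presented is the only way
        # to query the store: a changed attribute yields a different hash, so
        # the user is asked to consent again.
        return consent_record(user_id, service, attrs) in self._records

    def __len__(self):
        return len(self._records)


def walkthrough():
    """Returns (before_consent, after_consent, after_name_change, other_service)."""
    store = ConsentStore()
    before = store.has_consent(USER_ID, SERVICE, ATTRS_V1)
    store.remember(USER_ID, SERVICE, ATTRS_V1)
    after = store.has_consent(USER_ID, SERVICE, ATTRS_V1)
    renamed = store.has_consent(USER_ID, SERVICE, ATTRS_V2)
    other = store.has_consent(USER_ID, "https://other.example.org/saml", ATTRS_V1)
    return before, after, renamed, other


if __name__ == "__main__":
    print(walkthrough())  # (False, True, False, False)
```

One caveat a practitioner would add: a table of plain hashes reveals nothing on its own, but anyone who obtains it and can guess a user identifier, service and attribute set can confirm the guess by recomputing the hash, which is exactly what `has_consent` does. Keying the hash with a server-side secret (an HMAC) removes that confirmation ability from anyone who does not hold the key.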
WAYF creates attributes
For security reasons, the following attributes are generated by WAYF itself rather than taken from the institution:
- schacHomeOrganization - the domain name of your institution. This is set by WAYF and not by the institution itself, to prevent spoofing (someone impersonating another person or institution). Since WAYF always knows which institution the information originates from, and has no (economic) interest in the access control rules at the services, WAYF is authoritative for this attribute.
- User pseudonyms - see below.
A pseudonym is a 'mask' you may wear to get recognised—without being identified.
If you want to be recognised in the electronic world without revealing your identity, you should use pseudonyms. A pseudonym for the author of this text (David Simonsen) is 'WAYF-DK-8ee5f9ce8db1bff7eb6cd392c39fb6de24938b41'.
If your employer or educational institution has bought general access to a database, collaboration tool or similar, there is no reason for the service to know the identities of individual users. For the service to grant access it suffices to know which institution a given user is affiliated with. Pseudonyms are personal and may therefore be used to personalise web pages or let users continue where they left off last time they used the service. All the service needs to know is that the present user is the same user as last time—not who the user is.
Many aspects of our daily lives are lived on the net: we shop, communicate, pursue hobbies etc. The business of web-based targeted advertising has grown fast and is getting increasingly sophisticated through data mining, behavioural pattern searching etc. A new economy has risen in the shade of the many web-based services, which now exchange 'experience' about their users, often for money. One way of protecting users (consumers) against cross-service analysis, and thereby protecting their privacy, is to use pseudonyms in the electronic world. Why should your travel agent or insurance company know your preferences for food, medication, underwear etc.?
Pseudonyms must live up to the following three requirements:
- a given user's pseudonym must be the same every time, to make her recognisable;
- different services (i.e. web sites) must receive different pseudonyms (service-specific pseudonyms), to prevent cross-service data mining;
- it must be technically possible, but really hard, to find the person behind the pseudonym (which by definition is not possible for anonymous persons).
When logging into a website using the eID federation WAYF, predefined personal information is transferred from the user's home institution, via WAYF, to the service. WAYF has a secret formula for calculating personal, service-specific pseudonyms. The formula takes the name of the service as input (which makes the pseudonym service-specific) as well as the name of the user (which makes it personal); without the secret, neither the service nor the institution can compute it.
Once the service recognises the user, it may personalise the interface and/or functions without knowing the identity of the user.
If a serious abuse case occurs (e.g. one investigated by the police), the service will only know the pseudonym of the user, not her identity. WAYF does not store any personal information and can therefore only contribute to the investigation with the secret formula for the pseudonyms.
Equipped with the abuser's pseudonym and the secret formula, the pseudonyms for that service can be recalculated for all users in all user databases connected to WAYF. When a match is found, the identity of the abuser is revealed.
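The three requirements, the secret formula and the investigation procedure above can be demonstrated together. What follows is an added example, not WAYF's own code or its actual formula, which the page keeps secret. It assumes the pseudonym is an HMAC-SHA1 keyed with a secret held only by the federation, computed over the service identifier and the user identifier and prefixed 'WAYF-DK-' (the 40 hex digits match the width of the author's example pseudonym, but the keyed construction itself is an assumption). The secret, the institutions, their user databases and the service names are all constructed sample data.

```python
import hashlib
import hmac

# Hypothetical federation secret. Only the trusted third party holds it; a
# service or institution without it cannot compute or check any pseudonym.
FEDERATION_SECRET = b"constructed-secret-held-only-by-the-federation"

PREFIX = "WAYF-DK-"


def pseudonym(secret, service_id, user_id):
    """Personal, service-specific pseudonym (assumed construction: HMAC-SHA1).

    The service identifier and the user identifier both go into the keyed hash,
    so the value is stable per (service, user) and differs between services.
    """
    material = f"{service_id}\x1f{user_id}".encode("utf-8")
    return PREFIX + hmac.new(secret, material, hashlib.sha1).hexdigest()


# Constructed user databases of two connected institutions (sample data).
DIRECTORIES = {
    "example.dk": ["alice@example.dk", "bob@example.dk"],
    "uni.example": ["carol@uni.example", "dave@uni.example"],
}
SERVICE_A = "https://library.example.org"   # hypothetical service
SERVICE_B = "https://collab.example.net"    # hypothetical service


def reidentify(secret, service_id, suspect, directories):
    """The investigation step: recompute the pseudonym for every user in every
    connected database for the service where the abuse occurred, and stop at
    the first match. Returns (institution, user_id) or None."""
    for institution, users in directories.items():
        for uid in users:
            if hmac.compare_digest(pseudonym(secret, service_id, uid), suspect):
                return institution, uid
    return None


def cross_service_links(secret, directories, service_x, service_y):
    """What someone joining the user tables of two services could learn:
    the number of pseudonyms that appear at both services."""
    seen_x = {pseudonym(secret, service_x, u) for users in directories.values() for u in users}
    seen_y = {pseudonym(secret, service_y, u) for users in directories.values() for u in users}
    return len(seen_x & seen_y)


def requirements_hold(secret, directories, service_x, service_y):
    """Check the three requirements stated in the text against the sample data."""
    all_users = [u for users in directories.values() for u in users]
    # 1. Stable: the same user gets the same pseudonym every time at one service.
    stable = all(pseudonym(secret, service_x, u) == pseudonym(secret, service_x, u) for u in all_users)
    # 2. Service-specific: the same user looks different at two services.
    service_specific = all(pseudonym(secret, service_x, u) != pseudonym(secret, service_y, u) for u in all_users)
    # Distinct users must not collide at the same service, or recognition breaks.
    distinct = len({pseudonym(secret, service_x, u) for u in all_users}) == len(all_users)
    # 3. Re-identification is possible with the secret and fails without it.
    target = pseudonym(secret, service_x, "carol@uni.example")
    with_secret = reidentify(secret, service_x, target, directories) == ("uni.example", "carol@uni.example")
    without_secret = reidentify(b"wrong-guess", service_x, target, directories) is None
    return stable and service_specific and distinct and with_secret and without_secret


if __name__ == "__main__":
    print(requirements_hold(FEDERATION_SECRET, DIRECTORIES, SERVICE_A, SERVICE_B))  # True
    print(cross_service_links(FEDERATION_SECRET, DIRECTORIES, SERVICE_A, SERVICE_B))  # 0
```

Two things the code makes visible that the prose leaves implicit. First, "really hard" applies only to parties without the secret: for the key holder, re-identification is a linear scan over all connected user databases, and the pseudonyms of every user for every service could be precomputed at will, so the secret is the entire privacy guarantee and must be protected and access-logged accordingly. Second, rotating that secret changes every pseudonym at every service, so key rotation is not a routine operation in this design.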
With this three-party pseudonymisation (user data, formula and result held by three different parties) users can rely on the pseudonyms being used only for recognition, not for identification. With WAYF as the trusted third party generating the pseudonyms, data mining across services is not possible through the pseudonyms alone, since each service receives a different one (this holds as long as no other identifying attributes, such as a name or e-mail address, are released alongside the pseudonym). Nor can services look up users' identities at their home institutions, as the formula is known only to the trusted third party.
Around 800,000 Danish electronic identities can already take advantage of WAYF-generated pseudonyms today.