Life in Madison »

25 MPH on a Cargo Bike
[4 Sep 2008 | No Comment | 45 views]

I had an 8:30 AM meeting this morning, it was raining and I was running around looking for my rain gear (helmet cover, shoe covers, leg warmers, etc). It was 92 degrees F yesterday - the warmest day of the year. This morning, the remnants of Gustav rolled into town. They will go North with me up to Door County for my century ride on Sunday but that’s another story.

I finally race out of the house running about 10 minutes behind when I should have left. I get on my bike and I start cranking it out to get into work. I see a guy (Mike it turns out), riding past the house on a cargo bike.

He is going North on Gilbert (which runs on the West side of our house). I head out East on Dorsett. We are traveling perpendicular paths to each other. I turn left on Luan and I see Mike on Hammersly. I turn right on Hammersly and Mike is ahead of me also heading for the South-West bike path.
We climb the fly-over and head out on the trail proper. I pass him on the flats and say, “Good morning”. He says, “Good morning”. I ‘m still cranking away because I’m running late. I get to the first stop sign and I realize that he is in my draft. He says, “You’ve got fenders so I can draft properly” and we both laugh. We get a break in traffic, both cross Midvale Blvd and take off. Mike pulls out in the lead like he is going to pull for a while.
First off: this is strange. I get a lot of people who suck my back wheel into or out of work. Rarely to they swap leads with me.
Well, I’m glad for the help because it is raining and I’m late. He pulls for a while, I swap and take lead and cruise to the next stop. We cross Odana and Mike pulls out. I start to chase him down to get in his draft but he is flying. I look at my computer - 25.3 MPH. “Man, this guy is cranking on a cargo bike. He must be a monster.” I pull out the stop and get in his draft for while then it is my turn to take lead. I pull out around him.
(I will say that he looked surprised when I took the lead again.)
I’m thinking to myself, “well, if he is going pull us at 25 MPH, I’ll pull at 25 MPH.” I’m on my commuter bike with full fenders, a rack and a 12 pound pannier with lunch, change of clothes and all my miscellany in it. I’m working hard but if we’re going to do a 25 MPH pace, then dammit, I’m going to take my pull.
Suddenly Mike (as I later learn his name is) pulls along side and says, ” You do know I’m cheating don’t you? I mean, I hate to let people think that this is all human power. Have a look down there.” He nods his head, pointing back behind his legs. I look down. He has an electric assist motor. It provides 100-300 Watts of assist to his pedaling!
Ha! I’m killing myself to pull a guy with a motor. He does do a long commute as I learn (about 15 miles each way).
We had a good laugh and a good chat on the rest of the way in.
That’s what love about bike commuting - the laughs and camaraderie.

Enterprise Architecture, IT Architecture, JimPhelps, Work »

Advanced CAMP - Part 3
[20 Jun 2008 | No Comment | 6 views]

Merri Beth Lavagnino - Privacy and Policy

Policy and privacy are really consideration of the human aspects and impacts of technology.  Policies are: strategic direction and operating philosophy (which are usually informal and cultural), Public and Institutional policies (these are both documented and usually legal documents).

Institutional policy - a statement that reflect the philosophies and values of the project, service, organization or federation.  Policies should be clear and concise, applicable across a wide range of activities and should not change very much.

Why create a policy?

• When reasonable people disagree
• To guide thinking when making decisions
• To correct repeated misbehavior
• When there are significant risks or liabilities
• In response to external forces like regulation or law

Where does the policy apply?  Federation, Institution, Service

Real-life stories:

• Email Outsourcing:  vendors proposed that we would do incident response and legal requests for both students and alumni.  There was no policy that said they had to be in charge and n control.  She took the discussion back to the original goals for the project. (1) Improve and add services for students and (2) reduce their costs.  So they did not take on the incident response because that would not reduce the costs.  That was the policy that helped inform the decision.
• Course Management System:  they changed their course management model.  They began to get incident reports because the new service didn’t match the old policies for the previous system.
• Virtualization:  They moved to a new virtualized systems.  The old policies where around knowing that super-hot data is on a specific machine, with a specific system admin.  Now, they didn’t know what machine had the data and all sys admins might have access.  Had to expand training and the understanding of how they would manage super-hot data.
• InCommon Agreement:  Thought that went very well.

“A policy is a temporary creed liable to be changed, but while it holds good it has got to be pursued with apostolic zeal.”  Mohandas K. Gandhi

Privacy:

Categories of privacy harms:

• Intrusions : They come into your space and contact you and tell you what to do (spam, cold calls)
• Information Collection:  They watch what you are doing more than they should (tracking, interrogation, etc)
• Information Processing:  They have a lot of data about you, and they do things with it. (data mining)  Need to watch out for secondary use - collect for one reason then use it for another reason.
• Information Dissemination:  They disclose data about you, perhaps more than you think they should.  (Transferring data, true or false facts)

Fair Information Practice Principles:  The FTC drafted these principles and they do enforce them.  Higher Ed is not under the FTC’s jurisdiction but users are expecting these principles to be met.  If we don’t

• Notice/Awareness:  User should be given notice of your information practices, in order to make an informed choice about whether to provide information.
• Choice/Consent:  User should be given options as to how any personal information collected from them may be used.
• Access Participation:  Users should be given access to the data held about them, and ability to contest that data’s accuracy and completeness.
• Integrity/Security:  data should be secure and accurate
• Enforcement/Redress:  there should be a mechanism in place to enforce fair information practices and it should include appropriate means of recourse by injured parties.  At a minimum, you should right the wrong.

Ken Klingenstein: Federated Identity and Data Protection Law

Good quote from Ken K:  “This is an attempt to bring trust to internet via technology not just because it is just us chickens”.
EU Law Directive 95/46/EC :  You can process personal data when it is required to perform contact, required to satisfy legal duty or consent.

Identity Providers must identify which services are necessary for education and research.  Must inform the users.  May seek users’ informed freed consent to release personal data to other services.  You have to show why it is important.    Should have a data process/data controller agreement with all service providers to whom personally identifiable data is released.  Must ensure adequate protection of any data released to services outside the EU.  We have to play by the EU rules.

Service Providers must consider whether personally identifiable information is necessary for their service or whether anonymous identifiers are sufficient.  You may request personal information from users but you must inform.

There is no normalized definition of what Personal Identifiable Information (PII).  There are questions about email addresses:  if it is a third party email address it might not be but a .edu address might be.  So the content might be more important than the field.

IP Addresses - if it is a dynamic address it is not PII.  So, unless you know it is a dynamic address, then you have to treat it as PII.

EduPerson Targeted ID - this is going to the EU privacy commission this Fall.  It is a 32 bit opaque identifier that is different per site visited.

OASIS Cross-Enterprise Security and Privacy Authorization (XSPA) - just formed group.  A mechanism to allow consent agreements flow with data.  The first and dominant Use Case is health care.  Looking for other Use Cases.  Does this make consent a new service in our loosely coupled service?  Do services need to be consent aware?

Report Out from Discussion Sessions:

Data Modeling Group:

Modeling person and organization data.  Modeling of organization data is remarkably difficult not just in the nature of the data but also in the resistance that you get from organizations to being characterized.  Multiple organization charts - financial, hr and reporting structure.  The characterizations can be political.  Are there pressures that will lead to the marginalization old way of doing things?  Organizations that don’t want to be characterized may not get services.

Service Discovery:

What would a service description look like:  what is it called, cost, how to call it, operational context (where is it physically located).  Discussion about how you describe the service, how do you recognize similar services in distributed locations.  Talked about the grid is doing this with their RNA.

What is happening today: people using Google to search for services and looking for a WSDL.

How do you get consent?  What about promises and claims?  What about a directory of all the services?  What about a directory of directory?  You could have a convention for naming the directory so you could at least find the directories.

DNS works for finding things.

Governance:

Domain Governance - governance revolves around an application or a data element, or attribute (student ID).  These models will have to evolve to domain governance: enrollment, IdM etc.

Who owns the data especially as the data is transformed and sent along the ESB?  Services are requesting the data that can then be used by other services.

SLAs - keeping tracking of who can use the use the service.

The need for a directory of services especially in emergency notification.  There is also a need to know who is consuming services so you can notify on changes.

What is being done now on campuses?  It is evolving on campuses.  Identity and Access Management is a domain that is being governed  as a domain at Penn State.

Saint Louis University has a good examples of domains in higher education that need to be governed as a domain.

Lightening Talks:

Rob Carter:  Tracking and Authenticating IP in Cyberspace

We had all of our resources stored inside the walls of the institution.  We now see with cloud computing and Web 2.0 applications, our intellectual property out in the cloud.  How do we track the reuse of them?  How do we contextualize the content.

How do we know that it is really and artifact of mine and not someone spoofing my creations?

Could solve this with digital signatures.  What if we could add metadata before it goes out into the cloud.  Get a signature of the object and attach the signature to the object or store it elsewhere.

How does this align with Creative Commons licensing efforts.  You can search and crawl for for CC licensed objects that you use.

Loretta Auvil:  Music Analysis.

Dynamic analysis of a Tom Lehrer file.    Very entertaining.

Scotty Logan:  IAM Services and Well Behaved Apps

If every app does its own thing, there is no real management.

Trust the container:  Identity - you can get a user name from Tomcat et al, Authentication, Authorization

Have the container provider the groups and privileges as a URI

OAuth.net - a specification developed by a group to solve the “I want my Flickr protected photos on Facebook but I don’t want to give you my Flickr username and password”.

Technorati Tags: CAMP, EDUCAUSE, IT Architecture, Policy