OKKAM Community Portal


Terms of Use


OKKAM User Data Privacy Policy

Last updated on November 26, 2009


1. General Scope

This policy applies to user private information stored or held by the OKKAM project. The Project governs user private information as closely as possible in line with Regulation (EC) 45/2001 [1].

OKKAM (referred to hereafter as the Project) is a large-scale integrating project funded by the European Commission under the 7th Framework Program. The Project provides a scalable and sustainable infrastructure, called the Entity Name System (ENS), for making systematic reuse of global and unique entity identifiers. The ENS stores identifiers for entities and provides a collection of core services needed to support their pervasive reuse.

The Project is collaboratively developed by its users using the Project's software and ENS core services, and any third-party services based on the Project's software and core services.

This policy does not cover privacy aspects of entities and their global identifiers stored at the ENS servers. This policy covers users' personally identifiable information collected or stored by the Project on its servers in relation to the Project's activities and its community process. The Project collects and retains the least amount of personally identifiable information needed to fulfill the Project's operational needs.

Registration is not required for use of some of the Project's services. Anonymous access to the Project ENS system is allowed for those services intended for open and uncontrolled community access. An example of such a service is the ENS entity query service which, when accessed publicly, returns only the results filtered for the general public.

Registration is required for use of other ENS services: anyone with Internet access (and not otherwise restricted from doing so) may create ENS entities by logging in as a registered user, and may edit ENS entities by logging in as a registered user and, whenever necessary, attesting possession of administrator privilege.

By creating and editing ENS entities, users create a published document, and a public record of every word added, subtracted, or changed. This is a public act, and users are identified internally as the author of such changes (for example by logging such information). All contributions made to the Project, and all publicly available information about those contributions, are irrevocably licensed and may be freely copied, quoted, reused and adapted by third parties with few restrictions.

Interactions with the Project not covered by this Policy include, but are not limited to, browsing the Project's pages, use of the Project "e-mail user" function, subscribing and posting to the Project-hosted e-mail lists, and corresponding with volunteers via the Project's communication means. These interactions may reveal a contributor's IP address, and possibly other personal information, indiscriminately to the general public, or to specific groups of volunteers acting independently of the Project.

Users may interact with one another outside of the Project system, via email, IRC or other chat, or independent websites, and should assess the risks involved, and their personal need for privacy, before using these methods of communication.

1.1. Purpose of the collection of private information

The Project limits the collection of personally identifiable user data to purposes that serve the well-being of the Project, including but not limited to the following:

  • To enhance the public accountability of the Project. The Project recognizes that any system that is open enough to allow the greatest possible participation of the general public will also be vulnerable to certain kinds of abuse and counterproductive behavior. The Project and the community have established a number of mechanisms to prevent or remedy abusive activities. For example, when investigating abuse of data, including the suspected use of malicious "sockpuppets" (duplicate accounts), vandalism, harassment of other users, or disruptive behavior, the IP addresses of users (derived either from the server logs or from records in the database) along with their registered personal information may be used to identify the source(s) of the abusive behavior. This information may be shared by users with administrative authority who are charged by the community with protecting the Project.
  • To provide site statistics. The Project stores raw log data from users' interactions. These logs are used to produce the site statistics pages; the raw log data is not made public.
  • To solve technical problems. Log data may be examined by developers in the course of solving technical problems and in tracking down badly-behaved web spiders that overwhelm the Project's system.


2. Privacy Statements

2.1. What information is collected and through which technical means

Upon successful registration, a user obtains his/her registration data in a single file encrypted with the password specified in the registration form. The registration data includes: (i) the user's private key and the corresponding public-key certificate (also known as the identity certificate), digitally signed by one of the Project's trusted certification authorities, and (ii) the set of the Project's trusted certification authorities, forming a chain of trust up to the user's public-key certificate. The user's public-key certificate includes the user's distinguished name, the user's public key, and the distinguished name of the issuing certification authority.

A user is identified by his/her distinguished name, which is composed of personal information such as first and last names, country of residence, organization of current employment, e-mail address and username.

The username exists only for the user's convenience when handling the registration data. It has no special role and need not be unique (in contrast to classical username/password authentication systems). Technically, the username is used only to refer to the user's private-key entry (the alias of the key entry) inside the registration file.

The e-mail address, a mandatory part of the registration data, is used as a unique identifier in order to avoid registration of duplicate records. The e-mail address provides the only means the Project communicates with a user. The Project does not guarantee that the e-mail address will be changed on request.

Users select a password, which is confidential and used only on the user's side to protect and verify the integrity of the registration data. The ENS system does not store users' passwords. Except insofar as the law may require it, no person should disclose or knowingly expose user passwords.

The data obtained from the registration process and stored in the Project's system includes the user's public-key certificate and, if the user explicitly agrees, the private-key information corresponding to that certificate. In case of a forgotten password or lost registration data, the user can recover the registration data through the Project's registration data recovery service, but only if the user's private-key information is stored in the ENS system.

The user account information contains enough information for the Project to have reasonable confidence that its subsequent usage is by the user only, or by someone with access to the information the user provided (including the password).

The Project also grants users special attribute-based privileges (also called credentials) for the well-being of the Project and the growth of its community. An attribute certificate contains the user's distinguished name (the same as in the user's public-key certificate), the attribute the user possesses, and the distinguished name of the issuer that signed the attribute certificate.

All users wishing to obtain an attribute certificate must be registered ENS users. Attribute certification is a non-automated process, and depending on the attribute one wishes to obtain, it requires a specific authorization process by a dedicated ENS community user qualified as "ENS Public Authorization Manager".

For example, if a registered user wishes to become an administrator of ENS, he/she has to contact the ENS authorization manager, who, on proof of the user's authenticity and suitability for the role, may grant the user administrator rights.

Any administrator user can delegate to other registered users the right to act as "ENS Public Trusted Entity Creator" service providers. A user needs to contact an administrator user (via a dedicated service on the official ENS site); upon successful communication with the ENS administrator, including proof of the user's legitimacy to become a trusted ENS entity creator service provider, the user is granted (normally by e-mail) an attribute certificate attesting him/her as a trusted entity creator service provider.

The Project also stores the following information in the user account:

  • List of all attribute certificates activated for a user,
  • List of all revoked/deactivated certificates of a user.

The Project reserves the right to revoke/deactivate any user certificate where it is reasonably necessary to protect the rights, property or safety of the Project, its users or the public.

The following information related to the activity of users is stored in log files:

  • Date and time of any successful and unsuccessful user authorization,
  • Date and time of any activated and revoked credential,
  • Date and time of any password reset by a user.

When a user resets a password or revokes a credential, the Project may also record further information in log files, such as the IP address used, in line with the purposes stated in Section 1.1. This information can help in following up any doubtful activity relating to users' accounts.

The core ENS services do not use cookies on the user side to keep any session data. Instead, a trusted proxy component (downloaded only from the official ENS site) is used to establish secure and trusted communication between ENS users/service providers and ENS services.

Third-party services serving ENS users (i) may use cookies to keep information about the current security session, as with the HTTPS protocol, in which case the cookies should contain information about the current session only; and (ii) may store log data about the identity of users accessing the services and some additional technical information, such as users' IP addresses.

2.2. Access to and release of personally identifiable information

By registering, a user authorizes the disclosure of the personal details he/she entered during registration to the ENS system that the user accesses after having authenticated to the ENS. If a user was registered by his/her organization, the user's consent is assumed to have been given (implicitly or explicitly) for the transfer of his/her details. The details of the activity associated with a user's account are never passed to any third-party sites/systems other than the Project ENS, subject to the exceptions listed in Section 2.2.2. Users can inspect all the data maintained about their own account via the dedicated ENS service.

If a user needs to access a Project community site that requires the user to authenticate (e.g., ENS Web front-end toolkits), but does not wish the site to have access to the details he/she supplied in order to gain access, it is recommended that the user create a separate account for this purpose. This requires the user to provide a distinct e-mail address, which need not be traceable to the user personally. However, the active credentials assigned to the user's original identity certificate are not available when accessing with different registration data.

OKKAM modules and services outside the OKKAM core services, e.g., the entity subscription service, may gather additional user personal data based on corresponding requirements of service usage. Each such service is bound to notify the user of the type of data gathered and its use, as well as verify the user's consent on this process.

2.2.1. Access

The Project is primarily run by volunteer contributors. Some dedicated users are chosen by the community to be given privileged access, such as an administrator privilege or a trusted ENS entity creator privilege.

ENS users with an administrator privilege have a high level of access to any ENS service and to any personally identifiable information except users' private-key data. An administrator user exercises this authority only in response to the situations listed below. Administrator users have the authority to identify the author of a given public act of creating or modifying ENS entities. A trusted authorization manager user, elected by the ENS management consortium, has the authority to grant (promote) administrator privileges to ENS users. This is a non-automated process including (whenever necessary) proofs supporting the decision to grant the administrator privilege.

ENS users who have the administrator privilege have the authority to grant the trusted ENS entity creator privilege to ENS users. This is a non-automated process including (whenever necessary) proofs supporting the decision to grant the trusted entity creator privilege.

ENS users with a trusted ENS entity creator privilege have the right to (i) create ENS entities on behalf of ENS users and, as such, to record those users as the authors of such public acts (ENS entity creation) in the ENS system; and (ii) store users' identity information locally in their own log data.

ENS users with a trusted ENS entity creator privilege are given permissions to provide an easy and intuitive ENS entity creation process as a third-party ENS service to ENS users.

2.2.2. Policy on Release of Data

It is the policy of the Project that personally identifiable data collected in the server logs, or through records in the database, or through other non-publicly available methods, may be released by the Project administrators, trusted entity creators (from their log files), or the ENS staff, in any of the following situations:

  • In response to a valid subpoena or other compulsory request from law enforcement,
  • With permission of the affected user,
  • When necessary for investigation of abuse complaints,
  • Where the information pertains to page views generated by a spider or bot and its dissemination is necessary to illustrate or resolve technical issues,
  • Where the user has been vandalizing ENS entities or persistently behaving in a disruptive way, data may be released to a service provider, carrier, or other third-party entity to assist in the targeting of IP blocks, or to assist in the formulation of a complaint to relevant Internet Service Providers,
  • Where it is reasonably necessary to protect the rights, property or safety of the Project, its users or the public.

Except as described above, the Project policy does not permit distribution of personally identifiable information under any circumstances.

2.2.3. Third-party access and notifying registered users when receiving legal process

As a general principle, the access to, and retention of, personally identifiable data in the Project should be minimal and should be used only internally to serve the well-being of the Project. Occasionally, however, the Project may receive a subpoena or other compulsory request from a law-enforcement agency or a court or equivalent government body that requests the disclosure of information about a registered user, and may be compelled by law to comply with the request. In the event of such a legally compulsory request, the Project will attempt to notify the affected user within three to five business days after the arrival of such subpoena by sending a notice by e-mail to the e-mail address that the affected user has listed in his or her registration account.

The Project cannot advise a user receiving such a notification regarding the law or an appropriate response to a subpoena. The Project does note, however, that such users may have the legal right to resist or limit the disclosure of that information in court by filing a motion to quash the subpoena. Users who wish to oppose a subpoena or other compulsory request should seek legal advice concerning applicable rights and procedures that may be available.

If the Project receives a court-filed motion to quash or otherwise limit the subpoena as a result of action by a user or their lawyer, the Project will not disclose the requested information until the Project receives an order from the court to do so.

Registered users are required to provide an e-mail address. When an affected registered user provides an invalid/non-existing email address, the Project will not be able to notify the affected user in private e-mail messages when it receives requests from law enforcement to disclose personally identifiable information about the user.

2.3. How the Project protects and safeguards users' personal information

The Project stores users' personal information in secure storage that only authorized people can access. The Project keeps all users' registration data confidential, encrypted with a server master password. The server master password is kept secret and is not shared with or communicated to anybody. All users' information stored in log files is used to diagnose and resolve problems and to deal with security incidents.

A user provides his/her personal information during registration and submits it to the ENS system only via a secure connection. There are two ways a user can register with the Project: via the proxy component, or via a trusted entity creator system (external to ENS).

The proxy component interacts directly with the ENS and provides secure communication between the user's proxy instance and an ENS server. To be sure of the authenticity of the proxy software, the user has to download the proxy from the official ENS site.

A trusted entity creator system is distinguishable by the ENS logo and an explicit reference to an ENS service that verifies the legitimacy of third-party ENS entity creator systems. A trusted entity creator system provides a Web-based interface for users to register with ENS. All communication between users' browsers and the trusted entity creator system is over a secure connection. As the back end of the trusted entity creator system, a proxy component handles the actual registration with ENS (via secure communication) and then returns the result of the registration to the user through the trusted entity creator registration interface.

A user does not log in to ENS or any third-party system using the classical username/password mechanism. On the contrary, the user password should never be sent over a communication channel for login purposes. ENS users should never use their password to authenticate to any ENS service or third-party site. Users' passwords are never stored in the ENS system.

Users use their passwords to protect the confidentiality and integrity of their personal data. Users use their username and password (locally) to make the ENS proxy component or a web browser aware of their available certificates. These are the only places where the password is needed. From then on, actual authentication is performed with the user's private key, via widely used secure cryptographic protocols such as HTTPS (over SSL) or Web service message security (with mutual certificate authentication).

The details about a user account are available only to the user and the ENS administrators. The ENS administrators can view all personal data pertaining to a particular user, except the user's private key information (if stored at the ENS). This helps administrators to perform duties such as helping users with problems and diagnosing suspected security incidents. Users' private keys are never revealed to anybody except the cases listed in Section 2.2.2.

If a user has registered directly, the user should be aware that anyone with access to read his/her e-mail may be able to use the account the user created and may acquire the identity the user represents. Users are responsible for assessing the risk that the e-mail address presents to them personally.

When registering, a user should make sure that his/her browser indicates (usually by means of a padlock or other icon) a secure connection and that the user is connected to the ENS official site address.

Any third-party site or server offering services to ENS users should (i) register with ENS in order to provide services to ENS users; and (ii) use the ENS trusted certification authorities (the Project root of trust and its subordinate certification authorities) for authenticating and authorizing ENS users.

ENS users are not required to have a registration account at any third-party ENS service provider's system in order to use those provider's services that are built on the core ENS services.

Any ENS user wishing to use a third-party ENS service provider's system should require mutual authentication from the ENS service provider before accepting to use its services. The Project recommends that any communication between ENS users and ENS service providers occur over an encrypted (confidential) channel, such as HTTPS with mutual authentication. ENS users should not give any identity data over an unencrypted communication channel. ENS users should never reveal their password to anybody for the sake of authentication.
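Section 2.1 describes the identity certificate (a distinguished name composed of the user's personal data, signed by a Project certification authority, with a chain of trust back to the Project root), and the paragraphs above ask third-party services to authenticate ENS users with the Project's root and subordinate CAs. The following Go program, added here as an illustration and not part of the OKKAM project's code, builds such a chain and shows the check a third-party service should make before recording a user's DN; the CA names, the registration values and the emailAddress/userId attribute types used in the DN are assumptions, since the page does not specify them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// CA is a certification authority with its signing key: the ENS root of trust or one of its
// subordinate CAs. All CA names in this example are placeholders; the page names no real CA.
type CA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// issue signs tmpl with the parent's key (self-signed when parent is nil) and parses the result.
func issue(tmpl *x509.Certificate, parent *CA, subject *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // constructed: not a real serial scheme
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	signerCert, signerKey := tmpl, subject
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signerCert, &subject.PublicKey, signerKey))
	return must(x509.ParseCertificate(der))
}

// NewCA creates a CA certificate; pass nil as parent for the root of trust.
func NewCA(name string, parent *CA) *CA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: name, Organization: []string{"OKKAM Project (example)"}},
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return &CA{key, issue(tmpl, parent, key)}
}

// Registration is the personal data the distinguished name is composed of (section 2.1).
type Registration struct {
	First, Last, Country, Org, Email, Username string
}

// Attribute types assumed for the two DN fields pkix.Name has no field for: emailAddress
// (PKCS#9) and userId (RFC 4519). The page does not say which attributes ENS actually uses.
var (
	oidEmail = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}
	oidUID   = asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 1}
)

// IssueIdentity returns a user's key pair and identity certificate: the DN is built from the
// registration data, the certificate is valid for 3 years and is signed by this (subordinate) CA.
func (ca *CA) IssueIdentity(r Registration) (*ecdsa.PrivateKey, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		Subject: pkix.Name{
			CommonName:   r.First + " " + r.Last,
			Country:      []string{r.Country},
			Organization: []string{r.Org},
			ExtraNames:   []pkix.AttributeTypeAndValue{{Type: oidEmail, Value: r.Email}, {Type: oidUID, Value: r.Username}},
		},
		NotAfter:    time.Now().AddDate(3, 0, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return key, issue(tmpl, ca, key)
}

// AuthenticateUser is the check a third-party ENS service performs on a presented identity
// certificate: accept it only if it chains to the Project root through the Project's subordinate
// CAs, then return the DN the service may record. Certificates from any other CA are rejected.
func AuthenticateUser(presented, root *x509.Certificate, subs ...*x509.Certificate) (string, error) {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, s := range subs {
		inter.AddCert(s)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return "", err
	}
	return presented.Subject.String(), nil
}
```

A service that trusts only the Project root and its subordinate CAs accepts Project-issued identity certificates and rejects a syntactically identical certificate issued by any other CA, which is the property the mutual-authentication advice above relies on.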

2.4. How a user verifies, modifies or deletes his/her personal information

Users can verify their account information directly from the registration file received upon successful registration. Users can review their personal information in the Internet browser into which they imported the registration data, in the operating system's certificate management service if they imported the registration data at that level, or using the ENS proxy component.

If a user has registered to the ENS system, the user will be able to change (make up-to-date) any personal information on-line via dedicated ENS services. All services are accessible via the ENS official web site.

Users are allowed to reset their password or entire registration information using the registered e-mail address. Users should bear in mind that anyone else with access to their e-mail (because of automatic forwarding, delegation or other reasons) will be able to reset the above data. All changes to users' personal data, including account deletion, are communicated to the e-mail address provided at registration time, and confirmed via a message code sent to that e-mail.

However, if user details were registered through a third party, the user may not be able to change them and will have to contact that third party in order to have the information changed. The user may nevertheless have the information updated by the ENS, but if the third party re-submits the information to the ENS, it will be reinstated.

A password reset does not generate a new public/private key pair; it only rebuilds the user's registration data file encrypted with a different password. A password reset is only possible if the user has agreed to keep his/her private key in the ENS system.

If a user has any reason to believe that his/her password has been compromised, the user should report this to the dedicated ENS service for certificate revocation and redo the personal data registration with the help of the ENS support service.

Users whose accounts do not have a valid e-mail address will not be able to reset their password, private key or registration data if these are lost. In such a situation, however, users may be able to contact an administrator user of the Project (with proper proofs supporting the user's authenticity and relation to the account) to delete the user's account (including revocation of the user's public-key certificate and all active attribute certificates) and then register their personal data again.

2.5. How long the Project keeps users' personal data

User registration is for 3 years from the date of registration. Users' public-key certificates are valid for 3 years. All users' attribute certificates are either valid as long as the user's public-key certificate is valid, or valid until a date defined by the authority at the time of registering the user attribute certificate. In the latter case the date must be before the user's public-key certificate expiration date.

Any registered user is responsible for renewing his/her registration some time before the public-key certificate expires, via the dedicated ENS service. If a user was registered through a third party, the renewal of the registration is to be done via that third party.

When a user registration expires, the ENS system will deactivate the user account, and will keep it available for user activation for a period up to six months from the expiration date. After that period the user account will be erased from the ENS database.

Data from the ENS registration service is backed up regularly to ensure a correct system restore if operations need to be restarted. Furthermore, the ENS registration service is monitored and all sensitive actions on the system are logged, including each authentication request. These logs (log files) are rotated regularly and removed from the active system after a maximum of six months, in accordance with Regulation (EC) No 45/2001. All log files backed up by the ENS backup procedure and removed from the ENS active system remain in a backup archive kept in separate storage.

3. Contact Information

If you wish to ask questions or post complaints about the service with respect to the use of your personal information, you should follow the contact link that is shown on the ENS official web page or write to the following address:

Paolo Bouquet (Project Coordinator)
Dipartimento di Ingegneria e Scienze dell'Informazione
Università degli Studi di Trento
Via Sommarive 14,
38050 Povo di Trento,
Italy

4. Details of data retention

General expectations

4.1. IP and other technical information

When a visitor requests or reads an ENS page, or sends e-mail to an ENS server, no more information is collected than is typically collected by web sites. The Project may keep raw logs of such transactions, but these will not be published or used to track legitimate users.

4.2. Cookies

Interactions with ENS services via the ENS proxy component do not require any form of cookies. The proxy component keeps session data in memory only while the proxy is running; once the proxy is quit, all session data in memory is erased.

All interactions with ENS sites or third-party Web-based services may set a temporary session cookie on a visitor's computer whenever a communication is established. Readers who do not intend to log in or edit may deny this cookie. Contributors using a public machine who do not wish to show their session data to future users of the machine should clear these cookies after use.

4.3. Creating and editing ENS entities

When a user requests to create or edit an ENS entity via the proxy component, the user is authorized by the ENS system, and a log record is stored with the user's distinguished name, the operation requested, the date and time of the request, and the ENS entity to be created/modified. If the user is not authorized, the log record stored is the same as above, but without the ENS entity information.

If a user requests to create or update an ENS entity via a third-party service (for example via the ENS Entity Creator Web interface), then the user data may first be logged in the third-party system and will then be logged in the ENS system, including the user's distinguished name, the operation requested, the date and time of the request, the ENS entity to be created/modified, and the identity of the third-party system on behalf of which the user makes the request. ENS may also record the IP address of the third-party system.

Users who contributed to ENS entities are not publicly identified, nor is this information given to anyone. However, IP address information and the user contributions that share it can be retrieved from log files and released to the respective authorities under certain circumstances (see Section 2.2.2). The log data of users' contributions to ENS will be kept permanently on the ENS in dedicated log backup storage.

4.4. History of ENS entities

Edits or other contributions to ENS entities' descriptions, such as splitting, merging or deleting entities, are internally logged by ENS servers along with the identities of the users who made those contributions. The history of ENS entities' descriptions is for internal use only (e.g., for analysis and statistics) and is not made available to the public.

Removing text from an ENS entity's description does not permanently delete it. Administrator users with access to ENS servers can permanently delete information.

The Project has established a means to keep the history of ENS entities' evolution (also referred to as Entity Evolution Lists), which is a service with public access. Any user with public access can look up whether an ENS entity has undergone any evolution by means of split, merge or delete operations. The entity evolution service does not contain any information on changes to an ENS entity's description, but only information on changes to the entity's unique identifier.

OKKAM modules and services outside the core OKKAM services, e.g., the entity subscription service, may use any subpart of information on changes concerning ENS entities. This part of information may be broadcast (i.e. made publicly available) to subscribed parties, based on the access policy applicable to registered users.

4.5. Querying ENS entities

No more information on users and other visitors querying for ENS entities is collected than is typically collected in server logs by web sites. Aside from the raw log data collected for general purposes, querying ENS entities does not expose any visitor-related data publicly. Sampled raw log data may include the IP address of the user, the query input format and data, and the output produced. The log data of ENS entity queries is not reproduced publicly and is used only internally for statistics and quality-of-service analyses.

4.6. Discussions

Via e-mail:

Users who provide a valid e-mail address can enable other logged-in users to send e-mail to them through the Project means. When receiving e-mail from other users through the ENS system, one's e-mail address is not revealed to them. When choosing to send e-mail to other users, one's e-mail is displayed as the sender.

On mailing lists:

The e-mail addresses used to subscribe and post to the Project mailing lists are exposed to other subscribers. The list archives of most such mailing lists are public, and searches of public archives may be performed on the Web. Subscribers' addresses may also be quoted in other users' messages. These e-mail addresses and any messages sent to a mailing list may be archived and may remain available to the public permanently.

5. Disclaimer

The Project believes that maintaining and preserving the privacy of user data is an important value. This privacy policy, together with other policies, resolutions, and actions by the Project, represents a committed effort to safeguard the security of the limited user information that is collected and retained on the Project servers. Nevertheless, the Project cannot guarantee that user information will remain private. We acknowledge that, in spite of our committed effort to protect private user information, determined individuals may still develop data-mining and other methods to uncover such information and disclose it. For this reason, the Project can make no guarantee against unauthorized access to information provided in the course of participating in running the Project and its community process.



[1] Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data. Official Journal of the European Communities, 2001.


Last Updated on Wednesday, 14 July 2010 09:00