Goal of midPrivacy project is to develop open source privacy-enhancing identity management solution on top of midPoint.

Identity management systems are fundamentally data management engines. Therefore they are in excellent position to implement data protection and privacy mechanisms. This insight leads to midPrivacy project as an initiative to enhance existing midPoint platform with support for data protection and privacy-enhancing capabilities.

Goals

Long-term goal of this project is to place user in control of personal data managed by organizations. For example we envision an employee to use midPoint user interface to review personal data usage by the employer, a customer using midPoint GUI to review personal data use of the merchant, review origins of the data, target systems where copies of the data are stored and so on. The goal is to place user in control.

Approach

One of the basic principles of personal data protection is control over the flow and usage of data. Personal data will be shared one way or another and it is a known fact that secrecy is not, by itself, a solution to data protection issues. Our approach takes a different direction: we try to make sure that data are used properly, especially that they are used in a legal way and in accord with user’s wishes. Identity management systems are in control of data usage in most large-scale organizations. Therefore we propose concept of a privacy-enhancing identity management solution.

Identity management (IDM) and identity governance systems are common tools used in variety of organizations – medium to large enterprises, universities, government institutions and so on. IDM systems are used to provision user accounts, apply policies, evaluate compliance, keep audit trails and implement variety of other data management functions. IDM systems are already in the right position to govern data protection. There are just few obstacles that prohibit IDM systems to reach full data protection potential.

Phases

Phase 0: Experimental data protection features in midPoint (2017-2018)

Several experimental features were developed for midPoint as a functionality preview. This was a prototyping phase, to make sure than midPoint is a suitable platform for data protection features.

Phase 1: Data provenance prototype (2020)

Project phase that aims at providing fundamental foundation for data protection: data provenance. MidPoint will keep meta-data about every data value that specifies where the value came from and how it was processed.

We plan more phases for the project. Specific plans are currently in preparation.

Documents

See also individual project phases for more detailed and phase-specific documents.

Project Progress And Funding

The ultimate goal of midPrivacy is privacy and data protection. We know that both privacy and data protection are necessary and fundamental features. But these are inherently qualitative features and it is very difficult to "sell" them. Commercial companies do not emphasize data protection. In fact, many companies see data protection as a problem, rather than something that should be desired. Therefore it was very hard to get commercial funding for data protection.

We have experimented with data protection features in midPoint since 2017. However, there was zero commercial interest in data protection features, despite the fact that GDPR was about to become enforceable. Therefore we had to look for alternative sources of funding.

We are fully committed to the concept of privacy and data protection. We understand why it is necessary and even desirable. We know that data protection is the right thing to do. And we believe that data protection will provide significant value for everybody in the long run. Therefore we have created midPrivacy initiative - to raise awareness, but also to get funding for the work that needs to be done.

The midPrivacy initiative will progress as fast as the funding allows. Which may be quite slow at times. But privacy and data protection is crucial for everybody. Therefore we will not quit. We will go on. We will prove that data protection is possible and that it brings significant benefits to everybody in the long run.

This project has received funding from the European Union’s Horizon 2020 research and innovation programme under the NGI_TRUST grant agreement no 825618.