<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Dear midPoint community,</p>
<p>Today is <a
href="https://en.wikipedia.org/wiki/Data_Privacy_Day">Data
Protection Day</a>, which is a very symbolic day for midPoint.
We take data protection and privacy very seriously. We
believe that privacy in cyberspace is necessary for a free
society to flourish. Despite this belief, we acknowledge that the
implementation of privacy and data protection may not be easy. But
we are not afraid of challenges. We are fully committed to
implementing privacy and data protection features in midPoint.<span
id="more-6237"></span></p>
<p>MidPoint was still quite young when we realized that data
protection and identity management are in a very intimate
relationship. Identity management and governance systems are in a
perfect position to control the flow of identity data. And the
essence of data protection is about controlling the flow and
especially the <i>use</i> of data. In fact, we believe that any
practical data protection solution must be supported by identity
management infrastructure. Many people see data protection as a
liability. But we believe that data protection can be turned into
a substantial advantage when it is implemented properly.</p>
<p>This belief led us to several experiments with data protection
functionality. We started several years ago. We presented
some of the results at <a
href="https://evolveum.com/fosdem-2018/">FOSDEM’18</a>. We
implemented several experimental features for data protection,
such as consent management and the even more general <a
href="https://wiki.evolveum.com/pages/viewpage.action?pageId=24675100">management
of lawful bases for data processing</a>. Unfortunately, there
was almost no interest in those features in the industry and we
were not able to secure sufficient funding to finish all of them.
Some smaller pieces are implemented, but there is still a long way
to go to get a complete set of data protection functionality.</p>
<p>However, we are not giving up. Now we plan to implement a very
important feature that has many facets and many practical uses: <a
href="https://wiki.evolveum.com/display/midPoint/Data+Provenance">Data
Provenance</a>. There is one big problem that is common to data
protection and identity management. It is the problem of data <i>origin</i>
or <i>provenance</i>. The problem can be described by something
that every identity engineer knows only too well: <i>In a
sufficiently large system nobody has any idea where the data
came from and how they ended up here.</i> There are so many
source systems, mappings, data transformations and information
flows that the resulting system resembles the proverbial labyrinth.</p>
<p>The provenance problem is causing a lot of troubleshooting
nightmares. This problem slows down IDM deployments and
complicates maintenance. But it is a complete disaster for
data protection. <i>Accountability</i> is one of the basic
pillars of data protection. And how good is your accountability if
you have no idea where your data came from?</p>
<p>We have had the provenance problem in our sights for a really long
time. In fact, one of the earliest data structures we use to
manage identity data contains a notion of <i>origin</i>. But we
realized quite early that this is much more difficult than it
seems. The ideas were brewing in our minds for quite a long time.
But now we hope it is finally the time to do this, and to do it
properly. Therefore, we plan to implement data provenance features
in the next couple of midPoint versions. This is still not
completely certain. There are still some variables, including the
most important enabler: funding. But our hopes are high. Because
some things <i>are</i> certain. Such as the importance of data
protection. For all of us.</p>
<p>(Reposted from <a moz-do-not-send="true"
href="https://evolveum.com/plans-for-data-provenance/">Evolveum
blog</a>)</p>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com</pre>
</body>
</html>