Summary of the EUNIS 2023 Pre-Congress Workshop on EMREX Security and Privacy

We are pleased to report on the successful joint workshop held at the EUNIS 2023 Congress in Vigo, Spain, on June 13th, focusing on the security and privacy assessment of EMREX. This workshop brought together experts and stakeholders to evaluate and enhance the EMREX framework’s security and privacy measures, contributing significantly to its continuous improvement.

EMREX at a Glance

EMREX is a pioneering protocol that allows students and alumni to access and share their academic records securely with third parties, ensuring data exchange is solely based on the owner’s consent. Originally developed under an Erasmus+ project and launched in 2017, EMREX has undergone numerous evaluations concerning GDPR and security to keep pace with technological advancements.

Workshop Highlights

The workshop delved into various aspects of EMREX, including GDPR compliance, data ownership, client registration, and the technical mechanisms underlying data exchange. Key outcomes include:

  • GDPR Compliance: The importance of aligning EMREX with GDPR requirements was underscored, with an emphasis on enhancing data ownership and user control. Suggestions included regular reviews of data handling practices and the implementation of a GDPR checklist for new data sources.
  • Client Registration: The workshop identified challenges in the current client registration process and proposed the adoption of voluntary registration coupled with minimal security requirements to mitigate the risk of unauthorized access.
  • Technical Security: Discussions on the technical framework highlighted potential security issues, including those related to ELMO signing and cross-site posting. The adoption of OAuth (RFC 7636, Proof Key for Code Exchange) was recommended to enhance security and user experience, with specific endpoints established for improved functionality.

Pen-Test Insights

A pen-testing session of the EMREX client within the Norwegian Studentweb revealed a vulnerability, which was promptly addressed. This session underscored the importance of continuous testing and validation to ensure the integrity and security of the EMREX ecosystem.

Positive Aspects of EMREX

EMREX stands as a testament to the power of collaboration and innovation in the digital education space. Its user-centric approach empowers individuals with control over their academic records, facilitating seamless and secure data exchange across borders. The continuous evaluation and enhancement of EMREX’s security and privacy frameworks attest to its commitment to excellence and user trust.

Conclusion

The workshop has been instrumental in identifying areas for improvement within the EMREX framework, leading to immediate and planned enhancements. The engagement and proactive measures taken by the EMREX Executive Committee, coupled with the community’s dedication, ensure that EMREX remains at the forefront of secure and privacy-conscious digital academic record exchange.