OVERVIEW
To address privacy requirements, Willo Labs contains features to manage the flow of personally identifiable information (PII) between an institution’s learning management system (LMS) and a service or content provider’s LTI application.
These features address the following privacy scenarios:
- Require explicit user consent prior to sending PII to a service provider.
- If the user does not consent or cannot consent due to legal requirements, the user can still access a service provider’s LTI application anonymously.
- For Canada-based institutions with provincial legislation specific to PII, ensure PII remains in Canada when integrating with US-based service providers.
PRIVACY MODES
Allow all PII on launch
All personally identifiable information provided by the institution’s LMS will be forwarded to the service provider’s application.
Allow PII on launch - LMS user id, name, and email
Only the user’s user_id, name, and email address will be forwarded to the service provider’s application. The user_id value is provided by the LMS per the LTI specification.
Allow PII on launch - name and email only - Willo user id
Only the user’s name and email address will be forwarded to the service provider’s application. All other fields, including user_id, will be removed or anonymized. User_id will be replaced with a Willo-generated value that is shared across a student’s enrollments.
Allow PII on launch - name only - Willo user id
Only the user’s name will be forwarded to the service provider’s application. All other fields, including user_id, will be removed or anonymized. User_id will be replaced with a Willo-generated value that is shared across a student’s enrollments.
Anonymous - do not allow PII on launch - Willo user id
Only the user’s name will be forwarded to the service provider’s application. All other fields, including user_id, will be removed or anonymized. User_id will be replaced with a Willo-generated value that is shared across a student’s enrollments.
Allow name and email only - anonymous user id
Only the user’s name and email address will be forwarded to the service provider’s application. All other fields, including user_id, will be removed or anonymized. User_id will be replaced with an anonymous value that is unique to each enrollment.
Allow name only - anonymous user id
Only the user’s name will be forwarded to the service provider’s application. All other fields, including user_id, will be removed or anonymized. User_id will be replaced with an anonymous value that is unique to each enrollment.
Anonymous
All personal information provided by the institution’s LMS will be removed or anonymized. User_id will be replaced with an anonymous value that is unique to each enrollment.
Users who decline permission to share personal information will always launch in Anonymous mode.
USER CONSENT PROMPT
For any specified privacy mode, an additional feature can be enabled which prompts users for permission to share their PII with the service provider.
If the user consents to share their PII, the service provider’s LTI application will receive the user’s PII according to the configured privacy mode. If the user declines, the service provider’s LTI application will receive no PII - the LTI launch will be fully anonymized.
Note: When the privacy mode is set to “anonymous”, users will never be prompted for permission to share their PII, as all launches will already be fully anonymized.
ANONYMOUS STUDENT NAMES
When student names are anonymized, LTI launches into the service provider’s application will replace the LMS-provided value with anonymous names in the following format:
- First name: <role>
- Last name: <anonymous id>
Each enrollment will have a unique anonymous id value.
Example Anonymous Names
- Instructor cf66165
- Teaching Assistant 6a952aa
- Student ff6ccac
- Student 8315dcb
- Student a710687
INSTRUCTOR SELF SERVICE - VIEW CLASS ROSTER
When any privacy mode is configured, a new option will be available in the Instructor Self Service Tool: View Class Roster.
The View Class Roster tool will allow the instructor to view the mapping between anonymous student names and the original values provided by the institution’s LMS.
BASIC WORKFLOW
CONSENT SCREENS
Requesting consent to share personal information
User has declined consent

User has chosen to share data
View Class Roster Tool
PII FILTERING RULES
When an LTI launch flows through Willo Labs that requires anonymization, the following rules are applied prior to forwarding the LTI launch to the service provider.
LTI Parameters
user_id
The LTI user_id parameter identifies a user within a single LMS installation. For each enrollment, the LMS will provide the same user_id value for a student.
Willo Labs generated user_id values
For each launch received from the LMS, Willo Labs will replace the LMS-provided user_id with a universally unique identifier (UUID). The user_id value may be either:
- Re-used for all of a student’s enrollments
- Totally anonymous, not shared with any other enrollments for the same user
If a student declines to share personal information, the user_id value will always be completely anonymous.
lis_result_sourcedid
The LTI lis_result_sourcedid parameter identifies an entry in the LMS gradebook. Some LMSs may embed PII into this value.
If present on LTI launch, Willo Labs will replace the LMS-provided lis_result_sourcedid with a UUID, and will replace lis_outcome_service_url with a Willo Labs LTI outcomes service proxy. Using the outcome service proxy, a service provider can continue to return outcomes to the LMS without any knowledge of the original lis_result_sourcedid value provided by the LMS.
launch_presentation_return_url
If present on LTI launch, Willo Labs will replace the LMS-provided launch_presentation_return_url with a Willo Labs forwarding link. A service provider can continue to redirect the student to the return URL without any knowledge of the original value provided by the LMS.
Other standard LTI parameters
The following LTI parameters will be removed from every LTI launch that requires anonymization:
- user_image
- lis_person_name_given
- lis_person_name_family
- lis_person_name_full
- lis_person_contact_email_primary
- lis_person_sourcedid
Custom LTI parameters
LTI tool links inside an LMS support custom parameters. Depending on configuration and policy, these parameters may be defined by an instructor, an LMS admin, or a service provider via a Common Cartridge definition.
Willo Labs provides the ability to override custom LTI parameters as part of a site-wide configuration. For example, Willo Labs can be configured to always remove the custom parameter ext_user_username for every launch from a specific LMS, or configured to always override user_image with a stock image.
LMS-specific parameters
Some common LTI parameters are not part of the LTI specification. Often these are LMS specific and contain PII. For example:
- ext_user_username
- custom_canvas_user_id
- custom_canvas_user_login_id
- custom_canvas_user_uuid
- ext_d2l_username
- ext_sakai_provider_displayid
- custom_username
Willo Labs will maintain a list of common LMS-specific parameters that may contain PII. These parameters will be removed from every LTI launch that requires anonymization.
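The filtering rules above, applied to a launch parameter dictionary, as an added example that is not Willo Labs code. The proxy URLs, the in-memory alias store and the use of context_id to identify an enrollment are assumptions made for illustration.

```python
import uuid

# Parameters the page lists for removal (standard LTI + LMS-specific).
REMOVED = frozenset({
    "user_image", "lis_person_name_given", "lis_person_name_family",
    "lis_person_name_full", "lis_person_contact_email_primary",
    "lis_person_sourcedid", "ext_user_username", "custom_canvas_user_id",
    "custom_canvas_user_login_id", "custom_canvas_user_uuid",
    "ext_d2l_username", "ext_sakai_provider_displayid", "custom_username",
})
# Hypothetical proxy endpoints (assumption; the page gives no URLs).
OUTCOMES_PROXY = "https://proxy.example.invalid/outcomes"
RETURN_FORWARD = "https://proxy.example.invalid/return/"
# Constructed sample launch, not real data.
SAMPLE_LAUNCH = {
    "user_id": "lms-1842", "context_id": "course-101", "roles": "Learner",
    "lis_person_name_full": "Ada Example",
    "lis_person_contact_email_primary": "ada@example.invalid",
    "custom_canvas_user_login_id": "aexample",
    "lis_result_sourcedid": "course-101:lms-1842:aexample",
    "lis_outcome_service_url": "https://lms.example.invalid/outcomes",
    "launch_presentation_return_url": "https://lms.example.invalid/return",
}


def _alias(store, kind, original):
    """Return a stable UUID for (kind, original), creating it on first use."""
    return store.setdefault((kind, original), str(uuid.uuid4()))


def anonymize_launch(params, store, shared_user_id=True):
    """Apply the filtering rules to a copy of an LTI launch parameter dict.
    store maps (kind, original) -> UUID and must stay server-side."""
    out = {k: v for k, v in params.items() if k not in REMOVED}
    if "user_id" in out:
        # Shared: one alias per LMS user. Anonymous: one alias per enrollment,
        # keyed by context_id (assumption); no context_id gives a one-off alias.
        scope = "" if shared_user_id else (
            params.get("context_id") or str(uuid.uuid4()))
        out["user_id"] = _alias(store, "user", (params["user_id"], scope))
    if "lis_result_sourcedid" in out:
        out["lis_result_sourcedid"] = _alias(
            store, "result", params["lis_result_sourcedid"])
        out["lis_outcome_service_url"] = OUTCOMES_PROXY
    if "launch_presentation_return_url" in out:
        token = _alias(store, "return", params["launch_presentation_return_url"])
        out["launch_presentation_return_url"] = RETURN_FORWARD + token
    return out
```

The alias store is what lets an outcomes proxy or a roster view resolve an alias back to the LMS value, so it holds the same PII the launch filtering removes and needs the same access controls.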