Hm. In a perfect world, there would need to be a contractual component to any and all technical federations, and those contractual components should go through review by the privacy officer, and also by the admin team.
Companies and admin groups need to get religion over the process involved with creation of federations, if for no other reason than to protect themselves from liability.
Here is more about liability and federation: http://www.rsasecurity.com/go/siliconcom/liability.asp
Cheers,
Pam