Privacy Digest

News that can impact your privacy.
Selective Disclosure and Privacy

Submitted by MacRonin on May 2, 2007 - 5:31pm
  • Activists
  • Anonymity
  • Ben Laurie
  • Data Mining
  • Editorial
  • ID
  • Privacy
  • Standards

Selective Disclosure and Privacy: "

Often, when we're asked for 'identification,' it's not because the asker needs to know everything about us, but because they need to verify one aspect of identity: that I'm over 21, for example, if I'm trying to buy a drink. But since I don't have an 'over 21' card that the bar can verify connects to me, I'm forced to give them my driver's license, from which they can also glean and store other data. Online, it doesn't have to be that way.

Builders of identity-management systems can design in stronger protections for their users' privacy, giving people a separate virtual 'card' for every transaction, with only the necessary data included. Ben Laurie has written a good concise overview, Selective Disclosure, explaining how zero-knowledge proofs let us make verifiable assertions without giving away the store.

I claim that for an identity management system to be both useful
and privacy preserving, there are three properties assertions must
be able to have. They must be:

  • Verifiable

    There’s often no point in making a statement unless the relying
    party has some way of checking it is true. Note that this isn’t
    always a requirement - I don’t have to prove my address is mine
    to Amazon, because it’s up to me where my goods get delivered.
    But I may have to prove I’m over 18 to get alcohol delivered.

  • Minimal

    This is the privacy preserving bit - I want to tell the relying
    party the very least he needs to know. I shouldn't have to reveal
    my date of birth, just prove I’m over 18 somehow.

  • Unlinkable

    If the relying party or parties, or other actors in the system,
    can, either on their own or in collusion, link together my various
    assertions, then I’ve blown the minimality requirement out of
    the water.

While digital signatures are widely used for verification, the same signature on each item is a privacy-busting linkage. With the help of third parties and selective disclosure proofs, however, we can make assertions that are minimal and don't leave a trail. We can create digital one-time cards each time we're asked for a facet of our identities.

These properties fit well with the legal principle of narrow tailoring. Limiting the identification provided to that required limits spillover effects and opportunities for misuse ('mission creep'). An ID-check law shouldn't become a source of marketing information; an online purchase needn't be an entry in a growing retailer profile -- unless that's an explicit choice. We might even be more willing to give accurate information in places like online newspaper sign-ins if we knew that information could never be added to or correlated with profile data elsewhere.

The next hard part, of course, is getting those with whom we do business to accept less information where they've been accustomed to getting more by default, but at least if we build the identity technology right, it will be possible.

"

(Read Original Article - Via Wendy's Blog: Legal Tags.)
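
An added example (not from the original post or from Ben Laurie's overview) of the one-time card idea. It uses Chaum-style RSA blind signatures as a stand-in for the zero-knowledge selective-disclosure proofs the overview describes, with a constructed toy key and hypothetical function names. The signing key itself means "over 18", so no birth date appears, and each card is verifiable and unlinkable unless the same card is shown twice.

```python
import hashlib, secrets, math

# Toy RSA key the issuer dedicates to ONE attribute ("over 18"). Constructed
# demo parameters (two Mersenne primes): far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent

def h(serial: bytes) -> int:
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

def blind(serial: bytes):
    """User: hide the card serial from the issuer behind a random factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (h(serial) * pow(r, E, N)) % N, r

def issuer_sign(blinded: int) -> int:
    """Issuer: has checked the user's age out of band, then signs blindly."""
    return pow(blinded, D, N)

def verify(serial: bytes, sig: int) -> bool:
    """Relying party: needs only the issuer's public key (N, E)."""
    return pow(sig, E, N) == h(serial)

def one_time_card():
    """Return (serial, sig, issuer_view) for a fresh 'over 18' card."""
    serial = secrets.token_bytes(16)
    blinded, r = blind(serial)
    blind_sig = issuer_sign(blinded)
    sig = (blind_sig * pow(r, -1, N)) % N  # unblind: strip r from the signature
    return serial, sig, (blinded, blind_sig)

def can_link(seen_a, seen_b) -> bool:
    """Colluding parties compare notes: is any value common to both views?"""
    return bool(set(seen_a) & set(seen_b))

def demo():
    bar, shop = one_time_card(), one_time_card()
    return {
        "both_verify": verify(*bar[:2]) and verify(*shop[:2]),
        "reused_card_links": can_link(bar[:2], bar[:2]),   # same card shown twice
        "fresh_cards_link": can_link(bar[:2], shop[:2]),   # one card per party
        "issuer_links_bar": can_link((h(bar[0]), bar[1]), bar[2]),
    }

if __name__ == "__main__":
    print(demo())
```

A relying party using such cards would also record each serial it accepts, so that a card cannot be presented a second time.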


    Compilation © Copyright 1997-2010 Paul Hardwick, with Web Hosting provided by MacRonin.com.