
Radovan Semančík's Weblog

Saturday, 10 December 2005

In recent months I have thought a lot about LID, SXIP, ISSO (based on i-names, which are based on XRI) and other similar "identity" systems. The recent posts by Drummond Reed, Phil Windley, Eric Norlin and others indicate that these systems have gained some traction. That's quite interesting. Why?

All of these systems use global user identifiers (URL, XRI, GUPI). People get some of these identifiers and then use them to log into different web sites. Nice and easy for the user, but terrible for privacy. The different web sites may easily collude and join their data about the user, using the global identifier as a reliable correlation key. How would you like it if an on-line flower shop (that you used to send flowers to your friend) colluded with an "adult entertainment" site? The "adult" site may learn from the flower shop your real name (from credit card data) and the shipping address that you used for sending flowers. The site may provide you with "better customer service" by sending a spicy catalog, personalized exactly to your needs (and with your name on it), to the address you used for shipping flowers. Surprise guaranteed.

The global identifiers used there are on-line equivalents of the SSN, with most of the SSN's drawbacks. The attribute protection mechanisms implemented by "identity" systems do not help here, as the data are already out in the service provider's systems and are no longer under the control of the "identity" system. Yes, you may create several "personalities" by using several global identifiers, but the management of these different accounts may soon become very difficult. And even that does not help much. Imagine that you make a mistake and log in to the "adult" site with your "civil" account. That alone leaks some information that you might not want to be leaked. And if you log out and log in with the other account, it may be easy to correlate these two accounts (cookies, IP addresses). And a great part of your privacy is lost ...

The use of randomly generated identifiers that are shared only between the Authentication/Identity Provider and one Service Provider (as in the Liberty case) may help a bit. It limits collusion in such a way that the Identity Provider must be one of the colluding parties. That may be more acceptable in some cases (but not everywhere).
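The difference between the two schemes can be shown with a small simulation. This is an added example, not part of the original post or of any of the systems named; the `IdentityProvider` class, the `id.example` URL and all records are constructed for illustration.

```python
import secrets

class IdentityProvider:
    """Hypothetical IdP issuing one random identifier per (user, service provider)."""
    def __init__(self):
        self._pairwise = {}  # (user, sp) -> opaque identifier

    def identifier_for(self, user, sp):
        key = (user, sp)
        if key not in self._pairwise:
            self._pairwise[key] = secrets.token_hex(16)
        return self._pairwise[key]

    def reverse_map(self):
        # What the IdP could contribute if it joined the collusion.
        return {ident: user for (user, _sp), ident in self._pairwise.items()}

def collude(db_a, db_b, idp_map=None):
    """Join two SP databases on the identifier each SP saw at login.
    With idp_map, identifiers are first translated back to the IdP's user."""
    def resolve(ident):
        return idp_map.get(ident, ident) if idp_map else ident
    index = {resolve(i): rec for i, rec in db_a.items()}
    return [{**index[resolve(i)], **rec}
            for i, rec in db_b.items() if resolve(i) in index]

def build_dbs(login_id):
    """Constructed sample data; login_id(user, sp) is what that SP sees."""
    shop = {login_id("alice", "flowers"): {"name": "Alice Example",
                                           "ship_to": "1 Constructed St"},
            login_id("bob", "flowers"): {"name": "Bob Example",
                                         "ship_to": "2 Constructed St"}}
    other = {login_id("alice", "other-site"): {"visits": 12}}
    return shop, other

def global_case():
    # Every SP sees the same global identifier for a given user.
    shop, other = build_dbs(lambda user, sp: f"https://id.example/{user}")
    return collude(shop, other)

def pairwise_case():
    # Each SP sees its own random identifier for the same user.
    idp = IdentityProvider()
    shop, other = build_dbs(idp.identifier_for)
    return collude(shop, other), collude(shop, other, idp.reverse_map())

if __name__ == "__main__":
    print("global identifier:", global_case())
    sp_only, with_idp = pairwise_case()
    print("pairwise, SPs only:", sp_only)
    print("pairwise, SPs + IdP:", with_idp)
```

The join here uses only the login identifier; the cookie and IP address correlation mentioned earlier is a separate channel that pairwise identifiers do not close.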

But neither of these approaches is ideal. There must be something else to look at, some better solution. Or maybe we are chasing ghosts and people do not really want privacy, after all ...

Disclaimer:
Don't get me wrong about XRI. I don't see anything bad about XRI (as I don't see anything bad about URI either). I must admit that the more I know about XRI the more I like it. But I don't like i-names. That use of XRI somehow does not feel right ...

Posted by semancik at 2:22 PM in Identity
Comment: weaverluke at Thu, 1 Jan 12:00 AM

Radovan, no body text appears in your blog feed, which is a bit annoying. ; ) L

Comment: weaverluke at Thu, 1 Jan 12:00 AM

Nice post, btw. I think that maintaining multiple IMS (Info Management Service) accounts is a user's best bet for privacy. Then we need query delegation to express authoritative resource location, of course...

Comment: Johannes Ernst at Thu, 1 Jan 12:00 AM

You are right that nobody has implemented yet a really simple way of managing N non-correlatable identifiers (with N: large) from a single, simple user interface/experience. However, such a way can be found -- through a combination of authentication chaining (as we do in LID), relationship-specific identifiers (pretty much all URL-based systems), appropriate defaults and a common look and feel (e.g. LID 2.0). The important thing is that the *protocols* do not preclude such a thing, and in due time as these systems get beyond the early adopter phase, they will be implemented. It's a great differentiator ... and so it will only be a matter of time.
