 |
 |
 |
 |
 |
|
|
|
|
|
Often, when we're asked for "identification," it's not because the asker needs to know everything about us, but because they need to verify one aspect of identity: that I'm over 21, for example, if I'm trying to buy a drink. But since I don't have an "over 21" card that the bar can verify connects to me, I'm forced to give them my driver's license, from which they can also glean and store other data. Online, it doesn't have to be that way.
Builders of identity-management systems can design in stronger protections for their users' privacy, giving people a separate virtual "card" for every transaction, with only the necessary data included. Ben Laurie has written a good concise overview, Selective Disclosure, explaining how zero-knowledge proofs let us make verifiable assertions without giving away the store.
I claim that for an identity management system to be both useful and privacy preserving, there are three properties assertions must be able to have. They must be:
- Verifiable
There’s often no point in making a statement unless the relying party has some way of checking it is true. Note that this isn’t always a requirement - I don’t have to prove my address is mine to Amazon, because its up to me where my goods get delivered. But I may have to prove I’m over 18 to get alcohol delivered.- Minimal
This is the privacy preserving bit - I want to tell the relying party the very least he needs to know. I shouldn't have to reveal my date of birth, just prove I’m over 18 somehow.- Unlinkable
If the relying party or parties, or other actors in the system, can, either on their own or in collusion, link together my various assertions, then I’ve blown the minimality requirement out of the water.
While digital signatures are widely used for verification, the same signature on each item is a privacy-busting linkage. With the help of third parties and selective disclosure proofs, however, we can make assertions that are minimal and don't leave a trail. We can create digital one-time cards each time we're asked for a facet of our identities.
These properties fit well with legal principle of narrow tailoring. Limiting the identification provided to that required limits spillover effects and opportunities for misuse ("mission creep"). An ID-check law shouldn't become a source of marketing information; an online purchase needn't be an entry in a growing retailer profile -- unless that's an explicit choice. We might even be more willing to give accurate information in places like online newspaper sign-ins if we knew that information could never be added to or correlated with profile data elsewhere.
The next hard part, of course, is getting those with whom we do business to accept less information where they've been accustomed to getting more by default, but at least if we build the identity technology right, it will be possible.