User-centric identity: boon or worst nightmare to privacy?
Two weeks ago I presented at the 7th Annual Privacy and Security Workshop in Toronto, which was well-attended by representatives from industry, government, and academia. Most of the presentations are now available for online download. In my own presentation, I discussed whether user-centric identity will turn out to be a boon to information privacy or its worst nightmare. Following are my key points.
To protect privacy it is NOT enough for the data subject to be the “choke point” for identity flows about him or her. At its worst (for privacy), user-centrism does nothing for the data subject but (a) greatly extend the reach of cross-domain sharing of identity data about him or her, and (b) result in a common cross-domain user identifier (handle) with each user-centric data transfer. Once previously unlinked “accounts” are “federated” (i.e., linked), the data subject is powerless: from here on, organizations can freely exchange user data directly between themselves. In this scenario, the data subject is in essence contributing to “super-federation.” To analyze how well a user-centric identity solution protects information privacy, one must consider at least the following questions:
- Can the data subject consent to or withhold the release of identity data? (on a case-by-case basis, informed, non-coerced, …)
- Can the data subject see the actual identity data that is flowing? (Or is it encrypted for the SP?)
- Can the data subject hide the identity of the RP from the IdP?
- Can the data subject hide the RP’s request from the IdP?
- Can the data subject locally store and manage long-lived identity credentials? (If not, then all the data subject’s actions – and therefore accounts – can be traced and linked via trivial timing analysis.)
- Can the data subject selectively disclose attribute data on identity credentials? (If not, the data subject cannot reveal the minimum information required for long-lived identity credentials.)
- Can the data subject avoid correlation handles across IdPs and SPs? (If not, then data subjects are unknowingly linking up – “federating” – all of their account relations with each and every disclosure.)
Without a resounding “yes” to at least the three last questions in this list, a society-wide roll-out of user-centric identity will without any doubt be devastating to privacy.
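As an added illustration of the last question above (example code written for this page, not part of the original post), the following Python compares what two relying parties learn when an IdP releases one global handle per user versus a per-RP pseudonym derived from an IdP-held secret; the IdP key, RP names and user list are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample: one IdP, two relying parties, three users.
IDP_SECRET = b"constructed-idp-key-never-leaves-the-idp"
RPS = {
    "shop.example": ["alice", "bob"],
    "forum.example": ["bob", "carol"],
}


def global_handle(user: str, rp: str) -> str:
    """Worst case for privacy: the same identifier goes to every RP.
    The rp argument is ignored, which is exactly the problem."""
    return hashlib.sha256(user.encode()).hexdigest()[:16]


def pairwise_handle(user: str, rp: str) -> str:
    """Per-RP pseudonym: keyed on an IdP secret, the user and the RP,
    so the value an RP stores cannot be matched against another RP's."""
    msg = f"{user}|{rp}".encode()
    return hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def rp_records(handle_fn) -> dict:
    """What each RP holds after its users have logged in via the IdP."""
    return {rp: {handle_fn(u, rp) for u in users} for rp, users in RPS.items()}


def linked_accounts(records: dict) -> list:
    """What two colluding RPs learn by intersecting their stored handles:
    every shared value is an account relation the user has federated."""
    shop, forum = records["shop.example"], records["forum.example"]
    return sorted(shop & forum)


if __name__ == "__main__":
    print("global handles link:", linked_accounts(rp_records(global_handle)))
    print("pairwise handles link:", linked_accounts(rp_records(pairwise_handle)))
```

Pairwise handles only stop RP-to-RP correlation; the IdP still sees which RP each handle was derived for, which is what the earlier questions about hiding the RP and its request from the IdP address.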