I recently joined the PrimeLife Project which is funded by the European Commission’s 7th Framework Programme. It aims to bring sustainable privacy and identity management to future networks and services, and builds upon the former Prime Project. Privacy is something that most people take for granted, but we leave a digital trail as we interact with websites, and this can lead to abuse ranging from identity theft, discrimination, or even mild embarrassment. Privacy enhancing technologies have the potential to restore the balance and give all of us better control over data we would prefer to keep private.
One of the challenges is the ease with which interactions can be linked across websites. Having to remember user names and passwords for a large number of websites is hard. The increasing use of email addresses in place of user names for signing into websites makes it easier to link interactions across sites since email addresses are globally unique names. OpenID offers users the means to use a single digital identity for accessing participating websites, and relies on the user providing an HTTP URL as a globally unique identifier, with the same drawback as using an email address.
Having to remember lots of user names is much too hard, but using a gloabally unique identifier just makes it easier for people to track your detailed behavior. What’s the solution? I have been thinking about the possible role of a trusted privacy provider. With OpenID you are asked to provide your HTTP URL to the website you are connecting to. Imagine instead, that you are asked to disclose your privacy provider (e.g. through a drop down list or typing a URL). The website then re-directs the browser to your privacy provider to sign in. If this is the first time you have visited the website, your privacy provider will ask you for your privacy preferences for interacting with that site. The approach allows you to effortlessly use a different identity for each website if you wish, and like OpenID avoids the need for you to sign in with every website you visit. There are lots of further opportunities for privacy management, but I will leave those to another blog.