
Privacy-Enhancing Identity Management – An Overview –

Marit Hansen, marit.hansen@datenschutzzentrum.de

Independent Centre for Privacy Protection Schleswig-Holstein, Germany

Dresden – March 30, 2004


Overview

• Introduction: Terminology

• Privacy-Enhancing Identity Management Systems: Motivation, Principles, Methods

– Core Concept: Pseudonyms
– Third Party Services

• Status of Identity Management Systems: Types, Examples, Findings

• Conclusion


Partial Identities of Alice

[Figure: Alice's identity is drawn as a cloud of attributes (name, birthday, birthplace, address, phone number, cellphone number, age, income, tax status, credit rating, health status, blood group, insurance, driving licence, good-conduct certificate, foreign languages, interests, likes & dislikes, diary). Each context (government, work, payment with MasterCard and Diners Club, health care, telecommunication, travel, shopping, leisure, boyfriend Bob) sees only a subset of them. Legend: identity of Alice; partial identity of Alice. Caption: identities management.]

Definition of Terms wrt “Identity”

• Individual Identity vs. Organisation Identity

• Physical Identity vs. Digital Identity vs. Virtual Identity


Definition of Identity Management in PRIME

Identity Management is the management of one's own partial identities according to specific situations and contexts:

a) choice and development of partial identities

b) role making and role taking


IMA + Infrastructure = IMS

• IMA = Identity Management Application
• IMS = Identity Management System

[Figure: an IMS consists of the IMA plus the surrounding infrastructure.]



Privacy-Enhancing Identity Management: Motivation

• Solves two major problems in the Internet:
– Lack of anonymity
– Lack of authenticity

• Main aim:
– Enforcing the right to informational self-determination
– i.e. the user can control the flow of his/her personal data ...
– ... or at least is aware of it

Right to informational self-determination: to know what other parties know about oneself


Privacy-Enhancing Identity Management: Principles & Methods

• Principles for Privacy-Enhancing Technologies (PET)
– Data minimisation
– Transparency
– System integration: built-in privacy protection / privacy by design
– User empowering: do-it-yourself privacy protection
– Multilateral security: minimal trust required

• Methods:
– Tailored (un-)linkability (pseudonyms, convertible credentials)
– Default setting: as much anonymity as possible or as desired
– History and context interpretation
– Privacy support for the user:
  • Good usability for choice of pseudonyms
  • Privacy control functionality for access, correction, deletion, objection ...

Pseudonym Domains (PD): “Unlinkage” of Partial Identities

Task of IMS: Providing linkage for authorised parties while preventing unauthorised linkability


Scenario “E-Commerce”

Scenario “Multi-Purpose Identity Management Controlled by the User”

Core element: pseudonyms

Various Properties of Pseudonyms

• Pseudonym = identifier [technical point of view]
• Pseudonymity does not say anything about the degree of anonymity (= “who is able to reveal its holder”); it covers the whole range between unique identification and anonymity:

[Figure: spectrum of pseudonym properties; the identification end is labelled “Better: Identification”.]


Linkability through Re-Use of Pseudonyms

Privacy-oriented default setting in an IMA:
– for one-time use: transaction pseudonym
– for establishing a relationship: role-relationship pseudonym

Requirement: user-controlled (re-)use of pseudonyms
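The two default settings above, worked through in code. This is an added illustration, not PRIME or ICPP code: the user-side IMA, the HMAC-based derivation of role-relationship pseudonyms from a master secret and the partner names (shop-A, shop-B) are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets


class IdentityManagementApp:
    """User-side IMA (constructed example): every pseudonym is derived from a
    master secret that never leaves the user's device, so only the user can
    link them; each communication partner sees its own pseudonym domain."""

    def __init__(self, master_secret: bytes):
        self._master = master_secret
        self.relationships = {}    # (role, partner) -> pseudonym: user-side linkage table
        self.transactions = set()  # one-time pseudonyms handed out so far

    def role_relationship_pseudonym(self, role: str, partner: str) -> str:
        # Deterministic per (role, partner): re-use is intended, so the relationship
        # "shopping at shop-A" survives across sessions, but shop-B gets another value.
        msg = f"{role}|{partner}".encode()
        pseudonym = hmac.new(self._master, msg, hashlib.sha256).hexdigest()[:16]
        self.relationships[(role, partner)] = pseudonym
        return pseudonym

    def transaction_pseudonym(self) -> str:
        # Fresh random value for one-time use: nothing is re-used, so two
        # transactions at the same partner cannot be linked by that partner.
        pseudonym = secrets.token_hex(8)
        self.transactions.add(pseudonym)
        return pseudonym


def partners_can_link(seen_by_a: set, seen_by_b: set) -> bool:
    """What two (possibly colluding) partners can do with the identifiers they saw:
    join their records only where the very same pseudonym appears on both sides."""
    return bool(seen_by_a & seen_by_b)


def demo() -> dict:
    alice = IdentityManagementApp(secrets.token_bytes(32))
    # Relationship: the same role-relationship pseudonym is presented twice to shop-A
    shop_a = {alice.role_relationship_pseudonym("shopping", "shop-A") for _ in range(2)}
    shop_b = {alice.role_relationship_pseudonym("shopping", "shop-B")}
    # One-time use: two anonymous visits to a news site under transaction pseudonyms
    news = {alice.transaction_pseudonym() for _ in range(2)}
    return {
        "same_relationship_linkable": len(shop_a) == 1,        # intended re-use
        "cross_domain_linkable": partners_can_link(shop_a, shop_b),
        "one_time_visits_linkable": len(news) == 1,
        "user_can_link_all": len(alice.relationships) + len(alice.transactions) == 4,
    }
```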



Identity Management and Third Party Support 1/2

• Infrastructure security and resilience

• Certification services:
– Possibly supporting various degrees of data minimisation, e.g., by allowing pseudonymous but accountable authentication (incl. convertible credentials).

• Mediator services, e.g.:
– Identity brokers reveal the identity of a pseudonym holder under specific circumstances.
– Liability services clear a debt or settle a claim on behalf of the pseudonym holder.
– A value broker may perform the exchange of goods without revealing additional personal data.


Identity Management and Third Party Support 2/2

• Separation of knowledge:
– E.g., unlinkability of the “who (buys)” and the “what (is bought)” in a partially on-line purchase may be achieved by applying separation of knowledge between payment and delivery services.

• Reference information:
– A privacy information service can give input on privacy information data such as security and privacy risks with respect to the IMA deployed, which may influence the behaviour of the system.
– The privacy information service could also be offered in a peer-to-peer manner.
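The separation-of-knowledge point above, as an added example that is not part of the slides: one purchase is split into the records seen by shop, payment service and delivery service, and a check confirms that no single service holds both the “who” and the “what”. The per-service tokens minted by the user's IMA are an assumption of this example; the naive variant with one shared order number is included to show why they matter.

```python
import secrets

IDENTIFYING = {"customer", "address"}   # the "who"
CONTENT = {"item"}                      # the "what"
PARTIES = ("shop", "payment", "delivery")


def split_purchase(customer: str, address: str, item: str, amount: int,
                   per_party_tokens: bool) -> dict:
    """Constructed example: the user's IMA hands each service only the data it
    needs, referenced by a token. Only the user keeps the mapping between tokens."""
    if per_party_tokens:
        tok = {p: secrets.token_hex(8) for p in PARTIES}   # one token per service
    else:
        order = secrets.token_hex(8)                        # naive: one shared order number
        tok = {p: order for p in PARTIES}
    return {
        "shop":     {"token": tok["shop"], "item": item, "amount": amount},
        "payment":  {"token": tok["payment"], "customer": customer, "amount": amount},
        "delivery": {"token": tok["delivery"], "address": address},
    }


def knows_who_and_what(record: dict) -> bool:
    keys = set(record)
    return bool(keys & IDENTIFYING) and bool(keys & CONTENT)


def collusion_reveals_who_and_what(views: dict, a: str, b: str) -> bool:
    """Two colluding services can merge their records only via a shared token."""
    if views[a]["token"] != views[b]["token"]:
        return False
    return knows_who_and_what({**views[a], **views[b]})


def demo() -> dict:
    naive = split_purchase("Alice", "Main St 1", "book", 20, per_party_tokens=False)
    split = split_purchase("Alice", "Main St 1", "book", 20, per_party_tokens=True)
    return {
        "single_party_leak": any(knows_who_and_what(v) for v in split.values()),
        "naive_shop_delivery_collusion": collusion_reveals_who_and_what(naive, "shop", "delivery"),
        "split_shop_delivery_collusion": collusion_reveals_who_and_what(split, "shop", "delivery"),
    }
```

The check only covers explicit identifiers; equal amounts and timing still correlate the shop and payment records, which is a remaining linkability channel the token split does not close.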



Types of Today’s IMS

• Access Management
– For authentication:
  • password and account management
  • single sign-on
  • digital signatures
  • combined with authorisations / credentials
– Additionally reachability management

• Pseudonym Management
– Different pseudonyms
– Different sets of personal data bound to pseudonyms, incl. form filling
– Additionally reputation management

Centralised vs. Federated Identity

[Figure: Example: Federated Identities in Liberty Alliance. Question of Trust.]

Centralised Identity: Single IMS provider
+ Easier to maintain
+ Less effort in user support
+ Cheaper
– Concentrate personal data of people (content and data trails)
– Put big responsibilities on the providers
– Are attractive targets for attackers
– May act as convenient data bases of other interested parties

Federated Identity: a) User-side identity administration; b) Multiple IMS providers
+ User can be in control (a)
+ No concentration of personal data (b)
+ IM solution for SME (a, b)
± Put bigger responsibilities on the user (a)
– More effort in user support (a)
– Standardisation of protocols/interfaces necessary (b)


Findings of Study “Identity Management Systems (IMS): Identification and Comparison” (JRC Seville)

• Approx. 100 IMA identified
• Detailed evaluation for 7 IMA:

– Single Sign-On:

• Microsoft Passport

• Liberty Alliance (in spec. process, > 150 companies involved)

• Yodlee

– Form Filler:

• Mozilla Navigator

• DigitalMe

• CookieCooker

– E-Mail Client: Outlook Express

• Usage: Big user numbers only when integrated, such as Microsoft Passport (200 million accounts, 3.5 billion authentications per month, 91 websites supported)

Findings of IMS Evaluation in IMS Study

State-of-the-Art of IMS:
– Main goal: usefulness

– Deficiencies concerning privacy and security functionality, and if realised: usability problems

– Digital evidence is not addressed (lack of liability / no non-repudiation), no support for law enforcement

– Identity theft is not prevented

– Little functionality, limited purposes

– No general solutions, no standards

– Trustworthy computer systems and infrastructure are still missing, hence no trustworthy and secure IMS is possible yet

– Business models: Service and software mostly free for users

Today’s IMS: Playground for users & service providers


Conclusion

• Privacy-Enhancing Identity Management: Providing linkage for authorised parties (esp. the user) while preventing unauthorised linkability

• Importance of user’s sovereignty

• Today’s approaches: not sufficient or even privacy invasive

• Building blocks for Privacy-Enhancing IMS are readily available

PRIME will demonstrate solutions for Privacy-Enhancing IMS with a focus on usability


Thank you for your attention!

Questions?