Germany has recently issued an identity card that includes a very basic system for using anonymous credentials. Other countries, including the Netherlands, are considering a similar approach. Such a plastic identity card also contains a smart card chip that allows the card to be used in on-line transactions with service providers
- to establish the identity of the bearer with high confidence,
- to put an electronic signature on documents, or
- to disclose your age or other attribute while remaining anonymous.
While studying these systems, we started wondering whether users would really believe that, when disclosing an attribute using such an identity card, no additional personal data is revealed in the process. When you think of it, using an identity card (whose purpose is to prove your identity) as a means to reveal a certain attribute anonymously seems counter-intuitive at best. It will be very hard to convince the general public that the system can be trusted and is indeed privacy friendly.
Research from Karlstad University, Sweden, confirms this. In their paper “Evoking comprehensive Mental Models of Anonymous Credentials”, presented today at iNetSec 2011, Luzern, Switzerland, Erik Wästlund, Julio Angulo and Simone Fischer-Hübner show that the card metaphor for anonymous credentials – as used in the late Windows CardSpace – has severe problems.
Anonymous credentials are used in a transaction between a user and a service provider to prove to the service provider that the user has certain credentials (aka properties or attributes), while the user remains anonymous. In an anonymous credentials system based on the card metaphor, users select images of cards (e.g. credit cards, driving licences, passports) to select the credentials to reveal to the service provider. Such cards also contain additional data (e.g. the name of the user), which is greyed out in the user interface before the user confirms the use of the cards.
The study found that
- Users still think that the greyed-out data is also released to the service provider as part of the transaction.
- Users believe that additional data that is not on the card at all, but that they think should be present on the card (e.g. their address), is also released to the service provider as part of the transaction.
- Users believe that issuers of such cards will be informed about the fact that the card is used in a particular transaction, and that therefore these issuers know about all transactions a user was engaged in.
These are interesting findings that force us to think about a different metaphor for using anonymous credentials, one that will be understood by users.