Identity cards should not be used to store anonymous credentials

June 9, 2011

Germany has recently issued an identity card that includes a very basic system for using anonymous credentials. Other countries, including the Netherlands, are considering a similar approach. Such a plastic identity card also contains a smart card chip that allows the card to be used in on-line transactions with service providers

  • to establish the identity of the bearer with high confidence,
  • to put an electronic signature on documents, or
  • to disclose your age or other attribute while remaining anonymous.

While studying these systems, we started wondering whether users would really believe that, when disclosing an attribute using such an identity card, no additional personal data is revealed in the process. When you think of it, using an identity card (whose purpose is to prove your identity) as a means to reveal a certain attribute anonymously seems counter-intuitive at best. It will be very hard to convince the general public that the system can be trusted and is indeed privacy friendly.

Research from Karlstad University, Sweden, confirms this. In their paper "Evoking comprehensive Mental Models of Anonymous Credentials", presented today at iNetSec 2011, Luzern, Switzerland, Erik Wästlund, Julio Angulo and Simone Fischer-Hübner show that the card metaphor for anonymous credentials - as used in the late Windows CardSpace - has severe problems.

Anonymous credentials are used in a transaction between a user and a service provider to prove to the service provider that the user has certain credentials (aka properties or attributes), while the user remains anonymous. In an anonymous credentials system based on the card metaphor, users select images of cards (e.g. credit cards, driving licences, passports) to choose the credentials to reveal to the service provider. Such cards also contain additional data (e.g. the name of the user), which is greyed out in the user interface before the user confirms the use of the cards.

The study found that

  • Users still think that the greyed-out data is also released to the service provider as part of the transaction.
  • Users believe that additional data that is not on the card at all, but that they think should be present on the card (e.g. their address), is also released to the service provider as part of the transaction.
  • Users believe that issuers of such cards will be informed about the fact the card is used in a particular transaction, and that therefore these issuers know about all transactions a user was engaged in.

These are interesting findings that force us to think about a different metaphor for using anonymous credentials, one that will be understood by users.

Remco Bakker, 2011-06-09 11:37:04

Jaap-Henk,

I don’t think these are such strange findings. Although I do not generally take the “public” as the standard measurement, this time it seems to me that this shows the general discomfort people feel when defining trust in relation to technology. To me, the first and foremost step is clarification instead of keeping “us” in the dark. I am not familiar with this particular German initiative, but I refer to situations in the Netherlands with, for instance, the public transportation card. The first reaction of the card manufacturer upon the first breach was exactly the opposite. Denial, never taking us seriously. I think that has to change first, before people will really trust these kinds of systems, no matter the metaphor…

yours, Remco Bakker

The right of access is a sham. What now? « Jaap-Henk Hoepman – on security, privacy and…, 2011-08-25 10:57:57

[…] This is at the same time an interesting example of the perhaps ironic fact that sometimes a strong form of authentication of your identity is precisely what is needed to protect your privacy. The other way round is more obvious: an investigating officer must be able to identify himself before you are obliged to show your own passport or driving licence. Strong authentication of websites (by means of TLS) is another example of a measure intended to prevent your personal data from falling into the wrong hands. But that aside. […]

On using identity cards to store anonymous credentials. « Jaap-Henk Hoepman – on security, privacy and…, 2011-11-16 23:17:56

[…] a previous blog post I argued that identity cards should not be used to store anonymous credentials. The reason being that users may not believe that a card that is used to identify them in one […]
