Our research group at Radboud University has been working on efficient implementations of so-called attribute based credentials (ABCs) on smart cards for several years now. The resulting IRMA card is ready for pilot deployment, so that we can see how this technology actually works in practice.
For us techies, a privacy friendly technology like ABCs is a ‘good thing’ basically by assumption. We were recently challenged on this belief by a few colleagues in the Privacy & Identity Lab who come from the social sciences. For them this privacy friendliness was not obvious at all. They saw some real risks associated with a ubiquitous implementation of an identity management scheme, even a very privacy friendly one based on IRMA technology. So what are their concerns?
The discussion that ensued eventually resulted in a scientific paper that we (Merel Koning, Paulan Korenhof, Gergely Alpár and I) wrote. Below is a summary of the analysis in the paper. In the discussion below we assume familiarity with attribute based credential systems, and especially with the IRMA system. An easy-to-read introduction can be found here (or in the full paper cited above).
From a socio-technical perspective, ABCs are a technology and as such actively co-shape the environment in which they are deployed, and in particular shape the way in which individuals interpret their identity and that of others. The thermometer is a good example to illustrate this point. People cannot feel ‘degrees’ as such; they can only perceive them with the use of this artefact. But once they are able to perceive degrees using a thermometer, they use the reading as a decisive factor to regard themselves as ill or verging on ill, replacing the indicators they used before the invention of the thermometer to declare themselves ill or healthy.
Attributes: the ‘Haves’ and ‘Have Nots’
ABCs could lead to a culture in which the individual becomes a ‘have’ or a ‘have not’ of certain attributes. ABC technology could potentially be a foundation for the use of overformalized personae, because the individual gets access to certain services based on a black-and-white scenario: either one has the attribute or one does not. This ignores the fact that there is an often wide gray area between these two extremes, in which many factors play a role in self-interpretation. For instance, if the only options to express gender are the attribute values ‘female’ and ‘male’, individuals with gender X are limited in their identity construction. The available range of attributes and their values is determined by the issuers and, to some extent, by the scheme manager.
Because ABCs are more privacy friendly, and hence less intrusive, than requesting an ID document in a certain context, businesses and government will feel less restricted in asking for authentic information using ABCs. As a consequence, and especially once a nationwide infrastructure for identity management based on ABCs exists, more services may ask for an ABC card and attributes. The end result is that the use of ABCs becomes mandatory in the daily life of a citizen, and that she has to prove certain properties about herself in contexts where this was previously deemed unnecessary. Instead of increasing the privacy of citizens, this function creep based on ABCs actually creates more opportunities for tracking and profiling.
Authentication Obstructs Obfuscation
Services often require the completion of a full user profile when registering for them. Typically users fill in these forms with no data, or random data, for those fields they deem irrelevant for the service. With a ubiquitous attribute based identity management system in place, this is no longer possible. Such a system also allows services like Google and Facebook to enforce a real name policy, and it helps them to enforce strict age restrictions on some of the services they offer. This removes the discretionary power users currently have to lie about their age. Facebook, for example, restricts access to people who are at least 13 years old, while in the Netherlands many parents allow their children to be on Facebook before that age.
Age restrictions on content vary widely across the globe: what is deemed fit for minors in one country is only accessible to grown-ups in other parts of the world. Attribute based authentication may move the decision about who gets access to what to the laws and regulations of the country where the company offering the service is based.
ABCs and Data Protection by Design and by Default
Another issue to consider is the compatibility of an attribute based credential system with European data protection law, and in particular with the concepts of data protection by design and data protection by default.
Adherence to core data protection principles
The core principles on which the European data protection law is based are lawful processing, purpose limitation and data minimisation.
Processing is considered lawful in several cases, for example when the data subject has freely given informed consent to the processing. In the case of ABCs the user is typically asked for permission to reveal a specific set of attributes. The user may of course choose not to reveal them; the service provider may then decide not to offer the service. Depending on the type of service (an essential service, or a service with a virtual monopoly), getting “no service” may not be a realistic option. It is then doubtful that the consent was freely given.
Purpose limitation and data minimisation are hard coded in the IRMA system through the important role played by the scheme authority. This authority decides which attributes do or do not exist within the ABC system, because it controls which issuers are allowed to issue credentials in the system, and which attributes these credentials can contain. It also decides which attributes a service provider is allowed to ask for when offering a particular service. Finally, the underlying technology guarantees unlinkability of the use of the same credential at different service providers, further guaranteeing a large degree of data minimisation. This central role of the scheme authority is however also a weakness, as it introduces a central point of failure. If the scheme authority is compromised, or does not enforce a strict policy with regard to the rights it grants to issuers and service providers, then the privacy protection of the overall system is severely damaged.
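To make the scheme authority's role concrete, here is a small added example (written for this summary, not IRMA's own code or scheme format). The scheme authority's decisions are modelled as a whitelist: per issuer, the credential types and attributes it may issue, and per service provider (verifier), the attributes it may ask for. Issuer, verifier and attribute names are hypothetical, and the "issuer.credential.attribute" naming is an assumption of the example. The second policy shows the failure mode from the paragraph above: a lax or compromised scheme authority that hands every verifier a wildcard no longer limits what a service can request.

```python
from dataclasses import dataclass

# Attribute references are written "issuer.credential.attribute".
# This naming is an assumption for the example, not a scheme format.
ANY = "*"  # wildcard a lax scheme authority might grant (the failure mode)


@dataclass(frozen=True)
class SchemePolicy:
    """What a scheme authority decides: who may issue what, who may ask what."""
    issuers: dict    # issuer -> {credential -> frozenset(attribute names)}
    verifiers: dict  # verifier -> frozenset(attribute refs) or {ANY}

    def attribute_exists(self, ref):
        """True only if the scheme registered this attribute for this issuer."""
        try:
            issuer, cred, attr = ref.split(".")
        except ValueError:
            return False
        return attr in self.issuers.get(issuer, {}).get(cred, frozenset())

    def may_request(self, verifier, ref):
        allowed = self.verifiers.get(verifier, frozenset())
        return ANY in allowed or ref in allowed


def check_issuance(policy, issuer, credential, attributes):
    """Issuance is valid only for a credential type and attribute set the
    scheme authority registered for that issuer."""
    registered = policy.issuers.get(issuer, {}).get(credential)
    if registered is None:
        return False, f"{issuer} may not issue {credential}"
    extra = set(attributes) - registered
    if extra:
        return False, f"{credential} may not carry {sorted(extra)}"
    return True, "ok"


def check_disclosure_request(policy, verifier, requested):
    """A verifier's request passes only if every attribute exists in the
    scheme and the verifier is allowed to ask for it (purpose limitation)."""
    problems = []
    for ref in requested:
        if not policy.attribute_exists(ref):
            problems.append(f"{ref}: not issued in this scheme")
        elif not policy.may_request(verifier, ref):
            problems.append(f"{ref}: {verifier} is not permitted to request it")
    return not problems, problems


# Constructed sample policies with hypothetical issuers and verifiers.
ISSUERS = {
    "gov": {
        "passport": frozenset({"fullname", "dateofbirth", "nationality"}),
        "age": frozenset({"over12", "over16", "over18"}),
    },
    "bank": {"account": frozenset({"iban"})},
}

# A strict scheme authority: the liquor shop gets the over18 predicate only.
STRICT = SchemePolicy(
    issuers=ISSUERS,
    verifiers={
        "liquorshop": frozenset({"gov.age.over18"}),
        "socialnetwork": frozenset({"gov.age.over12"}),
    },
)

# A lax or compromised scheme authority: a wildcard for the social network,
# so the policy no longer limits what that service provider can ask for.
LAX = SchemePolicy(issuers=ISSUERS, verifiers={"socialnetwork": frozenset({ANY})})

# A full-profile request of the kind the text warns about.
PROFILE_REQUEST = [
    "gov.passport.fullname",
    "gov.passport.dateofbirth",
    "bank.account.iban",
]

if __name__ == "__main__":
    print(check_issuance(STRICT, "bank", "account", ["iban", "fullname"]))
    print(check_disclosure_request(STRICT, "liquorshop", ["gov.age.over18"]))
    print(check_disclosure_request(STRICT, "socialnetwork", PROFILE_REQUEST))
    print(check_disclosure_request(LAX, "socialnetwork", PROFILE_REQUEST))
```

Under the strict policy the social network's full-profile request is refused attribute by attribute, while under the lax policy the very same request passes: the cryptography is unchanged, only the scheme authority's policy decides how much data minimisation the system actually delivers.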
ABCs as part of a larger system
It is important to note that ABCs are typically part of, or used by, a larger system that processes personal data. Some of the attributes in a credential may be identifying, others may be pseudonymous. Whatever their type, the authenticity of these attributes is guaranteed because they are revealed using an ABC system. On the one hand this increases the integrity of the personal data being processed (also an important requirement in data protection law). On the other hand it makes these attributes more valuable for profiling the user, even if they are only pseudonymous. This is especially worrying because the current proposals for the new European data protection regulation offer a ‘light’ protection regime for such pseudonymous data. As a result the use of ABCs could have a propelling effect on profiling.
Even the use of privacy friendly technologies like attribute based credentials does not guarantee that the overall system adequately protects the privacy of the citizen in everyday life. This is part of a general trend in which privacy by design has to compete with the current data-driven society. Personal data is considered the ‘new currency’, and without an ethical change, data processing practices will most likely not change. Connected to this issue is human nature: people want to share data.
It is therefore no surprise that many of the issues we find with attribute based credentials apply equally to identity management in general. Some of them are however exacerbated by the strong authenticity and privacy properties provided by ABCs.
It is an intriguing paradox that precisely because ABCs are privacy friendly by design, they could create privacy problems. Such a paradox, I fear, is inherent in many privacy enhancing technologies and privacy by design approaches.