Many online services seem to think they need to know who you are, before granting you access to the service. Why else would they ask you for your name, your address, and sometimes even your phone number? We are so used to this practice that we often provide this information without thinking, not questioning whether this is really strictly necessary. But why should you identify yourself when buying a ticket to a show online, when you can buy the same ticket anonymously over the counter at the box office?
(This is the fifth myth discussed in my book Privacy Is Hard and Seven Other Myths. Achieving Privacy through Careful Design, that will appear October 5, 2021 at MIT Press. The image is courtesy of Gea Smidt.)
This unfortunate state of affairs can perhaps be explained by looking how traditionally access to resources (mostly computers) and later services in general was controlled. Historically, such access control is based on accounts, where a username or email address is used to unambiguously identify the owner of the account. To access a resource or a service, you first need to prove you are the owner of an account (using some form of authentication to log in, for example). After this, the authorisations linked to that account determine whether you are granted access or not.
In the old days this identity centric approach to access control might have made sense, but in general it creates significant security and privacy issues (see the book or this paper for details). Moreover, many day to day activities where we access something or purchase something are (or used to be) completely anonymous. To enter my house, I use a key (not my name). To unlock my bike, I use another key. To buy concert tickets, I used to go to the local record store and paid with cash. (BTW: an earlier write-up that served as a basis for this chapter of the book, also explains in detail how concert tickets can be bought online in a privacy friendly fashion.)
A particular technology aimed at making access control decisions much more privacy friendly, and that we helped to implement in practice, are attribute based credentials. The attributes describe a certain property of an individual, like their age, their qualifications (education, skills), their sex, their nationality, their name, their address, etc. Attributes are securely stored in attribute based credentials. An attribute can in essence be anything that can reliably be attributed to an individual by some entity (an institution, a government, a school, but also in theory any other individual). This entity is the issuer, that vouches for the fact that the attribute belongs to the holder of the credentials in which it is contained.
Users obtain credentials with attributes that are relevant to them from the necessary issuers once, beforehand. In that sense they function much like traditional paper based credentials like diplomas or drivers licenses, except that they are not bound to a person through their name (as is the case with paper based credentials) but bound to a person using a cryptographic key known only to that person.
Similarly, a subset of the attributes in a container can selectively disclosed to a particular service provider in an attempt to access the service based on the value of these attributes. For example, a person wishing to access age restricted content from the national broadcasting corporation could use attribute based credentials to prove that they are over eighteen and English, without revealing their name at all. It is important to mention that the actual privacy protection offered by attribute based credentials is much stronger than implied here. In fact an attribute based credential is unlinkable, meaning that subsequent uses of the same credential cannot be distinguished from uses of different credentials that happen to contain the same values for the disclosed attributes.
A much more thorough description of attribute based credentials and their potential application, as well as a wider discussion on the topic of identity and the benefits and risks of identity management can be found in the book.
(For all other posts related to my book see here)