A solution for Web 2.0 identity
In yesterday’s post, I described an ugly side of Web 2.0 where pseudonymous identity on its own was insufficient to protect a person being impersonated on MySpace. Not an uncommon occurrence but one with unhappy consequences for the victim.
One solution that can overcome this problem is discussed below. I imagine there are several others.
Consider a simple system in which there are multiple SPs (Service Providers) which provide online services to customers. There is an IdP (Identity Provider) which performs the functions of both identification and authentication (logon management).
The IdP is responsible for verifying the real identity of a person to a sufficiently high level of confidence. The IdP also manages the person’s logon, which is associated with the person’s unique electronic identity record. The logon could be a username and password or, preferably, something stronger, e.g. two-factor authentication.
Now, when a person wants to register for a service from an SP, the person is redirected to log on at the IdP. After confirming the logon is valid, the IdP sends the SP a persistent pseudonymous identifier which is specific to that SP, i.e. the person will have a different persistent pseudonymous identifier at each SP.
The SP uses the pseudonymous identifier as its internal unique record for the person. Under normal circumstances this provides all the positive benefits of people being able to operate pseudonymously online, including, where appropriate, having multiple personas linked to the same unique pseudonymous identifier or internal record.
If things go bad, then it is possible for the pseudonymous identifier to be used to work out from the IdP who the person really is. By “bad” I mean really bad, say criminal activities or fraud. The bar needs to be set high and perhaps only an independent third party, such as a court or police or the privacy commissioner, should be allowed to work backwards from the pseudonymous identifier to the real identity.
To protect privacy further, it would probably be desirable that legislation protect the identity data at the IdP and also prevent aggregation of transaction data by the IdP.
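To make the mechanism concrete, here is an added illustration (not code from the original post) of an IdP deriving SP-specific pseudonymous identifiers with a keyed hash, so the same person is stable at one SP, unlinkable across SPs, and resolvable back to the real identity only when the request carries independent authorisation. All keys, identities and provider names are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample data: the IdP's long-term secret, a few real identity
# records and the registered service providers (all hypothetical).
IDP_KEY = b"constructed-idp-secret-key-do-not-reuse"
IDENTITY_RECORDS = {"u-1001": "Alice Example", "u-1002": "Bob Example"}
SERVICE_PROVIDERS = {"sp-myspace", "sp-forum"}
# Parties allowed to work backwards from a pseudonym (illustrative labels).
INDEPENDENT_AUTHORITIES = {"court", "police", "privacy-commissioner"}


def derive_pseudonym(user_id: str, sp_id: str, key: bytes = IDP_KEY) -> str:
    """Persistent pseudonymous identifier that is specific to one SP.

    A keyed hash over (sp_id, user_id) is stable for repeat logons, yet gives
    unrelated values at different SPs, so two SPs cannot link the person by
    comparing records, and without the IdP key nobody can recover user_id.
    """
    msg = sp_id.encode() + b"\x00" + user_id.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


class IdentityProvider:
    def __init__(self) -> None:
        # pseudonym -> (user_id, sp_id), recorded at registration so the IdP
        # can work backwards only when properly authorised.
        self._issued: dict[str, tuple[str, str]] = {}

    def register(self, user_id: str, sp_id: str) -> str:
        """Called after a successful logon; returns the identifier sent to the SP."""
        if user_id not in IDENTITY_RECORDS or sp_id not in SERVICE_PROVIDERS:
            raise ValueError("unknown user or service provider")
        pseudonym = derive_pseudonym(user_id, sp_id)
        self._issued[pseudonym] = (user_id, sp_id)
        return pseudonym

    def resolve(self, pseudonym: str, sp_id: str, authorised_by: str):
        """Reverse lookup for the 'really bad' case. A request that is not
        backed by an independent third party is refused outright."""
        if authorised_by not in INDEPENDENT_AUTHORITIES:
            raise PermissionError("reverse lookup requires independent authorisation")
        user_id, issued_sp = self._issued.get(pseudonym, (None, None))
        if user_id is None or issued_sp != sp_id:
            return None  # not issued to that SP, so nothing to disclose
        return IDENTITY_RECORDS[user_id]
```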
Two refinements to the simple model are suggested.
First, the IdP is split into an IdP that provides pseudonymous authentication and an Attribute Provider (AP) that holds the real identity records.
A downside of the simple system is that the AP knows which SP the customer has verified their identity for. A second refinement is to introduce a hub into which the SPs, IdP and AP connect, so that this linkage can be overcome cryptographically.
Whether or not the solution presented here can actually be implemented depends upon country-specific factors such as the practicality of being able to set up an AP or multiple APs that can provide high quality identification for everyone (without which it is not possible to ensure the uniqueness that underpins the whole system).