[Clips] Selective Disclosure and Privacy
R.A. Hettinga
rah at shipwright.com
Wed May 2 19:40:57 PDT 2007
--- begin forwarded text
Date: Wed, 2 May 2007 22:37:37 -0400
To: Philodox Clips List <clips at philodox.com>
From: "R.A. Hettinga" <rah at shipwright.com>
Subject: [Clips] Selective Disclosure and Privacy
Reply-To: clips-chat at philodox.com
Sender: clips-bounces at philodox.com
<http://wendy.seltzer.org/blog/archives/2007/05/02/selective_disclosure_and_privacy.html>
Wendy's Blog: Legal Tags:
Musings of a techie lawyer.
May 02, 2007
SELECTIVE DISCLOSURE AND PRIVACY
Often, when we're asked for "identification," it's not because the asker
needs to know everything about us, but because they need to verify one
aspect of identity: that I'm over 21, for example, if I'm trying to buy a
drink. But since I don't have an "over 21" card that the bar can verify
connects to me, I'm forced to give them my driver's license, from which
they can also glean and store other data
<http://www.dgahouston.com/dlsplit1.htm>. Online, it doesn't have to be that
way.
Builders of identity-management systems can design in stronger protections
for their users' privacy, giving people a separate virtual "card" for every
transaction, with only the necessary data included. Ben Laurie has written
a good concise overview, Selective
Disclosure<http://www.links.org/files/selective-disclosure.pdf>, explaining
how zero-knowledge proofs let us make verifiable assertions without giving
away the store.
I claim that for an identity management system to be both useful and
privacy preserving, there are three properties assertions must be able to
have. They must be:
* Verifiable
There's often no point in making a statement unless the relying party has
some way of checking it is true. Note that this isn't always a requirement
- I don't have to prove my address is mine to Amazon, because it's up to me
where my goods get delivered. But I may have to prove I'm over 18 to get
alcohol delivered.
* Minimal
This is the privacy preserving bit - I want to tell the relying party the
very least he needs to know. I shouldn't have to reveal my date of birth,
just prove I'm over 18 somehow.
* Unlinkable
If the relying party or parties, or other actors in the system, can, either
on their own or in collusion, link together my various assertions, then
I've blown the minimality requirement out of the water.
While digital signatures are widely used for verification, the same
signature on each item is a privacy-busting linkage. With the help of third
parties and selective disclosure proofs, however, we can make assertions
that are minimal and don't leave a trail. We can create digital one-time
cards each time we're asked for a facet of our identities.
These properties fit well with the legal principle of narrow tailoring.
Limiting the identification provided to that required limits spillover
effects and opportunities for misuse ("mission creep"). An ID-check law
shouldn't become a source of marketing information; an online purchase
needn't be an entry in a growing retailer profile -- unless that's an
explicit choice. We might even be more willing to give accurate information
in places like online newspaper sign-ins if we knew that information could
never be added to or correlated with profile data elsewhere.
The next hard part, of course, is getting those with whom we do business to
accept less information where they've been accustomed to getting more by
default, but at least if we build the identity technology right, it will be
possible.
Posted by Wendy at May 02, 2007 01:34 PM
--
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
_______________________________________________
Clips mailing list
Clips at philodox.com
http://www.philodox.com/mailman/listinfo/clips
--- end forwarded text
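The three properties Laurie lists in the post above (verifiable, minimal, unlinkable) and the "one-time cards" remedy for signature linkage can be made concrete with a small credential scheme. The following Python is an added illustration, not code from Wendy Seltzer's post or from Laurie's paper: the issuer signs a list of salted hash commitments to the holder's claims, the holder discloses one claim plus its salt, and the relying party checks that the disclosed claim recomputes to a signed commitment. That commitment-and-disclosure shape is the same idea used by today's SD-JWT. The RSA signature is textbook and unpadded so the example runs on the standard library alone; it is not a production signature scheme. Every name in the block (`issue`, `present`, `check_presentation`, `linkable`, the sample claims) is an assumption for this example.

```python
import hashlib
import json
import secrets

# ---- Toy RSA signature (textbook, unpadded). Illustration only; a real
# ---- deployment uses a vetted library and a padded signature scheme.
def _is_probable_prime(n, rounds=16):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits=512):
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))  # (public, private)

def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    n, d = priv
    return pow(_digest_int(data), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(data)

# ---- Credential: the issuer signs only salted commitments to the claims. ----
def commit(name, value, salt):
    # The per-claim salt stops a relying party from guessing a low-entropy value
    # such as a date of birth and checking the guess against the commitment.
    return hashlib.sha256(f"{salt}|{name}|{json.dumps(value)}".encode()).hexdigest()

def issue(priv, claims):
    """Issuer output: signed commitment list; salts and claims stay with the holder."""
    salts = {k: secrets.token_hex(16) for k in claims}
    commitments = sorted(commit(k, v, salts[k]) for k, v in claims.items())
    sig = sign(priv, json.dumps(commitments).encode())
    return {"commitments": commitments, "sig": sig, "salts": salts, "claims": claims}

def present(cred, claim_name):
    """Holder reveals exactly one claim (value plus its salt) and nothing else."""
    return {"commitments": cred["commitments"], "sig": cred["sig"],
            "disclosed": {"name": claim_name, "value": cred["claims"][claim_name],
                          "salt": cred["salts"][claim_name]}}

def check_presentation(pub, pres):
    """Relying party: signature must bind the list, disclosed claim must be in it."""
    if not verify(pub, json.dumps(pres["commitments"]).encode(), pres["sig"]):
        return False
    d = pres["disclosed"]
    return commit(d["name"], d["value"], d["salt"]) in pres["commitments"]

def linkable(pres_a, pres_b):
    """Two relying parties comparing notes: an equal signature ties the two uses together."""
    return pres_a["sig"] == pres_b["sig"]

def demo():
    pub, priv = rsa_keygen()
    claims = {"name": "A. Holder", "dob": "1985-03-09", "over_18": True}  # constructed
    # One long-lived card: minimal and verifiable, but every use carries the same signature.
    card = issue(priv, claims)
    at_bar, at_shop = present(card, "over_18"), present(card, "over_18")
    forged = {**at_bar, "disclosed": {**at_bar["disclosed"], "value": False}}
    # A batch of one-time cards: fresh salts, fresh commitments, fresh signature per card.
    batch = [issue(priv, claims) for _ in range(2)]
    once_bar, once_shop = present(batch[0], "over_18"), present(batch[1], "over_18")
    return {
        "verifiable": check_presentation(pub, at_bar),
        "forgery_rejected": not check_presentation(pub, forged),
        "minimal": "dob" not in json.dumps(at_bar["disclosed"]),
        "same_card_linkable": linkable(at_bar, at_shop),
        "one_time_cards_linkable": linkable(once_bar, once_shop),
    }
```

`demo()` returns the five checks a practitioner cares about: the bar can verify the "over 18" claim, a tampered value is rejected, the date of birth never leaves the holder, two uses of the same card are linkable through the repeated signature, and two one-time cards are not. The caveat is that the one-time cards are unlinkable only from the relying parties' side: the issuer saw every card it signed and could, in collusion with them, match a presented signature back to the holder. Laurie's unlinkability against "other actors in the system" needs blind signatures or an anonymous-credential scheme, which this example deliberately does not attempt.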