[Clips] Selective Disclosure and Privacy

R.A. Hettinga rah at shipwright.com
Wed May 2 19:40:57 PDT 2007


--- begin forwarded text


  Date: Wed, 2 May 2007 22:37:37 -0400
  To: Philodox Clips List <clips at philodox.com>
  From: "R.A. Hettinga" <rah at shipwright.com>
  Subject: [Clips] Selective Disclosure and Privacy
  Reply-To: clips-chat at philodox.com
  Sender: clips-bounces at philodox.com


<http://wendy.seltzer.org/blog/archives/2007/05/02/selective_disclosure_and_privacy.html>



  Wendy's Blog: Legal Tags (wendy.seltzer.org)

  Musings of a techie lawyer.


  May 02, 2007

  SELECTIVE DISCLOSURE AND PRIVACY

  Often, when we're asked for "identification," it's not because the asker
  needs to know everything about us, but because they need to verify one
  aspect of identity: that I'm over 21, for example, if I'm trying to buy a
  drink. But since I don't have an "over 21" card that the bar can verify
  connects to me, I'm forced to give them my driver's license, from which
  they can also glean and store other data
  <http://www.dgahouston.com/dlsplit1.htm>. Online, it doesn't have to be that
  way.

  Builders of identity-management systems can design in stronger protections
  for their users' privacy, giving people a separate virtual "card" for every
  transaction, with only the necessary data included. Ben Laurie has written
  a good concise overview, Selective Disclosure
  <http://www.links.org/files/selective-disclosure.pdf>, explaining
  how zero-knowledge proofs let us make verifiable assertions without giving
  away the store.

  I claim that for an identity management system to be both useful and
  privacy preserving, there are three properties assertions must be able to
  have. They must be:

  * Verifiable
  There's often no point in making a statement unless the relying party has
  some way of checking it is true. Note that this isn't always a requirement
  - I don't have to prove my address is mine to Amazon, because it's up to me
  where my goods get delivered. But I may have to prove I'm over 18 to get
  alcohol delivered.

  * Minimal
  This is the privacy preserving bit - I want to tell the relying party the
  very least he needs to know. I shouldn't have to reveal my date of birth,
  just prove I'm over 18 somehow.

  * Unlinkable
  If the relying party or parties, or other actors in the system, can, either
  on their own or in collusion, link together my various assertions, then
  I've blown the minimality requirement out of the water.

  While digital signatures are widely used for verification, the same
  signature on each item is a privacy-busting linkage. With the help of third
  parties and selective disclosure proofs, however, we can make assertions
  that are minimal and don't leave a trail. We can create digital one-time
  cards each time we're asked for a facet of our identities.

  These properties fit well with the legal principle of narrow tailoring.
  Limiting the identification provided to that required limits spillover
  effects and opportunities for misuse ("mission creep"). An ID-check law
  shouldn't become a source of marketing information; an online purchase
  needn't be an entry in a growing retailer profile -- unless that's an
  explicit choice. We might even be more willing to give accurate information
  in places like online newspaper sign-ins if we knew that information could
  never be added to or correlated with profile data elsewhere.

  The next hard part, of course, is getting those with whom we do business to
  accept less information where they've been accustomed to getting more by
  default, but at least if we build the identity technology right, it will be
  possible.

  Posted by Wendy at May 02, 2007 01:34 PM

  --
  -----------------
  R. A. Hettinga <mailto: rah at ibuc.com>
  The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
  44 Farquhar Street, Boston, MA 02131 USA
  "... however it may deserve respect for its usefulness and antiquity,
  [predicting the end of the world] has not been found agreeable to
  experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
  _______________________________________________
  Clips mailing list
  Clips at philodox.com
  http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text


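A worked illustration of the three properties from the forwarded post, added here by the editor; it is not code from the post, from Wendy Seltzer or from Ben Laurie's paper. It implements the simplest "one card per transaction" building block: the issuer signs a list of salted hashes of claims, and the holder hands a relying party the signed list plus only the claims that party asked for (the same construction SD-JWT uses). Laurie's note gets "over 18" from the birth date with a zero-knowledge proof; this simpler scheme instead has the issuer sign the predicate as a claim of its own, which is an assumption of the example. The issuer name "toy-dmv", the claim names, the sample claims and every function name are invented, and the signature is textbook unpadded RSA over SHA-256 with a throwaway 384-bit key, so the mechanics run offline but none of it is deployable. The point the example makes is the one in the post: this construction is verifiable and minimal, and the identical issuer signature in every presentation is exactly the linkage that breaks unlinkability.

```python
"""Salted-hash selective disclosure: verifiable and minimal, but linkable.

Added example, not code from the forwarded post or Ben Laurie's paper; the
issuer name, claim names, helper names and key are invented. The issuer signs
a sorted list of salted claim hashes; the holder forwards that list with only
the claims a relying party asked for. Signature: toy unpadded RSA / SHA-256.
"""
import hashlib
import json
import random
import secrets

def _is_probable_prime(n, rounds, rng):
    """Miller-Rabin with trial division by small primes first."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if _is_probable_prime(cand, 20, rng):
            return cand

def make_issuer_key(seed=2007):
    """Toy RSA key (n > 2**256 so a SHA-256 value fits); seeded for repeatability."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _gen_prime(192, rng), _gen_prime(192, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def _hash_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def _sign(key, data):  # deterministic: same payload, same signature bytes
    return pow(_hash_int(data), key["d"], key["n"])

def _verify_sig(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _hash_int(data)

def _digest(salt, name, value):
    """Commitment to one claim; the salt stops guessing low-entropy values."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def issue(key, claims):
    """Issuer: salt and hash every claim, sign the sorted list of digests."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in claims.items()}
    digests = sorted(_digest(s, n, v) for n, (s, v) in disclosures.items())
    payload = json.dumps({"iss": "toy-dmv", "digests": digests}).encode()
    return {"payload": payload, "sig": _sign(key, payload),
            "disclosures": disclosures}

def present(credential, reveal):
    """Holder: forward the signed payload and only the requested disclosures."""
    return {"payload": credential["payload"], "sig": credential["sig"],
            "disclosures": {n: credential["disclosures"][n] for n in reveal}}

def verify(pub, presentation):
    """Relying party: check the signature, then that every revealed claim hashes
    to a digest the issuer signed. Returns the revealed claims, or None."""
    if not _verify_sig(pub, presentation["payload"], presentation["sig"]):
        return None
    signed = set(json.loads(presentation["payload"])["digests"])
    revealed = {}
    for name, (salt, value) in presentation["disclosures"].items():
        if _digest(salt, name, value) not in signed:
            return None
        revealed[name] = value
    return revealed

def linkable(pres_a, pres_b):
    """Every presentation of one credential carries the same signature, so two
    relying parties that compare notes can join their records."""
    return pres_a["sig"] == pres_b["sig"]

def demo():
    key = make_issuer_key()
    pub = {"n": key["n"], "e": key["e"]}  # all a relying party needs
    cred = issue(key, {"name": "Alice Example", "birth_date": "1980-01-01",
                       "over_18": True})  # constructed sample claims
    to_bar = present(cred, ["over_18"])  # minimal: one bit, no birth date
    to_shop = present(cred, ["over_18"])
    return {"bar_sees": verify(pub, to_bar),
            "birth_date_sent": "birth_date" in to_bar["disclosures"],
            "bar_and_shop_can_link": linkable(to_bar, to_shop)}
```

Running demo() gives the bar exactly {"over_18": True}, with no birth date or name in anything it received, and a tampered disclosure or payload fails verify(); that is "verifiable" and "minimal". But linkable() is True for the bar's and the shop's presentations, because the holder reused one signed object, so any two relying parties who pool their logs can join Alice's visits. Getting the third property needs what the post alludes to: a signature the holder can re-randomise, or a fresh one obtained per transaction so each "card" is unique, rather than a single signed list reused everywhere.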





More information about the cypherpunks-legacy mailing list