Why, Really, Do We Need Multiple Identity URLs?


I was asked that question today, and gave the standard answer along the lines of "we don’t want everybody to correlate all information about us all across the web, e.g. the employer with the direct marketers with the healthcare provider".

I got an unusual response, however, which was:

Couldn’t this be solved as well with a single identity URL and good access control?

On the face of it, that is indeed true: if we had the ability to control which information about us could go where, then nobody could correlate us either … because they would have no information to correlate with.

Unfortunately, this does not work for two major reasons:

  • Our identity is involved in the creation of a lot of information over which we do not have ownership rights. For example, if I use my identity to sign up for the service contract at ABC Inc., the transaction is owned as much by ABC Inc. as it is by me, and I cannot expect to be able to control the information about that transaction over the wishes (and needs, e.g. because of subcontracting) of ABC Inc. (Some jurisdictions may have laws about this — in general, however, I simply can’t make that assumption for all information that involves my identity).
  • Even if we had the exclusive and full rights over the use of all information related to us, one could bet that on the global internet, with its hundreds of jurisdictions and special exceptions, the actual legal situation won’t matter very much in practice.

Ergo, we use software code instead of the legal code, and build software that allows us to use as many non-correlatable identifiers as we like. A bit more clumsy for the user than we’d wish, but a lot safer.

Stefan Brands’ Credentica, for example, was founded on the basic idea that nothing should be correlatable, by default. In the URL-based identity world, we take a more pragmatic middle ground: create as many identities as you wish (through multiple URLs), but not necessarily one for each transaction you are doing because, among other things, that would get in the way of a lot of social behavior on the net that depends on "I recognize you" in different places, which is a form of (mostly desired) identity correlation.
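To make the "software code instead of legal code" point concrete, here is an added example (it is not code from this post, from Credentica, or from any identity-URL implementation). It assumes a hypothetical identity provider that holds one per-user master secret and derives a separate, non-reversible identifier for each "persona" the user chooses to maintain; the persona names, the provider hostname and the master secret are constructed sample values. Two parties that each hold a different persona's identifier have nothing to join on, while two sites that see the same persona can still "recognize you", which is the pragmatic middle ground described above.

```python
import base64
import hashlib
import hmac

# Constructed sample: in a real deployment this secret lives only with the
# user's identity provider and is never shared with relying parties.
MASTER_SECRET = b"constructed-example-master-secret-do-not-reuse"
PROVIDER = "https://idp.example"  # hypothetical identity-provider hostname


def derive_identifier(master_secret: bytes, persona: str) -> str:
    """Derive a stable pseudonym for one persona (one 'identity URL').

    Same (secret, persona) always yields the same identifier; a different
    persona yields one that cannot be linked back without the secret, because
    HMAC-SHA256 behaves as a keyed pseudorandom function.
    """
    digest = hmac.new(master_secret, persona.encode("utf-8"), hashlib.sha256).digest()
    # 128 bits is ample for uniqueness; base32 keeps the identifier URL-friendly.
    return base64.b32encode(digest[:16]).decode("ascii").rstrip("=").lower()


def identity_url(master_secret: bytes, persona: str, provider: str = PROVIDER) -> str:
    """Turn a persona into the identity URL the user hands to a relying party."""
    return f"{provider}/id/{derive_identifier(master_secret, persona)}"


def can_correlate(records_a: dict, records_b: dict) -> set:
    """What two parties pooling their data can link: only identifiers both hold."""
    return set(records_a) & set(records_b)


def demo() -> dict:
    """Show unlinkability across personas and recognition within one persona."""
    # The employer and the healthcare provider each see a different persona.
    employer_records = {identity_url(MASTER_SECRET, "employer"): "payroll record"}
    clinic_records = {identity_url(MASTER_SECRET, "healthcare"): "visit history"}
    # Two discussion forums both see the same "social" persona on purpose.
    forum_a_records = {identity_url(MASTER_SECRET, "social"): "posts on forum A"}
    forum_b_records = {identity_url(MASTER_SECRET, "social"): "posts on forum B"}
    return {
        "employer_vs_clinic": can_correlate(employer_records, clinic_records),
        "forum_a_vs_forum_b": can_correlate(forum_a_records, forum_b_records),
    }


if __name__ == "__main__":
    result = demo()
    print("employer/clinic can link:", result["employer_vs_clinic"] or "nothing")
    print("forum A/forum B can link:", result["forum_a_vs_forum_b"])
```

The cost the post mentions (more clumsiness for the user) shows up here as the user having to decide which persona to present at each site; the gain is that no law or access-control policy has to be relied on, because the correlatable data simply never exists on the relying parties' side.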

Update: Stefan Brands clarifies:

More precisely, [Credentica’s] particular approach to avoiding breaks down into two categories:

  • For identifiers (“identifier claims”…), a user can use different “identity tokens” at different service providers (or, if allowed/desired, at the same service provider) in order to segment his activities. Naturally, to access the same “account” the user reuses the same protected identifier!
  • For “attribute claims” (as opposed to “identifier claims”), say “over 21, male, Quebec resident”, we avoid correlations (other than on the basis of the attribute values themselves, of course) between all protected “attribute tokens”.

Our first approach is not about eliminating identifiers (such as account indexes, e-mail addresses, usernames, etc etc), it is about protecting them in a manner that avoids correlations between _different_ identifiers.

Thanks, Stefan.