OpenID has seen its share of critics who are concerned that their OpenID Provider may collect too much information about them (recent example).
In a recent story titled "Which ISPs Are Spying on You?", Wired Magazine now points out a much bigger, and much more immediate privacy problem: privacy policies, or lack thereof, at big internet service providers.
Let’s do a quick comparison:
| ISP | OpenID Provider | |
|---|---|---|
| Has access to: | All of your activities on-line including every single click you make with a browser, regardless of which site you visit. | Only authentication transactions, and only the subset for which you used this particular OpenID provider. This easily translates into a 100-to-1 difference in data volume for privacy-relevant data. |
| Your choice as a customer: | Stay off-line, given that you typically have few (<10 or less) choices of competitive broadband providers in your area, none of whom will compete based on better privacy policies any time soon. | 1. Go do a different OpenID Provider, or several of them. There are plenty to choose from. 2. Run your own OpenID provider, by yourself or with your friends. No permission is required from anybody. |
| And government surveillance? | Your ISP always does business in the jurisdiction in which you live, so you are subject to whatever laws that may give the local government access to your records, perhaps without you ever finding out. | You find an OpenID Provider in a jurisdiction that has stronger privacy laws and privacy practices than wherever you happen to live. |
I do not mean to downplay the risk that your favorite OpenID provider may “go bad” and does nasty stuff with your data. However, in the grand scheme of privacy, I’m personally much more concerned about credit card transactions, say, entirely unprotected credentials such as your social security number, and as described in the Wired article, the tremendous amount of information your internet service provider probably already collects about every one of us.
I was hoping somebody would attempt to write this kind of article, and I’m very glad Ryan Singel did. The even worse story is how little information they actually managed to obtain from these big ISPs, and I’m sure he did try!