Trade Law Daily is a service of Warren Communications News.
‘Crowdsourcing’ Blacklists

‘Identity Service Providers’ Could Take User Hassle Out of Privacy, FTC Hears

The many ways that Web services can track and collect information about behavior online may require intermediaries to decide how much user data to pass along, experts said Wednesday at the last of three FTC workshops about privacy. Although many blocking and management tools such as browser controls, plugins and simple username-password schemes are available to consumers, they aren’t in a good position to judge the policies of websites and services or to manage their online identities, speakers said. A new “trust framework provider,” the Open Identity Exchange, which includes Google, PayPal, Equifax, VeriSign, Verizon and CA (WID March 4 p8), was called a good first step.

The launch of ClearSight Interactive, a behavioral targeting provider with 165 million “permission-based” users available to advertisers (WID March 1 p5), shows the reach of data-collection services, said Loretta Garrison, a staff lawyer in the FTC’s Division of Privacy and Identity Protection. The rise of IPv6 and the “static” IP addresses it will bring to many devices will make them easier to identify, she said. Peter Eckersley, senior staff technologist for the Electronic Frontier Foundation, said “shuffling” the staggering number of addresses in IPv6, so they're reassigned regularly to users, could make unwanted tracking harder. But there’s a “bewildering mass of different tracking mechanisms,” which would complicate the solution, he said.

The problem is aggravated because people voluntarily hand over information that can be combined with “passive” data, said Lucy Lynch, director of trust and identity initiatives at the Internet Society: “There’s a user-education issue out there.” Many services don’t work without user identification, she said. Internet users aren’t prepared to “have a strategy for dealing with all of those” tracking mechanisms, said Ed Felten, director of the Center for Information Technology Policy at Princeton University. “There’s a very large perimeter I have to defend” to keep personal information private.

Making the user experience smooth within browser-control settings is a challenge, Lynch said. Users don’t want to “actively manage their sessions all the time,” but they may change a setting once and leave it there regardless of problems that come up. There are “too many choices that are crucial” for safe browsing, Eckersley said. “You only need to get this wrong once,” and two sites may link together a user’s accounts on both without the person’s realizing it. Felten said his lab is studying browser architecture and how users might “compartment” the information they give different sites.

Eckersley said companies and officials could first go after “low-hanging fruit” such as the further adoption of SSL encryption. Though Google applied it by default to Gmail after its Chinese hacking incident, the encryption wouldn’t get in the way of law enforcement requests that use due process to get information, as opposed to authoritarian efforts to snoop, he told FTC division lawyer Naomi Lefkovitz. “Perhaps privacy is like we're trying to make a fruit salad” with many smaller components, Eckersley said. He cited AdBlock Plus, a free service that lets users block advertising servers manually or subscribe to a blacklist compiled by users. The “crowdsource” model could work for other technologies -- but the larger hurdle is creating for users “throwaway” identities that can be trusted but not permanent, Eckersley said. Attacking the obvious sources of tracking such as cookies could hurt the user experience, Lynch said.

“Authenticated anonymity” is becoming more plausible as providers find ways to minimize the amount of information needed to get a service, said John Clippinger, co-director of the Law Lab at Harvard University’s Berkman Center. One example is Microsoft’s new U-Prove software, available in a “community technical preview,” which uses “minimal disclosure tokens” so Internet users don’t have to share more than necessary with a service, said Jules Cohen, director of the company’s trustworthy computing group. Such “zero-knowledge proofs,” long theoretical, could finally verify that a user is of legal age to access a service without needing the birth date, for example, said Drummond Reed, executive director of the Information Card Foundation. That group is one of the funders of the Open Identity Exchange and Reed is its acting executive director.

Setting Up ‘Proxies’ to Guard Data -- How Will Companies Respond?

The advent of “identity service providers” that can act as a “proxy” between users and services “can get those same kind of trust moments” that take place offline between two people, but with more privacy, Cohen said. Such a proxy could also act as an “advocate” for users to drive a hard bargain with a given service on how much data it needs, Reed said. The Open Identity Exchange has certified Google, PayPal and Equifax to issue “digital identity credentials” that are accepted for registration and login at U.S. government sites, such as the National Institutes of Health, and the exchange meets the government’s Identity, Credential and Management trust framework process, known as ICAM. Reed said Yahoo and AOL are looking at becoming certified providers.

Ari Schwartz, the Center for Democracy & Technology’s chief operating officer, was skeptical that those collecting data would go along with a framework that reduces available information. The Berkman Center’s Clippinger challenged that view. “I was very surprised” by the center’s discussions with big financial services firms and retailers, who said they would actually prefer a minimized-collection regime to absolve them of potential liability from possessing unnecessary information, he said. It was a “big flip” from previous attitudes, Clippinger said.

Schwartz said overarching rules are needed for identity service providers, a “super trust framework” governed by an “FDIC-like entity” that gives providers safe harbors in exchange for following regulations. Mobile data in particular need to be protected under such a system because the information is readily identifiable, Clippinger said. Lynch raised another hurdle: The best-known early frameworks for identity management are specific to countries and regions, allowing wrongdoers to move to friendlier places.