Written by Quite a few people tweeted or posted about the announcement of IBM’s “new” technology in the identity space, now available to developers on its Bluemix cloud platform. Here’s a typical example.
Back in January — on Data Privacy Day, no less — IBM announced Identity Mixer, a new technology for protecting users’ personal data during authentication.
[From New IBM tech lets apps authenticate you without personal data | Computerworld]
If this new “Identity Mixer” technology sounds familiar to you, it may be because five years ago it won a well-deserved prize.
Munich, Germany, 5 May 2010—IBM Research was honored with the Best Innovation European Identity Award 2010 from Kuppinger Cole, an analyst firm focused on information security, identity, and IT governance. IBM’s Identity Mixer technology was recognized for its pioneering work that offers simultaneously both strong authentication and privacy.
[From IBM Research – Zurich | News]
Now, don’t get me wrong. I think Identity Mixer is a great technology, and IBM’s Zurich research laboratory has done some great work in this space, and I wholeheartedly agree with the idea of using pseudonymity as a means to deliver both security and privacy into the mass market in an effective way.
In its simplest form, Identity Mixer works similar to traditional attribute-based credentials with a few crucial differences. Each user has a single secret key but can have multiple public keys that correspond to it. In a way, this secret key is the user’s secret identity, and users can derive as many public identities from it as necessary.
[From Identity Security and Privacy for Electronic User Authentication]
This is a good model for identity. If it sounds familiar, it’s because you will have read something similar in “A Model for Digital Identity” by Neil McEvoy and me in that seminal tome “Digital Identity Management: Technological, Business and Social Implications“, edited by yours truly (Gower: 2007). It’s on pages 95-104, for ready reference. In that chapter, Neil and I put forward the idea that digital identity as a bridge between mundane and virtual identities makes sense in many different ways, one of them being that the use of multiple pseudonymous virtual identities (what the above article means by “many public identities”) is a great way to move forward and a great way to think about identity in an online world. Now, back in 2007, we weren’t the only people thinking this way, because IBM announced a great new technology that was built on the same lines.
Armonk, NY, and Zurich, Switzerland, 26 Jan 2007—IBM (NYSE:IBM) today announced software that allows people to hide or anonymize their personal information on the Web, ensuring protection from identity theft and other misuse. Developed by researchers at IBM’s research laboratory in Zurich, Switzerland, the software—called Identity Mixer—will enable consumers to purchase goods and services on the Internet without disclosing personal information.
[From IBM Research – Zurich | News]
Note that when this announcement was made in 2007 the IBM version of the concept was already more than five years old. You can read about it in Camenisch, J. and E. V. Herreweghen (IBM Research, Zurich), “Design and implementation of the idemix anonymous credential system” in the Proceedings of the 9th ACM conference on Computer and communications security (Washington DC, 2002). The new technology that people were telling me about this week has been around for at least 14 years and probably longer.
So, whatever Identity Mixer is, the one thing it is not is new. Hence one is forced to ask the question that if it is such a good idea, how come we’re not using it? Why doesn’t my iPhone allow me to log in to apps and services while selecting dynamically between Dave Birch (my personal ID), David G.W. Birch (my work ID), Leadbelly Gutbucket (my games ID) and Lord Tantamount Horseposture (my ID for arguing with people in newspaper comment sections)? Is the concept of multiple identities and pseudonymity just too difficult for the mass market? I’m genuinely curious to hear what you think!
Short answer:
IMHO it happens because the people who care about their privacy are also so smart to easily use different identities.
Long answer:
Much of the technologies involved in the digital identity has been around for years. But almost all technologies involves a central authority or a MITM server that can track any your action.
Really interesting is this quote of 2004 from Kim Cameron, Architect of Identity, Microsoft Corporation
####
The identity system must make its user aware of the party or parties with whom she is interacting while sharing information.
The justification requirements apply both to the subject who is disclosing information and the relying party who depends on it.
Our experience with Microsoft‟s Passport is instructive in this regard. Internet users saw Passport as a convenient way to gain access to MSN sites, and those sites were happy using Passport – to the tune of over a billion interactions per day. However, it did not make sense to most non-MSN sites for Microsoft to be involved in their customer relationships. Nor were users clamoring for a single Microsoft identity service to be aware of all their Internet activities. As a result, Passport failed in its mission of being an identity system for the Internet.
####
So why hasn’t anyone built a decentralized identity system before now? Because people who cares about their privacy don’t care about privacy of others. Nor was it clear how they could make a profit by working on the problem. It was a classic market failure.
Now we are trying to shake up the market by releasing, in an open-source way, a patented process that can solve at the root the problem that Microsoft has not been able to solve.
Take a look at SingleID 😉