Because we live our lives digitally, there’s no turning back the clock to simpler times when personal data was locked up in file cabinets and bank safe deposit boxes. We spew information about ourselves into the cybersphere via Facebook, LinkedIn, Twitter, Web sites requiring registration, personal identity cards and other kinds of smart cards. But is there a way that we can dole out information in small, controllable pieces–just enough to get things done but not a byte more?
The answer is yes, and a European research consortium is leading the way to delivering this capability on a mass scale.
The consortium, called ABC4Trust, is building safeguarding systems based on privacy-protecting technologies from IBM and Microsoft. It plans on testing the systems in a university in Greece and a secondary school in Sweden. The technologies, called Attribute-Based Credentials (where the ABC in the name comes from), make it possible to build Web services and electronic ID systems that get just enough information to authenticate peoples’ identities, qualifications and permissions–but no more.
Today’s announcement of the research consortium and its project was timed to coincide with international Data Privacy Day, which is intended to bring attention to privacy threats that go hand in hand with living the digital life. “The more we use electronic communications and media, we’re revealing more and more information about ourselves–and it’s impossible to keep track of where the information goes and to keep it under control,” says Jan Camenisch, a cryptography researcher at IBM Research in Zurich who led the development of IBM’s Identity Mixer technology.
The first pilot program will be conducted at Norrtullskolan, a school in Soderhamn, Sweden. The system will allow pupils and parents to authenticate themselves when accessing the school’s social network and when communicating with medical and counseling personnel. The second pilot will be run at the Research Academic Computer Technology Institute in Patras, Greece. There, students using the university’s faculty evaluation system will be able to give their feedback anonymously. At the same time, the university will be able to confirm that a student is eligible to participate.
Participants in the pilots are issued electronic identity credentials, which they keep on a smart card or mobile phone. The credentials confirm that they’re eligible to take part–without giving our their names or other sensitive information. The Greek pilot will include a system for gathering feedback. “The hope is that students will participate in the evaluation system more readily if they’re assured of anonymity,” says Yannis Stamatiou, a math professor at the University of Ioannina who is the technical lead on the Greek pilot.
While Attribute-Based Credentials only address a narrow slice of the threats to digital privacy, they’ll be useful in a host of situations. For instance, electronic identity cards are proliferating rapidly in Europe, but along with their convenience they also bring problems. When a student uses their government-issued e-ID card to prove their age to access a teenage chat room or some vacationing family shows their passport at a hotel, they’re also handing over a lot of additional information. No good. So this kind of technology will be a key piece of our data defense systems going forward.
While new privacy-enabling technologies are being developed, Camenisch has some practical advice for consumers: “Minimize the information you send out, and, once you decide to give out information, try to control it by attaching usage policies that the people you give it to are obliged to follow.” That will take some effort, but, as anybody who has had their identity stolen will tell you, the effort to protect yourself is well worth it.
Some related links: