thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Tuesday, March 11, 2008

Dangerous Moves: OpenID and Government-Issued ID tokens

As I wrote in my last post: "The identity management systems that are being developed and rolled out right now are laying the foundations that may be used to end online anonymity." This is becoming especially relevant with the development of e-government identification tokens that are issued by more and more governments around the world. I consciously said "may", because a crucial question is how the systems are designed.

This is a very crude ranking:
  • U-Prove and related zero-knowledge technologies can really help secure privacy by offering untraceable and unlinkable tokens based on an existing ID.
  • CardSpace only offers some privacy protection in specific use cases (self-issued cards, non-auditing mode), but has general problems with unlinkability.
  • OpenID offers basically no privacy if you don't run your own OpenID server and thereby authenticate yourself, because the OpenID provider can always see what you do.
  • Using CardSpace for logging into your OpenID provider only secures the login process, but does not protect you against the OpenID provider seeing what you do.
So what happens if OpenID and government-issued identification tokens are combined? It depends.

If my government were my OpenID provider, they could basically track all instances where I log into a web site. Very bad, and luckily nobody is thinking of this (yet). But a number of big companies have already started giving their employees an OpenID identity, which is not much better. The company can track what people do, and the relying party can be sure that this is a real person named John Doe who works at CompanyXYZ. I wonder when we will see the first suggestion to do this for government authorities.

If the government-issued ID token is used for logging into your OpenID provider (which CardSpace can also be used for), it may secure the login process. But the OpenID provider can still see every instance when you log in anywhere. And now, because you identify yourself with a government-issued ID token, the OpenID provider can link the activities of your (maybe pseudonymous) OpenID account to a real person.

This is exactly what is happening in Finland right now:
TrustBearer Labs, a leading authentication solutions company, has announced support for the Finnish National Electronic Identification Card (FINEID) with its OpenID service. With this support, the FINEID smart card can now be paired with the OpenID online authentication standard, enabling FINEID cardholders to use their cards for logging in to any website that accepts OpenID. (...)
As far as I can tell from the press release and the little background info, it only works with an OpenID provided and managed by TrustBearer themselves.

So how does the FINEID technology work? The FINEID smart card carries a "Citizen Certificate". This citizen certificate does not allow stable pseudonyms or even transaction-specific pseudonyms:
The Citizen Certificate is standardized personal data, an electronic identity based on Public Key Infrastructure. It contains, among other information, a citizen’s first name, family name and an electronic client identifier.
The legislators in Kentucky who want to force everybody to use his or her real name for even the smallest online publications will be happy if they see this. The TrustBearer press release praises it:
"We believe that our OpenID service complements national identification programs, like Finland’s ID card. National ID card holders can now securely and efficiently manage many of the things they do on the Internet using a central and secure identity," says David Corcoran, Chief Executive Officer of TrustBearer Labs.
This is a very dangerous development. We have a technology here that allows the tracking of your online activities (OpenID) combined with a technology that always identifies you with your real, legal persona (FINEID). The only firewall between this and a fully-fledged government surveillance system for online activities is that
  • it is not mandatory (yet) and
  • the Finnish government can't (yet) directly peek into TrustBearer's database.
These are only legal restrictions, and they can change over time, as history has proven many times. On the infrastructure side, identity management technologies are slowly moving us towards more online surveillance if we stick with the current ones and don't quickly develop, integrate and roll out the most secure products. Otherwise we have to abandon the whole idea that identity management for the web is a good thing.
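
A simplified model of the linkage described above, as an added example that is not part of the original post and is not OpenID, FINEID or TrustBearer code. It compares a single global identifier with stable per-site and transaction-specific pseudonyms; the `Provider` class, the mode names, the `idp.example` URL and the certificate field names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Provider:
    """Toy identity provider; a simplified model, not the OpenID protocol."""
    mode: str                                  # "global", "per_rp" or "per_login"
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    log: list = field(default_factory=list)    # everything the provider observes

    def login(self, cert: dict, relying_party: str) -> str:
        """Authenticate with a certificate; return the identifier the site sees."""
        if self.mode == "global":              # one identifier shown everywhere
            ident = "https://idp.example/" + cert["client_id"]
        elif self.mode == "per_rp":            # stable pseudonym, one per site
            msg = (cert["client_id"] + "|" + relying_party).encode()
            ident = hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]
        else:                                  # transaction-specific pseudonym
            ident = secrets.token_hex(8)
        # Whatever the site receives, the provider saw who logged in where.
        self.log.append((cert["given_name"], cert["family_name"], relying_party))
        return ident

def rps_can_link(mode: str, cert: dict) -> bool:
    """Can two colluding sites match their accounts by comparing identifiers?"""
    idp = Provider(mode)
    return idp.login(cert, "blog.example") == idp.login(cert, "forum.example")

def same_site_recognises(mode: str, cert: dict) -> bool:
    """Does one site see the same identifier on a return visit?"""
    idp = Provider(mode)
    return idp.login(cert, "blog.example") == idp.login(cert, "blog.example")

def provider_view(mode: str, cert: dict) -> list:
    """The provider's log after the same person visits two sites."""
    idp = Provider(mode)
    for rp in ("blog.example", "forum.example"):
        idp.login(cert, rp)
    return idp.log

# Constructed sample fields: first name, family name, client identifier.
CERT = {"given_name": "John", "family_name": "Doe", "client_id": "0000-constructed"}

if __name__ == "__main__":
    for mode in ("global", "per_rp", "per_login"):
        print(mode, rps_can_link(mode, CERT), same_site_recognises(mode, CERT))
        print("  provider log:", provider_view(mode, CERT))
```

Pseudonyms stop the sites from correlating accounts with each other, but in all three modes the provider's log holds the legal name next to every site visited, because the login to the provider itself used the certificate.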

When I started writing and speaking about the privacy problems connected with OpenID and similar Identity 2.0 projects, many people replied: "Yes, but it is only meant for blog comments and harmless stuff like that. Of course you can always use a pseudonym, and you will never use it for serious stuff like e-government." Well...

(Thanks to Kai Raven for the link to the TrustBearer story.)


Anonymous Anonymous said...

Interesting article...
Although, I do want to bring up a point. The anonymity in virtual spaces has brought us more harm than good. Why would one do something in virtual space that he or she wouldn't do in real life (perhaps, illegal/unethical)?

It is highly unlikely that the Finnish government would abuse this system to track down the innocent life of a citizen. I do hope that this system can help prevent and reduce the amount of cyber crimes which are present due to those who abuse the gift of anonymity.

I do respect your argument on this, if you would like to talk about this more in depth, you may reach me at

12/3/08 05:55

Blogger david said...


I respect your opinions and certainly there are many others that share your opinions. I personally like the idea of a true identity on the Internet. As a law abiding citizen, I fear more the scenario where someone uses my identity in a criminal manner than I fear someone knowing what I'm doing.

With that said, I still do share your concern about government tracking, though we have this issue today with telecoms and ISPs. The government can subpoena this data with (and sometimes without) a warrant. I don't think OpenID provides anything new that your ISP doesn't already know.

I think there are mixed reactions to this. Some people like the ability to use their government smart card with OpenID (for convenience) and some people are concerned. My feeling is that those concerns already affect us today with or without OpenID and smart cards.

12/3/08 13:31

Anonymous Anonymous said...

You may have some valid points, but there is one thing you are missing: no one company or government can force you to use their source as an OpenID provider. If any government wants to track you, they will find ways of doing so. Look at the US government and what Bush has done with the spying.

The whole issue about OpenID is to provide a mechanism where you don't need to create an extra username/password combination for each site you visit, and make the internet readily accessible. So, if you don't like using Yahoo! as your OpenID provider, you're free to pick someone else.

8/9/08 02:28

Anonymous SEO said...

This is fantastic. Here’s to open government and the open web! I believe OpenID will continue to be the most convenient and trustworthy open identity standard on the Web. Open standards create a better Internet for everyone, and the U.S. government's adoption of OpenID is a huge endorsement of OpenID and a big step forward for open standards. from SEO Rider

11/11/09 21:58

