Dangerous Moves: OpenID and Government-Issued ID tokens
As I wrote in my last post: "The identity management systems that are being developed and rolled out right now are laying the foundations that may be used to end online anonymity." This is becoming especially relevant with the development of e-government identification tokens that are issued by more and more governments around the world. I consciously said "may", because a crucial question is how the systems are designed.
This is a very crude ranking:
- U-Prove and related zero-knowledge technologies can really help secure privacy by offering untraceable and unlinkable tokens derived from an existing ID.
- CardSpace only offers some privacy protection in specific use cases (self-issued cards, non-auditing mode), but has general problems with unlinkability.
- OpenID offers basically no privacy unless you run your own OpenID server and thereby act as your own provider: every login is a redirect through the OpenID provider, so the provider always sees which relying party you are logging into and when.
- Using CardSpace for logging into your OpenID provider only secures the login process itself, but does not protect you against the OpenID provider seeing what you do.
If my government were my OpenID provider, they could basically track every instance where I log into a web site. Very bad, and luckily nobody is thinking of this (yet). But a number of big companies have already started giving their employees an OpenID identity, which is not much better. The company can track what people do, and the relying party can be sure that John.Doe.OpenID.CompanyXYZ.com is a real person named John Doe who works at CompanyXYZ. I wonder when we will see the first suggestion to do this for government authorities.
If the government-issued ID token is used for logging into your OpenID provider (which CardSpace can also be used for), it may secure the login process at that point. The OpenID provider can still see every instance when you log in anywhere. Worse, because you now identify yourself to the provider with a government-issued ID token, the provider can link the activities of your (maybe pseudonymous) OpenID account, and of every other OpenID account you open with the same token, to one real person.
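To make the two observations above concrete (the provider sees the relying party in every OpenID redirect, and a certificate-backed login to the provider ties every pseudonym to one card holder), here is an added Python example. It is not code from the original post, from TrustBearer or from any OpenID implementation; the parameter names are the standard OpenID 2.0 ones, but the provider endpoint, the identifiers, the relying-party URLs and the card holder's name and client identifier are all constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical OpenID provider (OP) endpoint; constructed for this example.
OP_ENDPOINT = "https://openid.example/server"


def build_auth_request(claimed_id: str, return_to: str, realm: str) -> str:
    """The checkid_setup redirect a relying party (RP) sends the user's
    browser to. Parameter names follow OpenID 2.0; values are constructed."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,   # RP URL the OP redirects back to
        "openid.realm": realm,           # RP's realm, shown to the user
    }
    return OP_ENDPOINT + "?" + urlencode(params)


def op_record(op_log: dict, request_url: str) -> tuple:
    """What the OP learns from one redirect: which identifier is logging in
    to which relying party. The realm (or return_to, if no realm is sent)
    is part of the protocol message, so the OP cannot avoid seeing it."""
    q = parse_qs(urlparse(request_url).query)
    identifier = q["openid.claimed_id"][0]
    realm = q.get("openid.realm", q["openid.return_to"])[0]
    op_log[identifier].add(realm)
    return identifier, realm


def link_pseudonyms(op_log: dict, op_login_subjects: dict) -> dict:
    """Join the OP's per-identifier RP log with the certificate subject the
    user presented when logging into the OP itself. The result maps a real
    person to every relying party visited under any of their pseudonyms."""
    linked = defaultdict(set)
    for identifier, realms in op_log.items():
        subject = op_login_subjects.get(identifier)
        if subject is None:
            continue  # no certificate-backed login recorded: stays a pseudonym
        linked[subject].update(realms)
    return {subject: sorted(realms) for subject, realms in linked.items()}


def demo() -> dict:
    op_log = defaultdict(set)
    # Constructed traffic: two pseudonymous identifiers hosted at the same OP.
    requests = [
        build_auth_request("https://openid.example/anon42",
                           "https://forum.example/return", "https://forum.example/"),
        build_auth_request("https://openid.example/anon42",
                           "https://news.example/openid", "https://news.example/"),
        build_auth_request("https://openid.example/bookworm",
                           "https://shop.example/cb", "https://shop.example/"),
    ]
    for url in requests:
        op_record(op_log, url)
    # Constructed: the subject of a citizen-certificate-style login to the OP
    # (given name, family name, electronic client identifier). Both pseudonyms
    # were opened with the same card, so the OP can tie them together.
    subject = ("Matti", "Meikalainen", "999999999Z")
    op_login_subjects = {
        "https://openid.example/anon42": subject,
        "https://openid.example/bookworm": subject,
    }
    return link_pseudonyms(op_log, op_login_subjects)


if __name__ == "__main__":
    for subject, realms in demo().items():
        print(subject, "->", realms)
```

The point of the join in `link_pseudonyms` is that nothing in the OpenID exchange itself has to leak the real name: the linkage comes from the provider knowing both the relying-party realm (from the protocol) and the certificate subject (from the login to the provider), and simply keeping both.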
This is exactly what is happening in Finland right now:
TrustBearer Labs, a leading authentication solutions company, has announced support for the Finnish National Electronic Identification Card (FINEID) with its OpenID service. With this support, the FINEID smart card can now be paired with the OpenID online authentication standard, enabling FINEID cardholders to use their cards for logging in to any website that accepts OpenID. (...)

As far as I can tell from the press release and the little background info, it only works with an OpenID provided and managed by TrustBearer themselves.
So how does the FINEID technology work? The FINEID smart card carries a "Citizen Certificate". This citizen certificate does not allow stable pseudonyms, let alone transaction-specific pseudonyms:

The Citizen Certificate is standardized personal data, an electronic identity based on Public Key Infrastructure. It contains, among other information, a citizen's first name, family name and an electronic client identifier.

The legislators in Kentucky who want to force everybody to use his or her real name for even the smallest online publications will be happy if they see this. The TrustBearer press release praises it:
"We believe that our OpenID service complements national identification programs, like Finland's ID card. National ID card holders can now securely and efficiently manage many of the things they do on the Internet using a central and secure identity," says David Corcoran, Chief Executive Officer of TrustBearer Labs.

This is a very dangerous development. We have a technology here that allows the tracking of your online activities (OpenID) combined with a technology that always identifies you with your real, legal persona (FINEID). The only firewall between this and a fully-fledged government surveillance system for online activities is that
- it is not mandatory (yet) and
- the Finnish government can't (yet) directly peek into TrustBearer's database.
When I started writing and speaking about the privacy problems connected with OpenID and similar Identity 2.0 projects, many people replied: "Yes, but it is only meant for blog comments and harmless stuff like that. Of course you can always use a pseudonym, and you will never use it for serious stuff like e-government." Well...
(Thanks to Kai Raven for the link to the TrustBearer story.)