IBM researchers has announced plans for a cloud-based technology that holds potential to help consumers better protect online personal data, including date of birth, home address and credit card numbers.
The technology, called Identity Mixer, uses a cryptographic algorithm to encrypt the certified identity attributes of a user, such as their age, nationality, address and credit card number in a way that allows the user to reveal only selected pieces to third parties.
Identity Mixer can be used within a digital wallet, which contains credentials certified by a trusted third party, such as a government-issued electronic identity card.
“Identity Mixer enables users to choose precisely which data to share, and with whom,” said Christina Peters, IBM’s Chief Privacy Officer. “Now web service providers can improve their risk profile and enhance trust with customers, and it’s all in the cloud, making it easy for developers to program.”
According to comScore, the average person spends nearly 25 hours per month* using the Internet, accessing dozens of different Internet services, including banking, shopping and social networks. For virtually every service, users have to create a personal profile with a username and password — or for stronger security — cryptographic certificates.
IBM researchers say that although such tools can offer sufficient security for many purposes, they do not typically provide any level of privacy for the users, causing them to reveal more personal data than is necessary, which can be costly if it falls into the wrong hands.
For example, consider a video streaming service that offers films with age restrictions. To stream a 12+ movie, Alice needs to prove that she is at least 12 years of age and that she lives within the appropriate region. The typical way to do this would require Alice to enter her full date of birth and address, but this reveals more about her than is necessary to complete the transaction. Identity Mixer can simply confirm that Alice is at least 12 without disclosing the month, date and year of her birth and reveal merely that she lives in the correct region (i.e. region 1). This ensures that even if the video streaming service is hacked, Alice’s personal data remains safe.
Similarly, if Alice needed to use her credit card to purchase a movie, the video streaming service would only learn that Alice’s credit card is valid and that it can accept payment, never revealing the actual number or expiration date.
Previously available for download and demonstrated to work on smart cards, Identity Mixer is now being made available to developers as an easy-to-use web service in IBM Bluemix, IBM’s new platform-as-a-service (PaaS) cloud that combines the strength of IBM software, third-party and open technologies.
Beginning this spring, Bluemix subscribers will be able to experiment with Identity Mixer within their own applications and web services. Using simple pull-down menus, developers can choose the types of data that they wish to secure and Bluemix will provide the code, which can then be embedded in their services.
“Identity Mixer incorporates more than a decade of research to bring the concept of minimal disclosure of identity-related data to reality, and now it is ready to use for both computers and mobile device transactions,” said Dr. Jan Camenisch, cryptographer and co-inventor of Identity Mixer at IBM Research.
“We wanted individuals to have control over what they reveal about themselves,” said, Dr. Anna Lysyanskaya, a co-inventor of Identity Mixer, who is currently a professor of computer science at Brown University. “With Identity Mixer now in the cloud, developers have a very strong cryptographic tool that makes privacy practical; it is a piece of software that you can incorporate into any identity management service, enabling the service to verify that an individual is an authorized user without revealing any other personal information.”