Radovan Semančík recently wrote about the privacy concerns with global unique identifiers in his blog post called Global Troubles. He points out that the same issues arises whether those global unique identifiers are URLs (OpenID, LID, and now SXIP) or XRIs (i-names, i-numbers).

Since my work on XRI has been grounded deeply in privacy since the mid-1990’s, I wanted to point out two things:

1. Radovan is absolutely right — it is very important that techologies that use globally unique identifiers pay supreme attention to the privacy implications.
2. When the privacy architecture is done right, the use of abstract globally unique identifiers can increase privacy, not decrease it.

For example, a major selling point for i-names when they go into general release in early 2006 will be that they offer a higher level of privacy and personal control than any other global addressing system. The reason is that an i-name does not by itself need to reveal any information about its owner. It is not an email address or an IM address or a phone number. It is nothing more than a human-friendly global unique identifier which may be deferenced (resolved) into a set of services for interacting with its owner, all of which are controlled by its owner.

Radovan’s point, however, is that no matter what the nature of a globally-unique-identifier, even just a plain old URL, it can be used for triangulation or correlation by third parties that do not want to respect your privacy. As he says:

The global identifiers…are on-line equivalents of SSN, with most of the SSN drawbacks. The attribute protection mechanisms implemented by “identity” systems does not help here, as the data are already out at service provider’s systems and are not in control of “identity” system anymore. Yes, you may create several “personalities” by using several global identifiers, but the management of these different accounts may soon become very difficult. And even that does not help much. Imagine, that you make a mistake and login to the “adult” site with your “civil” account. That alone leaks some information, that you might not want to be leaked. And if you logout and login with the other account, it may be easy to correlate these two accounts (cookies, IP addresses). And great part your privacy is lost …

He goes on to say:

The use of randomly generated identifiers that are shared only between Authentiation/Identity Provider and one Service Provider (as it is in Liberty case) may help a bit. It limits collusion an such way, that the Identity Provider must be one of colluding parties. That may be more acceptable is some cases (but not everywhere).

But neither of these approaches is ideal. There must be something else to look at, some better solution. Or maybe we are chasing ghosts and people does not really want privacy, after all …

He then adds one final disclaimer:

Disclaimer:
Don’t get me wrong about XRI. I don’t see anyting bad about XRI (as I don’t see anything bad about URI either). I must admit that the more I know about XRI the more I like it. But I don’t like i-names. That use of XRI somehow does not feel right …

Radovan is not unique in this respect. I find the more Internet architects and developers understand about XRI, the more they like it because, as an open standard for structured identifiers (“XML for identifiers”), it can solve a number of problems around intelligent, persistent, privacy-protected identification of resources. And it’s also true that i-names and i-numbers (as the new form of fully-abstract globally-unique resolvable identifiers that XRI architecture makes possible) are only one small fraction of overall XRI architecture.

I find that the discomfort about i-names (whether global or delegated) as identifiers for individuals generally revolves around precisely Radovan’s concern that they may somehow be used to compromise privacy, because even though they can be used to shield personal data (as explaine above), once that data is shared, the i-name provides a global correlation handle.

I have two answers to this, one social/legal, and the other technical.

The social/legal answer is that techologies like i-names, when coupled with the right technical underpinnings like XDI link contracts, provide strong, machine-auditable mechanisms for enforcing privacy restrictions. My personal belief is that the legal and social penalities for not maintaining privacy of customer/partner data will only increase, and the more technology is available to support this, the stronger these protections will become.

However there will always be companies/governments/groups that operate “outside the law” and for this technical solutions are necessary. Again, I believe carefully designed privacy architecture can accomplish the goal. With XRI architecture, for instance, we can address a specific concern of Radovan’s…

Yes, you may create several “personalities” by using several global identifiers, but the management of these different accounts may soon become very difficult. And even that does not help much. Imagine, that you make a mistake and login to the “adult” site with your “civil” account. That alone leaks some information, that you might not want to be leaked. And if you logout and login with the other account, it may be easy to correlate these two accounts (cookies, IP addresses). And great part your privacy is lost …

I-SSO (the i-name-based single sign-on protocol under development at XDI.org), can be designed to offer an anonymous login option, where the user does not login with their i-name, but the i-name of their i-broker or of another third-party service provider that provides anonymous SSO service. That party then generates a unique XRI for the relationship just like the Liberty scenarios that Radovan refers to.

Is it perfect? No — users could still make the mistakes Radovan mentions. Or the i-broker or third-party anonymous SSO service provider could slip over to the dark side. Just like your bank could go out of business and steal all your money tomorrow.

My point is, properly employed, these services and the globally unique resolvable identifiers they use can and will build steadily stronger and more reliable user privacy, not the opposite.