Funny, I don’t feel crashed

Dave Kearns thinks I have missed the mark in my comments on Phil Hunts post. Perhaps I did not express myself well enough. I will have another go at it for Dave’s benefit.

When I said:

First party claims such as personal info can and should be made directly by the consumer who owns them. Information Cards provide a convenient way to do that. I see no compelling business case for a third party to make first party claims in a B2C scenario. 

I was referring to the same kind of personal information that the RP already trusts me to enter directly on a web site, or over the phone. The trust is implicit in the business relationship I am establishing. Involving a third party in this information exchange seems over complicated and without added value. I certainly don’t see why either the consumer or the SP would be willing to pay to involve a third party.

The statement that such claims are worthless without third party validation is risible at best. If that was the case then internet commerce wouldn’t exist. If I give Amazon my shipping address, they don’t need to have a third party validate it. I have no reason to give them an invalid address because then the business relationship I am paying to establish wouldn’t function. Specifically Amazon couldn’t ship me my purchased goods.

Perhaps someone could build a business as a third party personal information provider. Paul Madsen made the very good point that such a service could be valuable for providing that information while the consumer is offline. Perhaps, but I still don’t see a viable business case there. If someone could point me to such a service that is making money as a third party provider of personal information (things you would normally be trusted to enter on a web form) I will gladly admit I am wrong.

Now third party attributes are another story. From a business standpoint their value lies in the fact that they must be asserted by a third party. But keep in mind that the same information may be either a first or third party attribute depending on context. A site that wants my age for personalization purposes would accept it as a first party attribute. A site that wants my age to determine if I am legally old enough for an offered service would need it as a third party attribute.

Which leads to the Identity Oracle. If what makes an Identity Oracle different that an Attribute provider is that it can provide answers without divulging the underlying data, then there are serious issues that are not being discussed. When I said:

The mistake is saying an identity oracle can divulge whether your credit is good enough for the purposes of the transaction without divulging your credit score itself. I don’t believe that is possible in practice. If you say ‘Jeff’s credit score is as good as %90 of the people who have not defaulted on a loan of that amount’, then you have for practical purposes divulged Jeff’s credit score.

I was talking about information leakage. Let me give a more concrete example. Suppose a SP asks an Identity Oracle if Jeff qualifies for a specific loan and gets a yes answer. Technically the Identity Oracle has not divulged Jeff’s credit score. But suppose the loan amount would typically require AA rating? Then the SP knows Jeff’s credit score is between 720 and 850. While not technically the same as knowing the exact value, it’s functionally the same given how credit scores work.

Likewise if the SP asks if Jeff qualifies for a loan that virtually everyone without bad credit qualifies for, and the Identity Oracle says no, then the SP knows Jeff has a credit score less than 500. Again, that is functionally the same as knowing the value.

Does anyone really think that an Identity Oracle saying Jeff’s credit score is 720-850 has any more effective privacy associated with it than saying its 753? I should hope not.

So of course Dave gives the age counter-example. Everyone gives the age example. I am sick of the age example because it is an outlier case that distracts from the real issues, but all right, I’ll play along. Suppose the SP asks the Oracle if Jeff is allowed to buy alcohol. Then suppose the same SP asks if Jeff can vote. If the respective answers are No and Yes. The SP would then know that Jeff is between 18 and 21, effectively as good as knowing Jeff’s age.

Let me give you a chilling example. Suppose a potential employer asks an Identity Oracle if Jeff can purchase firearms in the state of FL. If the Identity Oracle says no, then since Jeff would have already disclosed his age and lack of criminal record, the employer then would suspect that it is because Jeff has a history of mental illness and would probably decline to hire Jeff.

Er… I’m strictly speaking hypothetically here.

This kind of information leakage is a huge privacy risk that is being ignored in the Identity Oracle discussion.

(Mirrored from TalkBMC)


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s