Category Archives: Identity Oracle

Will Identity Oracles be like Credit Bureaus?

Yvonne of Sun has some very good insight into the issue of derived attributes in an Identity Oracle context here. Phil Hunt has some interesting thoughts about Identity Providers here. Both of these look at different aspects of being an Identity Provider or Oracle in practice. Yvonne raises the excellent point about what happens when the data used for the derived attributes is erroneous.

I was thinking recently that we have a very good example of something like an Identity Oracle today where there is a clear and successful business case: Credit Bureaus. This is ironic because answering questions derived from credit ratings is a common example cited for Identity Oracles. Supposedly an Identity Oracle could derive an attribute indicating your ability to handle a loan based on your credit rating, which itself is a derived attribute.

So what is interesting here?

  • The Credit Bureau has a derived attribute (credit score) which is derived from a multitude of sources of information.
  • If one of those sources is wrong, it becomes the user’s responsibility to try to correct it.
  • The Credit Bureau has a very profitable business being an identity oracle.
  • The SPs really have only tenuous business relationships with the Credit Bureaus.
  • The user supposedly has control over the release of his credit score. But the user is often forced to consent to release this information for both important and not so important business transactions. Many users are not even aware that they have consented to release their credit scores.
  • Most people pretty much hate the system.

So how do we prevent Identity Oracles, if there ever are any, from becoming like Credit Bureaus? Regulation is clearly not the answer since Credit Bureaus are already heavily regulated and people hate them.

(Mirrored from TalkBMC)

If only

Phil believes that I am unaware of the advantages of the user-centric aspect of an Identity Oracle. Quite the contrary, that’s the one part of the idea that I like. If I were to opt into an Identity Oracle (assuming it wasn’t compulsory), I would very much like to control what queries are allowed and be able to view and approve the responses.

But that was not my original objection. My objection was to the specific use case of credit scores and how the yes or no answer really doesn’t hide the underlying data from a practical standpoint.

I believe that information leakage would be a big problem. User-centric control won’t really solve this because the average user is not going to be able to understand the identity leakage ramifications when consenting to a transaction.

But putting that aside for a moment, Phil does paint a compelling picture of how an Identity Oracle would work:

Further, Jeff might also be able to choose from a list of Identity Oracles accepted by his employer, enabling Jeff to overcome a bad/false report from one provider with an assertion from another provider. The idea that you, Jeff, could stop the flow of information is truly revolutionary! In this case, Jeff, you would be able to intercept the negative report and take appropriate action (e.g. hire a lawyer). While you are disputing the negative report, your employer would not know the results until you choose to release them.

If only. If only.

Once the Identity Oracle exists and you opt in (again, assuming it’s not compulsory), any organization that has leverage over you will expect immediate and full access to all available decisions. Failure to get any access will be viewed as non-compliance. It will all be done quite politely of course:

“I’m sorry, but we can’t finish processing your job application because there are unanswered queries from your IO. Please be patient.”

“We are sorry, but you have been denied for medical coverage because your IO won’t answer the following queries…”

“Your auto insurance rates will automatically be moved to the high risk category unless your IO answers the following queries by the date indicated below. Thank you for your business.”

And of course the government will be allowed unrestricted access. As will any lawyer with a subpoena in a civil case. It’s not that they can’t get this information already; I’m just not interested in consolidating it for them.
 
I am deeply suspicious of where we are going on this because I have seen where we have been.

(Mirrored from TalkBMC)

Funny, I don’t feel crashed

Dave Kearns thinks I have missed the mark in my comments on Phil Hunt’s post. Perhaps I did not express myself well enough. I will have another go at it for Dave’s benefit.

When I said:

First party claims such as personal info can and should be made directly by the consumer who owns them. Information Cards provide a convenient way to do that. I see no compelling business case for a third party to make first party claims in a B2C scenario. 

I was referring to the same kind of personal information that the RP already trusts me to enter directly on a web site, or over the phone. The trust is implicit in the business relationship I am establishing. Involving a third party in this information exchange seems over complicated and without added value. I certainly don’t see why either the consumer or the SP would be willing to pay to involve a third party.

The statement that such claims are worthless without third party validation is risible at best. If that was the case then internet commerce wouldn’t exist. If I give Amazon my shipping address, they don’t need to have a third party validate it. I have no reason to give them an invalid address because then the business relationship I am paying to establish wouldn’t function. Specifically Amazon couldn’t ship me my purchased goods.

Perhaps someone could build a business as a third party personal information provider. Paul Madsen made the very good point that such a service could be valuable for providing that information while the consumer is offline. Perhaps, but I still don’t see a viable business case there. If someone could point me to such a service that is making money as a third party provider of personal information (things you would normally be trusted to enter on a web form) I will gladly admit I am wrong.

Now third party attributes are another story. From a business standpoint their value lies in the fact that they must be asserted by a third party. But keep in mind that the same information may be either a first or third party attribute depending on context. A site that wants my age for personalization purposes would accept it as a first party attribute. A site that wants my age to determine if I am legally old enough for an offered service would need it as a third party attribute.

Which leads to the Identity Oracle. If what makes an Identity Oracle different from an Attribute Provider is that it can provide answers without divulging the underlying data, then there are serious issues that are not being discussed. When I said:

The mistake is saying an identity oracle can divulge whether your credit is good enough for the purposes of the transaction without divulging your credit score itself. I don’t believe that is possible in practice. If you say ‘Jeff’s credit score is as good as 90% of the people who have not defaulted on a loan of that amount’, then you have for practical purposes divulged Jeff’s credit score.

I was talking about information leakage. Let me give a more concrete example. Suppose an SP asks an Identity Oracle if Jeff qualifies for a specific loan and gets a yes answer. Technically the Identity Oracle has not divulged Jeff’s credit score. But suppose the loan amount would typically require an AA rating? Then the SP knows Jeff’s credit score is between 720 and 850. While not technically the same as knowing the exact value, it’s functionally the same given how credit scores work.

Likewise if the SP asks if Jeff qualifies for a loan that virtually everyone without bad credit qualifies for, and the Identity Oracle says no, then the SP knows Jeff has a credit score less than 500. Again, that is functionally the same as knowing the value.

Does anyone really think that an Identity Oracle saying Jeff’s credit score is 720-850 has any more effective privacy associated with it than saying it’s 753? I should hope not.

So of course Dave gives the age counter-example. Everyone gives the age example. I am sick of the age example because it is an outlier case that distracts from the real issues, but all right, I’ll play along. Suppose the SP asks the Oracle if Jeff is allowed to buy alcohol. Then suppose the same SP asks if Jeff can vote. If the respective answers are No and Yes, the SP would then know that Jeff is between 18 and 21, effectively as good as knowing Jeff’s age.

Let me give you a chilling example. Suppose a potential employer asks an Identity Oracle if Jeff can purchase firearms in the state of FL. If the Identity Oracle says no, then since Jeff would have already disclosed his age and lack of criminal record, the employer then would suspect that it is because Jeff has a history of mental illness and would probably decline to hire Jeff.

Er… I’m strictly speaking hypothetically here.

This kind of information leakage is a huge privacy risk that is being ignored in the Identity Oracle discussion.
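The narrowing described above, worked through as an added example (not code from the original post): each yes/no query is modelled as a threshold on one hidden number, `inferred_interval` computes what a relying party can deduce from the answers it has collected, and `BudgetedOracle` is an assumed mitigation that refuses a query once the deducible range would fall below a floor. The 300..850 score range and the 720/500 loan thresholds are constructed assumptions; the 18 and 21 age thresholds come from the post.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ThresholdQuery:
    """A yes/no question that is really 'attribute >= minimum' on a hidden number."""
    name: str
    minimum: int

def inferred_interval(domain, answered):
    """What a relying party can deduce: intersect each answer's half-line with domain."""
    low, high = domain
    for query, yes in answered:
        if yes:
            low = max(low, query.minimum)
        else:
            high = min(high, query.minimum - 1)
    return low, high

class BudgetedOracle:
    """Assumed mitigation: track what each relying party has learned and refuse any
    query that would narrow the attribute below min_width on EITHER possible answer,
    so that a refusal itself does not reveal which answer was true."""
    def __init__(self, value, domain, min_width):
        self._value, self._domain, self._min_width = value, domain, min_width
        self._history = {}  # relying party -> list of (query, answer)
    def ask(self, relying_party, query):
        history = self._history.setdefault(relying_party, [])
        for branch in (True, False):
            low, high = inferred_interval(self._domain, history + [(query, branch)])
            if high - low + 1 < self._min_width:
                return None  # refused: one possible answer would leak too much
        answer = self._value >= query.minimum
        history.append((query, answer))
        return answer

# Constructed values (assumptions): scores run 300..850, an "AA" loan is taken
# to need 720 and a basic loan 500; ages use the post's 18 and 21 thresholds.
SCORE_DOMAIN, AGE_DOMAIN = (300, 850), (0, 120)
AA_LOAN = ThresholdQuery("qualifies for AA-rated loan", 720)
BASIC_LOAN = ThresholdQuery("qualifies for basic loan", 500)
ALCOHOL, VOTE = ThresholdQuery("may buy alcohol", 21), ThresholdQuery("may vote", 18)

def credit_leak():  # one 'yes' on the AA loan; separately, one 'no' on the basic loan
    return (inferred_interval(SCORE_DOMAIN, [(AA_LOAN, True)]),
            inferred_interval(SCORE_DOMAIN, [(BASIC_LOAN, False)]))
def age_leak():  # 'no' to alcohol plus 'yes' to voting pins the age to 18..20
    return inferred_interval(AGE_DOMAIN, [(ALCOHOL, False), (VOTE, True)])
def budgeted_demo():  # score 753, floor 200: basic loan answered, AA query refused
    oracle = BudgetedOracle(753, SCORE_DOMAIN, min_width=200)
    return oracle.ask("lender", BASIC_LOAN), oracle.ask("lender", AA_LOAN)
```

The floor only bounds what one relying party can learn on its own; two relying parties that pool their answers, as the employer example above hints, still defeat it.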

(Mirrored from TalkBMC)

House of Cards

As both a Liberty Dude and an Info Cardian, I am really enjoying a recent thread (Pamela’s post is here, and Paul’s response is here) that covers trust issues and level of assurance for authentication. But then Phil Hunt has to go and bring the Identity Oracle into it.

Phil makes some good points here, but he is conflating different kinds of claims about a person. Specifically he is conflating claims that a person can make about themselves and claims that must be made by a third party.

First party claims such as personal info can and should be made directly by the consumer who owns them. Information Cards provide a convenient way to do that. I see no compelling business case for a third party to make first party claims in a B2C scenario.

Let me put this in a personal way. I own my personal data. I don’t want to depend on a third party to decide who gets my personal data and who doesn’t. I don’t want a third party involved and I see no reason they should be. If that’s not user-centric, then I don’t want user-centric.

And Phil also makes a mistake I have seen often when discussing Identity Oracles and credit scores. The mistake is saying an identity oracle can divulge whether your credit is good enough for the purposes of the transaction without divulging your credit score itself. I don’t believe that is possible in practice. If you say “Jeff’s credit score is as good as 90% of the people who have not defaulted on a loan of that amount”, then you have for practical purposes divulged Jeff’s credit score.

(Mirrored from TalkBMC)

I’m really skeptical about this use case

In the discussion around Identity Oracles, I am seeing a lot of references to the use case of asking about potential drug interactions. For instance Paul Madsen gives the example:

Can Kim take drug X without fear of drug interactions?

The person that most needs to be asking this question is the prescribing doctor, and he really needs to know the list of other medications and medical conditions involved. Meta-data won’t cut it in this example. For instance if the resulting drug interaction caused a loss of appetite that would be acceptable in many cases, but not for a chemotherapy patient. The fact that there is or isn’t a drug interaction is simply too coarse-grained to be sufficient.

This is a common theme among the Identity Oracle examples I have seen so far.

My doctor needs to know everything about my medical condition. He needs data, not meta-data. My insurance company needs to know what prescriptions I am taking that they are paying for. No other parties need the data or the meta-data.

(Mirrored from TalkBMC)