IBM software safeguards consumer identity on the Web
IBM today announced software that allows people to hide or anonymize their personal information on the Web, ensuring protection from identity theft and other misuse. Developed by researchers at IBM's laboratory in Zurich, Switzerland, the software—called Identity Mixer—will enable consumers to purchase goods and services on the Internet without disclosing personal information.
IBM will contribute its Identity Mixer software to Eclipse Higgins project, an open source effort dedicated to developing software for "user-centric" identity management. The current trend toward a user-centric approach means that individuals can actively and securely control who has access to their online personal information, such as bank account and credit card numbers, or medical and employment records, rather than having institutions solely manage that information as they do today.
As consumers hand over personal details in exchange for downloading music or subscribing to online newsletters, they leave a data trail behind that reveals pieces of information about the size, frequency and source of their online purchases that can be traced back to the user. IBM's Identity Mixer software eliminates the trail by using artificial identity information, known as pseudonyms, to make online transactions anonymous. For example, the software allows people to purchase books or clothing without revealing their credit card number. It can confirm someone's spending limit without sharing their bank balance, or provide proof of age without disclosing their date of birth.
"Unlike other identity management systems that transmit parts of a user's true identity, systems built using Identity Mixer software will help protect user privacy by sharing only pseudonyms, so real identity information can never be intercepted or exposed," explains Identity Mixer project lead and head designer Jan Camenisch of IBM's Zurich Research Laboratory.
Identity Mixer works by allowing a computer user who has the appropriate software to obtain an anonymous digital credential, or voucher, from a trusted third party, such as a bank, insurance company or government agency. A health insurance company, for example, could provide a credential confirming that a user has certain health insurance benefits. If the user wishes to consult their healthcare provider's online portal for medical information, the Identity Mixer software digitally seals the credential so the user can send it to the healthcare provider and get access to the online service. By using sophisticated cryptographic algorithms, the Identity Mixer software acts as a middleman—so the user’s real identity is never exposed to the health-care provider. The next time the user consults the service, a new encrypted credential would be used.
"When people don't have to disclose their personal information on the Web, the risk of identity theft is dramatically reduced," explains John Clippinger, senior fellow at the Berkman Center for Internet and Society at Harvard Law School. "The ability to anonymize transactions using Identity Mixer has the potential to bolster consumer confidence, opening digital floodgates to new forms of Internet commerce."
IBM plans to incorporate the Identity Mixer technology into its Tivoli software portfolio of federated identity management software. It brings another dimension to IBM's industry-leading technologies that protect the privacy of consumers and businesses. IBM currently offers software, in use by large governments, healthcare organizations and financial institutions, which provides a way to compare data about their passengers, patients or clients to identify relationships, while never exposing people’s sensitive information. The software irreversibly shreds personal artifacts such as names, addresses, phone numbers and social security numbers before the data is shared. The software analyzes the shredded information and alerts the company when a match is found between specific records, identifying only the record file number assigned by the software. It is then up to the organization to decide what amount of detail to share from the identified record. This protects the personal details within other records so they are not needlessly exposed during the comparison process.
Source: IBM Labs