Think about the last time you bought a DVD, booked a flight, rented a car, or signed up for a service or newsletter on the Internet. At some point, you had to fill out a form that asked for a lot of personal information. While it's a hassle unto itself, filling out forms can lead to a bigger problem: each time you give out your information, you provide an opportunity for your information to be picked off by identity thieves.
As more services migrate online, and as tactics of identity thieves become more sophisticated, people will need better ways to manage their information, says Nataraj Nagaratnam, chief architect of identity management for IBM Tivoli.
Nagaratnam and other IBM researchers have developed open-source software that they think can help. Called Identity Mixer (Idemix), the digital identity management software lets people make online transactions--from filling out forms to purchasing plane tickets--without disclosing personal information. The software lets a person use artificial identity information, in the form of digital "tokens," to make online transactions. Using these encrypted tokens, which are issued by trusted sources such as the Department of Motor Vehicles (DMV) or a bank, a person can effectively be anonymous to Web services such as Amazon.com or Expedia, never giving out his or her information.
In a typical online purchase, Idemix could obviate the need for a person to fill out a form or reveal her credit-card number. Instead, she could use a token that vouches for her, verifying that she is who she says she is and that she has the appropriate funds and credit to make a purchase.
In addition, these tokens would provide only the information that is needed. For instance, if you're renting a car online and need to verify that you're older than 25, a token from the DMV could verify that you can legitimately rent without divulging your birth date, license number, or address. Otherwise, you reveal more than you need to about yourself, says John Clippinger, senior fellow at the Berkman Center for Internet and Society at Harvard Law School. "It's like using a passport when you buy a Coke."
To explain digital identity management, Clippinger draws from a real-world example: we have wallets that hold identifying cards such as a license or credit cards, he says, but we don't have an analogy in cyberspace. "It's hard to make people appreciate things like privacy and [online] identification," he says, "but I think these things are going to become much more critical."
People might start to pay attention soon, because an early identity management system is now commercially available through Microsoft Vista, the company's recently released operating system. Microsoft's technology is called CardSpace, and it also acts like a digital wallet, but it differs from Idemix in a couple of ways. One major difference is that Idemix is open-source software that can be used by any software developer to make applications for myriad technologies, from Web browsers to mobile phones.
Another difference is that CardSpace must ping an identity provider (such as the DMV) each time you need to have personal information verified, says Mike Neuenschwander, an analyst for Burton Group, an IT research and advisory firm. Idemix, on the other hand, allows you to maintain a collection of your tokens yourself, once they've been initially issued, either on your hard drive or in some other way, he says, so the identity provider doesn't have to be contacted. There could be an advantage here, as the logistics of continuously contacting many different types of identity providers could be challenging.
While CardSpace is already available through Vista, Idemix won't be available as a product for months. However, there are projects under way to develop Idemix plug-ins for browsers, says IBM's Nagaratnam, and the goal is to integrate the technology into browsers like Firefox within a year. "Building an application will take some time," he says, "but we believe it will take off soon."
"In another year, people are going to start seeing the value [of Idemix]," says Clippinger. And when they do, he says, "it will be a very big deal."