Privacy project uses cryptography to reduce shared info
A project that could radically reduce the amount of personal information we share in our dealings has been revealed by IBM researchers.
The ABC4Trust project is developing an "electronic wallet", with encrypted versions of all a person's details.
A query by a device like a "chip and PIN" reader will involve only the information that is strictly necessary.
The idea could also be applied to online transactions, and aims to give people more control over personal data.
IBM researchers, speaking at a press event at the firm's research laboratory in Zurich, say this exchange of encrypted data in a piecemeal fashion is far preferable to the case in which, for example, a consumer hands over a passport or driver's license for identification.
IBM is involved in developing some of the protocols and technology to accomplish the goals of the 13.6m euro (£11.4m) European-funded Attribute-Based Credentials for Trust project.
"There's two basic principles that we try to apply in order to protect online privacy," Jan Camenisch, an IBM researcher who is part of the ABC4Trust project, told BBC News.
"One of them is that with every piece of information that you're releasing you should specify what this information is used for - what's the purpose and why it's needed.
"The second is that whenever you release something, you should only release the information that is minimally necessary for this purpose."
For instance, renting a car might require no more information than confirming that a customer has had a valid licence for a given number of years.
Joining a chatroom for teenagers, by contrast, needs only a confirmation that a potential user is within a certain age group.
Token effort
In Dr Camenisch's vision, the future "electronic wallet" can be deployed to confirm these facts through encrypted transactions that give up no further information.
The project, which began in November and will run for four years, aims to define first of all the technology that is needed to accomplish its goal.
In principle, every single personal detail could be crunched into one long encrypted number that could even be stored in a mobile phone.
Dr Camenisch said a retailer or service provider such as a car rental agency would have a device that could send requests for specific pieces of information to a phone, and he described what the phone would display.
"It would open the 'wallet application', and tell you that the rental agency wants to know from you that you have a licence and you took the test more than four years ago," he explained.
The phone would list what information is being requested and then create an encrypted "token" that contains the answers.
"Your phone would do the rest - it would compute the new tokens from that and send that information off to the car rental agency."
Dr Camenisch said that the principle works the same for online transactions.
He explained that much of the project's work lies ahead in the development of the encryption protocols and the reader devices.
But the project is ensuring that the standards can be reviewed and improved as the technology is developed.
"In the end, these kinds of technologies will be open standards," Dr Camenisch said. "Some of our work is already available as open-source code so everybody can inspect that and see that it does what it promises to do."