On January 28, 2015, Data Protection Day, introduced in 2006, IBM announced Identity Mixer, a technology designed to protect users’ personal data when they need to authenticate. Since last Friday, this technology has been available to developers on the Bluemix cloud platform.
Apps today routinely ask users to prove their identity and provide various credentials. But too often, this authentication process collects a series of useless and potentially sensitive personal information. For example, to access an online movie streaming service, users must prove that they are subscribed to the service and that they are over 18 years old. This means that they must provide their date of birth plus other personal details that are not really necessary to prove their identity, such as name and surname, address, etc. So that, in the event of data theft at the service provider, hackers find themselves in possession of potentially sensitive information.
Identity Mixer was designed to protect users’ privacy by focusing only on the essential elements to establish a person’s identity. Using a series of algorithms based on cryptography work done by IBM Research, the tool allows developers to build apps that can authenticate users by providing what’s called “proof without disclosure of personal information.” . Specifically, Identity Mixer authenticates users by requiring them to provide a public key. Each user has a unique secret key, which corresponds to several public keys, or identities. For each transaction, the user receives a different public key and leaves no trace of his private life.
Thus, to authenticate its subscribers, the streaming service could find the useful credentials in the user’s credential wallet, and nothing else. To be able to view a film, the user can use this electronic purse to prove that he is of the required age to access the desired content, without having to provide further details about his identity. According to IBM, this technology makes it possible, on the one hand, to better protect the privacy of users, but it also allows the service provider not to have to protect and secure the excess information requested from users. “One of the key principles for protecting privacy is data minimization,” said Paul Stephens, policy director at the California-based NGO Privacy Rights Clearinghouse, which campaigns for the protection of personal data. “Anything that can be done to reduce the amount of data collected as part of the authentication process is certainly a very good thing.”