Taxonomy Birds of a Feather: Anonymity and Pseudonymity Session

From IDESG Wiki
Jump to navigation Jump to search


Quick Links: Taxonomy | Taxonomy Project Management | Taxonomy AHG Catalog | Taxonomy AHG Glossary |



IDESG Plenary Birds of a Feather Session: Anonymity and Pseudonymity 1/15/2014 Notes taken by Bob Blakley

  • Both certainty of identification and certainty of anonymity are impossible
  • There's a need to preserve what we have in the physical world, de facto anonymity in a range of situations and transactions.
  • Even online, anonymity and pseudonymity are easier to assure in transactions than it is for all an individual's actions.
  • Issues of linkability (same person in multiple transactions) and observability (can I be identified by a third party) are difficult in the physical world and more difficult online.
  • Even in the real world, it's very difficult to be truly anonymous, except in a transaction brokered by a third party (and even then you're not anonymous to the broker; the example of a journalist with a confidential source is brought up, the journalist knows the source's identity in some cases).
  • Therefore we need to choose our battles; we choose to define anonymous transactions (rather than "anonymity"), pseudonymous transactions (rather than "pseudonymity"), and pseudonymous digital ID (rather than "pseudonym").
  • Multiple pseudonyms could be used - both online and electronically - to minimize the possibility of linking.
  • But we need to acknowledge what we can't control - for example, disclosure of IP addresses. (tracking cookies also mentioned here).
  • We also need to be clear about which ecosystem participants we can be anonymous or pseudonymous with respect to - RPs, IDPs, APs, etc.
  • There's a limited set of standards supporting anonymity and pseudonymity. TOR is an example of a standard); we need to ask what the consequences of the lack of standards are.
  • When dealing with anonymity, we need to have good models of re-identification risks - and of the threat actors who might seek to re-identify individuals.
  • There's an issue of choice of names; this isn't pseudonymity but is related. What names are permissible, and who decides? Can George Robert be Bob? is Jello an acceptable name? What's the range of acceptable identifiers?
  • Choice of name is an autonomy issue.
  • There need to be levels of expectation (of privacy etc.) on the part of the individual, to go with the levels of assurance available to relying parties.
  • What might the contract terms for use of a pseudonym be?
  • Anonymity & pseudonymity are features everyone might want to use SOMETIMES.
  • But there are specific risks associated with using anonymous or pseudonymous access - particularly in healthcare transactions.
  • Nevertheless there are healthcare transactions in which anonymity and pseudonymity are common :*for example online support groups, disease testing, and pregnancy testing.
  • There may need to be performance agreements on both sides of risky anonymous or pseudonymous transactions, to protect both parties.
  • In some contexts - like healthcare treatment - it may be necessary to reveal the fact of pseudonymity to the relying party, so that the RP will be aware of potential risks.
  • This makes it clear that there are tradeoffs between anonymity/pseudonymity and other values, and participants on both sides of a transaction need to be able to make these tradeoffs.
  • There's a problem with coercive aggregation of identity information for the purpose of facilitating secondary uses. And this often happens without transparency.
  • Is a "real names" policy like a dress code in a restaurant - or is it like a segregated lunch counter?
  • In what types of transactions is it OK to require a legal name? Is this a decision for IDESG to make?
  • Standards should at least require transparency: Users should be given as much control over sharing attributes and context info as possible.




Quick Links: Taxonomy | Taxonomy Project Management | Taxonomy AHG Catalog | Taxonomy AHG Glossary |