Taxonomy Birds of a Feather: Anonymity and Pseudonymity Session: Difference between revisions

Quick Links: Taxonomy | Taxonomy Project Management | Taxonomy AHG Catalog | Taxonomy AHG Glossary |

IDESG Plenary Birds of a Feather Session: Anonymity and Pseudonymity 1/15/2014 Notes taken by Bob Blakley

• Both certainty of identification and certainty of anonymity are impossible
• There's a need to preserve what we have in the physical world, de facto anonymity in a range of situations and transactions.
• Even online, anonymity and pseudonymity are easier to assure in transactions than it is for all an individual's actions.
• Issues of linkability (same person in multiple transactions) and observability (can I be identified by a third party) are difficult in the physical world and more difficult online.
• Even in the real world, it's very difficult to be truly anonymous, except in a transaction brokered by a third party (and even then you're not anonymous to the broker; the example of a journalist with a confidential source is brought up, the journalist knows the source's identity in some cases).
• Therefore we need to choose our battles; we choose to define anonymous transactions (rather than "anonymity"), pseudonymous transactions (rather than "pseudonymity"), and pseudonymous digital ID (rather than "pseudonym").
• Multiple pseudonyms could be used - both online and electronically - to minimize the possibility of linking.
• But we need to acknowledge what we can't control - for example, disclosure of IP addresses. (tracking cookies also mentioned here).
• We also need to be clear about which ecosystem participants we can be anonymous or pseudonymous with respect to - RPs, IDPs, APs, etc.
• There's a limited set of standards supporting anonymity and pseudonymity. TOR is an example of a standard); we need to ask what the consequences of the lack of standards are.
• When dealing with anonymity, we need to have good models of re-identification risks - and of the threat actors who might seek to re-identify individuals.
• There's an issue of choice of names; this isn't pseudonymity but is related. What names are permissible, and who decides? Can George Robert be Bob? is Jello an acceptable name? What's the range of acceptable identifiers?
• Choice of name is an autonomy issue.
• There need to be levels of expectation (of privacy etc.) on the part of the individual, to go with the levels of assurance available to relying parties.
• What might the contract terms for use of a pseudonym be?
• Anonymity & pseudonymity are features everyone might want to use SOMETIMES.
• But there are specific risks associated with using anonymous or pseudonymous access - particularly in healthcare transactions.
• Nevertheless there are healthcare transactions in which anonymity and pseudonymity are common :*for example online support groups, disease testing, and pregnancy testing.
• There may need to be performance agreements on both sides of risky anonymous or pseudonymous transactions, to protect both parties.
• In some contexts - like healthcare treatment - it may be necessary to reveal the fact of pseudonymity to the relying party, so that the RP will be aware of potential risks.
• This makes it clear that there are tradeoffs between anonymity/pseudonymity and other values, and participants on both sides of a transaction need to be able to make these tradeoffs.
• There's a problem with coercive aggregation of identity information for the purpose of facilitating secondary uses. And this often happens without transparency.
• Is a "real names" policy like a dress code in a restaurant - or is it like a segregated lunch counter?
• In what types of transactions is it OK to require a legal name? Is this a decision for IDESG to make?
• Standards should at least require transparency: Users should be given as much control over sharing attributes and context info as possible.

Quick Links: Taxonomy | Taxonomy Project Management | Taxonomy AHG Catalog | Taxonomy AHG Glossary |