Does minimal disclosure provide maximum protection?

A Canadian company has launched an identification service that embodies some of the most important principles of identity crime prevention.

Credentica is the brainchild of Stefan Brands, cryptographer and privacy pioneer*. He’s one of only a handful of individuals who combine a fearsome grasp of technology with a deep understanding of the social and commercial issues that affect privacy. In a nutshell, Credentica allows individuals to make assertions about themselves online without revealing any unnecessary data. If this takes off, it could rewrite the entire way we approach online and offline transactions.

Think about the unnecessary and invasive data trail we leave every time we make a transaction. For example, a debit card tells a retailer my name, card number, bank account number and sort code, signature, with whom I bank (and hence a good guess at my nationality), when I expect to receive a replacement card, and possibly even a little about my account status if it’s a gold card or it’s issued by a high-net-worth bank. All the retailer actually needs to know is that I’m the legitimate holder of that card, and that the transaction will be honoured – everything else is unnecessary. If I hand over a loyalty card at the same time, then I’m giving the retailer the ability to aggregate my spending habits across time and shopping outlets. And these transactions can be aggregated across retailers and card issuers, resulting in a detailed profile about me.

The beauty of Credentica’s U-Prove service is that it offers the cryptographic mechanisms to deliver this minimal disclosure through a software development kit, rather than providing the delivery mechanism itself, so that providing organisations can implement their own privacy services (ask Microsoft what they learned about inappropriate third parties through MS-Passport). Stefan’s plans are certainly attracting interest, and seem to be getting support in the right places – hopefully it won’t be long before we see implementations in Europe.

* I have no personal or commercial association with Stefan or Credentica.