IBM tool makes online purchases anonymous

A new tool makes online purchases anonymous by using artificial identity information. Experts say enterprises need to adopt the technology before it can become a viable option.

If a new software tool goes mainstream, Web surfers could gain control over who has access to their bank account and credit card numbers when making a transaction online.

New software developed by a team of IBM researchers eliminates the need to reveal personal information to an online merchant by using algorithms to confirm a bank authorisation for purchases. Called Identity Mixer, the software eliminates the data trail left when making an online purchase by using artificial identity information or pseudonyms.

IBM said the Identity Mixer works by allowing a computer user who has the software to get an anonymous digital credential, or voucher, from a trusted third party. A bank would provide a credential containing a credit card number and expiration date, and when an online purchase is made, the Identity Mixer software digitally seals the information by transforming the credential so the user can send it to the online merchant.

"Identity management started from an enterprise point of view, but we're realising that the next big wave is user-centricity," said Michael Waidner, manager of emerging technologies at the IBM Zurich Labs, where the software was developed.

IBM researchers started developing the tool in 2001, Waidner said. The next step to make Identity Mixer viable, he said, is to convince big enterprises such as financial institutions to use the systems that accept the credentials. IBM plans to do its part by incorporating the Identity Mixer technology into its Tivoli identity management software suite, he said.

Big Blue is also contributing the software to the Eclipse open source project, called Project Higgins.

While the software is a step in the right direction for consumers, it is far from being ready for primetime, said Andrew Jaquith, a senior analyst at the Boston-based Yankee Group. Before consumer adoption could take place, enterprises must build systems that accept Identity Mixer credentials and developers must create easy-to-use tools that embed the Identity Mixer technology.

"If you are requiring enterprises to adopt something like this then you're putting a substantial barrier to acceptance in place," Jaquith said.

The new tool is the first user-centric online payment method produced by a large vendor, but Microsoft has deployed a similar technology in its new Vista operating system and other vendors have been talking about similar security tools for consumers, he said.

"The problem is that customers really are only concerned about their privacy when they're exposed and the rest of the time they don't think about it so much," Jaquith said. "The fact that IBM is turning it over to Eclipse is an indication that it doesn't see this as being commercialisable."

The Eclipse Higgins project was announced in February 2006 by the Berkman Center for Internet and Society at Harvard Law School. IBM, Novell and Parity Communications are taking an active role in the project.

The project's goal is to develop software for consumers to actively control who has access to their online personal information, such as bank account and credit card numbers, or medical and employment records, rather than having institutions solely manage that information as they do today.

Remaining anonymous to communicate on the Web is not difficult, according to Jaquith. For example, Tor, an open source peer-to-peer network of routers, lets users keep their IP addresses private as they connect to Web servers. Web proxies can also be used to keep Web surfing anonymous, he said.
