The TJX Cos.' Ben Cammarata is not the only retailer pulling out his hair over identity theft. There are countless ways customers' personal information can be compromised. For companies and organizations desperate to get out of the business of authenticating, digging up and holding information on customers they do business with online, Big Blue might have an escape hatch.
New technology developed by IBM and released last week to the open source community promises to let consumers do business online without disclosing personal information.
Identity Mixer, as it's called, uses sophisticated cryptographic algorithms to ensure that sensitive information -- a person's date of birth, Social Security number, bank balance or real credit card numbers -- is never disclosed to the inquiring online party.
"Identity information is about users, but the management of that information has been more in control of retailers, and there is not much users can do about it," said Nataraj Nagaratnam, chief architect, identity management, for IBM's Tivoli identity management software.
The software works by allowing the user to get an anonymous digital credential, or voucher, from a trusted third party such as the Department of Motor Vehicles, in the case of rental car customers, or a bank. When the online transaction is made, Identity Mixer digitally seals the information by transforming the credential so the user can send it to the online merchant.
Today, when a rental car agency asks you to prove your age, you submit a driver's license that includes your date of birth. All the company really needs to know is you're above the age of 25, says Nagaratnam.
IBM's software acts as a middleman, answering the question at hand while masking the personal information. The real credit card numbers or the actual date of birth or Social Security number are never revealed. The next time a purchase is made, a new encrypted credential would be used.
"It's a very important technology, not only for privacy issues but also for enabling important identity and security technologies," said Mike Neuenschwander, a research director at Midvale, Utah-based Burton Group Inc. specializing in identity and privacy issues.
"This allows you to store claims, as they call them, and other kinds of information about yourself which other people produce, and make that information tamperproof. It's like the 'what's in your wallet' metaphor, but it does things a little better than your wallet, because you can collect all these information cards, which have claims on them, and you can mix them around and not reveal the card."
But while the prospect is exciting, the software is a year or more from being commoditized, he added. "IBM is releasing its code as a toolkit. There is nothing to check unless you are a developer."
IBM is contributing the software to the Eclipse Higgins project, an open source initiative launched last February by IBM, Novell Inc., Parity Communications Inc. and the Berkman Center for Internet & Society at Harvard Law School. The aim is to develop software for "usercentric" identity management.
Making the code available, in principle, should help speed products to market. IBM plans to wrap it into its Tivoli portfolio. But analysts like Neuenschwander caution that an open source approach that results in a "whole bunch of derivative products" can just as easily torpedo widespread use.
"If we end up with a lot of 'wallets' each using different derivative protocols, we could create another mess out of this; 110 products would kill this thing," Neuenschwander said. There needs to be a "coordinated effort" by the open source Eclipse Foundation or the Higgins Project and some serious marketing to attract consumers.
"The technology is designed to allow an organization to ask a question about the counter-party and get the answer to the question without getting the personally identifying information which gave rise to the answer," Blakley said.
It's not a perfect solution, because with enough queries a merchant or other party could in principle find out personal information about an individual. "But most merchants aren't trying to do that," he said.
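The "over 25" check described earlier and the repeated-query caveat above, as an added Python sketch that is not IBM's code and does not use Identity Mixer's algorithm: it swaps in a simple hash-chain threshold proof to show a verifier learning only "age >= threshold", then computes what a series of such answers gives away. Assumptions: all names are hypothetical, an HMAC stands in for the issuer's public-key signature, and, unlike the article's description of a new credential per purchase, the same commitment is shown on every use.

```python
import hashlib
import hmac
import os

ISSUER_KEY = os.urandom(32)  # constructed; HMAC stands in for a real signature

def chain(value: bytes, n: int) -> bytes:
    """Apply SHA-256 n times."""
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value

def issue(age: int):
    """Issuer (e.g. the DMV): returns seed (holder-only), commitment and tag."""
    seed = os.urandom(32)
    commitment = chain(seed, age)
    tag = hmac.new(ISSUER_KEY, commitment, hashlib.sha256).digest()
    return seed, commitment, tag

def prove_at_least(seed: bytes, age: int, threshold: int):
    """Holder: token for 'age >= threshold', or None when the claim is false."""
    if threshold > age:
        return None
    return chain(seed, age - threshold)

def verify_at_least(token, commitment: bytes, tag: bytes, threshold: int) -> bool:
    """Verifier: check the issuer tag, then hash the token forward."""
    expected = hmac.new(ISSUER_KEY, commitment, hashlib.sha256).digest()
    if token is None or not hmac.compare_digest(tag, expected):
        return False
    # Claiming a threshold above the real age would need a SHA-256 preimage.
    return hmac.compare_digest(chain(token, threshold), commitment)

def learned_interval(answers: dict, lo: int = 0, hi: int = 130):
    """Age range a verifier can infer from {threshold: proof accepted?}."""
    for threshold, accepted in answers.items():
        if accepted:
            lo = max(lo, threshold)
        else:
            hi = min(hi, threshold - 1)
    return lo, hi

if __name__ == "__main__":
    seed, commitment, tag = issue(37)  # constructed holder, age 37
    token = prove_at_least(seed, 37, 25)
    print(verify_at_least(token, commitment, tag, 25))
    print(learned_interval({25: True, 40: False, 32: True, 38: False, 36: True}))
```

A wallet can run the same interval calculation on its own answer history per relying party and decline a query once the remaining range gets narrower than the user is willing to reveal.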
As to where this technology will lead, Blakley cited Yogi Berra's admonition that predictions are difficult, especially when they are about the future. One difficulty is that there are no commercial identity providers out there.
"You can't do a Google Search and look for an identity provider and find a service which will store information about you and provide it to other parties for a fee," Blakley says.
Moreover, a business model for such providers raises a number of issues, he said, including paying for the identity provider server and the service it provides; convincing relying parties that they should indeed rely on information provided by a third party rather than managing identity attribute information themselves; and assigning liability when a relying party asserts the claimed identity attribute is incorrect. In the case of security breaches, either from the identity provider or the relying party, how is liability assigned and who makes subjects whole?
Still, any CIO whose company does business on the Internet and accepts third-party assurances about people would do well to follow this technology, Blakley said.
"They should be excited about the prospect of the emergence -- eventually -- of a workable identity provision model," Blakley said. "What that does is allow them to get out of the business of authenticating and digging up information on everybody in the world and to hand it off to a party that will accept liability and will do a better job of it."
Let us know what you think about the story; email: Linda Tucci, Senior News Writer