Boosting privacy online - anonymous credentials in the browser
Identity matters! In everyday life we present different "faces" to different people according to the social context, e.g. family, personal, and professional. Our online life is the same, and our privacy depends on keeping these different faces compartmentalized. To support this, we need ways to restrict access to services. As an example, a social website used by college students could be restricted to fellow students and off limits to everyone else including college staff and past students. You certainly don't want potential employers sifting through the site and rejecting your job application on the grounds of some loose talk or revealing party photo!
A powerful way to implement this is with anonymous credentials. Imagine the student union providing electronic credentials to all students that asserts that you are a current student at that college/university. This is an electronic equivalent of a student ID card. When you go online to the social website operated by the student union, you are asked to prove you are a current student, but not for your actual identity.
This has been done with support from the EU PrimeLife project, and we hope to be able to make the extension and servlet widely available in the near future. Further work is needed on tools for simplifying the creation of credentials and proof specifications, and there are opportunities for integrating biometric techniques as alternatives to typing a PIN or pass phrase. One possibility would be for the browser to confirm your identity by taking a photo of your face with the camera built into phones and notebook computers. Another would be to ask you to repeat aloud a few randomly chosen digits and use the built in microphone for voice authentication. We've also discussed the role of physical tokens such as smart cards, and USB sticks for credential stores, but this is hindered by a lack of platform independent ways to access these from browser extensions.
As Dave Birch is fond of saying, there is no privacy without security. Anonymous credentials provide a powerful new way to boost privacy on the Web, and it is time to turn them from a laboratory curiosity into widely deployed solutions. I look forward to working on incorporating them in W3C's suite of standards for Web platforms.