Could some uses of OpenID create a large privacy issue?
I just finished a news story about VeriSign's (NASDAQ: VRSN) secure OpenID services chosen by Microsoft for HealthVault users. The story discusses VeriSign's DNS services and its OpenID services and asks if this is a problem or a feature. Is this a possible privacy issue or could the two technologies be used to strengthen OpenID and encourage its use.
VeriSign assured me that there could be no collusion between its OpenID and its DNS services. It said it has strict privacy guidelines to protect users.
[Here is a crowdsourcing opportunity: I haven't checked VeriSign's privacy policy to see if there is specific wording that would exclude such a business.]
But consider this:
- VeriSign operates the Internet's "telephone directory." It runs the Domain Name System (DNS) servers. Every time your web browser pulls up a website it consults a VeriSign DNS server to find its location. It's a huge number of queries. [ The Domain Name Primer]
During the 1st quarter, VeriSign processed loads of more than 50 billion Domain Name System (DNS) queries per day, with each query representing an instance of an Internet user accessing a Web site or through sending email. The VeriSign DNS continued to maintain 100% operational accuracy and stability throughout 2007 - just as it has for the past decade.
The VeriSign Domain Report – June 2008 >>
- Every OpenID is also a URL that means the use of OpenID naturally requires the services of VeriSign's DNS.
VeriSign could track all OpenID use and use that information to strengthen OpenID and help prevent others from criminally exploiting OpenID.
But tracking OpenIDs would not sit well with many Americans. US Internet users don't like the idea of tracking anything more than their FedEx package let alone their OpenIDs.
There is a bigger issue here than identifying or tracking one Internet user. OpenIDs are used to reference specific personal networks of contacts, content and communications. Tracking an OpenID could potentially do more than provide a name, - it could help identify each person's complete networks of friends, families, colleagues and their comments, blogs and communications. Currently a lot of that information is kept by the social networks such as MySpace, Facebook, Google, Yahoo, AOL, etc. Maybe it's better to keep things that way rather than use OpenID.
Let me know what you think.
Could OpenID open a Pandora's box of privacy issues that extend beyond an individual and affect large groups of people at a time? Especially if DNS systems were to be used to help strengthen security and authentication.