IBM contributes ID software to open source security project

IBM is unveiling its latest approach to tackling the identity theft scourge with software that allows users to control personal information by sharing only a pseudonym with third parties.

The company is also contributing the software, dubbed Identity Mixer, to the year-old Eclipse Higgins project, which is an open source effort to developing user control identity management.

Think of IBM's latest move as another way to take federated identity management to the masses. Meanwhile, the contribution of Identity Mixer to the Eclipse Higgins project sets up another open source vs. Microsoft skirmish. After all, Eclipse Higgins competes with Microsoft's Cardspace efforts.

Both projects operate under roughly the same theory: Users will be able to pick and choose what information is shared and personal data will be sealed. One key difference is Cardspace shares real identity data while Eclipse Higgins, which now has Identity Mixer, aims to use cryptography so real information is never exposed. The popularity of both efforts will depend on whether consumers will rely on a middleman to keep their data safe.  Cardspace recently got Firefox support.

Identity Mixer's biggest benefit is that it allows people to hide or "anonymize" their information on the Web. Think of Identity Mixer as a way to cover your e-commerce tracks. IBM argues that as consumers hand over information to download music, conduct transactions and share personal information, it'll be increasingly important to cover your Web tracks. Big Blue says:

"IBM's Identity Mixer software eliminates the trail by using artificial identity information, known as pseudonyms, to make online transactions anonymous. For example, the software allows people to purchase books or clothing without revealing their credit card number.  It can confirm someone's spending limit without sharing their bank balance, or provide proof of age without disclosing their date of birth."

Jan Camenisch, lead researcher on Identity Mixer at the IBM Zurich Research Lab, says Big Blue's latest software effort can be viewed in the context of federated ID management, which dictates that partners trust each other to vouch for data. Camenisch gave the following example: If all a third party needed to know was whether an individual was over 18 that's all that would be shared. Currently, it's likely a person's entire passport--and all of the data on it--would be shared just to verify an age.

"This is part of the movement to give users more control of their data," says Camenisch.

With Identity Mixer a person can get an "anonymous digital credential" from a third party like a bank to verify information such as credit card number, expiration date and date of birth. In other words, Identity Mixer becomes an e-commerce middleman--it is the vault with all the personal data.

The mental hurdle is whether consumers will trust a big entity like IBM or Microsoft to be personal data middlemen. In addition, rest assured Cardspace and Identity Mixer will become big hacker targets should they gain momentum.

It remains to be seen how either of these efforts will do. The need is certainly there--no one wants their identity leaking out in small increments all over the Web. As usual, the first movers in this space will be the healthcare and financial industries.

However, an industry like retail will be the one to make ID management mainstream. Camenisch notes that IBM hasn't talked to any retailers yet about Identity Mixer.