New IBM tech lets apps authenticate you without personal data

Back in January -- on Data Privacy Day, no less -- IBM announced Identity Mixer, a new technology for protecting users' personal data during authentication.

On Friday, it announced that the technology is now available to developers on its Bluemix cloud platform.
It's common for apps today to require that users prove their identity and other credentials, but all too often that authentication process exposes a raft of unnecessary and potentially sensitive personal information along the way.

To access an online streaming-movie service's app, for example, users might have to prove that they have a paid subscription and are over 18 years old. Traditionally, that would mean revealing their full date of birth along with assorted other personal details that aren't actually necessary for the proof, such as first and last name, address, etc.

When a breach happens, there's all that much more potentially sensitive information exposed.

Identity Mixer is designed to protect users' privacy by focusing just on the essentials of the proof. Thanks to a set of algorithms based on cryptography work done at IBM Research, the tool allows developers to build apps that can authenticate users' identities using what's known as a "zero-knowledge proof" that collects no personal data.

Specifically, Identity Mixer authenticates users by asking them to provide a public key. Each user has a single secret key, and it corresponds with multiple public keys, or identities. Each transaction a user makes receives a different public key and leaves no privacy "breadcrumbs."

So, in the streaming service example, users would have both identity and subscription credentials stored in a personal Credential Wallet. To access a movie, they could use that electronic wallet to prove that they're entitled to watch the selected content without having to expose any other details.

The result, according to IBM, is that users' privacy is better preserved, and the service provider is spared the need to protect and secure all that extraneous data.

"One of the key principles for protecting privacy is the concept of data minimization," said Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse. "Anything that can be done to reduce the amount of data that's collected as part of the authentication process is definitely a very good thing."