"Project Liberty" is an online identification and authentication system. It is similar to the Microsoft Passport system in that it allows individuals to use a single signon in order to access many different web pages. It is being developed by coalition of companies as an alternative to the Passport system.
Identification and authentication systems present privacy risks for individuals. They can become virtual toll booths for the Internet, requiring identity before one can view web pages. This violates a fundamental principle of privacy--the idea of collection limitation. Entities should not collect information unless it is necessary to complete some function. However, with a proliferation of authentication systems, individuals can be compelled to identify themselves for no legitimate reason.
These systems also enable profiling, which results in more spam, direct mail, and telemarketing for individuals. Project Liberty has a stated goal of profiling individuals. The Liberty Alliance web page claims that the service is designed to: "Enable commercial and noncommercial organizations to realize new revenue and cost saving opportunities that economically leverage their relationships with customers, business partners, and employees." The phrase "leverage their relationships" is business terminology for marketing and profiling.
The Project Liberty spec will enable organizations to control the profiles of individuals, as another stated goal is to: "Enable commercial and non-commercial organizations to control, maintain and enhance relationships with constituents."
The single signon feature of these systems exposes individuals to security risks. A single signon is a single point for failure--one that can be exploited and then used against many different web sites instead of a single one. Additionally, individuals assume less risk by storing their password in an encrypted text file on their own computers rather than keeping them with a third party.
It is questionable whether consumers want single signon authentication, and whether the system provides consumer benefits. An April 2002 Gartner report found that individuals distrusted online authentication systems.
In the physical world, trust and a "shared history" is not needed between buyer and seller because cash enables anonymous and secure payment. Instead of creating anonymous and secure transactions online, Project Liberty enables information sharing and profiling. As such, it is not a privacy enhancing technology. It moves us backwards hundreds of years to barter-style sale arrangements where information is necessary to complete a sale.
- Sun Shines Light on ID Alliance, Wired, July 15, 2002.
- Sun sends forth first version of Liberty, CNET News.com, July 15, 2002.
- New Web ID Standards to Be Unveiled, New York Times (AP), July 10, 2002.
- Industry Allies Seek to Limit Microsoft Drive Into New Fields, New York Times, June 3, 2002.
- Study: Customers wary of online IDs, CNET News.com, April 26, 2002.
- Online Services Race To Create Single ID, Password for Internet Users, ECommerce Times, March 6, 2002.
- The Battle For Your Online Identity, Techweb.com, February 11, 2002.
- Alliance, Microsoft weigh détente: Liberty Alliance may ask Microsoft to join online ID group, Wall Street Journal, January 30, 2002.
- Web Users Pass on Passport Style Services - Gartner, Newsbytes, December 4, 2001.
- Sun Microsystems Recruits Partners To Challenge Microsoft's Passport, Wall Street Journal, September 27, 2001.
- The Liberty Alliance Project.
- EPIC's Sign Out of Passport Page.
- EPIC's Passport Investigation Docket Page.
- Authentication Technologies and Their Privacy Implications, CSTB, National Academies of Science.
- Authentication Technologies and Their Privacy Implications: Technology and Policy Foundations - Annotated References, Roger Clarke, October 2001.
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a by-monthly newsletter highlighting emerging privacy issues.