Can you trust IBM's Identity Mixer?

Angus Kidman
Saturday, 27 January 2007 01:41

Your IT - Home IT

IBM has gained reams of publicity by launching software designed to allow safe, anonymous online shopping and making the code available as part of an open source project, but the Identity Mixer project may raise as many problems as it solves.

Developed in IBM's Zurich laboratories, Identity Mixer is designed to minimise the amount of personal information needed to perform common online tasks such as shopping or signing up to an email list. In effect, rather than supplying all those details, you simply send a specially encrypted file which confirms that you're allowed to make a particular transaction, without giving your personal information away.

IBM provides an example in its own press release announcing the project. "A bank would provide a credential containing a credit card number and expiration date, and when an online purchase is made, the Identity Mixer software digitally seals the information by transforming the credential so the user can send it to the online merchant," it says.

While this might sound like a useful approach, it's hardly a universal solution. In order to complete a transaction using Identity Mixer, both your bank and your merchant would have to already be involved in the project. Experience to date with other security technologies suggests this is hardly likely to happen.

For instance, how many people do you know who actually bother to encrypt their email? And why should we assume that merchant sites will be rushing to install new security systems, when many can't even be bothered to use existing technologies such as credit card verification codes?

And while protecting individual information is vital online, it's also important to have a sense of perspective. One of the suggested uses of the software is to allow purchases to be made without disclosing credit card information. That's already easy to achieve: you can use PayPal, or (in some countries) purchase a one-time credit card.