Pseudonymisation

Be recognized without being identified

A pseudonym is a 'mask' you may wear to be recognized without being identified.

Karen Blixen wrote under the pseudonym 'Isak Dinesen' to be recognized as a writer without being identified as 'Karen Blixen'. If you want to be recognized in the electronic world without revealing your identity, you should use pseudonyms. A pseudonym for the author of this text (David Simonsen) is 'WAYF-DK-8ee5f9ce8db1bff7eb6cd392c39fb6de24938b41'.

If your employer or educational institution has bought general access to a database, collaboration tool or similar, there is no reason for the service to know the identities of individual users. For the service to grant access, it suffices to know which institution a given user is affiliated with. Pseudonyms are personal and may therefore be used to personalize web pages or let users continue where they left off the last time they used the service. All the service needs to know is that the present user is the same user as last time, not who the user is.

Why care about privacy?

Many aspects of our daily life are lived on the net: we shop, communicate, pursue hobbies etc. The business of web-based targeted advertising has grown fast and is getting increasingly sophisticated through data mining, searching for patterns in behaviour etc. A new economy has risen in the shadow of the many web-based services, which now exchange 'experience' about their users, often for money. One way of protecting users (consumers) against cross-service analysis, and thereby protecting their privacy, is to use pseudonyms in the electronic world. Why should your travel agent or insurance company know your preferences for food, medication, underwear etc.?

WAYF provides secure pseudonyms, taking advantage of a new eID federation architecture

Pseudonyms must live up to the following three requirements:

  • a given user's pseudonym must be the same from time to time, to make her recognizable
  • different services (i.e. web sites) must receive different pseudonyms (service-specific) to prevent cross-service data mining
  • it must be technically possible, but deliberately hard, to find the person behind the pseudonym (which by definition is not possible for anonymous persons)

When logging into a website using the eID federation WAYF, predefined personal information is transferred from the user's home institution, via WAYF, to the service. WAYF has a secret formula for calculating personal, service-specific pseudonyms. The formula takes the name of the service as input (to make the pseudonym service-specific) as well as the name of the user (to make it personal). Because the formula is deterministic, the same user at the same service always receives the same pseudonym, while the same user at a different service receives an unrelated one.

When the service recognizes the user, it may personalize the interface and/or functions without knowing the identity of the user.

If a serious abuse case occurs (investigated by the police or similar), the service will only know the pseudonym of the user, not her identity. WAYF does not store any personal information and can therefore only contribute to the investigation with the secret formula for the pseudonyms.

Equipped with the pseudonym of the abuser, the name of the service where the abuse occurred and the secret formula, the recalculation of pseudonyms for all users in all user databases connected to WAYF may begin. Since WAYF holds no user data itself, this requires the cooperation of the institutions that hold those databases. When a match is found, the identity of the abuser can be revealed.
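The two steps described above, generating a service-specific pseudonym from the secret formula and recomputing pseudonyms across the connected user databases to re-identify an abuser, as an added example. This is not WAYF's code and WAYF's actual formula is not published here: the example assumes a keyed hash (HMAC-SHA256, output length 64 hex characters rather than the 40 in the page's sample pseudonym), the 'WAYF-DK-' prefix seen on the page, and constructed institution names, user identifiers, service names and secret.

```python
import hmac
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed example data: user databases held by the home institutions.
# WAYF itself stores no user data; in a real investigation these would be
# consulted at each institution, not held centrally.
USER_DATABASES: Dict[str, List[str]] = {
    "univ-a.example": ["alice@univ-a.example", "bob@univ-a.example"],
    "college-b.example": ["carol@college-b.example"],
}

# The "secret formula" reduces to a keyed hash whose key only the trusted
# third party knows. Assumed value for this example; a real deployment keeps
# it in an HSM/KMS and never in source control.
FEDERATION_SECRET = b"example-federation-secret-keep-out-of-source-control"


def pseudonym(secret: bytes, user_id: str, service_id: str,
              prefix: str = "WAYF-DK-") -> str:
    """Persistent, service-specific pseudonym for user_id at service_id.

    HMAC-SHA256 keyed by the federation secret over both the service
    identifier (makes it service-specific) and the user identifier (makes
    it personal). The same pair always yields the same value; changing
    either input yields an unrelated value; without the key nobody can
    compute or invert the mapping. Prefix and hash are assumptions.
    """
    if "\x00" in user_id or "\x00" in service_id:
        raise ValueError("identifiers must not contain NUL")
    # NUL separator so ("ab", "c") and ("a", "bc") cannot collide.
    message = service_id.encode() + b"\x00" + user_id.encode()
    return prefix + hmac.new(secret, message, hashlib.sha256).hexdigest()


def reidentify(secret: bytes, service_id: str, target: str,
               databases: Dict[str, List[str]]) -> Optional[Tuple[str, str]]:
    """Abuse investigation: recompute the pseudonym of every user of every
    connected institution at the reporting service and look for a match.

    Returns (institution, user_id) or None. This only works with the secret,
    the reporting service's name and the cooperation of the institutions
    holding the user databases; the service alone cannot do it.
    """
    for institution, users in databases.items():
        for user_id in users:
            candidate = pseudonym(secret, user_id, service_id)
            if hmac.compare_digest(candidate, target):
                return institution, user_id
    return None


if __name__ == "__main__":
    journals, wiki = "journals.example", "wiki.example"
    p1 = pseudonym(FEDERATION_SECRET, "alice@univ-a.example", journals)
    p2 = pseudonym(FEDERATION_SECRET, "alice@univ-a.example", journals)
    p3 = pseudonym(FEDERATION_SECRET, "alice@univ-a.example", wiki)
    print("same user, same service, recognisable:", p1 == p2)
    print("same user, other service, unlinkable:", p1 != p3)
    print("investigation result:",
          reidentify(FEDERATION_SECRET, journals, p1, USER_DATABASES))
```

Note that `reidentify` fails both with the wrong service name and with the wrong key, which is exactly the property the third requirement asks for: re-identification is possible for the party holding the formula, and only for that party.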

With this three-party pseudonymisation (user data, formula and result), users can be confident that the pseudonyms are only used for recognition, not for identification. With WAYF as the trusted third party generating the pseudonyms, data mining across services via the pseudonym is not possible (provided the other attributes released to a service do not themselves identify the user). Nor can services look up the user's identity at her home institution, as the formula is known only to the trusted third party.

Around 800,000 Danish electronic identities can already take advantage of WAYF-generated pseudonyms today.