IBM project seeks privacy controls for users

A three-year project to infuse privacy controls into identity technologies and emerging social networking communities is being undertaken by IBM Research with funding help from the European Union.

The intent is to create technology to ensure users can protect their privacy online for their entire lifetime, especially given the rising popularity of social networks and virtual communities.

PrimeLife (Privacy and Identity Management in Europe for Life) is a three-year research project funded by the European Union's Seventh Research Framework Program, one in a series of programs the E.U. has established to provide financial support for research and development across various scientific disciplines

The group has seeded IBM's Zurich Research Lab with 10 million euros ($15.8 million). The lab is coordinating the research, which involves 14 other partners from various countries, including Brown University in the United States.

IBM Research says it hopes to create a "toolbox" that amounts to an electronic data manager that gives users an overview of which personal data they use when, where, and how. Users would be able to define default privacy settings and preferences for many applications and would receive prompts if applications seek data for any other purpose.

"The project aims to provide some technology to address these problems," said Jan Camenisch, the PrimeLife technical project leader and research staff member for cryptography at IBM's Zurich Research Lab. "PrimeLife will interact with the open-source community, standardization bodies, as well as other projects so that they can pick up our technology."

PrimeLife builds on another EU project called Prime (Privacy and Identity Management for Europe), an effort to develop a working prototype of a privacy-enhancing identity management system.

Camenisch said current standards and protocols either address privacy in a very limited way or not at all. The aim will be to integrate PrimeLife's privacy-enhancing technologies with those standards and protocols, such as the Security Assertion Markup Language.

He said current user-centric identity systems, such as information cards and Open ID, are the right way to do things because users control their information.

"However, they do not yet provide privacy to the users," said Camenisch. One major problem is that at hops in the identity exchange -- most notably the identity issuing party and the relying party -- data about the user is collected and stored.

"PrimeLife hopes to bring the latest privacy-enhancing technologies and mechanisms to these emerging systems," said Camenisch.

The first goal of the project is to provide scalable and configurable privacy and identity management that integrates with emerging Internet services and applications, most notably social networking. The long-term goal is to provide users the means to protect their privacy indefinitely.

The project will strive to advance many technologies, including human-computer interfaces, configurable policy languages, Web service federations, infrastructures, and privacy-enhancing cryptography.