IBM researchers today announced Identity Mixer, a cloud-based technology that holds potential to help consumers better protect online personal data. The cryptographic algorithm encrypts the certified identity attributes of a user, such as their age, nationality, address and credit card number in a way that allows the user to reveal only selected pieces to third parties. The result, consumers don’t lose any data, and businesses don’t have to worry about securing it. (try for yourself)
Dr. Anna Lysyanskaya, a professor of computer science at Brown University, co-invented the technology with IBM cryptographer Dr. Jan Camenisch. The two worked together on Identity Mixer more than a decade ago when Anna was a summer intern at IBM’s Zurich Lab, publishing a number of seminal papers on anonymous credential systems.
Today, on Data Privacy Day, we caught up with Anna to look back and to hear about her current research.
While I know it was some time ago, can you reflect on your internship at IBM Research in Zurich and share how it helped prepare you for your career?
I originally wanted to spend a summer in Zurich because I just wanted to mix it up, to take a summer break. Little did I know that it would lead to a collaboration with Jan and a research breakthrough that has been supremely important to my research career.
Did you know back then how important privacy would be 10-15 years later?
Yes, it was pretty clear to me even back then that, unless we take serious steps to adopt privacy-protecting technologies, all our activities could easily be tracked.
Do you have any anecdotes or stories about when you and Jan were developing the idea for Identity Mixer?
A pretty funny one is that we initially thought, towards the end of the summer in 1999, that anonymous credentials, which would eventually be called Identity Mixer, was a pretty straightforward idea given the prior work both of us had done. So when I came back in the summer of 2000, we figured we should work that one out quickly just to tie loose ends from the previous summer, and then move on to other, more challenging problems. I guess we are still tying those loose ends, because we are still working on anonymous credentials.
Now that we have looked back, what are you currently working on?
Jan’s and my most-recent collaboration, also with Anja Lehmann and Gregory Neven of IBM Zurich, is on password-authenticated secret sharing, which we nicknamed the Memento Protocol, after the Christopher Nolan film of the same name.
Here, we considered a scenario where users’ data is backed up by a collection of servers, chosen by each user in such a way that the user is relatively certain that they won’t all conspire against him or her. We showed that all a human user really needs to remember in this setting is a short password – the same every time, no need to ever change it – in order to gain secure access to his data. This work appeared in the most recent CRYPTO conference.
Other things I have been working on range from non-interactive zero-knowledge proofs, to physically uncloneable functions to, yes, more anonymous credentials.
What will online privacy look like five years from now?
Hopefully we have, with the recent stories of data breaches, reached a point where large corporations understand that they need to protect the privacy of their data and their users. So this may lead to better security; whether five years is soon enough is not clear to me at this point, but I hope so.
In my opinion, a missing ingredient is leadership. I think IBM can show leadership in educating the industry on what can be done, and how to do it, and also how not to do it. It is already doing it to a large extent, and hopefully can do more.
Another missing ingredient is education, and not just for undergraduates, but also for practitioners. Here at Brown we are working on a Master’s program that will consist of a mix of on-campus and remote learning, and will teach executives what they need to know about security, privacy, and related law and policy. We are very excited about this!