OpenID Privacy Concerns from Evan Prodromou

I've been asked a couple of times about any privacy concerns I might have with OpenID. I thought it might be a good idea to list them out here and just point people to this URL. Laziness, to your benefit, gentle reader.

First and foremost, I think that OpenID is about as good as it can get with respect to privacy. There's nothing I see that's a glaring design problem in the protocol. Given its basic requirement -- to enable single sign-on between Web sites with no previous relationship necessary -- it does a great job. On top of that, I think that any changes to the structure of OpenID would do more harm than good.

But there are some places that privacy-concerned people can pay close attention. Here are my lists of things to watch for with OpenID privacy.

Unified reputation

With OpenID, you use a single identity to log into multiple Web sites. Along with ease-of-use and not having to remember a lot of different passwords, this lets you establish a reputation on several different sites with the same ID.

For example, nobody necessarily knows if is the same person as just because they have the same user name (and they're not, actually). But you can be pretty sure that is the same person as , because both users used the same OpenID identifier to log in. Anything you know or feel about Evan-at-Wikitravel is applicable to Evan-at-Jyte.

That's good for establishing a reputation on the Web, but it can be bad, too. It's not going to be lost on marketers or law-enforcement officials that it's easier to track a single person across multiple sites with OpenID, and you may not want that to happen. For example, I may not want my Suicide Girls account linked to my Wikitravel account. If I participate in fringe-politics or drug-rights forums, I may not want that identity associated with my "business" persona. As more and more sites become OpenID-enabled, the value of unifying your reputation across them is greater, but also the danger.

(It's worth noting that if you use the same email address on more than one site, the site owners can link your identities together, even if you're not using OpenID. There are other seemingly innocuous bits of data that can identify you uniquely -- for example, birthdate and ZIP code are usually unique.)

(Also worth noting is that to unify your identity, a person would have to know about the two accounts and see your OpenID on both. A Web spider would need the same. Some sites and software let you log into the site with an OpenID but hide the ID if you want; depending on your reputation requirements, that's probably a good thing to watch for.)

The good and bad news is that you've got much more power to manage your own distributed reputation with OpenID. You can, of course, set up different OpenID identities, and some OpenID identity providers allow you to set up multiple "personae" under the same account. So, you can log into your porn sites as "captain nasty" and your work sites as "larry" and no one will be able to link them together. The bad news, of course, is that you have to manage this yourself -- nobody's going to do it for you. (Actually, an OpenID provider that divided up OpenID-enabled sites automatically and helped you use different personae for each might have a pretty good business...)

A trustable OpenID provider

You get an OpenID identifier from an OpenID provider. There are a lot of them out there; see OpenIDServers for a list.

There is not any organization that "qualifies" or reviews OpenID providers; anyone who implements the OpenID standard can become one. This is a good thing; it's what makes OpenID open. But it also means that you could unwittingly sign up with an unethical or incompetent OpenID provider who will leak your personal information by mistake or on purpose.

And this can be pretty bad. To use OpenID to its fullest, you should let your OpenID provider have some personal information (like your real name, email address, preferred language, time zone, country, postal code, etc.). But these are just the kind of data bits that unscrupulous marketers, as well as hackers and crackers of various stripes, would love to get at.

On top of that, your OpenID provider will know every Web site you log into with OpenID -- something that it's relatively hard for others to know. That means they could be using your login info for sneaky, underhanded things, like marketing profiling.

Your best bet to mitigate this risk is to choose an OpenID provider with an established reputation. You should also look for, and read, any privacy policy that's available. I of course recommend and refer you to its privacy policy as an example.

Sharing private information

Part of the OpenID standard is that, at your option, you can share the personal information you have stored at your OpenID provider with a relying party (a Web site you're trying to log into). This saves you the time and energy of re-entering the same registration information into multiple Web sites. You normally configure what data can be shared when you log into a Web site with your OpenID identifier for the first time; here's a typical screen:

configuring trust

There are some tricky parts with this, however. First, it can be hard to tell whether or not you really want to share personal data with a site the first time you log in. You may not find out that they're unethical or abusive until later, and by then the damage is done.

Second, if you click "allow forever", that same data is re-shared with the relying site each time you log in -- including any updates you make on the OpenID provider site. This is a great convenience -- it means you only have to keep the data up-to-date in one place. But it also means that if you've changed the level of trust you have in your OpenID provider (say, by changing your stored email address from a throwaway junk-magnet to your real address), that information will get shared to relying parties also.

Third, you can usually tell your OpenID provider to stop sharing data with the relying site, but by then the damage may already be done. There's no part of the protocol where an OpenID provider can tell a relying party, "Hey, forget that data I shared with you before. I wasn't supposed to tell you that after all." This would be kind of pointless; unethical relying parties wouldn't comply, after all.

There are two ways to mitigate this problem. First, it's important to be cognizant of this data-sharing model -- that once you've shared the data, it's out the door and into the wild world, and there's not much you can do to get it locked back up. If that worries you, be really conservative with what data you share. You won't get the benefits of skipping lots of registration info, or keeping it all up-to-date in one place, but that's kind of a given.

Second, it may be worthwhile to use some spam-diverting tools, like Mailinator, in your OpenID profile. That should help a bit with data that you do share out.

Your hacked account

The biggest danger of OpenID to your privacy is if your account gets hijacked. If someone cracks my password, they'll be able to get all the private information I've stored in that account: any profile information (like IM or email address, or physical location), my private messages to/from other members, and some of my previous browsing history. They'll essentially have access to any data that I thought was OK to share with

But if someone manages to gain access to my OpenID account, they'll be able to get into all my different OpenID-enabled sites. I may have shared some information with Wikitravel, other information with wikiHow, and a third set of data with LiveJournal. They'd be able to merge all that data into a super-profile of me.

Also, they'd be able to operate as me on each of these sites, so there's a possibility of further privacy invasion. For example, sending my wife a message asking for our bank account info. She may or may not be suspicious enough to ask me personally before sharing the info. It's potentially a huge security and privacy problem.

The key to mitigating this, of course, is using strong security on the OpenID provider. The good news is that since your authentication is centralized, you can use much stronger authentication than most Web sites support. I really appreciate using browser certificate authentication on -- it's a very strong system that's (almost) immune to phishing, brute-force attacks, or other password-stealing scams.

If it's not possible for you to use certificate authentication, make sure you use good password hygiene for your OpenID password. That means:


I think all of the above issues are worth considering when you're using OpenID. They're all good principles to follow when using any kind of security system, and whenever you share personal information with a Web site. They're not fatal flaws in OpenID, just things you should look out for.