REWIRING THE WEB
THE FUTURE OF PERSONAL DATA

JON NASH
CHARLIE HARRY SMITH
JUNE 2023

Open Access. Some rights reserved.

As the publisher of this work, Demos wants to encourage the circulation of our work as widely as possible while retaining the copyright. We therefore have an open access policy which enables anyone to access our content online without charge. Anyone can download, save, perform or distribute this work in any format, including translation, without written permission. This is subject to the terms of the Creative Commons By Share Alike licence. The main conditions are:

• Demos and the author(s) are credited including our web address www.demos.co.uk
• If you use our work, you share the results under a similar licence

A full copy of the licence can be found at /licenses/by-sa/3.0/legalcode

You are welcome to ask for permission to use this work for purposes other than those covered by the licence. Demos gratefully acknowledges the work of Creative Commons in inspiring our approach to copyright. To find out more go to

Published by Demos June 2023
© Demos. Some rights reserved.
15 Whitehall, London, SW1A 2DD
T: 020 3878 3955
hello@demos.co.uk
www.demos.co.uk

CONTENTS

ACKNOWLEDGEMENTS
EXECUTIVE SUMMARY
INTRODUCTION
REPLACING PERSONAL DATA WITH TRUSTED CONNECTIONS
PRESERVING PRIVACY
ENSURING INTEROPERABILITY
REQUIRING MEANINGFUL CONSENT
CONCLUSION

ACKNOWLEDGEMENTS

We would like to thank a number of people for their input and feedback on the draft of this paper. These include: Keegan McBride, Vicky Nash, Roger Taylor, John Taysom, Kirsty Innes, Tom Westgarth, Leo Ringer, Andrew Bennett, Simon Worthington, Mark Bembridge, Areeq Chowdhury, June Brawner, Elliot Jones, Valentina Pavel, Will Hayter, Bluebell Drummond, Vincenzo Rampulla, Casey Calista, Samuel Rowe, Bryan Glick, Dave Birch, and Ian Brown.

At Demos, we would like to acknowledge the assistance of Polly Curtis, Ellen Judson, and Oliver Marsh throughout the project.

ABOUT THIS PROVOCATION PAPER

This paper proposes a series of technical, regulatory, and institutional interventions that reimagine the foundations of a modern internet built on privacy, interoperability, and consent.

Jon Nash
Charlie Harry Smith
June 2023

JON NASH

Jon is a political scientist and entrepreneur. He co-founded Mainstream, a live video streaming platform, with former Facebook and ABC executives, and went on to build a popular location based messaging service. His research focuses on technology policy and democratic innovation and he has advised the government on replacing General Data Protection Regulation and the future role of the ICO.

CHARLIE HARRY SMITH

Charlie is a political philosopher and doctoral student at the Oxford Internet Institute. His research considers the normative and theoretical issues surrounding digital identity systems, with a particular focus on contemporary governmental policy in England and Wales. Charlie also regularly consults on global identity projects, and currently advises the Open Identity Exchange, the trade body for UK digital identity companies.

EXECUTIVE SUMMARY

In this paper,
we argue that the widespread use of personal information online represents a fundamental flaw in our digital infrastructure that enables staggeringly high levels of fraud, undermines our right to privacy, and limits competition.

We present an alternative system where standardised requests are instead routed by a user’s device, with their consent, between certified organisations. This allows their personal information to be substituted for secure alternatives, like unique identifiers, claims, and tokens.

For example, an online retailer could make a request for ‘payment’ instead of asking a customer for their card details. The user’s device would then match this request to the organisations that could respond and present these options to them in a standardised consent dialogue. Once selected, the payment request would be forwarded by the user’s device to their bank, which would respond directly to the retailer with a one time payment token that only they could use.

The ability to securely move information between trusted organisations—with user consent—would have a profound effect on all aspects of the web. In particular, we explore how digital identity, online payments, and digital advertising would be affected, and describe the benefits of this system for both users and organisations.

Finally we argue that the common carrier laws that already apply to internet service providers should be extended to our devices and the routing of standardised requests. That a new national certification authority is needed to establish trust and resolve liability, and that standards for requests and responses should be set in cooperation with existing standards bodies and consortia.

Together, these technical, regulatory, and institutional interventions reimagine the foundations of a modern internet built on privacy, interoperability, and consent.

INTRODUCTION

The web’s
creators did not set out to build the foundations of our twenty-first century economies. They could never have predicted the volume and variety of services the web would one day handle. What started life as a communications tool for academic and military researchers now lets us do almost anything, from shopping for groceries to applying for a mortgage. But performing these tasks today involves the use of large amounts of personal information. We are constantly expected to acquire, remember, and provide information about and relating to ourselves when interacting with organisations; not just usernames and passwords, but bank account numbers, addresses, national insurance numbers, and even doctors’ letters and utility bills.

Indeed, our continued reliance on personal information is fuelling a security and privacy nightmare: as many as 82% of all data breaches today stem from the misuse of credentials.[1] Behind the scenes, companies and governments are struggling to keep up. In the perpetual arms race to protect our personal information, the criminals are winning—as the Reverend Mike Hall discovered in 2021. Hall returned home after a few weeks away to find his belongings gone, someone else living in his house, and new building work underway.[2] It turned out a fraudster had used a fake driver’s licence to set up a bank account in Hall’s name before selling his home from underneath him. The new owner, who had legally bought the property from the man he thought was Hall, was none the wiser.

Although extreme, Hall’s story illustrates both how brazenly fraudsters are profiting from the status quo, as well as just how dramatically the use of personal information—and particularly our credentials—is failing us. To take another example, Britain was last year crowned the card fraud capital of Europe, with 84% of attacks using stolen card details.[3] Yet because we reuse the same payment details everywhere we shop, if these credentials ever do get into the wrong hands we have to throw them away and start again, waiting for our sensitive banking details to be posted to us on another plastic card.

To realise a web fit for the twenty-first century, we need to fundamentally rethink the ways in which we interact with organisations online. We must look beyond the personal information that fuels fraud and adds friction, and challenge the idea that we should be personally responsible for remembering, managing, and repeatedly entering all this information ourselves.

The web has catalysed huge levels of growth and innovation, but our approach to personal information has become not just a bottleneck, but a liability. Managing all this information now limits everything from our access to government services to the health of our democracy. With social networks struggling to distinguish humans from bots, bad actors can influence the public discourse on a massive scale. At the same time, safely making payments, providing our details, and proving who we are is becoming ever-more challenging. And, against this background, the usability of the web has steadily declined.

In this paper, we propose a set of technical, regulatory, and institutional interventions that would realise a web built not on personal information, but on trusted connections. An important insight underpins this proposal: if the right organisations could ask the right questions of one another, then our information could get from where it is to where it needs to be without us having to read it out, write it down, or type it in. This ability—to reliably ask for and provide data—is therefore key to making the web faster, safer, and more usable.

[1] /business/resources/reports/dbir/2022/master-guide/
[2] https://www.bbc.co.uk/news/uk-england-essex-59069662
[3] https://www.smf.co.uk/uk-is-card-fraud-capital-of-europe-think-tank/

REPLACING PERSONAL DATA WITH TRUSTED CONNECTIONS

Today,
if a company wants to contact us, they ask for our email address. To take payment, they ask for our card details. And, to sign us in, they ask for our username and password. The system we propose is radically different. It would allow us to do these things—and many more—by creating trusted connections between existing organisations, without having to share any personal information.

Take online payments as an example. Instead of typing your long card number, expiry date, security code, full name, and home address into a retailer’s website, a request for payment would be routed, by your device, to your bank. Your bank would then be able to respond directly to the retailer with a unique payment token that allowed the payment to be made. While this describes one example, the same model would apply to almost every interaction we have online.

FIGURE 1: DIAGRAM OF THE SYSTEM ARCHITECTURE

This would all be enabled by your device, which would build up a list of who had what, functioning as a private directory of the organisations that you interact with. When another organisation needed to know something, it would simply ask for it in the form of a specific request. Your device would then route these requests to the relevant organisations, who would each respond directly with the appropriate information.[4]

Importantly, however, no connections would ever be made without your device first securing your explicit consent. Meaningful consent is currently hard to come by on the web. We are regularly faced with so many policies, terms, and conditions that we can do little more than blindly agree. Compounding the problem, user interfaces are often designed to maximise click-through rates to service the interests of organisations rather than users.

Instead of giving each company latitude to ask for ‘consent’ in their own way, on sites and in-apps, the same standardised screen would be used across different devices and manufacturers. From a user’s perspective, giving consent would be transformed into a consistent process. Their device would clearly show three things: the organisation making the requests, the types of requests being made, and the names of the organisations or services in the user’s life that could respond. They would then be able to make an informed decision and better understand who had their information.

FIGURE 2: MOCKUP OF THE CONSENT INTERFACE

This would always be extremely straightforward for users. They would not have to set anything up, and their device would never redirect them to a browser or authenticator, ask them to enter any personal information, or accept extensive terms and conditions.

Of course, we would want to know that the companies asking for our information had some legitimacy; that they were not trying to defraud us, steal, or sell our information. Likewise, organisations requesting information would need to know that it was coming from a legitimate source; that it could be relied upon, and would not expose them to undue risk.

For this reason, we argue that a recognised authority should be established to set and certify the requirements for different types of requests within this system. For low-risk interactions, minimal requirements would be set, but we would expect tougher requirements to be put in place for organisations requesting or providing more sensitive information. Taking out a mortgage, for instance, would require higher levels of assurance than subscribing to a streaming service.

FIGURE 3: DIAGRAM OF THE DEVICE QUERYING THE RECORD OF CERTIFIED ORGANISATIONS

There is precedent here. In many sectors, like banking and aviation, we already expect governments to guarantee a level of protection by licensing or certifying companies to act. It is not, after all, left up to consumers to audit the liquidity of banks or assess the safety of airlines and we think the same model should be applied to our information.

The benefits of ensuring that participating organisations were certified to handle our information would be manifold. Going forwards, individuals would know that any interactions handled in this way would always be coming from or going to trusted organisations. This would massively reduce the risk of phishing attacks, scams, and financial fraud, removing the burden on users to check a site’s SSL certificate or URL, and thereby making it far more difficult for them to mistakenly give their details or data to malicious actors.

In much the same way, organisations would also be able to interact with greater confidence, knowing they could trust those that they were interacting with. But certification would save participating organisations a considerable amount of time and money, too, as they would take on significantly less liability when sharing or accessing data from certified entities. Additionally, to begin operating within this system, all these organisations would need to do is become certified. This low barrier to entry, coupled with the reduction in liability, would therefore be extremely appealing.

Certification would also realise a powerful governance mechanism, helping ensure sufficient oversight and accountability. Each country’s certification authority would, for instance, be able to revoke certification if organisations misbehaved. We would also expect regular auditing to accompany higher levels of assurance. While similar processes to these already exist on parts of the web, we think such decisions should be handled by public bodies embedded in the legal and political framework of each country—not the private companies that currently provide unaccountable accreditation and certification functions.

The last major aspect of this proposal involves standardising requests. To facilitate easy and secure connections between trusted, certified organisations, everyone would need to speak the same language. At the moment, any organisation looking to interoperate with others on the web first has to register and integrate with separate data providers, as each maintains their own bespoke application programming interfaces (APIs).[5]

When there are only a few information providers in an ecosystem, this is not necessarily a problem. Organisations are generally happy to spend development time integrating with each organisation and accept each provider’s governance demands. But this proprietary approach quickly becomes unworkable at scale. Organisations providing access to information become overburdened, while smaller organisations are left structurally disadvantaged. The result is hugely damaging for competition and innovation.

By contrast, in this model, lots of different requests could be routed between lots of different organisations. The way in which each organisation asked for or provided information would therefore need to be standardised. This would ensure that all actors in the system could seamlessly interoperate with one another, and is key to realising the benefits of an open, flexible ecosystem built on a foundation of trusted connections and certified organisations.

Of course, in many sectors, like telecommunications and banking, industry participants already develop and maintain standards via various international organisations and consortia. Standards setting would accordingly be largely left to these organisations. But the outputs of these bodies would need to be consolidated into a unified record, published by a new international organisation—a standards forum, rather than a standard-setting body. We believe that this forum should also include a ‘layer’ of civil society organisations, to advocate for the rights of citizens and counterbalance industry interests in the standardisation process.

Setting universal standards would usher in numerous advantages. It would save time, reduce costs, and enable a much higher volume of interactions to flow through the system, ensuring that organisations knew what information to expect as well as how to handle requests and responses. Integrating with any potential organisation would become far more straightforward, opening up possibilities for innovative new use cases. The transformation would be analogous to that which revolutionised the railways. Before standardisation, different rail companies used different gauges of track. Mandating a standard gauge enabled these tracks to interconnect and kick-started the technology’s massive expansion.

For similar reasons, there would be a clear incentive for organisations to use the agreed upon standards. Following these standards would be a prerequisite for certification, which in turn would grant organisations access to this system, the benefits of which we discuss in the following chapter.

[4] This describes what we call a dynamic request as it creates a direct connection between two organisations, but in some cases, blind requests could be made that would route the response back through the device. This would allow us to share information without revealing the origin of the request.
[5] APIs function somewhat like pipes, connecting software at two organisations together through a data stream.

PRESERVING PRIVACY

Rebuilding the web on a foundation of trusted connections would realise numerous advantages. Not only would the important interactions in our lives become more secure, easier to make, and based on our explicit consent, but this shift would also open up new opportunities for interactions that are not possible today.

We have already seen how managing personal information exposes us to significant privacy and security risks. If and when our information is compromised, a single breach quickly becomes a catastrophe, as the effects of that breach cascade through all the different contexts in which we have previously and repeatedly entered our data. The reuse of personal information therefore magnifies the chances of, and negative impacts of, its misuse.

This is bad enough. But as well as introducing such structural weaknesses to the web’s foundations, expecting individuals to manage their own personal information also allows them to be tracked and profiled across these various contexts.

In fact, a whole industry of advertisers and data brokers, some more legitimate than others, currently profits from the processing of personal data. Tracking our digital footprints, these companies build up detailed profiles of our interests, which they then resell or else monetise—undermining our privacy. What is worse, successive attempts to bring these companies to heel via data protection regulation have done little to curb their appetite for information, indicating again just how broken the system has become.

We think the root cause of all these issues is a lack of specificity. Namely, the personal information that we currently replicate and reuse all across the web is neither context nor function specific. Your email address, for example, can be used by anyone, to send you anything, at any time—and it is associated with all of your accounts. Once any of this information gets leaked, stolen, or sold, it can therefore quickly be put to work (against you) in another context, to realise functions that you did not originally intend and to which you did not consent. In this way, data about you is somewhat analogous to nuclear waste[6]—valuable if it can be processed in well-managed, high-security facilities, but dangerous if improperly handled or, worse, allowed to leak out into the environment.

Our proposal takes this provocation seriously, addressing the twin issues of context and function imprecision by building in hard limits to the connections we make. This amounts to a radical reimagination of the role of personal information on the web. By ensuring that users must explicitly consent to any connection, and locking in these hard limits as part of the standardisation process, we reduce the radioactivity, ensuring that, if data does leak, it cannot cause the widespread damage that personal information invites.

To understand how this proposal moves us towards a more private and secure system, based on notions of context and function specificity, there are three different technical elements that each protect a user’s privacy and keep their data safe. These are unique identifiers, tokens, and claims. Together, these three elements would allow us to achieve much of the functionality of the current web, simultaneously unlocking entirely new possibilities, while eliminating the morass of unspecified personal information that currently limits our online interactions.

UNIQUE IDENTIFIERS

The use of unique identifiers would dramatically change the way that organisations assessed who they were dealing with in online interactions. Currently, organisations store an email address and password when you first sign up, then ask you to provide this information again when you next interact with them. This indicates that you are likely to be the same person. But, as we know, emails are easily copied or stolen, and many users do not choose secure passwords. Our use of personal information in this way therefore allows bad actors to commit fraud by posing as someone they are not.

The problem is that these identifiers are universal—they are the same across the many contexts in which we use them. This proposal would replace these universal identifiers with context-specific, pseudonymous identifiers.[7] Each of these identifiers would be one-of-a-kind, and only ever held by two parties. So, every organisation in your life would use a different random alphanumeric string to identify you, either via your device or else when communicating with other organisations directly.

These identifiers would still allow trusted connections to be made, but every time a device brokered a new relationship—either between itself and an organisation, or else directly between two organisations—a new, random identifier would be generated. When you first made a connection, the organisation involved would store this unique identifier instead of your email address and password. When you interacted again, your device would then automatically provide this unique identifier to reliably identify you. Indeed, users would not be able to see these identifiers which, following cybersecurity best practice, would consist of strings of randomly-generated letters and numbers that were always encrypted.

In the event of a data breach, the scope for negative repercussions would therefore be severely limited. Each identifier would not be a rich form of personal information; it would contain no sensitive details about you. And, behind the scenes, you would always be associated with a different identifier in each organisation’s database. This means that the various entities in your life could not be linked up by bad actors, even if they did manage to acquire the unique identifier associated with your account in one particular context.

Unique identifiers, however, are only the first piece of the puzzle. In practice, they would rarely be exchanged on their own, and would mostly be accompanied by another element that contained the request or response necessary for an interaction to take place. These could take the form of either tokens or claims, which both build on the context-specificity of unique identifiers to designate a specific function or transfer a certain piece of information.

[6] /sites/johnkoetsier/2022/08/06/data-is-the-nuclear-waste-of-the-information-age-on-big-tech-and-privacy/

TOKENS

A token would allow an organisation to request some particular action, or respond to such a request. These requests and responses could be extremely function- and context-specific. To make a sign-in request, for instance, a one-time token would be sent alongside your unique identifier to instruct the organisation in question to log you in. Or, a contact token could specify that only three messages may be sent to the email associated with a particular unique identifier before that token expired. This specificity would be a powerful tool for ensuring that wide-ranging privileges were never granted to organisations, at least not without a user’s explicit consent.

At the same time, tokens would also help guarantee a high level of security. For instance, if an organisation received a request without the appropriate token, or if the token did not correctly reference the appropriate identifier, then that organisation would ignore it. Because tokens would also be encrypted, only organisations with the relevant key could read the instructions they contained. The contrast with the status quo, where personal information is duplicated all over the internet and we can do little more than blindly trust that it will not be misused, would be stark.

CLAIMS

Rather than allowing something to happen, a claim would say something about us. They would usually be sent as a response to a request, and could take the form of a measure, such as a percentage or number, or simply a yes/no answer. Claims can therefore be far more privacy preserving than their personal information equivalents.

For example, instead of providing your driver’s licence to a car rental company, a request for licence confirmation could be routed to the driving authority. The authority could then send back a narrow response, specifying that you could drive, were over the age of 25, and had less than three points. In many cases, a simple ‘yes’ or ‘no’ response would suffice.

As this shows, the benefit of claims is that they allow organisations to say something about you without revealing significant amounts of personal information. Like tokens, they are functionally specific and constrained to one context—they respond to a single request and no more and, as they are also signed and encrypted, possess no value if intercepted.

BLIND VS. DYNAMIC R
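The unique-identifier and token behaviour described in the sections above (one random identifier per relationship, a contact token limited to three messages, a one-time sign-in token, and requests ignored when the token is missing or does not reference the right identifier), as an added example that is not part of the Demos paper. It assumes an HMAC-SHA256 key shared between the token issuer and the receiving organisation, and it only authenticates tokens rather than encrypting them as the paper envisages; every class, function and field name is hypothetical.

```python
import hashlib
import hmac
import json
import secrets


class Device:
    """User's device: a private directory with one random identifier per organisation."""
    def __init__(self):
        self._directory = {}

    def identifier_for(self, org):
        if org not in self._directory:
            self._directory[org] = secrets.token_urlsafe(24)  # fresh per relationship
        return self._directory[org]


def issue_token(key, identifier, function, max_uses, expires_at):
    """Bind a token to one identifier, one function, a use limit and an expiry."""
    body = {"sub": identifier, "fn": function, "max": max_uses,
            "exp": expires_at, "jti": secrets.token_hex(8)}
    payload = json.dumps(body, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


class Organisation:
    """Receiver: handle() returns True if the request is acted on, False if ignored."""
    def __init__(self, key):
        self._key = key
        self._uses = {}  # token id -> number of times honoured

    def handle(self, identifier, function, token, now):
        if not token:
            return False  # request arrived without a token
        payload, _, tag = token.rpartition(".")
        expected = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return False  # forged or altered token
        body = json.loads(payload)  # parsed only after the MAC has verified
        if body["sub"] != identifier or body["fn"] != function:
            return False  # token references another identifier or function
        if now >= body["exp"]:
            return False  # expired
        used = self._uses.get(body["jti"], 0)
        if used >= body["max"]:
            return False  # use limit reached
        self._uses[body["jti"]] = used + 1
        return True


def demo():
    """Constructed scenario: organisation names, key and timestamps are made up."""
    device, key = Device(), secrets.token_bytes(32)
    mail_id = device.identifier_for("mail-provider")
    shop_id = device.identifier_for("retailer")
    mail = Organisation(key)
    contact = issue_token(key, mail_id, "contact", max_uses=3, expires_at=1000)
    signin = issue_token(key, mail_id, "sign-in", max_uses=1, expires_at=1000)
    stale = issue_token(key, mail_id, "sign-in", max_uses=1, expires_at=5)
    raised = contact.replace('"max": 3', '"max": 9')  # altered limit, MAC no longer matches
    return {
        "identifiers_differ": mail_id != shop_id,
        "no_token": mail.handle(mail_id, "contact", None, now=10),
        "wrong_identifier": mail.handle(shop_id, "contact", contact, now=10),
        "limit_raised": mail.handle(mail_id, "contact", raised, now=10),
        "expired": mail.handle(mail_id, "sign-in", stale, now=10),
        "contact_sends": [mail.handle(mail_id, "contact", contact, now=10) for _ in range(4)],
        "sign_in_replay": [mail.handle(mail_id, "sign-in", signin, now=10) for _ in range(2)],
    }
```

Calling `demo()` shows the fourth contact message and the replayed sign-in being ignored, which is the "hard limit" property the paper relies on; a leaked identifier on its own authorises nothing.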
