Verifier Collusion

When you, as an individual, share your information with someone verifying your identity, the principle of minimal disclosure is that you should only have to share the minimum amount of information needed. This means that if you are entering an age-restricted establishment, such as a bar, they should only require a picture of your face and a proof that you are over the age of 21 (if you are in the United States). You should not have to disclose, however, your full legal name, home address, or even your exact date of birth.

In order to maintain minimal disclosure, we need to ensure that the entities performing verification do not collaborate with one another in order to collect a fuller picture of who you are than what you wanted to share.

For example, a person might be given the option to present their mobile driver's license to prove their identity while applying online for a job, as a measure to filter through the bots and recruiters with automation tools that automatically apply for jobs.

That same person might also be given the option to present their mobile driver's license when they access their health records with their health insurance provider. If the person is a veteran undergoing treatment for PTSD, the employer should not be able to communicate with health insurance companies to correlate this data and make a discriminatory adverse hiring decision, based on information the applicant did not choose to disclose.

Similarly, if the person is receiving prenatal care, they are likely to need time off from work for parental leave in the near term of their employment. Again, the employer should not be able to collude with health insurance companies to introduce additional bias into hiring practices.

This is made possible by using a pairwise, pseudonymous user identifier, which is a unique identifier assigned to a particular holder of a credential to be used with a specific verifier. The same identifier would not be used for different verifiers, thereby limiting verifiers' ability to correlate holders across interactions where they used their credentials.

In order to prevent verifier collusion, we need to build privacy-by-design technology and inform policy decisions about how technology can protect individual privacy from additional user behavior and demographic tracking and profiling.