Is anyone worried by hailstorm?

Philip Greenspun's Homepage : Philip Greenspun's Homepage Discussion Forums : Ask Philip : One Thread
Is anyone worried about the privacy implications of Hailstorm and other online identity management systems, or is it just us privacy-obsessed, knee-jerk, Microsoft-fearing Brits? I've been mildly concerned by Passport and the like for some time. The idea that all this information about me, where I've been, whom I link to, what I like, whom I trust, what I do online etc. is going to be mineable by some very large organisations about whose motivations I have little information has me thinking. The _concept_ here is great, but it should be about taking _control_ of your own identity. I do want a single online identity and a single online view of myself, but I want to be in control of it. I want it to live on my (always on) computer and be servable to the world but under my control. I want it encrypted and I want to be able to say at a very fine level who sees what about me. I want to own it in the sense of having total physical control over it.

Am I paranoid?

-- Steve Crossan, May 15, 2001


Someone once asked me if I thought it would be a good idea to have a central registry of losers on the Internet. So that, for example, if someone had been banned from for flaming about how stupid Leica owners were then that same person could be excluded from other online communities.

My response was that this way of thinking fell into the "Fundamental attribution error" of psychology ("A feature of attribution theory, so frequently seen that it has its own name. This refers to the fact that whenever people are making attributions about an action, they tend to over-emphasise dispositional factors about the actor, and under-emphasise situational factors. An example is attributing a friend's recent car accident to the fact that the friend is a poor driver rather than to the fact that another car just happened to pull out in front of her. The former would be a dispositional attribution; the latter a situational attribution.").

A psychologist would tell you that you think your friends all have very stable personalities and that you know their characteristics well only because you've only seen them in a limited number of situations. You don't think that your rich suburban friend would ever become a drug dealer and end up in jail, but that's only because you've never seen him poor and lawyerless and in the ghetto. The same psychologist would probably say that a person might be a flamer in the community but if he gets sick and joins his behavior might be completely different.

So yes, Hailstorm is worrisome. As a publisher it would be convenient to have all of my users arrive 100 percent authenticated by Microsoft. Our moderation burden would be eased. The community would probably be strengthened. But I worry that a poor kid in India won't be able to use unless he pays Microsoft. And I worry that someone who gets on the wrong side of Microsoft, because of situational behavior, will be precluded from using the Internet.

-- Philip Greenspun, June 17, 2001


Like you, I also think that there is a need for a service providing an online identity. The only way I see for implementing this and also ensuring privacy would be to split up this information in two (or more) parts and store them on different servers that are owned by different firms in a way that you need all parts in order for them to make sense. Here's an easy implementation:

Let's say your online identity consists of the bytes id[0]..id[n]. Let r[0]..r[n] be random bytes. Calculate s[0]..s[n] as s[i] <- id[i] XOR r[i]. Now look at the two sequences r[i] and s[i]. Both of them look like random numbers. If you only have access to one of them, you can't recover sequence id[i]. You need access to both of them in order to recover the sequence id[i] as id[i] = r[i] XOR s[i].

A scheme to store online identities while retaining your privacy would be: Store sequence r[i] on server A using your password pa. Store sequence s[i] on server B using your password pb. When you use a network computer C, make this computer retrieve sequence r[i] from server A using password pa, and retrieve sequence s[i] from server B using password pb. Then network computer C calculates your profile stored in id[i], and can make use of it.

In this scheme, you don't need to trust the two servers, but you must trust the network computer C. And whenever you change your profile data, you need transaction coordination between servers A and B (or version information).

-- Carsten Kuckuk, May 17, 2001
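The XOR split Carsten describes, as an added example that is not part of the original thread and not Carsten's own code. It generalises his two-server case to n servers (the first n-1 shares are CSPRNG output, the last is the profile XORed with all of them) and includes a function that shows why one share alone is useless: for any candidate profile there is a partner share that decodes to it. Function names, the n-share generalisation and the sample profile are this example's own assumptions.

```python
"""XOR-split an identity record into n shares held by different servers.

Added example, not part of the original thread: implements the scheme
Carsten Kuckuk sketches above.  Function names, the n-share generalisation
and the sample profile are this example's own, not the poster's.
"""
import os
from typing import List


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(secret: bytes, n_shares: int = 2) -> List[bytes]:
    """Split `secret` into `n_shares` shares that XOR back to the secret.

    The first n-1 shares are fresh CSPRNG output (Carsten's r[i]); the last
    share is the secret XORed with all of them (his s[i]).  Every proper
    subset of the shares is uniformly random and independent of the secret,
    so a server holding only its own share learns nothing about the profile.
    """
    if n_shares < 2:
        raise ValueError("need at least two shares for the split to hide anything")
    shares = [os.urandom(len(secret)) for _ in range(n_shares - 1)]
    last = secret
    for share in shares:
        last = xor_bytes(last, share)
    shares.append(last)
    return shares


def combine_shares(shares: List[bytes]) -> bytes:
    """Recover the secret by XORing every share together (all are required)."""
    if not shares:
        raise ValueError("no shares supplied")
    acc = bytes(len(shares[0]))
    for share in shares:
        acc = xor_bytes(acc, share)
    return acc


def explaining_share(known_share: bytes, claimed_secret: bytes) -> bytes:
    """Given one share, return the partner share that would decode to
    `claimed_secret`.  Such a partner exists for every candidate secret of
    the same length, so a single share carries no information about which
    profile is the real one: this is the one-time-pad argument behind the
    scheme."""
    return xor_bytes(known_share, claimed_secret)


if __name__ == "__main__":
    # Constructed sample record; not real data.
    profile = b"name=Steve Crossan;trusts=philg;likes=leica"
    r, s = split_secret(profile)            # server A keeps r, server B keeps s
    assert combine_shares([r, s]) == profile
    # Server A, holding only r, cannot tell the real profile from a decoy:
    decoy = b"name=A. N. Other;trusts=nobody;likes=canon".ljust(len(profile), b" ")
    assert combine_shares([r, explaining_share(r, decoy)]) == decoy
    print("split/recombine OK; a lone share is consistent with any profile")
```

Two caveats a practitioner would add to Carsten's own (trusting computer C, and keeping both servers on the same version of the record). First, this is an n-of-n scheme: if any one server is down, or any one share is lost or corrupted, the profile is unrecoverable; a threshold scheme such as Shamir secret sharing lets any k of n servers reconstruct it. Second, XOR hides the content but not its length, and each server still sees when and from where you fetch your share, so the metadata Steve worries about is only partly addressed.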

Hailstorm worries me quite a bit. In fact, after reading an article on Salon about privacy, I have stopped using Hotmail altogether (see:

-- Phillip Harrington, May 17, 2001